Tension Mounts on South Africa Cybersecurity Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Edwin Naidu

Feb. 5 — South Africa's controversial cybersecurity laws recently took a step closer to becoming law when the country's State Security Minister David Mahlobo published proposed National Cybersecurity Policy Framework regulations in late 2015.

(Click image to enlarge.)

south african flags

A coalition of U.S. businesses operating in South Africa said in a submission on the legislation underlying the framework that “there needs to be clarity” on the government's authority, roles, responsibilities and goals and “these should be balanced against the public's interest without infringing on any constitutional rights.”

The group said some provisions of the law are “vague and far-reaching” and that electronic communications service providers are too broadly defined, essentially making everyone a service provider.

Indra de Lanerolle, visiting research associate and adjunct lecturer at the University of Witwatersrand, Johannesburg, told Bloomberg BNA that there is widespread concern over the cybersecurity laws. But until South Africa has something similar to the disclosures about U.S. surveillance made by Edward Snowden, “business and others will remain relatively uninterested and uninformed. It's one thing to discuss powers the state has to snoop with the most limited of scrutiny. It's another when people discover how state actors actually use those powers,” he said in a statement.

Dominic Cull, regulatory advisor to the Internet Service Providers' Association (ISPA), told Bloomberg BNA that although adopting cybersecurity and cybercrime framework laws is important, the challenge remains the implementation of the plethora of regulations being drafted. “I do not see much happening in 2016 and expect the process to continue being shaped further,” he said.

Practicality Questioned

Carol O’Brien, the executive director of the American Chamber of Commerce, told Bloomberg BNA that many provisions of the proposed framework regulations are a step forward in addressing criminal offenses relating to cybersecurity threats and scams. “However, we caution that legislation can only be effective if it is practical and enforceable and, in our view, it does not take these two principles into account,” she said.

An edited version of the framework, originally approved by the government in March 2012, was published without an opportunity for an open public comment process. The cybersecurity provisions have been labelled by privacy advocates as being a threat to the country's data protection framework law, the Protection of Personal Information Act (POPI), which itself hasn't been fully implemented.

Cull said that it is unfortunate the Draft Cybercrimes and Cybersecurity Bill 2015 framework document was only made public after the period for submissions had closed.

However, Cull said the legislation was at least three years from reality and would likely see further changes before becoming law. “Regulating online content is very difficult,” he said.


The ISPA said that electronic communications service providers already operate in a highly regulated environment, which imposes obligations on them regarding the way in which they conduct their daily business to protect customers.

Another piece of cybersecurity legislation, the Protection of State Information Bill, dubbed the Security Bill, is also awaiting executive approval—the President's signature—five years since first surfacing in 2010. Despite changes, the Right2Know lobby group, believes that the proposed law remains a “deep threat to the free flow of information”.

Less controversy surrounded the passage of POPI. Leishen Pillay, a partner at Hogan Lovells (South Africa) Inc. in Johannesburg, told Bloomberg BNA the framwork data protection legislation isn't particularly onerous and is in synch with global data protection standards.

The impact on businesses coming into compliance with POPI, particularly from a cost perspective, has been an issue but the cost isn't great when compared to the right to privacy—which is enshrined in the South African Constitution—and the scourge of rampant cybercrime in South Africa. Cybercrime costs South African businesses as much as $298 million each year, according to government estimates.

Pillay said that POPI needs to be fully implemented because without that “ there is little doubt that cybercrime and data privacy breaches will continue to rise exponentially, unchecked and unabated.”

Implementing POPI would aid global competitiveness, cybercrime and the right to privacy but “cost remains a recurring obstacle to the POPI Act being implemented in South Africa,“ he said.

Cybersecurity Framework Goals

In March 2012, the South African Cabinet approved the National Cybersecurity Policy Framework (NCPF), which seeks to, among other things:

  •  centralize coordination of cybersecurity activities within South Africa;
  •  strengthen intelligence collection, investigation, prosecution and judicial processes;
  •  anticipate and confront emerging cybersecurity threats; and
  •  foster cooperation and coordination between government, the private sector and civil society.

    The cybersecurity framework document focuses on cybercrime and cybersecurity. It would create offenses and prescribe penalties.

    Privacy Advocates React

    The Draft Cybercrimes and Cybersecurity Bill 2015 has already drawn strong criticism from several organizations, including the Right2Know advocacy group, which said in its written comments on the bill that it was alarmed at recent developments threatening Internet freedom in South Africa and around the world.

    The group pointed to what it said was the overreach of state security services, widespread state and corporate surveillance and new censorship mechanisms to regulate online content under the guise of security. “These deeply troubling events underscore the need for the public to remain vigilant in defending internet rights and push back against reactionary legislation and policies that enable greater state and corporate control of the Internet,” the organization said.

    The group said the bill would “hand wide-ranging powers to state-security structures to secure vast parts of the Internet as assets of state-security, rather than common spaces for the good of all.”

    The group said the bill has provisions that compete with those in POPI, which it said provides excellent safeguards to protect all personal and financial information, in line with international best practice.

    Johan Kruger, director of the Centre for Constitutional Right, welcomed the framework as it seeks to prevent, suppress and criminalize cybercrime, but said some provisions especially around the right to freedom of expression, as well as powers of security services, raise legitimate and serious concerns.

    In a submission to the government on the bill, the U.S.-based Electronic Frontier Foundation, said the legislation creates several new offenses that are overbroad and vaguely defined. “If passed in its present form, it will criminalize innocent activities of ordinary users, will chill speech, and will inhibit innovation. We recommend that the Bill be significantly revised in the respects that we have suggested above before it is presented to Parliament,” EFF said.

    Inability to Face Evolving Cybercrime?

    Johannesburg area independent technology analyst Steven Ambrose told Bloomberg BNA that the cybersecurity regulations would need serious work before it can be presented to Parliament for debate. “The bill is far to formulaic and does not cater well to the constantly evolving online and cybercrime environment,” he said.

    “From an online perspective the government seems to have demonstrated an ignorance of the online space and how it is to be managed” and this is a risk for doing business in South Africa, he said.

    “A key factor in any business is stability and surety of the operating environment, these new bills in their current form introduce uncertainty that will need to tested in court,” he said.

    Meshendri Padayachy, the Department of Trade and Industry's deputy director for intellectual property policy and Law told Bloomberg BNA that the department is considering public comments and there is no time line for when the government will send a revised bill to Parliament.

    To contact the reporter on this story: Edwin Naidu in Johannesburg at correspondents@bna.com

    To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

    Request Bloomberg Law: Privacy & Data Security