Are you wondering whether you are an Electronic Communications Service Provider (ECSP) as defined by the Cybercrimes Act? In this article, we’ll help you work out whether you are one and understand what it means for you if you are.
Who falls within the definition of an Electronic Communications Service Provider?
The Cybercrimes Act defines an Electronic Communications Service Provider to include:
- any person who provides an electronic communications service to the public, sections of the public, the State, or the subscribers to such service, under and in accordance with an electronic communications service licence issued to that person in terms of the Electronic Communications Act, 2005, or who is deemed to be licensed or exempted from being licensed as such in terms of that Act; and
- a person who has lawful authority to control the operation or use of a private electronic communications network used primarily for providing electronic communications services for the owner’s own use and which is exempted from being licensed in terms of the Electronic Communications Act, 2005.
The Act defines an electronic communications service as “any service which consists wholly or mainly of the conveyance by any means of electronic communications over an electronic communications network. This definition excludes broadcasting services.” (Section 1).
Note that an ECSP is defined differently in other laws (like RICA).
What does it mean if I am an ECSP?
The Cybercrimes Act has a big impact on you. It places some onerous legal obligations on ECSPs and financial institutions: not just to report cybercrimes to the police, but also to store evidence about cybercrimes. The financial implications of complying with these obligations could be enormous.
If an ECSP or financial institution does not comply with their obligations to keep data, they will be guilty of an offence and may face a fine of up to R50,000.
Does the Act force ECSPs and financial institutions to keep data?
Yes! However, because these obligations fall under section 54 of the Act, they are not in operation yet. When this section of the Act commences, an ECSP or financial institution must preserve any information which may help the police in investigating cybercrime. (Section 54 (1)(b)).
The moment an ECSP or financial institution is aware or becomes aware that someone is using their network to commit a cybercrime, they must keep data for an unspecified amount of time to help the police catch the cyber-criminal.
Financial institutions and ECSPs (or anyone else who controls data, networks, or computers) must provide technical or other assistance to law enforcement to search for, access or seize any data or computer that may be linked to cybercrime. (Section 34).
The Cybercrimes Act does not specify what assistance ECSPs or financial institutions must render. You would have to keep the data or computer for as long as the law enforcement member needs it.
If you don’t assist the police or an investigator, you could receive a hefty fine or face up to two years in prison.
Actions you could take
- Understand how the Act impacts you by attending our half-day online workshop on the Cybercrimes Act.
- Ask us to help you determine the impact of cybercrimes on your organisation and the next steps by doing the online Cybercrimes impact assessment.
- Receive future updates or alerts about the Cybercrimes Act and our events by subscribing to the Michalsons newsletter.
- Dive into the details of the Act by reading the web-based version of it.
- Know how the law applies to you specifically by asking us for a legal opinion or interpretation of the law.
- Brief your board on the Cybercrimes Act and the legal implications for your organisation by asking us to present an executive briefing to them.
- Find out what other actions you can take related to cybercrime by visiting our main cybercrime law page.