Guide to the ECT Act in South Africa | ECTA

The ECT Act (or Electronic Communications and Transactions Act 25 of 2002 or ECTA) became law in South Africa on Friday, 30 August 2002 and we summarise it for you. This marked the end of a process initiated by the South African Government in 1999 to establish a formal structure to define, develop, regulate and govern e-commerce in South Africa. The word cloud on the right provides an overview of the ECT Act and which words or concepts appear most prominently throughout.

The ECT Act is one of many sources of law which impact on electronic communications and transactions and must not be read in isolation of relevant statutory and common law. It applies to any form of communication by e-mail, the Internet, SMS etc except for possibly voice communications between 2 people. The ECT Act is also “an enabling” piece of legislation in that it provides functional equivalents for paper-based concepts (including writing, original and signature), some of which were encountered in over 300 pieces of legislation identified by the Department of Communications in 1999 as not being suitable to the information age as they all had paper-based concepts within them.

The ECT Act is also a very wide piece of legislation and also deals with issues which are not related to electronic communications and transactions (such as cyber inspectors, liability of service providers and domain names). It also attempts to provide legal certainty in areas of law where there was legal uncertainty prior to August 2002 (e.g. the formation of contracts and the status of so-called “click wrap” agreements).

Chapter I of the ECT Act: Interpretation, Objects and Application

This part of the Act defines critical words and phrases and sets out the main objects of the Act.

Chapter II of the ECTA: Maximising Benefits and Policy Framework

The objective is to maximise the benefits the Internet offers by promoting universal access in under serviced areas and ensuring that the special needs of particular communities, areas and the disabled are duly taken into account. The ECT Act required the Minister to develop a 3-year national e-strategy for the Republic by no later than 30 August 2004. This was to, then, be submitted to the Cabinet for approval, which, on acceptance, would declare the implementation of the national e-strategy as a national priority. The national e-strategy was required to set out:

• the electronic transactions strategy of the Republic,
• programmes and means to achieve universal access,
• human resource development and development of SMMEs,
• ways to promote the Republic as a preferred provider and user of electronic transactions in the international market,
• the utilising of existing Government initiatives in attaining the objectives of the e-strategy,
• the role expected to be performed by the private sector in the implementation of the new national strategy,
• the objectives, timeframes and resources required to achieve the objectives provided for in the national e-strategy.

Chapter III of the ECT Act: Facilitating Electronic Transactions

This Chapter deals with the removal of legal barriers to electronic transacting and comprises 2 parts.

Part 1 provides for the legal requirements of data messages (a form of electronic communication). Various sections are drafted from the perspective of where a requirement is prescribed by “law”. It also attempts to create technology neutrality in respect of the legal treatment of data messages.

Part I gives legal recognition to electronic documents and recognises that electronic documents and signatures can serve as the electronic functional equivalent of their paper-based counterparts. Provision is made for the legal recognition of electronic signatures and the ECT Act does not prescribe what type of technology must be used. Examples of electronic signatures include:

• your typed name at the end of your e-mail,
• a scanned image of your handwritten signature embedded into a Word document and
• a so-called digital signature.

The ECT Act also creates special type of electronic signature, known as an “advanced electronic signature” (AES), which is a particularly reliable form of signature. Where a law (such as the Credit Agreements Act) requires a signature, only an AES will be valid.

Provision is made for the legal recognition of the electronic version of paper-based concepts and electronic data will, subject to certain conditions, be regarded as “writing” and constituting a “original”. The Act permits the keeping of records in electronic form. However, the ECT Act states the general legal principle but does not provide details or guidelines on what organisations should implement in practice.

Provision is also made for integrity being key to ensuring proper evidentiary weight of electronic evidence and the ability to notarise, acknowledge or certify electronic documents.

The Part also permits one to send a document by e-registered post through the South African Post Office.

Part 1 also recognises that information can be incorporated into a document through the use of hyperlinks and that contracts can be performed by machines functioning as electronic agents for parties to an electronic transaction.

Part 2 creates certain presumptions as to the time when and place where you are deemed to have received information. Part 2 also provides legal certainty as to the status of so-called “click wrap” (mouse-click-on-icon) and “web wrap” agreements. It also covers situations where data messages are deemed to have been sent by someone. The Part also provides for the acknowledgement of receipt of a data message, although there is not a legal requirement to do so.

Chapter IV: E‑government

This Chapter facilitates electronic access to government services, such as e-filing. It lists the requirements for the production of electronic documents and the integrity of information. Provision is made for any public body to accept and transmit documents in the form of data messages, and to issue permits or licenses in the form of data messages or make or receive payment in electronic form or by electronic means. The public body may specify any requirements (such as security and authentication) in the Government Gazette.

Chapter V: Cryptography Providers

The Internet presents security challenges which, without an effective regulatory framework, would pose a threat to the security of consumers and the State. This Chapter requires that suppliers (not users) of “cryptography” services or products to register their names and addresses, the names of their products with a brief description in a register maintained by the Department of Communications. Unless the (local or foreign) supplier has registered, they cannot provide their services or products in South Africa.

Registration will allow investigative authorities such as the SAPS, to identify which organisation provide the encryption technologies intercepted by them in terms of our monitoring and interception laws. This will enable the investigative authorities to approach these service providers to assist with deciphering the encrypted messages. In June 2007, the Department of Communications licensed approximately 16 cryptography service providers.

Chapter VI: Authentication Service Providers

Identification and authentication of the parties in cyberspace remains a challenge and poses threats to consumers and businesses. The ECT Act seeks to provide for the establishment of an Accreditation Authority within the Department, allowing voluntary accreditation of electronic signature technologies in accordance with minimum standards. Once accredited, these Government endorsed “advanced” electronic signatures can be used by parties who have to sign by means of an “advanced” electronic signature where required “by law”. In addition, the legislature has created a presumption of integrity where “advanced” electronic signatures are used – i.e. they will allow a party to place reliance on its authenticity by shifting the burden of proof onto the signatory to disprove its authenticity. It has also created a benefit in favour of those processes which have been accredited, that are recognised as particularly reliable. The Regulations governing accreditation were published on Wednesday, 20 June 2007 (in Government Gazette No. 8701, No. 29995, Vol. 504).

Chapter VII: Consumer Protection

Website categories of information

Suppliers of goods or services must provide consumers with a minimum set of information, including:

• the price of the product or service,
• the name, contact details, and a brief description of the business, and
• the right to withdraw from an electronic transaction before its completion.

A consumer is defined as a natural person acting as end-user of the goods or services. Consumers are also entitled, under certain circumstances, to a “cooling off” period within which they may cancel certain types of transactions concluded electronically without incurring any penalty.

Spam

Consumers also have the right not to be bound to unsolicited communications (spam) offering goods or services and the sender of the unsolicited communication must at the request of the consumer provide the identifying particulars of the source from which it obtained the consumers personal information. A person who continues to send unsolicited communications to a consumer after having been advised that the unsolicited communications are not welcome, commits an offence.

The ECT Act also seeks to place the responsibility on businesses trading online to make use of sufficiently secure payment systems. If a payment system is breached as a result of the system not being sufficiently secure, the supplier must reimburse the consumer for any loss suffered.

Chapter VIII: Personal Information and Privacy Protection

This Chapter establishes a voluntary regime for protection of personal information. Personal information includes any information capable of identifying an individual. Collectors of personal information (data collectors) may subscribe to a set of universally accepted data protection principles. It is envisaged that consumers will prefer to deal with only those data collectors that have subscribed to the recorded data protection principles. The sanction for breach of these provisions is left to the parties themselves to agree on. Subscription to these principles is voluntary due to the fact that the South African Law Commission’s investigation into privacy in South Africa. An Issue Paper was released in October 2003 which is accessible from Privacy Law. Following an evaluation of Submissions on the Issue Paper which had to be submitted by 01 December 2003, the Law Commission may publish a Discussion Paper on privacy containing draft legislation sometime in 2008.

Chapter IX: Protection of Critical Data

In terms of its definition, critical data is information which, if compromised, may pose a risk to the national security of the Republic or to the economic or social well being of its citizens. The Minister may prescribe matters relating to the registration of critical databases and require certain procedures and technological methods to be used in their storage and archiving. In November 2003 the Minister of Communications awarded a tender to a consortium of Consultants to undertake an inventory of all major databases in South Africa. The purpose of this according to the press release is to assist the Minister to (i) put in place regulations, with respect to the development, maintenance, validity, integrity and security of these databases and related systems, (ii) review progress and compliance on an ongoing basis, (iii) refine policy, legislative and regulatory requirements where appropriate and (iv) ensure that databases and data, in the Republic of South Africa, that could negatively impact on companies and citizens, are developed, maintained and secured to meet appropriate standards.

Chapter X: Domain Name Authority and Administration

The ECT Act has established a Domain Name Authority (the .za Domain Name Authority (Zadna)) to assume responsibility for the .za domain name space. All citizens and permanent residents of the Republic are eligible for membership of the Authority and must be registered as members upon application and on payment of a nominal fee. The Act provides for certain issues that have to be provided for in the Memorandum and Articles of Association of the Authority, which will be managed and controlled by a board of directors consisting of 9 directors (see the Minister’s Parliamentary Briefing on 12 September 2003). The directors are broadly representative of the demographics of the country and include stakeholders from the existing Domain Name Authority, academic and legal sectors, science, technology and engineering sectors, labour, business and the private section, culture and language, public sector and the Internet user community. The functions of the Authority are provided for in the Act. Provision is made for finances and reporting and for disputes involving Domain Names to be settled by means of alternate disputes resolution methods. In August 2007, Zadna published new policies and procedures for its members. The regulations state inter alia that domain names are to be allocated on a first come, first serve basis, with dispute resolution processes to be utilised if needs be to protect the rightful owners of domain names.

Chapter XI Limitation of Liability of Service Providers

Chapter XI deals with the limitation of the liability of service providers or so‑called “intermediaries” in cases where they may otherwise have been liable for third party data hosted on their servers. It creates a safe harbour for service providers who were previously exposed to a wide variety of potential liability by virtue of merely fulfilling their basic technical functions. The service providers may seek to limit their liability where they have acted as mere conduits for the transmission of data messages. In each situation, the ECT Act seeks to provide for specific requirements that the actions of the service providers must meet before the clause may be invoked to limit his or her liability.

Chapter XII: Cyber Inspectors

Chapter XII of the ECT Act seeks to provide for the Department of Communications to appoint cyber inspectors. The cyber inspectors may monitor Internet websites in the public domain and investigate whether cryptography service providers and authentication service providers comply with the relevant provisions. The inspectors are granted powers of search and seizure, subject to obtaining a warrant. Inspectors can also assist the police or other investigative bodies, on request.

Chapter XIII ‑ Cyber Crime

Chapter XIII of the ECT Act seeks to make the first statutory provisions on cyber crime in South African jurisprudence. The Act seeks to introduce statutory criminal offences relating to the following:

• unauthorised access to data (e.g. so-called “hacking” and trading in passwords used to commit an offence);
• interception with data (e.g. tapping into data flows or denial of service attacks);
• interference with data (e.g. viruses and denial of service attacks);
• computer related extortion, fraud and forgery (e.g. where someone gains financially by undertaking to cease or desist from doing something using a computer).

Any person aiding or abetting another in the performance of any of these crimes will be guilty as an accessory. The ECT Act prescribes the penalties for those convicted of offences which render a person liable to a fine or imprisonment for periods not exceeding 12 months in certain circumstances or five years in certain circumstances.

Chapter XIV: General Provisions

Chapter XIV contains certain “long arm” provisions which give a Court in the Republic jurisdiction to try an offence which was committed in the Republic, or where any active preparation towards the offence was committed in the Republic, where the offence was committed by a South African citizen or a permanent resident in the Republic or by a person carrying on business in the Republic, or was committed onboard any ship or aircraft registered in the Republic or on an aeroplane to or from the Republic at the time the offence was committed.

ECTA repeals the Computer Evidence Act of 1983 and limits the liability of the State, the Minister of Communications and any employee of the State for any act or omission carried out by a person in good faith and without gross negligence.

You can access the full document on the South African Government website.