The second draft of the Cyber Bill (also known as the Cybercrime Bill) will have a significant impact on many organisations and individuals. Unfortunately, the impact is mostly negative and frankly scary. Correctional services are going to have to build more prisons to lock up everyone who commits a cybercrime. Few people will actually go to jail because we don’t have enough skilled people to enforce these laws, but you better start saving money to pay fines.
The POPI Act has very few but specific crimes, and there was a collective sigh of relief by everyone when failing to comply with the POPI Act did not mean that you were committing a crime. The unintended effect of the Cyber Bill is that it essentially criminalises the POPI Act, and makes non-compliance a crime. The Cyber Bill also opens the door for selective prosecution.
Read what the impact is on you below and if it scares you, attend our full-day Cyber Crime and Security Workshop.
For private organisations (like insurance providers, media houses or direct marketers)
- If you fail to process any data (including personal information) in accordance with any law (or without authorisation from someone who can do it lawfully), you could be fined or imprisoned for five years. For example, you’re a criminal if you fail to: retain records for the prescribed period, or comply with the conditions for lawfully processing any personal information under data protection laws. You’re going to have to be very careful to process all data according to all laws. You are going to have to engage with (and pay) lawyers who know the laws that apply to data or information.
- If you acquire personal information unlawfully (for example, contrary to the conditions in the POPI Act), or possess personal information that someone else acquired unlawfully, you could be fined or imprisoned for 10 years.
- If law enforcement finds you in possession of data (like personal information) that they think was acquired unlawfully by anyone, and you cannot explain it, you could be fined or imprisoned for five years. The onus is reversed, which means that you have to prove your innocence.
- If you do anything with software or hardware tools that could be used to commit a cybercrime, you could be fined or imprisoned for 10 years. This is like prosecuting someone for murder because they have a hammer in their hand.
- You are going to have to help law enforcement catch cyber criminals at your cost or else you could be fined or imprisoned for two years.
- A court can order you to preserve any evidence at your cost.
- The Minister of State Security may declare that you have a critical information infrastructure. The Minister can issue directives on the minimum standards (for example, regards how you classify your data, protect it and secure it) that you must comply with. Every two years you will have to appoint an independent auditor to check that you comply, at your own cost, which could run into the tens of millions. State Security may monitor the audit and you must report back to State Security about the audit and provide them with any additional information they request. Your employees must assist the auditor, which will divert your valuable resources away from their day jobs. If you don’t do these things, you could be fined or imprisoned for two years.
For financial institutions (like banks)
- All of the above, and
- If you become aware that a crime has been committed, you must report the offence to SAPS and preserve any evidence in the manner prescribed by the Minister of Police at your cost. If you don’t, you could be fined R50 000.
For ICT companies (like service providers, ISPs, network operators, vendors)
- All of the above, and
- If you sell a tool that could be used to commit a cybercrime, you are probably going to have to shut down that business, because selling such tools is a cybercrime.
- You are going to have to initiate an extensive compliance programme to ensure you process data in accordance with the law because your customers are going to look to you if they get into trouble. You might even have warranted in your contract that you will comply with all laws.
For individual users of computers (like your mother or a journalist)
- If you send a message (like a skype, tweet, whatsapp, or email) that is harmful (or could incite others to cause damage to property or hurt people), you could be fined or imprisoned for three years. You will have to be very careful of what you write in an email, private messages and social media.
- If you share fake news on social media, you could be fined or imprisoned for three years. For example, if you distribute an article saying that parents should not vaccinate their children, you’re a criminal.
- If you have a tool (like an app on your phone that bypasses wifi passwords) that could be used to commit a cybercrime, you could be fined or imprisoned for 10 years.
- If you share your password or access code with someone, you could be fined or imprisoned for 10 years. For example, if you share your online banking details and log-ins so someone can access your money, you could be a criminal.
- If law enforcement finds you in possession of a password that they think you are going to use to commit a cybercrime and you cannot explain why you have it, you could be fined or imprisoned for five years. The onus is reversed, which means you have to prove your innocence.
- If you commit an offence (which is easy to do) regards the computer system of a financial institution or the state, and you will be fined more or imprisoned for longer.
- Law enforcement has extensive powers to search, access and seize your data, computer or phone.
For parents (like me)
- If your child if being cyber bullied, you will have a better chance of getting law enforcement to help you stop the bully. On the negative side, if your child is accused of bullying, the consequences could be severe.
- If someone is distributing nude pictures of your child, you will have a better chance of stopping them. You could even get an interim order preventing others from sharing the pictures online. This is one of the few positive impacts of the Cyber Bill.
- If you have a teenager in the house who has a computer, you will probably be harbouring a cyber criminal.
For Government, public bodies, or municipalities
- The information infrastructure of all government bodies is critical. This means that State Security are going to be telling you how to secure, protect and generally manage your information infrastructure. For example, State Security will be telling Home Affairs how to process their data. If you don’t, you could be fined or imprisoned for two years.
- Public bodies can only act if the law authorises them to do so. If the law does not authorise you to process data (including personal information), you could be fined or imprisoned for five years. This will put most public bodies into a state of paralysis for fear of committing a crime.
For law enforcement and the judiciary
- You are going to have to comply with lots of procedures and rules to prosecute people. You will have to undergo extensive training and be very careful what you do each day. Your job is going to get a lot harder because you are going to have to enforce this Cyber Bill.
- You’re also a user, so you might also commit crimes in your personal capacity, and the Cyber Bill’s impact on you would be the same as other individual users.
How does the Cyber Bill impact Lawyers?
They are going to make lots of money – it’s party time. Bad laws (like the Cyber Bill) are good news for lawyers.
If this scares you, attend our full-day Cyber Crime and Security Workshop.