You may be wondering whether you are an Electronic Communications Service Provider (ESCP) as defined by law. It’s an interesting question. A lot more people are ECSPs than you realise. You probably are one. What does it means for you if you are?
Who falls within the definition of an Electronic Communications Service Provider?
The Cybercrimes and Cybersecurity Bill (CaC Bill) defines an Electronic Communication and Service Provider very broadly. An ESCP includes:
- a person who provides an electronic communications service with an electronic communications service licence
- a financial institution for example a bank, or
- anyone (including an entity) who processes or stores data for someone else.
Essentially, an ESCP is anyone who does anything with someone else’s data, which is basically everyone.
Does CaC force an ECSP to keep data?
Yes. Clause 64(2)(b) states that the moment ECSPs are aware or becomes aware that their network is being used to commit a CaC crime, they must preserve any information that could assist in investigating the offence. No length of time is specified for how long the information must be preserved, but if you don’t comply, you are guilty of an offence.
Clause 33(1)(b) requires an ECSP to provide “such other assistance as may be necessary” to a member of law enforcement to access, copy or obtain data. CaC does not specify what sort of assistance is required, but you would probably have to keep the data for as long as the law enforcement member needs it. If you don’t do this you could be fined R5 million or face 5 years in prison.
Clause 40 specifies how long you need to keep data. It applies when the Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA) doesn’t require you to intercept, record or store information. When a specific law enforcement member believes that a person or ECSP may possess or is in control of data relevant to the commission of an offence, they may issue an expedited preservation of data direction. If you receive the direction, you must immediately preserve the specified data in its current state. You must preserve it for a 120 days and this period can be extended if necessary. You may apply to a magistrate to amend or cancel the direction on the grounds that they cannot comply with it timeously or in a reasonable fashion.
What does it mean if I am an ESCP?
The CaC Bill places some pretty onerous legal obligations on ECSPs. Things like reporting cybercrimes to the police and storing evidence about cybercrimes. And you could be fined R10,000 a day if you don’t comply.
To find out more attend one of our Cyber Crime and Security Law Workshop.