by Adv. Lufuno T Khorommbi

Cybersecurity laws and policies have a direct impact on human rights, particularly the right to privacy, freedom of expression, and the free flow of information. The world over, policymakers have created several national policies with the intention of balancing these rights; protecting information communication technologies (ICTs) systems against malicious attacks and minimizing data breaches.  

The South African Constitution of 1996 provides for the Bill of Rights that protects individual rights from being undermined, abused and or violated. The Bill of Rights includes the right to privacy as stipulated in Section 14 – “everybody has the right to privacy which includes the right not to have their communications infringed.” 

The Current Regulatory and Policy Framework for Personal Data Protection and Cybersecurity in South Africa 

In order to enforce the Bill of Rights, South Africa has established few laws and policies to enforce the promotion and protection of these fundamental rights in the cyberspace. In the digital era where everything is connected to everything, it is important to for Internet users to know these laws in order to protect their digital human rights and for purposes of compliance. 

The Electronic Communications and Transactions (ECT) Act of 2002. 

The ECT Act became the first legislation that provided for cybersecurity and cybercrimes, as well as a legislative environment for secure electronic transactions in South Africa. The Act also set out principles that govern the protection of personal information; and introduced the concept of consumer protection by protecting individuals from unsolicited commercial communication. 

Read together with the Consumer Protection Act (CPA) of 2008, the ECT Act deals firmly with the issue of unsolicited communications. In this regard, the CPA reinforces the principles advocated in the ECT Act. 

The Regulation of Interception Communications Act of 2002

The Act provides that no person is allowed to intentionally intercept or attempt to intercept communications anywhere in South Africa. The Act also provides for deterring penalties that will ensure that any unlawful interception of communication or abuse of this law, which intentionally infringes on the right to privacy of any person is punishable with costs.

Protection of Personal Information Act, 2013

In November 2013, the Protection of Personal Information (POPI) Act was enacted. The purpose of the POPI Act is inter alia to enforce personal data protection, and minimize cyber security risks. N.B. POPI Act officially came into effect from 01 July 2020. Organisations, big and small, are expected to comply with the POPI Act compliance requirements for the processing of personal data and the deployment of appropriate security measures.  

In response to the policy gaps regarding the issue of the use of social media as a communication instrument and the right to privacy, Government has enacted the Film and Publication Amendment Act of 2019 in December 2019. The Law has not come into effect yet, pending the approval of the Regulations. 

National Cybersecurity Policy Framework

In 2012, the South African Cabinet adopted the National Cybersecurity Policy Framework (NCPF) to set out policy guidelines related to cybersecurity in SA, a focused and coherent approach to ensure the security of the country’s cyberspace.

The NCPF also addresses the lack of co-ordination between various governmental bodies, the lack of an effective regulatory framework to support the country’s cybersecurity, inadequate public awareness, and lack of ICT capacity, skills and resources. Under the NCPF the Cybersecurity Hub was established. The hub is South Africa’s National Computer Security Incident Response Team (CSIRT); it’s a decision-making body that identifies and counters cybersecurity threats. 

Are available laws – enabling or contributing to the online vulnerabilities?

Since the early 2000s, the South African government has made strides in introducing various forms of legislation to address the ever-evolving threat of cybercrime. 

Though undisputable that South Africa lags behind in certain aspects of cybersecurity, the steps that government has been taking shows real intention to solve the regulatory gaps within the cyber space. Thus, existing policies provide the enabling legal framework within which to work with.

Maybe the main consideration should be “if the legal framework is adequate?” Apart from the fact that the technological world is dynamic, making it difficult for legislatures to keep up. It does seem like despite all of the legislature’ efforts, effective implementation of legislation to counter cybercrime, minimize cybersecurity risks, and ensure data protection remains a real challenge.