03Oct/17

Cybercrimes and Cybersecurity Bill Republic of South Africa 2017

Cybercrimes and Cybersecurity Bill Republic of South Africa (Published in Government Gazette nº 40487 of 9 December 2016)

BILL To create offences and impose penalties which have a bearing on cybercrime; to criminalise the distribution of data messages which is harmful and to provide for interim protection orders; to further regulate jurisdiction in respect of cybercrimes; to further regulate the powers to investigate cybercrimes; to further regulate aspects relating to mutual assistance in respect of the investigation of cybercrime; to provide for the establishment of a 24/7 Point of Contact; to further provide for the proof of certain facts by affidavit; to impose obligations on electronic communications service providers and financial institutions to assist in the investigation of cybercrimes and to report cybercrimes; to provide for the establishment of structures to promote cybersecurity and capacity building; to regulate the identification and declaration of critical information infrastructures and measures to protect critical information infrastructures; to provide that the Executive may enter into agreements with foreign States to promote cybersecurity; to delete and amend provisions of certain laws; and to provide for matters connected therewith.

 

PARLIAMENT of the Republic of South Africa enacts as follows

 

CHAPTER 1.- DEFINITIONS

 

Definitions

 

  1. In this Act, unless the context indicates otherwise:

‘‘access’’, for purposes of Chapter 5, includes, without limitation, to make use of data, a computer program, a computer data storage medium or a computer system or their accessories or components or any part thereof or any ancillary device or component to the extent necessary to search for and seize an article;

‘‘article’’ means any data, computer program, computer data storage medium or computer system which:

(a) is concerned with, connected with or is, on reasonable grounds, believed to be concerned with or connected with the commission or suspected commission;

(b) may afford evidence of the commission or suspected commission; or

(c) is intended to be used or is, on reasonable grounds, believed to be intended to be used in the commission,

of an offence in terms of Chapter 2 or sections 16, 17 or 18 or any other offence which may be committed by means of, or facilitated through, the use of such an article, whether within the Republic or elsewhere;

‘‘computer’’ means any electronic programmable device used, whether by itself or as part of a computer system or any other device or equipment or any part thereof, to perform predetermined arithmetic, logical, routing, processing or storage operations in accordance with set instructions and includes all:

(a) input devices;

(b) output devices;

(c) processing devices;

(d) computer data storage mediums; and

(e) other equipment and devices that are related to, connected with or used with such a device;

‘‘computer data storage medium’’ means any device or location from which data or a computer program is capable of being reproduced or on which data or a computer program is capable of being stored by a computer system, irrespective of whether the device is physically attached to or connected with the computer system;

‘‘computer program’’ means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

‘‘computer system’’ means:

(a) one computer; or

(b) two or more inter-connected or related computers, which allow these inter-connected or related computers to:

(i) exchange data or any other function with each other; or

(ii) exchange data or any other function with another computer or a computer system;

‘‘Criminal Procedure Act’’ means the Criminal Procedure Act, 1977 (Act nº 51 of 1977);

‘‘Customs and Excise Act’’ means the Customs and Excise Act, 1964 (Act nº 91 of 1964);

‘‘Customs Control Act’’ means the Customs Control Act, 2014 (Act nº 31 of 2014);

‘‘data’’ means electronic representations of information in any form;

‘‘data message’’ means data generated, sent, received or stored by electronic means, where any output of the data is in an intelligible form;

‘‘designated judge’’ means a designated judge as defined in section 1 of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002;

‘‘electronic communications service provider’’ means any person who provides an electronic communications service under and in accordance with an electronic communications service licence issued to such person under Chapter 3 of the Electronic Communications Act, 2005 (Act nº 36 of 2005), or who is deemed to be licensed or exempted from being licensed as such in terms of the Electronic Communications Act, 2005;

‘‘financial institution’’ means a financial institution as defined in section 1 of the Financial Services Board Act, 1990 (Act nº 97 of 1990);

‘‘foreign State’’ means any State other than the Republic;

‘‘Intelligence Services Act’’ means the Intelligence Services Act, 2002 (Act nº 65 of 2002);

‘‘Intelligence Services Control Act’’ means the Intelligence Services Control Act, 1994 (Act nº 40 of 1994);

‘‘International Co-operation in Criminal Matters Act’’ means the International Co-operation in Criminal Matters Act, 1996 (Act nº 75 of 1996);

‘‘investigator’’ means any person who is not a member of the South African Police Service and who is:

(a) identified and authorised in terms of a search warrant contemplated in section 27(3); or

(b) requested by a police official in terms of sections 29(2), 30(3) or 31(4), to, subject to the direction and control of the police official, assist a police official with the search for, access or seizure of an article;

‘‘magistrate’’ includes a regional court magistrate;

‘‘Magistrates’ Courts Act’’ means the Magistrates’ Courts Act, 1944 (Act nº 32 of 1944);

‘‘National Commissioner’’ means the National Commissioner of the South African Police Service, appointed by the President under section 207(1) of the Constitution of the Republic of South Africa, 1996;

‘‘National Prosecuting Authority Act’’ means the National Prosecuting Authority Act, 1998 (Act nº 32 of 1998);

‘‘output of a computer program’’ means any:

(a) data or output of the data;

(b) computer program; or

(c) instructions, generated by a computer program;

‘‘output of data’’ means having data displayed or in any other manner;

‘‘payment system institution’’ means a clearing system participant, a designated clearing system participant, a designated settlement system, a designated settlement system operator, a designated settlement system participant, a PCH system operator, a Reserve Bank settlement system, a Reserve Bank settlement system participant, a payment system, a settlement system, a settlement system participant or a system operator, as defined in the National Payment System Act, 1998 (Act nº 78 of 1998), or any other entity or system subject to that Act;

‘‘person’’ means a natural or a juristic person;

‘‘police official’’ means a member of the South African Police Service as defined in section 1 of the South African Police Service Act, 1995 (Act nº 68 of 1995);

‘‘Prevention of Organised Crime Act’’ means the Prevention of Organised Crime Act, 1998 (Act nº 121 of 1998);

‘‘Protection from Harassment Act’’ means the Protection from Harassment Act, 2011 (Act nº 17 of 2011);

‘‘public available data’’ means data which is accessible in the public domain without restriction;

‘‘Public Finance Management Act’’ means the Public Finance Management Act, 1999 (Act nº 1 of 1999);

‘‘Public Service Act’’ means the Public Service Act, 1994 (Proclamation nº 103 of 3 June 1994);

‘‘Regulation of Interception of Communications and Provision of Communication-related Information Act’’ means the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002 (Act nº 70 of 2002);

‘‘seize’’ includes to:

(a) remove a computer data storage medium or any part of a computer system;

(b) render inaccessible data, a computer program, a computer data storage medium or any part of a computer system in order to preserve evidence;

(c) make and retain a copy of data or a computer program; or

(d) make and retain a printout of output of data or a computer program;

‘‘specifically designated police official’’ means a commissioned officer referred to in section 33 of the South African Police Service Act, 1995 (Act nº 68 of 1995), who has been designated in writing by the National Commissioner to:

(a) make oral applications for a search warrant or an amendment of a warrant contemplated in section 28;

(b) issue expedited preservation of data directions contemplated in section 39; or

(c) serve an order from the designated judge on a person, electronic communications service provider or financial institution contemplated in section 46(10);

‘‘South African Reserve Bank’’ means the South African Reserve Bank referred to in section 223 of the Constitution of the Republic of South Africa, 1996, read with section 2 of the South African Reserve Bank Act, 1989;

‘‘South African Reserve Bank Act’’ means the South African Reserve Bank Act, 1989 (Act nº 90 of 1989);

‘‘Superior Courts Act’’ means the Superior Courts Act, 2013 (Act nº 10 of 2013);

‘‘Tax Administration Act’’ means the Tax Administration Act, 2011 (Act nº 28 of 2011); and

‘‘traffic data’’ means data relating to a communication indicating the communication’s origin, destination, route, format, time, date, size, duration or type of the underlying service.

 

CHAPTER 2.- CYBERCRIMES

 

Unlawful securing of access

 

2.-

(1) Any person who unlawfully and intentionally secures access to:

(a) data;

(b) a computer program;

(c) a computer data storage medium; or

(d) a computer system,

is guilty of an offence.

(2) For purposes of this section a person secures access to:

(a) data when the person is in a position to:

(i) alter, modify or delete the data;

(ii) copy or move the data to a different location in the computer data storage medium in which it is held or to any other computer data storage medium;

(iii) obtain its output data; or

(iv) otherwise use the data;

(b) a computer program when the person is in a position to:

(i) alter, modify or delete the computer program;

(ii) copy or move the computer program to a different location in the computer data storage medium in which it is held or to any other computer data storage medium;

(iii) cause the computer program to perform any function;

(iv) obtain its output; or

(v) otherwise use the computer program;

(c) a computer data storage medium when the person is in a position to:

(i) access data as contemplated in paragraph (a) or access a computer program as contemplated in paragraph (b), stored on the computer data storage medium;

(ii) store data or a computer program on a computer data storage medium; or

(iii) otherwise use the computer data storage medium; or

(d) a computer system when the person is in a position to:

(i) use any resources of;

(ii) instruct; or

(iii) communicate with,

a computer system,

and the access contemplated in paragraph (a), (b), (c) or (d) which the person secures is unauthorised.

(3) For purposes of subsection (2), ‘‘unauthorised’’ means that the person:

(a) is not himself or herself lawfully entitled to secure access;

(b) does not have the lawful consent of another person who is lawfully entitled to secure access; or

(c) exceeds his or her entitlement or consent, to secure access,

to data, a computer program, a computer data storage medium or a computer system.

 

Unlawful acquiring of data

 

3.-

(1) Any person who unlawfully and intentionally:

(a) overcomes any protection measure which is intended to prevent access to data; and

(b) acquires data, within or which is transmitted to or from a computer system,

is guilty of an offence.

(2) Any person who unlawfully and intentionally possesses data, with the knowledge that such data was acquired unlawfully as contemplated in subsection (1), is guilty of an offence.

(3) Any person who is found in possession of data, in regard to which there is a reasonable suspicion that such data was acquired unlawfully as contemplated in subsection (1) and who is unable to give a satisfactory exculpatory account of such possession, is guilty of an offence.

(4) For purposes of this section, ‘‘acquire’’ means:

(a) use;

(b) examine or capture data or any output thereof;

(c) copy data;

(d) move data to:

(i) a different location in a computer system in which it is held; or

(ii) any other location; or

(e) divert data from its intended destination to any other destination.

 

 

Unlawful acts in respect of software or hardware tool

 

4.-

(1) Any person who unlawfully and intentionally possesses, manufactures, assembles, obtains, sells, purchases, makes available or advertises any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.

(2) Any person who unlawfully and intentionally uses any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.

(3) For purposes of this section, ‘‘software or hardware tool’’ means any electronic, mechanical or other instrument, device, equipment, apparatus or a substantial component of such a device or a computer program, which is designed or adapted primarily for the purposes of:

(a) securing access as contemplated in section 2(1);

(b) acquiring data as contemplated in section 3(1);

(c) interfering with data or a computer program as contemplated in section 5(1);

(d) interfering with a computer data storage medium or a computer system as contemplated in section 6(1); or

(e) acquiring, modifying, providing, making available, copying, using or cloning a password, access code or similar data or devices as defined in section 7(3).

 

Unlawful interference with data or computer program

 

5.-

(1) Any person who unlawfully and intentionally interferes with:

(a) data; or

(b) a computer program,

is guilty of an offence.

(2) For purposes of this section, ‘‘interference with data or a computer program’’ means to permanently or temporarily:

(a) delete data or a computer program;

(b) alter data or a computer program;

(c) render vulnerable, damage or deteriorate data or a computer program;

(d) render data or a computer program meaningless, useless or ineffective;

(e) obstruct, interrupt or interfere with the lawful use of data or a computer program; or

(f) deny access to data or a computer program.

 

Unlawful interference with computer data storage medium or computer system

 

6.-

(1) Any person who unlawfully and intentionally interferes with a computer data storage medium or a computer system, is guilty of an offence.

(2) For purposes of this section, ‘‘interference with a computer data storage medium or a computer system’’ means to permanently or temporarily:

(a) alter any resource of; or

(b) interrupt or impair:

(i) the functioning of;

(ii) the confidentiality of;

(iii) the integrity of; or

(iv) the availability of,

a computer data storage medium or a computer system.

 

Unlawful acquisition, possession, provision, receipt or use of password, access codes or similar data or devices

 

7.-

(1) Any person who unlawfully and intentionally:

(a) acquires;

(b) possesses;

(c) provides to another person; or

(d) uses,

a password, an access code or similar data or device for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1), 8 or 9(1), is guilty of an offence.

(2) Any person who is found in possession of a password, an access code or similar data or device in regard to which there is a reasonable suspicion that such password, access code or similar data or device:

(a) was acquired;

(b) is possessed;

(c) is to be provided to another person; or

(d) was used or may be used,

for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1), 8 or 9(1), and who is unable to give a satisfactory exculpatory account of such possession, is guilty of an offence.

(3) For purposes of this section, ‘‘password, access codes or similar data or device’’ means without limitation:

(a) a secret code or pin;

(b) an image;

(c) a security token;

(d) an access card;

(e) any device;

(f) biometric data; or

(g) a word or a string of characters or numbers, used for:

(i) financial transactions; or

(ii) user authentication in order to access or use data, a computer program, a computer data storage medium or a computer system.

 

Cyber fraud

 

8.- Any person who unlawfully and with the intention to defraud, makes a misrepresentation:

(a) by means of data or a computer program; or

(b) through any interference with data or a computer program as contemplated in subsection 5(2) or interference with a computer data storage medium or a computer system as contemplated in section 6(2), which:

(i) causes actual prejudice; or

(ii) is potentially prejudicial,

to another person, is guilty of the offence of cyber fraud.

 

Cyber forgery and uttering

 

9.-

(1) Any person who unlawfully and with the intention to defraud, makes:

(a) false data; or

(b) a false computer program,

to the actual or potential prejudice of another person, is guilty of the offence of cyber forgery.

(2) Any person who unlawfully and with the intention to defraud, passes off:

(a) false data; or

(b) a false computer program,

to the actual or potential prejudice of another person, is guilty of the offence of cyber uttering.

 

Cyber extortion

 

10.- Any person who unlawfully and intentionally:

(a) threatens to commit any offence; or

(b) commits any offence,

contemplated in sections 3(1), 5(1), 6(1) or 7(1)(a) or (d), for the purpose of:

(i) obtaining any advantage from another person; or

(ii) compelling another person to perform or to abstain from performing any act,

is guilty of the offence of cyber extortion.

 

Aggravated offences

 

11.-

(1)

(a) Any person who commits an offence referred to in:

(i) section 3(1), 5(1) or 6(1), in respect of; or

(ii) section 7(1), in so far as the passwords, access codes or similar data and devices relate to,

a restricted computer system, is guilty of an aggravated offence.

(b) For purposes of paragraph (a), ‘‘a restricted computer system’’ means any data, computer program, computer data storage medium or computer system under the control of or exclusively used by:

(i) any financial institution;

(ii) an organ of state as set out in section 239 of the Constitution of the Republic of South Africa, 1996, including a court; or

(iii) a critical information infrastructure as contemplated in section 57(2).

(2) Any person who commits an offence referred to in section 5(1), 6(1) or 10, which:

(a) endangers the life or violates the physical integrity or physical freedom of, or causes bodily injury to, any person, or any number of persons;

(b) causes serious risk to the health or safety of the public or any segment of the public;

(c) causes the destruction of or substantial damage to any property;

(d) causes a serious interference with, or serious disruption of, an essential service, facility or system, or the delivery of any essential service;

(e) causes any major economic loss;

(f) creates a serious public emergency situation; or

(g) prejudices the security, defence, law enforcement or international relations of the Republic,

is guilty of an aggravated offence.

(3) A prosecution in terms of subsection (1) or (2) must be authorised in writing by the Director of Public Prosecutions having jurisdiction.

 

Attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit offence

 

12.- Any person who unlawfully and intentionally:

(a) attempts;

(b) conspires with any other person; or

(c) aids, abets, induces, incites, instigates, instructs, commands or procures another person,

to commit an offence in terms of this Chapter, is guilty of an offence and is liable on conviction to the punishment to which a person convicted of actually committing that offence would be liable.

 

Theft of incorporeal

 

13.- The common law offence of theft must be interpreted so as not to exclude the theft of an incorporeal.

 

Penalties

 

14.-

(1) Any person who contravenes the provisions of section 2(1), 3(3) or 7(2) is liable on conviction to a fine or to imprisonment for a period not exceeding five years or to both a fine and such imprisonment.

(2) Any person who contravenes the provisions of section 3(1) or (2), 4(1) or (2), 5(1), 6(1) or 7(1) is liable on conviction to a fine or to imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment.

(3) Any person who contravenes the provisions of section 11(1) is liable on conviction to a fine or to imprisonment for a period not exceeding 15 years or to both a fine and such imprisonment.

(4) A court which convicts a person of an offence in terms of section 8, 9(1) or (2), 10 or 11(2) may, where a penalty is not prescribed in respect of that offence by any other law, impose a sentence as provided for in section 276 of the Criminal Procedure Act, 1977, which that court considers appropriate and which is within that court’s penal jurisdiction.

(5) A court which imposes any sentence in terms of this section must, without excluding other relevant factors, consider as aggravating factors:

(a) the fact that the offence was committed by electronic means;

(b) the extent of the prejudice and loss suffered by the complainant or other person as a result of the commission of such an offence;

(c) the extent to which the person gained financially or received any favour, benefit, reward, compensation or any other advantage from the commission of the offence; or

(d) the fact that the offence was committed in concert with one or more persons.

(6) If a person is convicted of any offence provided for in section 2(1), 3(1), 5(1), 6(1), 7(1), 8, 9(1) or (2), 10 or 11(1) or (2), a court which imposes any sentence in terms of those sections where the offence was committed:

(a) by a person; or

(b) with the collusion or assistance of another person,

who as part of his or her duties, functions or lawful authority was in charge of, in control of, or had access to data, a computer program, a computer data storage medium or a computer system which was involved in the offence, must, unless substantial and compelling circumstances justifying the imposition of another sentence, impose, with or without a fine, a period of direct imprisonment which may not be suspended as contemplated in section 297(4) of the Criminal Procedure Act, 1977.

 

Competent verdicts

 

15.-

(1) If the evidence in criminal proceedings does not prove the commission of the offence charged but proves a contravention of section 12:

(a) in respect of the offence charged; or

(b) in respect of any other offence of which an accused may be convicted on the offence charged,

the accused may be found guilty of the offence so proved.

(2) If the evidence on a charge of a contravention of section 3(1), does not prove the offence, but proves:

(a) a contravention of section 2(1);

(b) a contravention of section 3(2) or (3); or

(c) a contravention of section 4(2) in so far as it relates to the use of a software or hardware tool for purposes of contravening section 3(1),

the accused may be found guilty of the offence so proved.

(3) If the evidence on a charge of a contravention of section 5(1), does not prove the offence, but proves:

(a) a contravention of section 2(1);

(b) a contravention of section 4(2) in so far as it relates to the use of a software or hardware tool for purposes of contravening section 5(1); or

(c) the offence of malicious injury to property,

the accused may be found guilty of the offence so proved.

(4) If the evidence on a charge of a contravention of section 6(1), does not prove the offence or attempt to commit the offence, but proves:

(a) a contravention of section 2(1);

(b) a contravention of section 4(2) in so far as it relates to the use of a software or hardware tool for purposes of contravening section 6(1); or

(c) the offence of malicious injury to property,

the accused may be found guilty of the offence so proved.

(5)

(a) If the evidence on a charge of a contravention of section 7(1)(a) or (d) does not prove the offence, but proves:

(i) a contravention of section 2(1);

(ii) a contravention of section 7(2); or

(iii) a contravention of section 4(2) in so far as it relates to the use of a software or hardware tool for purposes of contravening section 7(1)(a) or (d),

the accused may be found guilty of the offence so proved.

(b) If the evidence on a charge of a contravention of section 7(1)(b) or (c) does not prove the offence, but proves a contravention of section 7(2), the accused may be found guilty of the offence so proved.

(6) If the evidence on a charge of a contravention of section 8, does not prove the offence, but proves:

(a) a contravention of section 2(1);

(b) a contravention of section 4(2), in so far as it relates to the use of a software or hardware tool for the purposes of:

(i) interfering with data or a computer program as contemplated in section 5(1);

(ii) interfering with a computer data storage medium or a computer system as contemplated in section 6(1); or

(iii) acquiring, modifying, providing, making available, copying, using or cloning a password, access code or similar data or devices as contemplated in section 7(1)(a) and (d);

(c) a contravention of sections 9(1) or (2);

(d) the common law offence of fraud or attempt to commit that offence;

(e) the common law offence of forgery or uttering or attempt to commit that offence; or

(f) the common law offence of theft or attempt to commit that offence,

the accused may be found guilty of the offence so proved.

(7)

(a) If the evidence on a charge of a contravention of section 9(1), does not prove the offence, but proves the common law offence of forgery, the accused may be found guilty of the offence so proved.

(b) If the evidence on a charge of a contravention of section 9(2), does not prove the offence, but proves the common law offence of uttering, the accused may be found guilty of the offence so proved.

(8) If an accused is charged with a contravention of section 3(1), 5(1), 6(1) or 7(1) as contemplated in section 11(1), and the evidence on the charge does not prove a contravention of section 11(1), but proves a contravention of:

(a) section 2(1);

(b) section 3(1) or any competent verdict provided for in subsection (2);

(c) section 5(1) or any competent verdict provided for in subsection (3);

(d) section 6(1) or any competent verdict provided for in subsection (4); or

(e) section 7(1) or any competent verdict provided for in subsection (5),

the accused may be found guilty of the offence so proved.

(9) If an accused is charged with a contravention of sections 5(1), 6(1) or 10, as contemplated in section 11(2), and the evidence on the charge does not prove a contravention of section 11(2), but proves a contravention of:

(a) section 2(1);

(b) section 5(1) or any competent verdict provided for in subsection (3); or

(c) section 6(1) or any competent verdict provided for in subsection (4),

the accused may be found guilty of the offence so proved.

 

CHAPTER 3.- MALICIOUS COMMUNICATIONS

 

Data message which incites damage to property or violence

 

16.- Any person who unlawfully makes available, broadcasts or distributes, by means of a computer system, a data message to a specific person, group of persons or the general public with the intention to incite:

(a) the causing of any damage to any property belonging to; or

(b) violence against,

a person or a group of persons, is guilty of an offence.

 

Data message which is harmful

 

17.-

(1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message which is harmful, is guilty of an offence.

(2) For purposes of subsection (1), a data message is harmful when:

(a) it threatens a person with:

(i) damage to any property belonging to, or violence against, that person; or

(ii) damage to any property belonging to, or violence against, any member of the family or household of the person or any other person in a close relationship with the person;

(b) it threatens a group of persons with damage to any property belonging to, or violence against, the group of persons or any identified person forming part of the group of persons or who is associated with the group of persons;

(c) it intimidates, encourages or harasses a person to harm himself or herself or any other person; or

(d) it is inherently false in nature and it is aimed at causing mental, psychological, physical or economic harm to a specific person or a group of persons,

and a reasonable person in possession of the same information and with regard to all the circumstances would regard the data message as harmful.

 

Distribution of data message of intimate image without consent

 

18.-

(1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.

(2) For purposes of subsection (1), ‘‘intimate image’’ means a visual depiction of a person made by any means:

(a) under circumstances that give rise to a reasonable expectation of privacy; and

(b) in which the person is nude, is exposing his or her genital organs or anal region or, in the case of a female, her breasts.

 

Order to protect complainant pending finalisation of criminal proceedings

 

19.-

(1) A complainant who lays a charge with the South African Police Service that an offence contemplated in section 16, 17 or 18 has allegedly been committed against him or her, may on an ex parte basis in the prescribed form and manner, apply to a magistrate’s court for an order pending the finalisation of the criminal proceedings to:

(a) prohibit any person from further making available, broadcasting or distributing the data message contemplated in section 16, 17 or 18 which relates to the charge; or

(b) order an electronic communications service provider or person in control of a computer system to remove or disable access to the data message in question.

(2) The court must as soon as is reasonably possible consider an application submitted to it in terms of subsection (1) and may, for that purpose, consider any additional evidence it deems fit, including oral evidence or evidence by affidavit, which must form part of the record of proceedings.

(3) If the court is satisfied that there is prima facie evidence that the data message in question constitutes an offence as contemplated in sections 16, 17 or 18, the court may issue the order referred to in subsection (1), in the prescribed form.

(4) The order must be served on the person referred to in subsection (1)(a) or electronic communications service provider or person referred to in subsection (1)(b) in the prescribed form and manner: Provided that, if the court is satisfied that the order cannot be served in the prescribed form and manner, the court may make an order allowing service to be effected in the manner specified in that order.

(5) An order referred to in subsection (1) is of force and effect from the time it is issued by the court and the existence thereof has been brought to the attention of the person referred to in subsection (1)(a) or electronic communications service provider or person referred to in subsection (1)(b).

(6) A person referred to in subsection (1)(a) or electronic communications service provider or person referred to in subsection (1)(b) may, within 30 days after the order has been served on him or her in terms of subsection (4), upon notice to the magistrate’s court concerned, in the prescribed form and manner, apply to the court for the setting aside or amendment of the order referred to in subsection (1).

(7) The court must as soon as is reasonably possible consider an application submitted to it in terms of subsection (6) and may for that purpose, consider such additional evidence as it deems fit, including oral evidence or evidence by affidavit, which shall form part of the record of the proceedings.

(8) The court may, for purposes of subsections (2) and (7), in the prescribed manner cause to be subpoenaed any person as a witness at those proceedings or to provide any book, document or object, if the evidence of that person or book, document or object appears to the court essential to the just decision of the case.

(9) Any person or electronic communications service provider who fails to comply with an order referred to in subsection (5) is guilty of an offence.

(10) Any person who is subpoenaed in terms of subsection (8) to attend proceedings and who fails to:

(a) attend or to remain in attendance;

(b) appear at the place and on the date and at the time to which the proceedings in question may be adjourned;

(c) remain in attendance at those proceedings as so adjourned; or

(d) produce any book, document or object specified in the subpoena,

is guilty of an offence.

(11) The provisions in respect of appeal and review as provided for in the Magistrates’ Courts Act, 1944, and the Superior Courts Act, 2013, apply to proceedings in terms of this section.

 

Electronic communications service provider or person in control of computer system to furnish particulars to court

 

20.-

(1) If an application for a protection order is made in terms of section 19(1) and the court is satisfied in terms of section 19(3) that a protection order must be issued and the identity or address of the person who made available, broadcast or distributed the data message in question is not known, the court may:

(a) adjourn the proceedings to any time and date on the terms and conditions which the court deems appropriate; and

(b) issue a direction in the prescribed form directing an electronic communications service provider or person in control of a computer system to furnish the court in the prescribed manner by means of an affidavit in the prescribed form with:

(i) the electronic communications identity number from where the data message originated;

(ii) the name, surname, identity number and address of the person to whom the electronic communications identity number has been assigned;

(iii) any information which indicates that the data message was or was not sent from the electronic communications identity number of the person to the electronic communications identity number of the complainant; and

(iv) any other information that is available to an electronic communications service provider or a person in control of a computer system which may be of assistance to the court to identify the person who made available, broadcast or distributed the data message in question or the electronic communications service provider or person in control of a computer system which provides a service to the person who made available, broadcast or distributed the data message.

(2) If the court issues a direction in terms of subsection (1) the court must direct that the direction be served on the electronic communications service provider or person in control of a computer system in the prescribed manner.

(3)

(a) The information referred to in subsection (1)(b)(i), (ii), (iii) and (iv) must be provided to the court within five ordinary court days from the time that the direction is served on an electronic communications service provider or person.

(b) An electronic communications service provider or person in control of a computer system on which a direction is served, may in the prescribed manner by means of an affidavit in the prescribed form apply to the court for:

(i) an extension of the period of five ordinary court days referred to in paragraph (a) for a further period of five ordinary court days on the grounds that the information cannot be provided timeously; or

(ii) the cancellation of the direction on the grounds that:

(aa) it does not provide an electronic communications service to either the respondent or complainant or a related person; or

(bb) the requested information is not available in the records of the electronic communications service provider or person in control of a computer system.

(4) After receipt of an application in terms of subsection (3)(b), the court:

(a) must consider the application;

(b) may, in the prescribed manner, request such additional evidence by way of affidavit from the electronic communications service provider or the person in control of a computer system as it deems fit;

(c) must give a decision in respect thereof; and

(d) must inform the electronic communications service provider or the person in control of a computer system in the prescribed form and in the prescribed manner of the outcome of the application.

(5)

(a) The court may, on receipt of an affidavit from an electronic communications service provider or person in control of a computer system which contains the information referred to in subsection (1)(b)(i) and (ii), consider the issuing of a protection order in terms of section 19(3) against the person who made available, broadcast or distributed the data message contemplated in section 16, 17 or 18 on the date to which the proceedings have been adjourned.

(b) Any information furnished to the court in terms of subsection (1)(b) forms part of the evidence that a court may consider in terms of section 19(3).

(6) The Cabinet member responsible for the administration of justice may, by notice in the Gazette, prescribe reasonable tariffs of compensation payable to electronic communications service providers or persons in control of a computer system for providing the information referred to in subsection (1)(b).

(7) Any electronic communications service provider, employee of an electronic communications service provider or person in control of a computer system who:

(a) fails to furnish the required information within five ordinary court days from the time that the direction is served on such electronic communications service provider or person to a court in terms of subsection (3)(a) or such extended period allowed by the court in terms of subsection (3)(b); or

(b) makes a false statement in an affidavit referred to in subsection (1)(b) or (3)(b) in a material respect,

is guilty of an offence.

 

Orders on finalisation of criminal proceedings

 

21.-

(1) Whenever a person is:

(a) convicted of an offence in terms of section 16, 17 or 18; or

(b) acquitted of an offence in terms of section 16, 17 or 18,

and evidence proves that the person engaged in, or attempted to engage in, harassment as contemplated in the Protection from Harassment Act, 2011, the trial court may, after holding an enquiry, issue a protection order contemplated in section 9(4) of the Protection from Harassment Act, 2011, against the person, whereafter the provisions of that Act shall apply with the changes required by the context.

(2) The trial court must, on convicting a person for the commission of an offence contemplated in section 16, 17 or 18, order:

(a) that person to refrain from further making available, broadcasting or distributing the data message contemplated in section 16, 17 or 18 which relates to the charge on which he or she is convicted;

(b) that person or any other person to destroy the data message in question or any copy of the data message; or

(c) an electronic communications service provider or person in control of a computer system to remove or disable access to the data message in question.

(3) The orders referred to in subsection (2)(b), in so far as it relates to a person other than the accused, and subsection (2)(c), must be in the prescribed form and must be served on the electronic communications service provider or person in control of a computer system in the prescribed manner: Provided that, if the trial court is satisfied that the order cannot be served in the prescribed form and manner, the court may make an order allowing service to be effected in the manner specified in that order.

(4) Any person contemplated in subsection (2)(a) or (b) or electronic communications service provider or person in control of a computer system contemplated in subsection (2)(c) who fails to comply with an order referred to in subsection (2) is guilty of an offence.

(5) For purposes of this section ‘‘trial court’’ means:

(a) a magistrate’s court established under section 2(1)(f)(i) of the Magistrates’ Courts Act, 1944;

(b) a court for a regional division established under section 2(1)(g)(i) of the Magistrates’ Courts Act, 1944; or

(c) a High Court referred to in section 6(1) of the Superior Courts Act, 2013.

 

Penalties

 

22.-

(1) Any person who contravenes the provisions of section 16, 17 or 18 is liable on conviction to a fine or to imprisonment for a period not exceeding three years or to both a fine and such imprisonment.

(2) Any person or electronic communications service provider who contravenes the provisions of section 19(9) or (10), 20(7) or 21(4) is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

 

CHAPTER 4.- JURISDICTION

 

Jurisdiction

 

23.-

(1) A court in the Republic trying an offence in terms of Chapter 2 or section 16, 17 or 18 has jurisdiction if:

(a) the offence was committed in the Republic;

(b) any act in preparation for the offence or any part of the offence was committed in the Republic, or where any result of the offence has had an effect in the Republic;

(c) the offence was committed in the Republic or outside the Republic by a South African citizen or a person with permanent residence in the Republic or by a person carrying on business in the Republic; or

(d) the offence was committed on board any ship or aircraft registered in the Republic or on a voyage or flight to or from the Republic at the time that the offence was committed.

(2) If the act alleged to constitute an offence in terms of Chapter 2 or section 16, 17 or 18 occurred outside the Republic, a court of the Republic, regardless of whether or not the act constitutes an offence at the place of its commission, has jurisdiction in respect of that offence if the person to be charged:

(a) is a citizen of the Republic;

(b) is ordinarily resident in the Republic;

(c) was arrested in the territory of the Republic, or in its territorial waters or on board a ship or aircraft registered or required to be registered in the Republic at the time the offence was committed;

(d) is a company, incorporated or registered as such under any law, in the Republic; or

(e) is any body of persons, corporate or unincorporated, in the Republic.

(3) Any act alleged to constitute an offence in terms of Chapter 2 or section 16, 17 or 18 and which is committed outside the Republic by a person, other than a person contemplated in subsection (2), is, regardless of whether or not the act constitutes an offence or not at the place of its commission, deemed also to have been committed in the Republic if that:

(a) act affects or is intended to affect a public body, a business or any other person in the Republic;

(b) person is found to be in South Africa; and

(c) person is for one or other reason not extradited by South Africa or if there is no application to extradite that person.

(4) Where a person is charged with attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit an offence or as an accessory after the offence, the offence is deemed to have been committed not only at the place where the act was committed, but also at every place where the person acted.

(5)

(a) A prosecution in terms of subsections (2) and (3):

(i) may only be instituted against a person with the written permission of the National Director of Public Prosecutions; and

(ii) must commence before a court designated by the National Director of Public Prosecutions.

(b) A copy of the written permission and designation must be served on the accused and the original thereof must be handed in at the court in which the proceedings are to commence.

 

CHAPTER 5.- POWERS TO INVESTIGATE, SEARCH AND ACCESS OR SEIZE

 

Standard Operating Procedures

 

24.-

(1) The Cabinet member responsible for policing, in consultation with the National Director of Public Prosecutions and the Cabinet member responsible for the administration of justice must, after following a process of public consultation, within six months of the commencement of this Chapter, issue Standard Operating Procedures which must be observed by:

(a) the South African Police Service; or

(b) any other person or agency who or which is authorised in terms of the provision of any other law to investigate any offence in terms of any law,

in the investigation of any offence in terms of Chapter 2 or section 16, 17 or 18 or any other offence which is or was committed by means of or facilitated by the use of an article.

(2) The Standard Operating Procedures referred to in subsection (1) and any amendment thereto must be published in the Gazette.

 

Application of provisions in this Chapter

 

25.- The Criminal Procedure Act, 1977, applies in addition to the provisions of this Chapter in so far that it is not inconsistent with the provisions of this Chapter.

 

Search for and access to, or seizure of, certain articles

 

26.- A police official may, in accordance with the provisions of this Chapter, search for, access or seize any article within the Republic.

 

Article to be searched for, accessed or seized under search warrant

 

27.-

(1) Subject to the provisions of sections 29, 30 and 31 of this Act, section 4(3) of the Customs and Excise Act, 1964, sections 69(2)(b) and 71 of the Tax Administration Act, 2011, and section 21(e) and (f) of the Customs Control Act, 2014, an article can only be searched for, accessed or seized by virtue of a search warrant issued:

(a) by a magistrate or judge of the High Court, on written application by a police official, if it appears to the magistrate or judge from information on oath or by way of affirmation that there are reasonable grounds for believing that an article is:

(i) within his or her area of jurisdiction; or

(ii) being used or is involved in the commission of an offence:

(aa) within his or her area of jurisdiction; or

(bb) within the Republic, if he or she is unsure within which area of jurisdiction the article is being used or is involved in the commission of an offence; or

(b) by a magistrate or judge presiding at criminal proceedings, if it appears to such magistrate or judge that an article is required in evidence at such proceedings.

(2) A search warrant issued under subsection (1) must require a police official identified in the warrant to search for, access and seize the article in question and, to that end, must authorise the police official to:

(a) search any person identified in the warrant;

(b) enter and search any container, premises, vehicle, facility, ship or aircraft identified in the warrant;

(c) search any person who is believed, on reasonable grounds, to be able to furnish any information of material importance concerning the matter under investigation and who is found near such container, on or at such premises, vehicle, facility, ship or aircraft;

(d) search any person who is believed, on reasonable grounds, to be able to furnish any information of material importance concerning the matter under investigation and who:

(i) is nearby;

(ii) uses; or

(iii) is in possession of or in direct control of,

any data, computer program, computer data storage medium or computer system identified in the warrant to the extent set out in the warrant;

(e) search for any article identified in the warrant to the extent set out in the warrant;

(f) access an article identified in the warrant to the extent set out in the warrant;

(g) seize an article identified in the warrant to the extent set out in the warrant; or

(h) use or obtain and use any instrument, device, equipment, password, decryption key, data, computer program, computer data storage medium or computer system or other information that is believed, on reasonable grounds, to be necessary to search for, access or seize an article identified in the warrant to the extent set out in the warrant.

(3) A search warrant issued under subsection (1) may require an investigator or other person identified in the warrant to assist the police official identified in the warrant, with the search for, access or seizure of the article in question, to the extent set out in the warrant.

(4)

(a) A search warrant may be executed at any time, unless the person issuing the warrant in writing specifies otherwise.

(b) A search warrant may be issued on any day and is of force until it is executed or is cancelled by the person who issued it or, if such person is not available, by a person with like authority.

(5) A police official who executes a warrant under this section must hand to any person whose rights in respect of any search, or article accessed or seized under the warrant have been affected, a copy of the warrant and the written application of the police official contemplated in subsection (1)(a).

(6) The provisions of subsections (1) to (5) apply with the changes required by the context to an amendment of a warrant issued in terms of subsection (1).

 

Oral application for search warrant or amendment of warrant

 

28.-

(1) An application referred to in section 27(1)(a), or an application for the amendment of a warrant issued in terms of section 27(1)(a), may be made orally by a specifically designated police official, if it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application.

(2) An oral application referred to in subsection (1) must:

(a) indicate the particulars of the urgency of the case or the other exceptional circumstances which, in the opinion of the police official, justify the making of an oral application; and

(b) comply with any supplementary directives relating to oral applications issued by the Chief Justice in terms of section 8(3) of the Superior Courts Act, 2013.

(3) A magistrate or judge of the High Court may, upon an oral application made to him or her in terms of subsection (1) and subject to subsection (4), issue a warrant or amend a warrant as contemplated in section 27(1)(a).

(4) A warrant or any amendment to a warrant may only be issued under subsection (3):

(a) if the magistrate or judge of the High Court concerned is satisfied, on the facts alleged in the oral application concerned, that:

(i) there are reasonable grounds to believe that a warrant or any amendment to a warrant applied for could be issued;

(ii) a warrant or an amendment to a warrant is necessary immediately in order to search for, access or seize an article:

(aa) within his or her area of jurisdiction; or

(bb) within the Republic, if he or she is unsure within which area of jurisdiction the article is being used or is involved in the commission of an offence; and

(iii) it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application for the issuing of a warrant or to amend a warrant; and

(b) on condition that the police official concerned must submit a written application to the magistrate or judge of the High Court concerned within 48 hours after the issuing of the warrant or amended warrant under subsection (3).

(5) A warrant or any amendment to a warrant issued under subsection (3) must:

(a) be in writing;

(b) be transmitted electronically to the member of the law enforcement agency; and

(c) contain a summary of the facts which were considered and the grounds upon which the warrant was issued.

(6) A magistrate or judge of the High Court who has issued a warrant or amended a warrant under subsection (3) or, if he or she is not available, any other magistrate or judge of the High Court must, upon receipt of a written application submitted to him or her in terms of subsection (4)(b), reconsider that application whereupon he or she may confirm, amend or cancel that warrant.

(7) A magistrate or judge of the High Court contemplated in subsection (6), who amends or cancels the warrant must make such an order as he or she deems fit in respect of how any article which is affected by his or her decision is to be dealt with.

 

Search for, access to, or seizure of article without search warrant with consent of person who has lawful authority to consent

 

29.-

(1) Any police official may, without a search warrant, execute the powers referred to in section 27(2), subject to any other law, if the person who has the lawful authority to consent to the search for, access to or seizure of the article in question consents, in writing, to such search, access or seizure.

(2) A police official acting in terms of subsection (1), may, subject to the lawful consent, in writing, of the person who has the lawful authority to consent, request an investigator to assist him or her with the search for, access to or seizure of the article in question.

 

Search for, access to or seizure of article involved in commission of offence without search warrant

 

30.-

(1) A police official may without a search warrant referred to in section 27(1)(a) search any person or container or premises for the purposes of performing the powers referred to in paragraphs (a) and (b) of the definition of ‘‘seize’’ in respect of a computer data storage medium or any part of a computer system referred to in the definition of ‘‘article’’, if the police official on reasonable grounds believes:

(a) that a search warrant will be issued to him or her under section 27(1)(a) if he or she applies for such warrant; and

(b) that the delay in obtaining such warrant would defeat the object of the search and seizure.

(2) A police official may only access or perform the powers referred to in paragraphs (c) or (d) of the definition of ‘‘seize’’, in respect of the computer data storage medium or a computer system referred to in subsection (1), in accordance with a search warrant issued in terms of section 27(1)(a): Provided that a police official may if he or she on reasonable grounds believes:

(a) that a search warrant will be issued to him or her under section 27(1)(a) if he or she applies for such warrant; and

(b) it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written or oral application for a search warrant,

he or she may access and perform the powers referred to in paragraphs (c) or (d) of the definition of ‘‘seize’’ without a search warrant.

(3) An investigator authorised in writing by a police official may assist the police official to seize an article as contemplated in subsections (1) and (2) and to access the article as contemplated in subsection (2).

 

Search for, access to and seizure of article on arrest of person

 

31.-

(1) A police official may without a warrant, as contemplated in section 40 of the Criminal Procedure Act, 1977, arrest any person:

(a) who commits any offence in terms of Chapter 2 or section 16, 17 or 18 in his or her presence;

(b) whom he or she reasonably suspects of having committed any offence in terms of Chapter 2 or section 16, 17 or 18; or

(c) who has been concerned with or against whom a reasonable complaint has been made or credible information has been received or a reasonable suspicion exists that he or she has been concerned with an offence in terms of Chapter 2 or section 16, 17 or 18 or any other offence substantially similar to an offence recognised in the Republic which is or was committed by means of, or facilitated by the use of an article, in a foreign State and for which he or she is, under any law relating to extradition or fugitive offenders, liable to be arrested or detained in custody in the Republic.

(2) On the arrest of a person contemplated in subsection (1) or in terms of section 40 or in terms of a warrant issued in terms of section 43 of the Criminal Procedure Act, 1977, a police official may search for and perform the powers referred to in paragraphs (a) and (b) of the definition of ‘‘seize’’ in respect of a computer data storage medium or any part of a computer system referred to in the definition of ‘‘article’’, which is found in the possession, in the custody or under the control of the person.

(3) A police official may only access or perform the powers referred to in paragraphs (c) or (d) of the definition of ‘‘seize’’, in respect of a computer data storage medium or a computer system referred to in subsection (2), in accordance with a search warrant issued in terms of section 27(1)(a): Provided that a police official may if he or she on reasonable grounds believes:

(a) that a search warrant will be issued to him or her under section 27(1)(a) if he or she applies for such warrant; and

(b) it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written or oral application for a search warrant,

he or she may access and perform the powers referred to in paragraph (c) or (d) of the definition of ‘‘seize’’ without a search warrant.

(4) An investigator authorised in writing by a police official may assist the police official to seize an article as contemplated in subsections (2) and (3) and to access the article as contemplated in subsection (3).

 

Assisting member of law enforcement agency or investigator

 

32.-

(1) An electronic communications service provider, financial institution or person, other than the person who is suspected of having committed the offence which is being investigated, who is in control of any container, premises, vehicle, facility, ship, aircraft, data, computer program, computer data storage medium or computer system that is subject to a search authorised in terms of section 27(1) must, if required, provide:

(a) technical assistance; and

(b) such other assistance as may be necessary,

to a police official or investigator in order to search for, access and seize an article.

(2) An electronic communications service provider, financial institution or person who fails to comply with the provisions of subsection (1) is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both a fine and such imprisonment.

 

Obstructing or hindering police official or investigator and authority to overcome resistance

 

33.-

(1) Any person who unlawfully and intentionally obstructs or hinders a police official or an investigator in the exercise of his or her powers or the performance of his or her duties or functions in terms of this Chapter or who refuses or fails to comply with a search warrant issued in terms of section 27(1), is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both such fine and such imprisonment.

(2)

(a) A police official who may lawfully execute any power conferred upon him or her in terms of section 27(2), may use such force as may be:

(i) reasonably necessary; and

(ii) proportional to all the circumstances,

relating to the execution of such powers.

(b) No police official may enter upon or search any premises, vehicle, facility, ship or aircraft unless he or she has audibly demanded admission to the premises, vehicle, facility, ship or aircraft and has notified the purpose of his or her entry.

(c) The provisions of paragraph (b) do not apply where the police official is, on reasonable grounds, of the opinion that an article which is the subject of the search may be destroyed, disposed of or tampered with if the provisions of paragraph (b) are complied with.

 

Powers conferred upon police official or investigator to be conducted in decent and orderly manner with due regard to rights of other persons

 

34.-

(1) The powers conferred upon a police official or an investigator in terms of section 27(2), 29, 30 or 31, must be conducted:

(a) with strict regard to decency and order; and

(b) with due regard to the rights, responsibilities and legitimate interests of other persons in proportion to the severity of the offence.

(2) If a female needs to be searched physically in terms of section 27(2)(a), (c) or (d) or 31, such search must be carried out by a police official who is also a female: Provided that if no female police official is available, the search must be carried out by any female designated for that purpose by a police official.

 

Wrongful search, access or seizure and restriction on use of instrument, device, password or decryption key or information to gain access

 

35.-

(1) A police official or an investigator who unlawfully and intentionally:

(a) acts contrary to the authority of:

(i) a search warrant issued under section 27(1); or

(ii) consent granted in terms of section 29(1); or

(b) without being authorised thereto under this Chapter or the provision of any other law which affords similar powers to a police official or investigator:

(i) searches for, accesses or seizes data, a computer program, a computer data storage medium or any part of a computer system or any other information, instrument, device or equipment; or

(ii) obtains or uses any instrument, device, password, decryption key or other information that is necessary to access data, a computer program, a computer data storage medium or any part of a computer system,

is guilty of an offence.

(2) A police official or an investigator who obtains or uses any instrument, device, equipment, password, decryption key, data or other information contemplated in section 27(2)(h):

(a) must use the instrument, device, equipment, password, decryption key, data or information only in respect of and to the extent specified in the warrant to gain access to or use data, a computer program, a computer data storage medium or any part of a computer system in the manner and for the purposes specified in the search warrant concerned; and

(b) must destroy all passwords, decryption keys, data or other information if:

(i) it is not required by a person who may lawfully possess the passwords, decryption keys, data or other information;

(ii) it will not be required for purposes of any criminal or civil proceedings contemplated in Chapter 5 or 6 of the Prevention of Organised Crime Act, 1998, or for purposes of evidence or for purposes of an order of court; or

(iii) no criminal proceedings or civil proceedings as contemplated in Chapter 5 or 6 of the Prevention of Organised Crime Act, 1998 are to be instituted in connection with such information.

(3) A police official or an investigator who contravenes or fails to comply with subsection (1) or (2), is liable on conviction to a fine or imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

(4) Where a police official or an investigator is convicted of an offence referred to in subsection (1) or (2), the court convicting such a person may, upon application of any person who has suffered damage or upon the application of the prosecutor acting on the instructions of that person, award compensation in respect of such damage, whereupon the provisions of section 300 of the Criminal Procedure Act, 1977, apply with the changes required by the context to such award.

 

False information under oath or by way of affirmation

 

36.-

(1) Any person who unlawfully or intentionally gives false information under oath or by way of affirmation knowing it to be false or not knowing it to be true, with the result that:

(a) a search warrant is issued;

(b) a search contemplated in section 29 took place on the basis of such information;

(c) a computer data storage medium or any part of a computer system is seized in terms of section 30;

(d) an expedited preservation of data direction contemplated in section 39 is issued;

(e) a preservation of evidence direction contemplated in section 40 is issued; or

(f) a disclosure of data direction contemplated in section 42 is issued,

is guilty of an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

(2) If a person is convicted of an offence referred to in subsection (1), the court convicting such a person may, upon application of any person who has suffered damage or upon the application of the prosecutor acting on the instructions of that person, award compensation in respect of such damage, whereupon the provisions of section 300 of the Criminal Procedure Act, 1977, apply with the changes required by the context with reference to such award.

 

Prohibition on disclosure of information

 

37.-

(1) No person, investigator, police official, electronic communications service provider, financial institution or employee of an electronic communications service provider or financial institution may, subject to subsection (2), disclose any information which he or she has obtained in the exercise of his, her or its powers or the performance of his, her or its duties in terms of Chapters 5 and 6 of this Act, except:

(a) to any other person who of necessity requires it for the performance of his or her functions in terms of this Act;

(b) if he or she is a person who of necessity supplies such information in the performance of his or her duties or functions in terms of this Act;

(c) if it is information which is required in terms of any law or as evidence in any court of law;

(d) if it constitutes information sharing:

(i) contemplated in Chapter 10; or

(ii) between electronic communications service providers, financial institutions, the South African Police Service or any other person or entity which is aimed at preventing, investigating or mitigating cybercrime:

Provided that such information sharing may not prejudice any criminal investigation or criminal proceedings; or

(e) to any competent authority which requires it for the institution of criminal proceedings or an investigation with a view to institute criminal proceedings.

(2) The prohibition on disclosure of information contemplated in subsection (1) does not apply where the disclosure:

(a) is protected or authorised under the Protected Disclosures Act, 2000 (Act nº 26 of 2000), the Companies Act, 2008 (Act nº 71 of 2008), the Prevention and Combating of Corrupt Activities Act, 2004 (Act nº 12 of 2004), the National Environmental Management Act, 1998 (Act nº 107 of 1998), or the Labour Relations Act, 1995 (Act nº 66 of 1995);

(b) is authorised in terms of this Act or any other Act of Parliament; or

(c) reveals a criminal activity.

(3) A person, investigator, police official, electronic communications service provider, financial institution or an employee of an electronic communications service provider or financial institution who contravenes the provisions of subsection (1) is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding three years or to both a fine and such imprisonment.

 

Interception of indirect communication, obtaining of real-time communication-related information and archived communication-related information.

 

38.-

(1) The interception of data which is an indirect communication as defined in section 1 of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002, must take place in terms of an interception direction issued in terms of section 16(4) or 18(3)(a) of that Act and must, subject to subsection (4), be dealt with further in the manner provided for in that Act.

(2) The obtaining of real-time communication-related information as defined in section 1 of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002, on an ongoing basis, as it becomes available must take place in terms of a real-time communication-related direction issued in terms of section 17(3) or 18(3)(b) of that Act, and must, subject to subsection (4), be dealt with further in the manner provided for in that Act.

(3) An electronic communications service provider who is:

(a) in terms of section 30(1)(b) of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002, required to provide an electronic communications service which has the capability to store communication-related information; and

(b) not required to store communication-related information in terms of a directive issued in terms of section 30(2) of that Act,

must, in addition to any other obligation imposed by any law, comply with:

(i) a real-time communication-related direction referred to in subsection (2) in terms of which the electronic communications service provider is directed to provide real-time communication-related information in respect of a customer, on an ongoing basis, as it becomes available;

(ii) an expedited preservation of data direction contemplated in section 39 in terms of which the electronic communications service provider is directed to preserve real-time communication-related information or archived communication-related information in respect of a customer;

(iii) a preservation of evidence direction contemplated in section 40 in terms of which the electronic communications service provider is directed to preserve real-time communication-related information or archived communication-related information in respect of a customer;

(iv) a disclosure of data direction contemplated in section 42 in terms of which the electronic communications service provider is directed to provide archived communication-related information in respect of a customer that was stored by the electronic communications service provider; or

(v) any order of the designated judge in terms of subsection (1) or (2) or section 46(6), in terms of which the electronic communications service provider is ordered to:

(aa) obtain and preserve any real-time communication-related information or archived communication-related information; or

(bb) furnish traffic data, in so far as it may indicate that an electronic communications service provider in a foreign State was involved in the transmission of the communication.

(4) Any indirect communication referred to in subsection (1) which is intercepted or any real-time communication-related information which is obtained on an ongoing basis, or archived communication-related information which was obtained and stored at the request of an authority, court or tribunal exercising jurisdiction in a foreign State must further be dealt with in the manner provided for in an order referred to in section 46(6), which is issued by the designated judge.

 

Expedited preservation of data direction

 

39.-

(1) Subject to section 38(1) and (2), a specifically designated police official may, if he or she on reasonable grounds believes that any person, an electronic communications service provider or a financial institution is in possession of, is to receive or is in control of data:

(a) which is relevant to;

(b) which was used or may be used in;

(c) for the purposes of or in connection with;

(d) which has facilitated or may facilitate; or

(e) which may afford evidence of,

the commission or intended commission of:

(i) an offence under Chapter 2 or section 16, 17 or 18;

(ii) any other offence in terms of the laws of the Republic which is or was committed by means of, or facilitated by, the use of an article; or

(iii) an offence:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18; or

(bb) substantially similar to an offence recognised in the Republic which is or was committed by means of, or facilitated by the use of an article, in a foreign State,

issue, with due regard to the rights, responsibilities and legitimate interests of other persons in proportion to the severity of the offence in question, an expedited preservation of data direction to such a person, electronic communications service provider or financial institution.

(2) Subsection (1) also applies to:

(a) archived communication-related information which an electronic communications service provider is no longer required to store due to the fact that the period contemplated in section 30(2)(a)(iii) of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2002, is due to come to an end; or

(b) any other information which must be stored for a certain period in terms of any other law and that period is due to come to an end.

(3) An expedited preservation of data direction must be in the prescribed form and must be served on the person, electronic communications service provider or financial institution affected thereby in the prescribed manner by a police official.

(4) An expedited preservation of data direction must direct the person, electronic communications service provider or financial institution affected thereby, from the time of service of the direction and for a period of 21 days:

(a) to preserve the current status of;

(b) not to deal in any manner with; or

(c) to deal in a certain manner with,

the data referred to in the direction in order to preserve the availability and integrity of the data.

(5) No data may be disclosed to a police official on the strength of an expedited preservation of data direction unless it is authorised in terms of section 42.

(6) The 21 day period referred to in subsection (4) may only be extended by way of a preservation of evidence direction contemplated in section 40.

(7) A person, electronic communications service provider or financial institution to whom an expedited preservation of data direction, referred to in subsection (1), is addressed may, in writing in the prescribed form and manner, apply to a magistrate in whose area of jurisdiction the person, electronic communications service provider or financial institution is situated, for an amendment or the cancellation of the direction concerned on the ground that he or she cannot timeously or in a reasonable fashion comply with the direction.

(8) The magistrate to whom an application is made in terms of subsection (7) must, as soon as possible after receipt thereof:

(a) consider the application and may for this purpose order oral or written evidence to be adduced regarding any fact alleged in the application;

(b) give a decision in respect of the application; and

(c) inform the applicant and specifically designated police official referred to in subsection (1) of the outcome of the application.

(9) A person, electronic communications service provider or financial institution referred to in subsection (1) who:

(a) fails to comply with an expedited preservation of data direction or contravenes the provisions of subsection (5); or

(b) makes a false statement in an application referred to in subsection (7),

is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both a fine and such imprisonment.

 

Preservation of evidence direction

 

40.-

(1) A magistrate or judge of the High Court may, on written application by a police official, if it appears to the magistrate or judge from information on oath or by way of affirmation that there are reasonable grounds for believing that any person, electronic communications service provider or financial institution may receive, is in possession of or is in control of an article:

(a) relevant to;

(b) which was used or may be used in;

(c) for the purpose of or in connection with;

(d) which has facilitated or may facilitate; or

(e) which may afford evidence of,

the commission or intended commission of:

(i) an offence under Chapter 2 or section 16, 17 or 18;

(ii) any other offence in terms of the laws of the Republic which is or was committed by means of, or facilitated by the use of an article; or

(iii) an offence:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18 committed in a foreign State; or

(bb) any other offence substantially similar to an offence recognised in the Republic which is or was committed by means of, or facilitated by the use of an article, in a foreign State,

with due regard to the rights, responsibilities and legitimate interests of other persons in proportion to the severity of the offence in question, issue a preservation of evidence direction.

(2) A preservation of evidence direction must be in the prescribed form and must be served on the person, electronic communications service provider or financial institution affected thereby, in the prescribed manner by a police official.

(3) The preservation of evidence direction must direct the person, electronic communications service provider or financial institution, from the time of service of the direction and for the time period specified in the direction, which may not exceed 90 days:

(a) to preserve the current status of;

(b) not to deal in any manner with; or

(c) to deal in a certain manner with,

an article in order to preserve the availability of or integrity of the evidence.

(4) Any person, electronic communications service provider or financial institution who fails to comply with a preservation of evidence direction is guilty of an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding three years or to both a fine and such imprisonment.

(5) A person, electronic communications service provider or financial institution to whom a preservation of evidence direction referred to in subsection (1) is addressed may, in writing in the prescribed form and manner, apply to a magistrate or judge of the High Court in whose area of jurisdiction the person, electronic communications service provider or financial institution is situated for an amendment or the cancellation of the direction concerned on the ground that he or she cannot timeously or in a reasonable fashion, comply with the order.

(6) The magistrate or judge of the High Court to whom an application is made in terms of subsection (5) must, as soon as possible after receipt thereof:

(a) consider the application and may, for this purpose, order oral or written evidence to be adduced regarding any fact alleged in the application;

(b) give a decision in respect of the application; and

(c) inform the applicant and police official of the outcome of the application.

 

Oral application for preservation of evidence direction

 

41.-

(1) An application referred to in section 40(1), may be made orally by a police official if he or she is of the opinion that it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make written application.

(2) An oral application referred to in subsection (1) must:

(a) indicate the particulars of the urgency of the case or the other exceptional circumstances which, in the opinion of the police official, justify the making of an oral application; and

(b) comply with any supplementary directives relating to oral applications issued by the Chief Justice in terms of section 8(3) of the Superior Courts Act, 2013.

(3) A magistrate or judge of the High Court may, upon an oral application made to him or her in terms of subsection (1), with due regard to the rights, responsibilities and legitimate interests of other persons in proportion to the severity of the offence in question, issue the preservation of evidence direction applied for.

(4) A preservation of evidence direction may only be issued under subsection (3):

(a) if the magistrate or judge of the High Court concerned is satisfied, on the facts alleged in the oral application concerned, that:

(i) there are reasonable grounds to believe that a preservation of evidence direction applied for could be issued;

(ii) a preservation of evidence direction is necessary immediately in order to preserve the integrity of the evidence; and

(iii) it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application for the issuing of the preservation of evidence direction applied for; and

(b) on condition that the police official concerned must submit a written application to the magistrate or judge of the High Court concerned within 48 hours after the issuing of the preservation of evidence direction under subsection (3).

(5) A preservation of evidence direction issued under subsection (3) must be in writing and must be transmitted electronically to the police official.

(6) A magistrate or judge of the High Court who issued a direction under subsection (3) or, if he or she is not available, any other magistrate or judge of the High Court must, upon receipt of a written application submitted to him or her in terms of subsection (4)(b), reconsider that application whereupon he or she may confirm, amend or cancel that preservation of evidence direction.

 

Disclosure of data direction

 

42.-

(1) Where:

(a) an expedited preservation of data direction or a preservation of evidence direction is in place; or

(b) it is otherwise expedient to obtain data without issuing a search warrant contemplated in section 27(1),

a magistrate or judge of the High Court may, subject to section 4(3) of the Customs and Excise Act, 1964, sections 69(2)(b) and 71 of the Tax Administration Act, 2011, and section 21(e) and (f) of the Customs Control Act, 2014, on written application by a police official, if it appears to the magistrate or judge from information on oath or by way of affirmation that there are reasonable grounds for believing that a person, electronic communications service provider or financial institution, other than the person, electronic communications service provider or financial institution who is suspected of having committed the offence which is being investigated, may receive, is in possession of or is in control of data which is relevant to or which may afford evidence of the commission or intended commission of:

(i) an offence under Chapter 2 or section 16, 17 or 18; or

(ii) any other offence in terms of the laws of the Republic which is or was committed by means of, or facilitated by the use of an article,

issue a disclosure of data direction.

(2) An application contemplated in subsection (1) must:

(a) contain the identity of the police official who applies for the disclosure of data direction;

(b) identify the customer, if known, or the service or communication in respect of whom data is to be provided;

(c) identify the person, electronic communications service provider or financial institution to whom the disclosure of data direction must be addressed;

(d) contain a description of the data which must be provided and the format in which it must be provided;

(e) contain a description of the offence which has been or is being or will probably be committed; and

(f) comply with any supplementary directives relating to applications for expedited disclosure of data issued by the Chief Justice in terms of section 8(3) of the Superior Courts Act, 2013.

(3) Upon receipt of an application in terms of subsection (1), a magistrate or judge must satisfy himself or herself:

(a) that there are reasonable grounds for believing that:

(i) an offence in terms of Chapter 2 or section 16, 17 or 18; or

(ii) any other offence in terms of the laws of the Republic which is or was committed by means of or facilitated by the use of an article,

has been, is being or will probably be committed or that it is necessary to determine whether such an offence has been so committed; and

(b) that it will be in the interests of justice if a disclosure of data direction is issued.

(4) A disclosure of data direction must be in the prescribed form and must be served on the person, electronic communications service provider or financial institution affected thereby in the prescribed manner by a police official.

(5) The disclosure of data direction:

(a) must direct the person, electronic communications service provider or financial institution to provide data identified in the direction to the extent set out in the direction to an identified police official;

(b) must set out the period within which the data identified in paragraph (a) must be provided; and

(c) may specify conditions or restrictions relating to the provision of data authorised therein.

(6) A person, electronic communications service provider or financial institution to whom a disclosure of data direction referred to in subsection (5) is addressed may, in writing in the prescribed form and manner, apply to the magistrate or judge for an amendment or the cancellation of the direction concerned on the ground that he or she cannot timeously or in a reasonable fashion comply with the direction.

(7) The magistrate or judge to whom an application is made in terms of subsection (6) must, as soon as possible after receipt thereof:

(a) consider the application and may, for this purpose, order oral or written evidence to be adduced regarding any fact alleged in the application;

(b) give a decision in respect of the application; and

(c) if the application is successful, inform the police official of the outcome of the application.

(8) Any data which is made available in terms of a disclosure of data direction must be:

(a) provided to the police official identified in the direction; and

(b) accompanied by an affidavit in the prescribed form by the person or authorised representative of an electronic communications service provider or financial institution, verifying the authenticity, integrity and reliability of the data that is furnished.

(9) A person, electronic communications service provider or a financial institution who:

(a) fails to comply with a disclosure of data direction;

(b) makes a false statement in an application referred to in subsection (6); or

(c) fails to comply with subsection (8),

is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both a fine and such imprisonment.

 

Search for, access to and seizure of data where no authorisation is required

 

43.- A police official may, without being specifically authorised thereto in terms of this Chapter, for the purposes of investigating any offence under Chapter 2 or section 16, 17 or 18:

(a) search for, access or perform the powers referred to in paragraphs (c) or (d) of the definition of ‘‘seize’’ in respect of publicly available data regardless of where the data is located geographically; or

(b) receive non-public available data, regardless of where the data is located geographically, if the person who has the lawful authority to disclose the data, voluntarily and on such conditions regarding confidentiality and limitation of use which he or she deems necessary, discloses the data to a police official.

 

CHAPTER 6.- MUTUAL ASSISTANCE

 

Application of provisions in this Chapter

 

44.- The provisions of sections 46 to 49 apply in addition to Chapter 2 of the International Co-operation in Criminal Matters Act, 1996, and relate, unless specified otherwise, to the preservation of evidence pending a request in terms of section 2 or 7 of the International Co-operation in Criminal Matters Act, 1996.

 

Spontaneous information

 

45.-

(1) The National Commissioner may, on such conditions regarding confidentiality and limitation of use as he or she may determine and after obtaining the written approval of the National Director of Public Prosecutions as contemplated in subsection (2), forward any information obtained during any investigation to a law enforcement agency of a foreign State if the National Commissioner is of the opinion that the disclosure of such information may:

(a) assist the foreign State in the initiation or carrying out of investigations regarding an offence committed within the jurisdiction of that foreign State; or

(b) lead to further cooperation with a foreign State to carry out an investigation regarding the commission or intended commission of:

(i) an offence contemplated in Chapter 2 or section 16, 17 or 18;

(ii) any other offence in terms of the laws of the Republic which may be committed or facilitated by means of an article; or

(iii) an offence:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18; or

(bb) any other offence substantially similar to an offence recognised in the Republic which is or was committed by means of or facilitated by the use of an article,

in that foreign State.

(2) The National Director of Public Prosecutions must consider a request by the National Commissioner in terms of subsection (1) and may only grant approval referred to in subsection (1) if he or she is satisfied that the forwarding of information:

(a) will not adversely affect any pending criminal proceedings or investigations within the Republic;

(b) will not be prejudicial to the interests of the Republic; and

(c) is in accordance with any applicable law of the Republic.

(3) The South African Police Service may receive any information from a foreign State, subject to such conditions regarding confidentiality and limitation of use as may be agreed upon, which will:

(a) assist the South African Police Service in the initiation or carrying out of investigations regarding an offence committed within the Republic; or

(b) lead to further cooperation with a foreign State to carry out an investigation regarding the commission or intended commission of:

(i) an offence contemplated in Chapter 2 or section 16, 17 or 18; or

(ii) any other offence in terms of the laws of the Republic which may be committed by means of or facilitated by an article.

 

Foreign requests for assistance and cooperation

 

46.-

(1) A request by an authority, court or tribunal exercising jurisdiction in a foreign State for the:

(a) preservation of data or other article;

(b) seizure of data or other article;

(c) expedited disclosure of traffic data, in so far as it may indicate that a person, electronic communications service provider or financial institution in another State was involved in the transmission of the communication;

(d) obtaining of data which is real-time communication-related information or archived communication-related information; or

(e) interception of data which is an indirect communication,

must, subject to subsection (7), be submitted to the 24/7 Point of Contact.

(2) The 24/7 Point of Contact must submit the request to the National Director of Public Prosecutions for consideration.

(3)

(a) Upon receipt of a request referred to in subsection (2), the National Director of Public Prosecutions must satisfy himself or herself:

(i) that proceedings have been instituted in a court or tribunal exercising jurisdiction in the requesting foreign State; or

(ii) that there are reasonable grounds for believing that an offence has been committed in the requesting foreign State or that it is necessary to determine whether an offence has been so committed and that an investigation in respect thereof is being conducted in the requesting foreign State; and

(iii) that the offence in question is:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18; or

(bb) substantially similar to an offence recognised in the Republic which is or was committed by means of, or facilitated by the use of an article; and

(iv) that the foreign State intends to submit a request in terms of section 7 of the International Co-operation in Criminal Matters Act, 1996, for obtaining the data, communication or article in the Republic for use in such proceedings or investigation in the foreign State.

(b) For purposes of paragraph (a), the National Director of Public Prosecutions may rely on a certificate purported to be issued by a competent authority in the foreign State concerned, stating the facts contemplated in subsection (3)(a).

(4)

(a) The National Director of Public Prosecutions must submit the request for assistance, together with his or her recommendations, to the Cabinet member responsible for the administration of justice for his or her approval.

(b) Upon being notified of the Cabinet member’s approval the National Director of Public Prosecutions must forward the request contemplated in subsection (1) to the designated judge for consideration.

(5) Where the request relates to the expedited disclosure of traffic data, in so far as it may indicate that a person, electronic communications service provider or financial institution in a foreign State was involved in the transmission of the communication, subsections (3)(a)(iv) and (4) do not apply and the National Director of Public Prosecutions must submit the request for assistance, together with his or her recommendations, to the designated judge.

(6) Subject to subsections (7) and (8), the designated judge may on receipt of a request referred to in subsection (4) or (5), issue any order which he or she deems appropriate to ensure that the requested:

(a) data or other article is preserved in accordance with section 40;

(b) data is seized on an expedited basis in accordance with section 27 and preserved;

(c) traffic data, in so far as it may indicate that a person, electronic communications service provider or financial institution in a foreign State was involved in the transmission of the communication, is disclosed on an expedited basis in accordance with section 42;

(d) data, which is a real-time communication-related information, is obtained and preserved; or

(e) data which is an indirect communication is intercepted and preserved,

as is specified in the request.

(7) The designated judge may only issue an order contemplated in subsection (6) if:

(a) on the facts alleged in the request, there are reasonable grounds to believe that:

(i) an offence substantially similar to the offences contemplated in Chapter 2, or section 16, 17 or 18, has been or is being or will probably be committed; or

(ii) any other offence substantially similar to an offence recognised in the Republic was committed by means of, or facilitated through the use of an article, and for purposes of the investigation it is necessary, in the interests of justice, to give an order contemplated in subsection (6);

(b) the request clearly identifies:

(i) the person, electronic communications service provider or financial institution:

(aa) who or which will receive, is in possession of or is in control of the data or other article that must be preserved; or

(bb) from whose facilities the data or traffic data must be obtained or intercepted; and

(ii) the data or other article which must be preserved;

(iii) the data which must be seized on an expedited basis;

(iv) the traffic data which must be disclosed on an expedited basis;

(v) the data, which is real-time communication-related information, and which must be obtained; or

(vi) data, which is an indirect communication, and which is to be intercepted;

(c) the request is, where applicable, in accordance with:

(i) any treaty, convention or other agreement to which that foreign State and the Republic are parties to or which can be used as a basis for mutual assistance; or

(ii) any agreement with any foreign State entered into in terms of section 59; and

(d) the order contemplated in subsection (6) is in accordance with any applicable law of the Republic.

(8) Where a request relates to the expedited disclosure of traffic data as contemplated in subsection (6)(c), the designated judge may:

(a) specify conditions or restrictions relating to the disclosure of traffic data as he or she deems appropriate; or

(b) refuse to issue an order referred to in subsection (6)(c), if the disclosure of the traffic data will, or is likely to, prejudice the sovereignty, security, public safety or other essential interests of the Republic.

(9)

(a) In the case of urgency, a request by any authority, court or tribunal exercising jurisdiction in a foreign State referred to in subsection (1) may be submitted directly to the designated judge.

(b) Upon receipt of a request in terms of paragraph (a), the designated judge may issue any order referred to in subsection (6).

(10)

(a) An order contemplated in subsection (6) must be executed by a specifically designated police official.

(b) The specifically designated police official referred to in paragraph (a), must inform:

(i) the designated judge; and

(ii) the National Director of Public Prosecutions,

in writing, of the fact that an order has been executed.

(11) The National Director of Public Prosecutions must, in writing, inform a foreign State of the fact that an order was issued and executed or not issued.

 

Complying with order of designated judge

 

47.-

(1) A person, electronic communications service provider or financial institution must comply with an order of the designated judge issued in terms of section 46(6).

(2) A person, electronic communications service provider or financial institution to whom an order referred to in section 46(6) is addressed may, in writing, apply to the designated judge for an amendment or the cancellation of the order concerned on the ground that he or she cannot timeously or in a reasonable fashion comply with the order.

(3) The designated judge to whom an application is made in terms of subsection (2) must, as soon as possible after receipt thereof:

(a) consider the application and may, for this purpose, order oral or written evidence to be adduced regarding any fact alleged in the application;

(b) give a decision in respect of the application; and

(c) if the application is successful, inform the National Director of Public Prosecutions of the outcome of the application.

(4) A person, electronic communications service provider or financial institution who:

(a) fails to comply with an order referred to in section 46(6); or

(b) makes a false statement in an application referred to in subsection (2),

is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both a fine and such imprisonment.

 

Informing foreign State of outcome of request for mutual assistance and expedited disclosure of traffic data

 

48.-

(1) The National Director of Public Prosecutions must inform:

(a) the designated judge; and

(b) a foreign State,

of the outcome of the request for assistance and cooperation.

(2) Any traffic data which is made available in terms of an order referred to in section 46(6)(c), must be:

(a) provided to the 24/7 Point of Contact for submission to an authority, court or tribunal of a foreign State; and

(b) accompanied by:

(i) a copy of the order referred to in section 46(6); and

(ii) an affidavit in the prescribed form by the person or authorised representative of an electronic communications service provider or financial institution, verifying the authenticity, integrity and reliability of the information that is furnished.

(3) The information referred to in subsection (2)(a), together with the copy of the order and affidavit referred to in subsection (2)(b), must be provided to the authority, court or tribunal exercising jurisdiction in a foreign State which requested the assistance in terms of section 46(1).

(4) A person, electronic communications service provider or financial institution who:

(a) fails to comply with subsection (2); or

(b) makes a false statement in an affidavit referred to in subsection (2)(b)(ii),

is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years or to both a fine and such imprisonment.

 

Issuing of direction requesting foreign mutual assistance

 

49.-

(1) If it appears to a magistrate from information on oath or by way of affirmation that there are reasonable grounds for believing that:

(a) an offence contemplated in Chapter 2 or section 16, 17 or 18; or

(b) any other offence in terms of the laws of the Republic which may be committed or facilitated by means of an article,

has been committed and that it is necessary, pending the issuing of a letter of request in terms of section 2(2) of the International Co-operation in Criminal Matters Act, 1996, to:

(i) preserve data or other articles;

(ii) seize data or other articles on an expedited basis;

(iii) disclose traffic data on an expedited basis;

(iv) obtain data which is real-time communication-related information or archived communication-related information; or

(v) intercept data which is an indirect communication,

within the area of jurisdiction of a foreign State, the magistrate may issue a direction in the prescribed form in which assistance from that foreign State is sought as is stated in the direction.

(2) A direction contemplated in subsection (1) must specify that:

(a) there are reasonable grounds for believing that an offence contemplated in this Act has been committed in the Republic or that it is necessary to determine whether an offence has been committed;

(b) an investigation in respect thereof is being conducted; and

(c) for purposes of the investigation it is necessary, in the interests of justice, that:

(i) data or other articles specified in the direction be preserved;

(ii) data or an article is to be seized on an expedited basis and be preserved;

(iii) traffic data, in so far as it may indicate that a person, electronic communications service provider or financial institution in a foreign State was involved in the transmission of the communication, specified in the direction, be disclosed on an expedited basis;

(iv) data specified in the direction, which is real-time communication-related information or archived communication-related information, be obtained and be preserved; or

(v) data specified in the direction, which is an indirect communication, be intercepted and be preserved,

within the area of jurisdiction of a foreign State.

(3) The direction must be sent to the National Director of Public Prosecutions for transmission to:

(a) the appropriate authority in the foreign State which is requested to provide assistance and cooperation; or

(b) a designated point of contact in the foreign State which is requested to provide assistance and cooperation.

 

CHAPTER 7.- 24/7 POINT OF CONTACT

 

Establishment and functions of 24/7 Point of Contact

 

50.-

(1) The Cabinet member responsible for policing must:

(a) establish an office to be known as the 24/7 Point of Contact for the Republic; and

(b) equip, operate and maintain the 24/7 Point of Contact.

(2) The Cabinet member responsible for policing exercises final responsibility over the administration and functioning of the 24/7 Point of Contact.

(3)

(a) The 24/7 Point of Contact must operate on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate expedited assistance for the purposes of proceedings or investigations regarding the commission or intended commission of:

(i) an offence under Chapter 2 or section 16, 17 or 18;

(ii) any other offence in terms of the laws of the Republic which may be committed or facilitated by means of an article; or

(iii) an offence:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18; or

(bb) any other offence substantially similar to an offence recognised in the Republic which is or was committed by means of or facilitated by the use of an article,

in a foreign State.

(b) The assistance contemplated in subsection (3)(a) includes:

(i) the provision of technical advice and assistance;

(ii) the facilitation or provision of assistance regarding anything which is authorised under Chapters 5 and 6;

(iii) the provision of legal assistance;

(iv) the identification and location of an article;

(v) the identification and location of a suspect; and

(vi) cooperation with appropriate authorities of a foreign State.

(4) The Cabinet member responsible for policing may make regulations to further:

(a) regulate any aspect provided for in subsection (3);

(b) impose additional duties on the 24/7 Point of Contact; and

(c) regulate any aspect which is necessary or expedient for the proper implementation of this section.

(5) The National Director of Public Prosecutions must make available members of the National Prosecuting Authority:

(a) who have particular knowledge and skills in respect of any aspect dealt with in this Act; and

(b) to whom a security clearance has been issued by the State Security Agency in terms of section 2A of the National Strategic Intelligence Act, 1994 (Act nº 39 of 1994), to the satisfaction of the National Director of Public Prosecutions,

to provide such legal assistance to the 24/7 Point of Contact as may be necessary or expedient for the effective operation of the 24/7 Point of Contact.

(6)

(a) The Cabinet member responsible for policing must, at the end of each financial year, submit a report to the Chairperson of the Joint Standing Committee on Intelligence established by section 2 of the Intelligence Services Control Act, 1994, on the functions and activities of the 24/7 Point of Contact.

(b) The report contemplated in paragraph (a) must include:

(i) the number of matters in which technical advice and assistance were provided to a foreign State; and

(ii) the number of matters in which technical advice and assistance were received from a foreign State.

 

 

CHAPTER 8.- EVIDENCE

 

Proof of certain facts by affidavit

 

51.-

(1) Whenever any fact established by any examination or process requiring any skill in:

(a) the interpretation of data;

(b) the design or functioning of data, a computer program, a computer data storage medium or a computer system;

(c) computer science;

(d) electronic communications networks and technology;

(e) software engineering; or

(f) computer programming,

is or may become relevant to an issue at criminal proceedings or civil proceedings as contemplated in Chapter 5 or 6 of the Prevention of Organised Crime Act, 1998, a document purporting to be an affidavit made by a person who, in that affidavit, states that he or she:

(i) is in the service of a body in the Republic or a foreign State designated by the Cabinet member responsible for the administration of justice by notice in the Gazette;

(ii) possesses relevant qualifications, expertise and experience which make him or her competent to make the affidavit; and

(iii) has established such fact by means of an examination or process,

is, upon its mere production at such proceedings, prima facie proof of such fact.

(2) Any person who makes an affidavit under subsection (1) and who in such affidavit wilfully states anything which is false, is guilty of an offence and is liable on conviction to a fine or imprisonment not exceeding two years.

(3) The court before which an affidavit is produced as prima facie proof of the relevant contents thereof may, in its discretion, cause the person who made the affidavit to be subpoenaed to give oral evidence in the proceedings in question or may cause written interrogatories to be submitted to such person for reply and such interrogatories and any reply thereto purporting to be a reply from such person are likewise admissible in evidence at such proceedings.

(4) No provision of this section affects any other law under which any certificate or other document is admissible in evidence and the provisions of this section are deemed to be additional to and not in substitution of any such law.

(5)

(a) For purposes of subsection (1), a document purporting to be an affidavit made by a person who in that affidavit alleges that he or she is in the service of a body in the Republic or foreign State designated by the Cabinet member responsible for the administration of justice by notice in the Gazette, has no effect unless:

(i) it is obtained in terms of an order of a competent court or on the authority of a government institution of the foreign State concerned, as the case may be; and

(ii) it is authenticated:

(aa) in the manner prescribed in the rules of court for the authentication of documents executed outside the Republic; or

(bb) by a person and in the manner contemplated in section 7 or 8 of the Justices of the Peace and Commissioners of Oaths Act, 1963 (Act nº 16 of 1963).

(b) The admissibility and evidentiary value of an affidavit contemplated in paragraph (a) are not affected by the fact that the form of the oath, confirmation or attestation thereof differs from the form of the oath, confirmation or attestation prescribed in the Republic.

(c) A court before which an affidavit contemplated in paragraph (a) is placed may, in order to clarify any obscurities in the said affidavit and at the request of a party to the proceedings, order that a supplementary affidavit be submitted or that oral evidence be heard: Provided that oral evidence may only be heard if the court is of the opinion that it is in the interests of the administration of justice and that a party to the proceedings would be prejudiced materially if oral evidence is not heard.

 

CHAPTER 9.- OBLIGATIONS OF ELECTRONIC COMMUNICATIONS SERVICE PROVIDERS AND FINANCIAL INSTITUTIONS

 

Obligations of electronic communications service providers and financial institutions

 

52.-

(1) An electronic communications service provider or financial institution that is aware or becomes aware that its computer system is involved in the commission of any category or class of offences provided for in Chapter 2 and which is determined in terms of subsection (2), must:

(a) without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service; and

(b) preserve any information which may be of assistance to the law enforcement agencies in investigating the offence.

(2) The Cabinet member responsible for policing, in consultation with the Cabinet member responsible for the administration of justice, must, by notice in the Gazette, prescribe:

(a) the category or class of offences which must be reported to the South African Police Service in terms of subsection (1); and

(b) the form and manner in which an electronic communications service provider or financial institution must report offences to the South African Police Service.

(3) An electronic communications service provider or financial institution that fails to comply with subsection (1), is guilty of an offence and is liable on conviction to a fine of R50 000.

(4) Subject to any other law or obligation, the provisions of subsection (1) must not be interpreted as to impose obligations on an electronic service provider or financial institution to:

(a) monitor the data which the electronic communications service provider or financial institution transmits or stores; or

(b) actively seek facts or circumstances indicating any unlawful activity.

(5) This Chapter does not apply to a financial sector regulator or a function performed by the South African Reserve Bank in terms of section 10 of the South African Reserve Bank Act, 1989.

 

CHAPTER 10.- STRUCTURES TO DEAL WITH CYBERSECURITY

 

Cyber Response Committee

 

53.-

(1) The Cyber Response Committee is hereby established.

(2) The Cyber Response Committee consists of:

(a) a chairperson who is the Director-General: State Security;

(b) members who are the Heads of the representative Departments and one of their nominees who must be officials:

(i) at the rank of at least a chief director or equivalent, of a representative Department, who are specifically nominated by a Head of that representative Department to serve on the Cyber Response Committee; and

(ii) to whom a security clearance certificate has been issued by the State Security Agency in terms of section 2A of the National Strategic Intelligence Act, 1994 (Act nº 39 of 1994).

(3) The Cabinet member responsible for State security must appoint a member to act as chairperson whenever the chairperson is absent from the Republic or from duty, or for any reason is temporarily unable to carry out the responsibilities as chairperson.

(4) The work incidental to the performance of the functions of the Cyber Response Committee must be performed by a secretariat, consisting of designated administrative personnel of the State Security Agency.

(5) The objects and functions of the Cyber Response Committee are to implement Government policy relating to cybersecurity.

(6) The Cabinet member responsible for State security must oversee and exercise control over the performance of the functions of the Cyber Response Committee.

(7) The Cabinet member responsible for State security must, at the end of each financial year, submit a report to the Chairperson of the Joint Standing Committee on Intelligence established by section 2 of the Intelligence Services Control Act, 1994, regarding progress that has been made towards achieving the objects and functions of the Cyber Response Committee.

(8) For purposes of this section:

(a) ‘‘Head of a Department’’ means the incumbent of a post mentioned in Column 2 of Schedule 1, 2 or 3 to the Public Service Act, 1994, and includes any employee acting in such post; and

(b) ‘‘representative Department’’ means:

(i) the Department of Defence;

(ii) the Department of Home Affairs;

(iii) the Department of International Relations and Cooperation;

(iv) the Department of Justice and Constitutional Development;

(v) the Department of Science and Technology;

(vi) the Department of Telecommunications and Postal Services;

(vii) the Financial Intelligence Centre, established by section 2 of the Financial Intelligence Centre Act, 2001 (Act nº 38 of 2001);

(viii) the National Prosecuting Authority;

(ix) the National Treasury;

(x) the South African Police Service;

(xi) the South African Reserve Bank;

(xii) the South African Revenue Service;

(xiii) the State Security Agency; and

(xiv) any other Department or public entity which is requested, in writing, by the Chairperson of the Cyber Response Committee to assist the Committee.

 

Government structures supporting cybersecurity

 

54.-

(1)

(a) The Cabinet member responsible for State security must:

(i) establish, equip, operate and maintain a computer security incident response team for Government;

(ii) establish and maintain sufficient human and operational capacity to:

(aa) give effect to cybersecurity measures falling within the Constitutional mandate of the State Security Agency; and

(bb) effectively deal with critical information infrastructure protection; and

(iii) in cooperation with any institution of higher learning, in the Republic or elsewhere, develop and implement accredited training programs for members of the State Security Agency in order to give effect to subparagraphs (i) and (ii).

(b) The Cabinet member responsible for State security may make regulations to further regulate any aspect referred to in paragraph (a).

(c) The Cabinet member responsible for State security must, at the end of each financial year, submit a report to the Chairperson of the Joint Standing Committee on Intelligence established by section 2 of the Intelligence Services Control Act, 1994, on the progress made with the implementation of this subsection.

(2)

(a) The Cabinet member responsible for policing must:

(i) establish and maintain sufficient human and operational capacity to detect, prevent and investigate cybercrimes;

(ii) ensure that members of the South African Police Service receive basic training in aspects relating to the detection, prevention and investigation of cybercrimes; and

(iii) in cooperation with any institution of higher learning, in the Republic or elsewhere, develop and implement accredited training programs for members of the South African Police Service primarily involved with the detection, prevention and investigation of cybercrimes.

(b) The Cabinet member responsible for policing may make regulations to further regulate any aspect referred to in paragraph (a).

(c) The Cabinet member responsible for policing must, at the end of each financial year, submit a report to Parliament regarding:

(i) progress made with the implementation of this subsection;

(ii) the number of:

(aa) offences provided for in Chapter 2 or sections 16, 17 or 18, which were reported to the South African Police Services;

(bb) cases which were, in terms of item (aa), reported to the South African Police Service which resulted in criminal prosecutions; and

(cc) cases where no criminal prosecutions were instituted after a period of 18 months after a case was, in terms of item (aa), reported to the South African Police Service; and

(iii) the number of members of the South African Police Service who received training as contemplated in paragraph (a)(iii).

(3)

(a) The Cabinet member responsible for defence must:

(i) establish and maintain a cyber offensive and defensive capacity as part of the defence mandate of the South African National Defence Force; and

(ii) in cooperation with any institution of higher learning, in the Republic or elsewhere, develop and implement accredited training programs for members of the South African National Defence Force in order to give effect to subparagraph (i).

(b) The Cabinet member responsible for defence may make regulations to regulate any aspect which is necessary or expedient for the proper implementation of this subsection.

(c) The Cabinet member responsible for defence must, at the end of each financial year, submit a report to the Chairperson of the Joint Standing Committee on Defence of Parliament on the progress made with the implementation of this subsection.

(4)

(a) The Cabinet member responsible for telecommunications and postal services must:

(i) establish and maintain a Cybersecurity Hub as part of the Department of Telecommunications and Postal Services to:

(aa) promote cybersecurity in the private sector;

(bb) act as a central point of contact between Government and the private sector on cybersecurity;

(cc) encourage and facilitate the establishment of nodal points and private sector computer security incident response teams in the private sector; and

(dd) respond to cybersecurity incidents;

(ii) equip, operate and maintain the Cybersecurity Hub; and

(iii) in cooperation with any institution of higher learning, in the Republic or elsewhere, develop and implement accredited training programs for members of the Cybersecurity Hub in order to give effect to subparagraph (i).

(b) The Cabinet member responsible for telecommunications and postal services exercises final responsibility over the administration and functioning of the Cybersecurity Hub.

(c) The Cabinet member responsible for telecommunications and postal services may make regulations to regulate any aspect which is necessary or expedient for the proper implementation of this subsection.

(d) The Cabinet member responsible for telecommunications and postal services must, at the end of each financial year, submit a report to Parliament regarding progress that has been made towards achieving the objects and functions of the Cybersecurity Hub contemplated in paragraph (a).

 

Nodal points and private sector computer security incident response teams

 

55.-

(1)

(a) The Cabinet member responsible for telecommunications and postal services must, by notice in the Gazette, after following a consultation process with the persons or entities in a sector, declare different sectors which provide an electronic communications service for which a nodal point must be established.

(b) The declaration of different sectors referred to in paragraph (a) must be done in consultation with the Cabinet member responsible for the administration of that sector.

(2) Each sector must, within six months from the date of the publication of a notice referred to in subsection (1)(a), identify and establish a nodal point, which will be responsible for:

(a) distributing information regarding cyber incidents to other entities within the sector;

(b) receiving and distributing information about cybersecurity incidents to the nodal points established for other sectors or any computer security incident response team recognised in terms of subsection (6);

(c) reporting cybersecurity incidents to the Cybersecurity Hub contemplated in section 54(4); and

(d) receiving information about cybersecurity incidents from the Cybersecurity Hub.

(3) If a sector fails to identify or establish a nodal point contemplated in subsection (2), the Cabinet member responsible for telecommunications and postal services may, after consultation with the sector, identify and establish a nodal point for that sector on such terms and conditions as he or she deems fit in order to give effect to the objects of this section.

(4) A particular sector is responsible for the establishment and operating costs of a nodal point established in terms of subsections (2) or (3).

(5)

(a) The Cabinet member responsible for telecommunications and postal services may make regulations, after consultation with a sector to further regulate:

(i) contributions to be made by entities in a sector to fund a nodal point established for a particular sector in terms of subsections (2) or (3); and

(ii) any aspect relating to the establishment, operation or functioning of a nodal point which is established for a sector.

(b) The regulations contemplated in paragraph (a) may provide that any person or entity that contravenes or fails to comply with a regulation is guilty of an offence and is liable on conviction to a fine or to imprisonment not exceeding one year or to both a fine and such imprisonment.

(6)

(a) The Cabinet member responsible for telecommunications and postal services may, by notice in the Gazette, recognise any computer security incident response team which is established for a sector.

(b) The Cabinet member responsible for telecommunications and postal services may:

(i) after consultation with any computer security incident response team which is established for a sector and the entities of that sector; and

(ii) in consultation with the Cabinet member responsible for the administration of the sector for which a computer security incident response team has been recognised in terms of paragraph (a),

make regulations to further facilitate the effective functioning of such a computer security incident response team.

(c) The regulations contemplated in paragraph (b) may provide that any person or entity that contravenes or fails to comply with a regulation is guilty of an offence and is liable on conviction to a fine or to imprisonment not exceeding one year or to both a fine and such imprisonment.

 

Information sharing

 

56.- Subject to any other law, the Cabinet member responsible for the administration of justice must make regulations to regulate information sharing, for purposes of this Chapter, regarding:

(a) cybersecurity incidents; and

(b) the detection, prevention, investigation or mitigation of cybercrime.

 

CHAPTER 11.- CRITICAL INFORMATION INFRASTRUCTURE PROTECTION

 

Protection of critical information infrastructure

 

57.-

(1) The State Security Agency:

(a) in consultation with the Cyber Response Committee; and

(b) after consultation with the owner or the person in control of any information infrastructure which is identified as a potential critical information infrastructure,

must within 12 months of the fixed date, submit to the Cabinet member responsible for State security, information and recommendations regarding information infrastructures which need to be declared as critical information infrastructures.

(2) The Cabinet member responsible for State security may, subject to subsection (3), after considering any information and recommendations made to him or her in terms of subsection (1), by notice in the Gazette, declare any information infrastructure, or category or class of information infrastructures or any part thereof, as critical information infrastructures if such information infrastructure or information infrastructures are of such a strategic nature that any interference with them or their loss, damage, disruption or immobilisation may:

(a) substantially prejudice the security, defence, law enforcement or international relations of the Republic;

(b) substantially prejudice the health or safety of the public;

(c) cause a major interference with or disruption of an essential service;

(d) cause any major economic loss;

(e) cause destabilisation of the economy of the Republic; or

(f) create a major public emergency situation.

(3) Before the Cabinet member responsible for State security declares an information infrastructure a critical information infrastructure in terms of subsection (2), he or she must:

(a) with the exception of the State Security Agency, as referred to in section 3(1) of the Intelligence Services Act, 2002, where the information infrastructure, or any part thereof, belongs to, or is under the control of, a Department of State, consult with the Cabinet member responsible for that Department;

(b) if the information infrastructure, or any part thereof:

(i) is under the functional control or administration of a Provincial Government; or

(ii) relates to or is incidental to:

(aa) a functional area listed in Schedule 4 or 5 to the Constitution;

(bb) any matter outside the functional areas listed in Schedule 4 or 5 to the Constitution that is expressly assigned to the province by national legislation; or

(cc) any matter for which a provision of the Constitution envisages the enactment of provincial legislation,

consult with the Premier of the province concerned;

(c) where the information infrastructure, or any part thereof:

(i) is under the functional control or administration of a municipality; or

(ii) relates to, or is incidental to:

(aa) any matter listed in Part B of Schedule 4 and Part B of Schedule 5 to the Constitution; or

(bb) any matter outside the functional areas listed in Part B of Schedule 4 or 5 to the Constitution and that is expressly assigned by national or provincial legislation to a Municipal Council,

consult with the municipal manager of the municipality concerned;

(d) where the information infrastructure, or any part thereof, belongs to a constitutional institution contemplated in Schedule 1 to the Public Finance Management Act, 1999, or the Public Service Commission, consult with the chief executive officer of the institution concerned;

(e) where the information infrastructure, or any part thereof, belongs to a public entity contemplated in Schedule 2 or Parts A and B of Schedule 3 to the Public Finance Management Act, 1999, consult with the Cabinet member responsible for the administration of the national public entity and the chief executive officer of the national public entity;

(f) where the information infrastructure, or any part thereof, belongs to a financial sector regulator, consult with:

(i) the Cabinet member responsible for finance; and

(ii) the financial sector regulator concerned;

(g) where the information infrastructure, or any part thereof, belongs to, or is under the control of, the South African Reserve Bank or is a payment system institution, consult with the Cabinet member responsible for finance and the Governor of the South African Reserve Bank;

(h) where the information infrastructure, or any part thereof, belongs to, or is under the control of, a financial institution, consult with each applicable financial sector regulator and:

(i) consult with that financial institution;

(ii) afford the financial institution the opportunity to make written representations on any aspect relating to the Cabinet member’s intention to declare the information structure as a critical information infrastructure;

(iii) consider the representations of the financial institution; and

(iv) give a written decision to the financial institution and each applicable financial sector regulator; or

(i) where the information infrastructure, or any part thereof, belongs to, or is under the control of, a company, an entity or a person not referred to in paragraphs (a) to (h):

(i) consult with the company, entity or person;

(ii) consult with any regulatory body, established in terms of any law, which exercises regulatory control over actions of the company, entity or person;

(iii) afford the company, entity, person and the regulatory body concerned the opportunity to make written representations on any aspect relating to the Cabinet member’s intention to declare the information infrastructure as a critical information infrastructure;

(iv) consider the representations of the company, entity, person and regulatory body; and

(v) give a written decision to the company, entity or person and regulatory body concerned.

(4) The Cabinet member responsible for State security must, within six months of the declaration of any information infrastructure, or category or class of information infrastructure or any part thereof, as a critical information infrastructure, in consultation with the relevant Cabinet members, issue directives to the critical information infrastructure in order to regulate minimum standards relating to:

(a) the classification of data held by the critical information infrastructure;

(b) the protection of, the storing of and archiving of data held by the critical information infrastructure;

(c) cybersecurity incident management by the critical information infrastructure;

(d) disaster contingency and recovery measures which must be put in place by the critical information infrastructure;

(e) minimum physical and technical security measures that must be implemented in order to protect the critical information infrastructure;

(f) the period within which the owner, or person in control of a critical information infrastructure must comply with the directives; and

(g) any other relevant matter which is necessary or expedient in order to promote cybersecurity in respect of the critical information infrastructure.

(5) A directive or any amendment to a directive referred to in subsection (4) must be issued in consultation with the relevant Cabinet members, and if it is a critical information infrastructure referred to in:

(a) subsection (3)(a), (b) or (c), in consultation with the Cabinet member responsible for that Department or the Premier of the province concerned or the municipal manager of the municipality concerned;

(b) subsection (3)(d), in consultation with the chief executive officer of the institution concerned;

(c) subsection (3)(e), in consultation with the Cabinet member responsible for the administration of the national public entity and the chief executive officer of the national public entity;

(d) subsection (3)(f), in consultation with the Cabinet member responsible for finance and the financial sector regulators concerned;

(e) subsection (3)(g), in consultation with the Cabinet member responsible for finance and the Governor of the South African Reserve Bank;

(f) subsection (3)(h):

(i) in consultation with the financial sector regulator concerned; and

(ii) after consultation with the financial institution; or

(g) subsection 3

(i) in consultation with any applicable regulatory body concerned; and

(ii) after consultation with the company, entity or person.

(6) Any information infrastructure declared a critical information infrastructure must, within the period stipulated in the directives, comply with the directives issued in terms of subsection (4).

(7)

(a) A financial institution contemplated in subsection (3)(h), or company, entity or person contemplated in subsection (3)(i), may dispute the decision of the Cabinet member responsible for State security:

(i) in terms of subsection (3)(h)(iv) or (i)(v); or

(ii) any aspect relating to the directives referred to in subsection (4).

(b) A dispute in terms of:

(i) paragraph (a)(i) must be lodged within 30 days from the date on which the decision in terms of subsection (3)(h)(iv) or (i)(v) is made known by the Cabinet member; or

(ii) paragraph (a)(ii) must be lodged before the end of the period within which the owner of, or person in control of a critical information infrastructure must comply with the directives as contemplated in subsection (4)(f),

and set out the grounds for the dispute.

(c) The Cabinet member responsible for State security or his or her representative must take appropriate steps to settle the dispute by consensus within 30 days from lodging the dispute referred to in paragraph (b).

(d) The Cabinet member responsible for State security, in consultation with the Cabinet member responsible for the administration of justice, must make regulations to provide for:

(i) the form and manner in which a dispute must be lodged in terms of paragraph (b); and

(ii) matters necessary or incidental to the process for settlement of disputes as contemplated in paragraph (c).

(e) If the dispute is not settled within 30 days, as contemplated in paragraph (c), the dispute must be referred for arbitration, at the request of the Cabinet member responsible for State security, by a recognised body concerned with the facilitation and promotion of the resolution of disputes by means of mediation or arbitration to be agreed on between the financial institution, financial sector regulator, company, entity, person or regulating body concerned and the Cabinet member responsible for State security.

(f) An arbitrator referred to in paragraph (e) must be a person appointed on account of his or her knowledge of:

(i) the law;

(ii) cybersecurity;

(iii) protection of critical information infrastructures; and

(iv) the activities of the financial institution, company, entity or person concerned.

(g) The provisions of the Arbitration Act, 1965 (Act nº 42 of 1965), apply, with the changes required by the context, to an arbitration contemplated in paragraph (e).

(h) The unsuccessful party in the arbitration proceedings is responsible for the costs of the arbitration proceedings.

(i) The Cabinet member responsible for State security, company, entity or person may appeal the decision of the arbitrator to the High Court.

(j) An appeal in terms of paragraph (i) must:

(i) be lodged within 180 days from the date on which the arbitration award is made or such later date as the High Court permits;

(ii) set out the grounds for the appeal; and

(iii) be proceeded with as if it were an appeal from a magistrate’s court to the High Court.

(8) The owner or person in control of a critical information infrastructure must, in consultation with the Cabinet member responsible for State security, at own cost, take steps to the satisfaction of the Cabinet member for purposes of complying with the directives contemplated in subsection (4).

(9) If the owner or person in control of a critical information infrastructure fails to take the steps referred to in subsection (8), the Cabinet member responsible for State security may, by written notice, order him or her to take such steps in respect of the critical information infrastructure specified in the notice, within the period specified in the notice.

(10) An owner or person in control of the critical information infrastructure who without reasonable cause refuses or fails to take the steps specified in the notice within the period specified therein, is guilty of an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

(11) If the owner or person in control of the critical information infrastructure fails or refuses to take the steps specified in the notice within the period specified therein, the Cabinet member responsible for State security may take or cause to be taken those steps which the owner or person failed or refused to take, irrespective of whether the owner or person has been charged or convicted in connection with that failure or refusal, and the Cabinet member may recover the costs of those steps from the owner or person on whose behalf they were taken.

(12) For purposes of this section:

(a) ‘‘classification of data’’, means to assign a level of sensitivity, value and criticality to the data for purposes of security controls for the protection of the data;

(b) ‘‘day’’ means a calendar day, and must be calculated by excluding the first and including the last day, unless the last day falls on a Saturday, a Sunday or any public holiday, in which case the number of days shall be calculated by excluding the first day and also any such Saturday, Sunday or public holiday: Provided that the days between 16 December of a year and 5 January of the following year, both inclusive, shall not be taken into account in determining days;

(c) ‘‘fixed date’’ means the date fixed by the President by proclamation in the Gazette as contemplated in section 63;

(d) ‘‘information infrastructure’’ means any data, computer program, computer data storage medium, computer system or any part thereof or any building, structure, facility, system or equipment associated therewith or part or portion thereof or incidental thereto; and

(e) ‘‘relevant Cabinet members’’ means the Cabinet members responsible for defence, telecommunications and postal services, the administration of justice, policing and State security.

 

Auditing of critical information infrastructures to ensure compliance

 

58.-

(1) The owner or person in control of a critical information infrastructure must, once every 24 months, at own cost, cause an audit to be performed on the critical information infrastructure by an independent auditor in order to evaluate compliance with the directives issued in terms of section 57(4).

(2) Before an audit referred to in subsection (1) is performed on a critical information infrastructure, the owner or person in control of a critical information infrastructure must, at least 30 days in advance of the date of the audit, notify the Director-General: State Security, in writing of:

(a) the date on which an audit is to be performed; and

(b) the particulars and contact details of the person who is responsible for the overall management and control of the audit.

(3) The Director-General: State Security may designate any member of the State Security Agency or any other person to monitor, evaluate and report on the adequacy and effectiveness of any audit referred to in subsection (1).

(4) The owner or person in control of a critical information infrastructure must, within 40 days after an audit referred to in subsection (1) has been completed, report in the prescribed form and manner to the Director-General: State Security regarding the outcome of the audit referred to in subsection (1).

(5) The Director-General: State Security may request the owner or person in control of a critical information infrastructure to provide such additional information as may be necessary within a specified period in order to evaluate the report referred to in subsection (4).

(6) If the owner or person in control of a critical information infrastructure:

(a) fails to cause an audit to be performed on a critical information infrastructure in terms of subsection (1) in order to evaluate compliance with the directives issued in terms of section 57(4);

(b) fails to give a report referred to in subsection (4) to the satisfaction of the Director-General: State Security;

(c) fails to provide such additional information as may be necessary within a specified period in order to evaluate the report after he or she has been requested to do so in terms of subsection (5) to the satisfaction of the Director-General: State Security; or

(d) requests the Director-General: State Security to perform an audit referred to in subsection (1),

the Director-General: State Security must, subject to subsections (3) and (7), cause an audit to be performed on the critical information infrastructure by an independent auditor in order to evaluate compliance with the provisions of section 57(4).

(7) Before an audit is performed pursuant to a failure contemplated in subsection (6)(a), (b) or (c), the Director-General: State Security must, in respect of a critical information infrastructure referred to in:

(i) section 57(3)(f), consult with the Director-General: National Treasury and the financial sector regulator concerned;

(ii) section 57(3)(g), consult with the Cabinet member responsible for finance and the Governor of the South African Reserve Bank; or

(iii) section 57(3)(h), consult each relevant financial sector regulator.

(8) No person may perform an audit on a critical information infrastructure pursuant to the provisions of subsection (6) unless he or she:

(a) has been authorised in writing by the Director-General: State Security to perform such audit;

(b) is in possession of a certificate of appointment, in the prescribed form, issued by the Director-General: State Security, which certificate must be submitted to the owner or person in control of a critical information infrastructure at the commencement of the audit; and

(c) is accompanied by a person in control of the critical information infrastructure or a person designated by such a person.

(9) The person contemplated in subsection (8)(c) and any other employee of the critical information infrastructure must assist and provide technical assistance and support to any person who is authorised, in terms of subsection (8)(a), to carry out an audit.

(10) The critical information infrastructure which is audited pursuant to the provisions of subsection (6) is responsible for the cost of the audit.

(11) The owner or person in control of a critical information infrastructure who:

(a) fails to cause an audit to be performed on a critical information infrastructure in terms of subsection (1) in order to evaluate compliance with the provisions of section 57(4);

(b) fails to notify the Director-General: State Security in writing of an audit to be performed as contemplated in subsection (2);

(c) fails to:

(i) report on the outcome of the audit within 40 days as contemplated in subsection (4); or

(ii) provide, within the specified time period, the additional information requested by the Director-General: State Security as contemplated in subsection (5); or

(d) furnishes:

(i) a report referred to in subsection (4); or

(ii) any additional information referred to in subsection (5),

to the Director-General: State Security which he or she knows to be false or which he or she does not know or believe to be true,

is guilty of an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

(12) Any person who:

(a) hinders, obstructs or improperly attempts to influence any member of the State Security Agency, person or entity to monitor, evaluate and report on the adequacy and effectiveness of an audit contemplated in subsection (3);

(b) hinders, obstructs or improperly attempts to influence any person authorised to carry out an audit in the exercise of his or her powers or the performance of his or her functions or duties;

(c) fails to accompany any person authorised to carry out an audit as contemplated in subsection (8)(c); or

(d) fails to assist or provide technical assistance and support to a person authorised to carry out an audit as contemplated in subsection (9),

is guilty of an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding two years or to both a fine and such imprisonment.

(13) The Cabinet member responsible for State security must, by notice in the Gazette, prescribe the persons or the category or class of persons who are competent to be appointed to perform an audit as contemplated in this section.

 

CHAPTER 12.- AGREEMENTS WITH FOREIGN STATES

 

National Executive may enter into agreements

 

59.-

(1) The National Executive may enter into any agreement with any foreign State regarding:

(a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of:

(i) an offence under Chapter 2 or section 16, 17 or 18;

(ii) any other offence in terms of the laws of the Republic which is or was committed by means or facilitated by the use of an article; or

(iii) an offence:

(aa) similar to those contemplated in Chapter 2 or section 16, 17 or 18 committed in a foreign State; or

(bb) any other offence substantially similar to an offence recognised in the Republic which is or was committed by means of, or facilitated by the use of an article, in that foreign State;

(b) the implementation of cyber threat response activities;

(c) research, information and technology-sharing and the development and exchange of information on cybersecurity-related matters;

(d) the establishment of 24/7 Point of Contact;

(e) the implementation of emergency cross-border response mechanisms to address cyber threats;

(f) the reciprocal implementation of measures to curb cybercrime; and

(g) the establishment of emergency centres to deal with cyber-related threats.

(2) A member of the National Executive must, as soon as it is practical after Parliament has agreed to the ratification of, accession to or amendment or revocation of an agreement referred to in subsection (1), give notice thereof in the Gazette.

 

CHAPTER 13.- GENERAL PROVISIONS

 

National Director of Public Prosecutions must keep statistics of prosecutions

 

60.-

(1) The National Director of Public Prosecutions must keep statistics of the number of prosecutions instituted in terms of Chapter 2 or section 16, 17 or 18, the outcome of those prosecutions and any other information relating to those prosecutions, which is determined by the Cabinet member responsible for the administration of justice.

(2) The statistics or information contemplated in subsection (1) must:

(a) be included in the report of the National Director of Public Prosecutions referred to in section 22(4)(g) of the National Prosecuting Authority Act, 1998; and

(b) on the written request of the Chairperson of the Cyber Response Committee referred to in section 53, be made available to the Chairperson of the Cyber Response Committee.

 

Repeal or amendment of laws

 

61.- The laws mentioned in the Schedule are hereby repealed or amended to the extent reflected in the third column of the Schedule.

 

Regulations

62.-

(1) The Cabinet member responsible for the administration of justice must make regulations:

(a) to prescribe the:

(i) form and manner of the application contemplated in section 19(1);

(ii) form of the order contemplated in section 19(3);

(iii) form and manner of serving the order contemplated in section 19(4);

(iv) form and manner of the application contemplated in section 19(6);

(v) manner in which the court may subpoena a person as contemplated in section 19(8);

(vi) form of the direction and affidavit and manner to furnish information to court as contemplated in section 20(1)(b);

(vii) manner of serving a direction as contemplated in section 20(2);

(viii) manner and the form of the affidavit to apply for an extension of the time period or cancellation of the direction as contemplated in section 20(3)(b);

(ix) manner for requesting additional information as contemplated in section 20(4)(b);

(x) form and manner of informing an electronic communications service provider or person of the outcome of application as contemplated in section 20(4)(d);

(xi) tariffs of compensation payable to an electronic communications service provider as contemplated in section 20(6);

(xii) form of the order and manner of service of the order as contemplated in section 21(3);

(xiii) the form of the expedited preservation of data direction and manner of service as contemplated in section 39(3);

(xiv) form and manner for the making of an application contemplated in section 39(7);

(xv) form of the preservation of evidence direction and manner of service contemplated in section 40(2);

(xvi) form and manner for an application to set aside a preservation of evidence direction as contemplated in section 40(5);

(xvii) form of the disclosure of data direction and manner of service as contemplated in section 42(4);

(xviii) form and manner of an application for the amendment or setting aside of a disclosure of data direction as contemplated in section 42(6);

(xix) form of the affidavit contemplated in section 42(8)(b);

(xx) form of the affidavit contemplated in section 48(2)(b)(ii); and

(xxi) form of the direction contemplated in section 49(1); and

(b) to regulate information sharing as contemplated in section 56.

(2)

(a) The Cabinet member responsible for policing must make regulations in terms of section 52(2), prescribing the:

(i) category or class of offences which must be reported to the South African Police Service in terms of section 52(2)(a); and

(ii) form and manner in which an electronic communications service provider or financial institution must report offences to the South African Police Service as contemplated in section 52(2)(b).

(b) The Cabinet member responsible for policing may make regulations to further regulate aspects contemplated in section 50(4) and 54(2)(b).

(3)

(a) The Cabinet member responsible for State security must make regulations to prescribe the:

(i) form and manner in which a dispute must be lodged as contemplated in section 57(7)(d);

(ii) form of the report and manner of reporting to the Director-General: State Security as contemplated in section 58(4);

(iii) form of the certificate as contemplated in section 58(8)(b); and

(iv) persons or the category or class of persons who are competent to be appointed to perform an audit as contemplated in section 58(13).

(b) The Cabinet member responsible for State security may make regulations as contemplated in section 54(1)(b).

(4) The Cabinet member responsible for defence may make regulations as contemplated in subsection 54(3)(b).

(5) The Cabinet member responsible for telecommunications and postal services may make regulations as contemplated in sections 54(4)(c) and 55(5).

(6) Any regulation made in terms of subsection (1), (2), (3), (4), (5) or (6), must be submitted to Parliament before publication thereof in the Gazette.

 

Short title and commencement

 

63.-

(1) This Act is called the Cybercrimes and Cybersecurity Act, 2017, and comes into operation on a date fixed by the President by proclamation in the Gazette.

(2) Different dates may be fixed under subsection (1) in respect of different provisions of this Act.