Data Privacy & Security

South Africa To Introduce New Cybersecurity Legislation

South Africa, like many other countries, is currently introducing comprehensive cybersecurity legislation. Following calls by various stakeholders to enact specialised cybercrime legislation and to align South Africa with international practice, South African authorities recently published a 128-page draft Cybercrimes and Cybersecurity Bill (the "Bill") for public comment. Comments will close on 30 November.  The Bill is part of a set of laws and policy initiatives in South Africa that aim to regulate the ever-expanding online economy and the surge in cyber-related crimes.  

Snapshot Of The Bill

 If passed, the Bill will codify numerous offences or "cybercrimes" and their respective penalties. In essence, the Bill:

  • imposes various obligations on electronic communications service providers;

  • criminalises the dissemination of data messages that advocate, promote or incite hate, discrimination or violence;

  • includes controversial provisions criminalising computer-related espionage and unlawful access to, and interception of, data;

  • provides local authorities with extensive investigation, search, access and/or seizure powers; and

  • gives South African courts jurisdiction over all defined cybercrimes that affect a person in South Africa regardless of where in the world the crime is committed.

     We discuss the first and second points below.  See here for our detailed client alert on the Bill.

 New Obligations For Electronic Communications Service Providers

 The Bill defines an "electronic communications service provider" (ECSP) as:

(a) a licensee or deemed licensee in terms of Electronic Communications and Transactions Act;

(b) a "financial institution" in terms of the Financial Service Board Act; or

(c) any person or entity who or which transmits, receives, processes or stores data of any other person.

 According to the Bill, an ECSP must:

  • take reasonable steps to inform its clients of cybercrime trends which affect or may affect them;

  • establish procedures for its clients to report cybercrimes;

  • inform its clients of measures which can be taken in order to safeguard itself against cybercrimes;

  • immediately report to the National Cybercrime Centre if it becomes aware that its computer network or electronic communications network is being used to commit a cybercrime; and

  • preserve any information which may be of assistance to the law enforcement agencies in investigation the offence.

 Given the wide definition of ECSP, the Bill as currently drafted will regulate a wide range of activities in the IT and communications, retail, banking and financial sectors, to name a few. Such a broad definition may have unintended consequences and, if passed without carve-outs or safe harbours,  will cover, for example, employers that process or store employee data, any retailer (both virtual and physical) that processes a purchaser's credit card information, or any website that stores its visitors' cookie data, even if temporarily. 

New Criminal Offences Relating To The Promotion Of Hate, Discrimination Or Violence

 The Bill provides that any person who unlawfully and intentionally

(a) makes available, broadcasts or distributes;

(b) causes to be made available, broadcast or distributed; or

(c) assists in making available, broadcasting or distributing a data message which advocates, promotes or incites hate, discrimination or violence against a person or a group of persons, is guilty of an offence.

This clause, while seemingly innocuous, even laudable, should be received with caution and scrutinised for unintended consequences.  On its face, this section would make it unlawful to distribute, share or broadcast prohibited speech, even for the purposes of analysis, comment or public discourse. Moreover, it would constitute a criminal offence to share a link to an article or video which constitutes prohibited speech. Such an arrangement, while not patently unconstitutional, may constitute an unreasonable restriction on freedom of information.


The Bill will likely be the subject of immense scrutiny in the coming months. Stakeholders should take the opportunity to influence the final text of the Bill by submitting their comments.  


Contributors – Sbo Cibane & Widaad Ebrahim