South Africa Introduces Revised Cybercrime Legislation, Acknowledging Criticism

Mailyn Fidler is a fellow at the Berkman Klein Center for Internet and Society at Harvard University. You can follow her @mailynfidler. 

In February 2017, South Africa introduced a new cybercrime bill to its parliament. It is a revision of a previous 2015 bill that received substantial opposition from South African and international civil society organizations and businesses. These groups critiqued the 2015 legislation’s handling of computer-related terrorist activity, copyright offenses, free speech, and investigative powers. In the new 2017 bill, the South African government addresses many of these concerns, producing draft legislation civil society and private groups will more likely support, although some issues remain. The bill also takes important steps towards readying South Africa to cooperate internationally on cybercrime.

The new bill abandons the previous draft’s approaches to copyright infringement, which critics charged went beyond existing South African law. The revised legislation also drops much-criticized provisions on computer-related terrorist activity. The earlier bill defined such activity broadly, criminalizing, for example, causing “feelings of insecurity among . . . the public,” including economic insecurity.

South African and international civil society organizations argued that the 2015 bill placed excessive restrictions on free speech. For instance, the 2015 bill prohibited sharing “a data message which advocates, promotes or incites hate, discrimination or violence against a person or group of persons.” South African organization Right2Know criticized this language for violating constitutional protections for freedom of expression. The South African Constitution only permits restrictions on speech that constitutes war propaganda, incitement to imminent violence, or advocates hatred based on race, ethnicity, gender, or religion that constitutes incitement to cause harm.

The revised bill removes references to hate speech, and, in doing so, moves further from the approach favored by the African Union Convention on Cybercrime. However, the new legislation includes restrictions on speech that incites property damage--a limitation not found in the South African Constitution’s provisions on freedom of expression. The revised bill also targets “harmful” data messages, defined broadly as threats of violence or property damage, which might not qualify as incitement to imminent violence under the Constitution (see critique of earlier bill). The bill also defines harmful data messages to include those that are “inherently false” and “aimed at causing mental, psychological, physical or economic harm.” These types of restrictions on expression also may not be constitutional.

Other criticized aspects of the 2015 bill reappear in the new version. Concerns that the government could use the bill could to target whistleblowers remain. The revised legislation still grants officials with a warrant the authority to “use or obtain” relevant decryption keys, and electronic service providers must still report cybercrimes “if they are aware or become aware” of them. These provisions suggest the government might be moving towards compelled decryption and service providers might be expected to monitor users.

South Africa claims the legislation substantially expands its jurisdiction concerning cybercrime, compared to existing law. Both 2015 and 2017 versions of the bill give South Africa jurisdiction over cybercrimes committed in its territory or by its nationals and over foreign-origin cybercrimes that have an “effect in the Republic.” This last approach is not a unique expansion of jurisdiction. Countries routinely apply this “effects doctrine” in exercising jurisdiction over cybercrime, reflecting customary international law.

Claiming jurisdiction, however, is less of a challenge than establishing effective law enforcement cooperation across borders. To give the effects doctrine teeth, countries must cooperate on investigating and extraditing individuals charged with cybercrimes, a struggle even for the United States and other developed countries.

The legislation takes steps towards readying South Africa to cooperate with other nations on cybercrime. Both the new and old drafts establish a 24/7 point of contact and dual criminality requirement. The new draft adds sections dealing with a broader range of requestable data (real-time interception, traffic data, archived and indirect communications). These elements mirror sections of the Budapest Convention on Cybercrime, the main multilateral mechanism for international cooperation on cybercrime.

Despite these parallels, South Africa has not ratified the Budapest Convention, citing concerns over sovereignty. South Africa also has not supported the African Union Convention, which seeks to harmonize African cybercrime laws. Refraining from multilateral approaches to cybercrime leaves South Africa reliant on existing or newly concluded bilateral agreements, which can be time and resource intensive to set up, slowing cooperation. A go-it-alone approach could leave South Africa at a disadvantage.

That disadvantage aside, the bill’s mutual assistance procedures could turn South Africa into a regional hub for cooperation, like Brazil, bolstering its place among its neighbors. Consistency with the Budapest Convention could also qualify South Africa for a second-generation cross-border data request agreement with the United States, giving it expedited access to data stored by U.S. companies about South African crimes.

Overall, South Africa’s legislation models a “third way” of approaching cybercrime. South Africa’s government recognizes the importance of legal harmonization, making important adjustments to domestic cybercrime law, while still formally avoiding multilateral institutions that could impinge on its sovereignty. Other global south governments may follow South Africa’s example.