Electronic Communications and Transactions Amendment Bill 2012

[ellipsis]

The Minister of Communications has published a bill setting out extensive amendments to be made to the Electronic Communications and Transactions Act of 2002 ("the ECT Act").

The ECT Act is the first real piece of "digital-era" legislation in SA and it covers things like
- establishing that writing in data form has, for most purposes, the same legal force and effect as traditional writing
- authentication services
- cryptography services
- consumer protection in e-commerce and spam
- the creation and maintenance of the ZA domain name authority (ZADNA)
- limits on liability for ISPs and take down notices
- cyberinspectors and cybercrime
- eGovernment services
- the protection of critical databases

The review of the ECT Act was initiated by the SA Law Reform Commission - after 10 years and given that the DoC has ignored most of the obligations imposed on it by the Act it is probably fair to say that it is time for an overhaul.

The bill is available at http://www.ellipsis.co.za/electronic-communications-and-transactions-amendment-bill/

Comments are due by 7 December - internal deadline if mybb is to make a submission will be close of business on 4 December.

There is a lot that is covered. In the next few posts I will cut and paste the explanatory memorandum to the bill so you can get an overview of what it is about.

 

[ellipsis]

Explanatory Memo - Introduction

1. Background to this consultation

1.1 The Electronic Communications and Transactions Act, 2002, or ECT Act as it has become known, has been in place for a decade. During this time, the ECT Act has functioned well in all areas, providing for consumer protection ahead of the introduction of the Consumer Protection Act, 2008, and heralding the important notions of privacy and data protection. In addition, this Act has enabled the creation of the.za Domain Name Authority and so provided for the protection of level one and two domain names, and the resolution of disputes regarding registration of competing domain names. This Act has also enabled the creation of our first authentication service providers, LawTrust, to accredit electronic signature providers and cryptography providers.

1.2 However, in the decade since its introduction, the world has seen significant changes in the electronic communications sector, affecting our use of the internet. Social media over the internet and other forms of communications have revolutionized the way we communicate with one another and our fellow man, removing physical barriers to communications and the sharing of information. At the same time and as a consequence of the exponential growth in electronic transactions and our dependence on the internet, we have experienced a significant increase in hacking, security breaches, data mining for economic purposes, misuse of personal information, cyber security threats and cyber crime.

1.3 In response to these changes, the international community is seeking to harmonise their approach to a communications system that traverses borders, and to the sort of threats that are nameless and faceless but that can destroy or harm these otherwise beneficial systems. South Africa is a participant in many international initiatives and is a party to associated agreements and therefore has agreed to certain reforms. These reforms have some effect on the way in which electronic transactions and the internet and associated activities including cryptography and cyber security are carried out. As a result it is appropriate to review the ECT Act to ensure that South Africa measures up to the international benchmark in these areas.

1.4 Amendments are also proposed to this Act to take account of industry needs and recommendations that have been brought to the Minister's attention. The original version of the Act was based largely and still is consistent with the UNCITRAL model for e-commerce legislation. Where the South African law of contract and/or sale provides rules for the conclusion of transactions, whether electronically or not, which are entrenched in our law, those rules have been preferred.

1.5 The Minister is grateful to the South African Law Reform Commission (SALRC) for certain suggestions in key areas affecting communications sector, namely, the institutional framework, the regulation of electronic communications, e-commerce, and interception and monitoring.

1.6 The Minister welcomes your views on these proposed amendments

 

[ellipsis]

Explanatory Memo - Definitions

2. CHAPTER I: Interpretation, Objects and Application

2.1 Several definitions now refer simply to the definition given to that term or word in another Act. Although we recognise that requires cross-referencing as between Acts, if the other Acts change then this one would have to change every time to reflect the exact definition if we were to copy the existing definition into this Act. For reasons of flexibility and accuracy we consider this to be a more sensible approach.

2.2 The International Telecommunications Union (ITU) has identified the following categories of e-commerce;
- Subscription and usage-based telephony, online, and Internet access services
- Subscription or transaction-based information services and software sales
- Consumer retail sales
- Business-to-business wholesale and retail services and sales
- Advertising and marketing services
- Financial services and transactions
- Government services and information; and
- Ancillary functions contributing to business/commercial activities.

With this in mind we have proposed a new definition of "electronic transactions" which includes commercial and non-commercial transactions.

This definition is based largely on the definitions of "consideration",
"supplier" and "transaction" from the Consumer Protection Act, 2008 (CPA), for consistency. These definitions are important when it comes to unsolicited communications, dealt with in Chapter VII.

2.3 We have also had regard to the definitions advanced by the OECD, other jurisdictions, and the ITU. In particular we note the ITU's guidelines in the context of a review of e-commerce in Caribbean countries in 2011, http://www.itu.lnt/ITUD/projects/IT...A_Assessment_Electronic_Transactions_V2-E.pdf, which are generally applicable. The guidelines feature eight categories of general principles which are:

(i) Transparent and Effective Protection for Consumers which is not less than the level of protection afforded in other forms of commerce.
(ii) Fair Business, Advertising and Marketing Practices by businesses engaged in electronic commerce.
(iii) Online Disclosures - Clear and obvious disclosures.
(iv) Confirmation Process included in the electronic transaction affording the consumer an opportunity to express an informed and deliberate consent to the purchase; and retain a complete and accurate record of the transaction.
(v) Secure Payment mechanisms, including information on the level of security such mechanisms afford.
(vi) Dispute Resolution alternatives accessible in a timely manner without undue cost or burden
(vii) Privacy in accordance with the recognized privacy principles set out in the OECD Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data (1980) to provide appropriate and effective protection for consumers.
(viii) Education and Awareness to educate consumers about electronic commerce, to foster informed decision-making by consumers and to increase business and consumer awareness of the consumer protection framework that applies to their online activities.

2.4 We have noted these principles in proposing other changes to the Act.

2.5 To remove confusion regarding the different "authorities" in the Act, we have defined the Authority responsible for accreditation of authentication products as the "Accreditation Authority" and the Domain Name Authority is simply called ".zadna".

2.6 The definition of a "cryptography provider" is broad and can be construed to mean that even a person who installs software in a computer could be a cryptography provider. This clause in the Act was meant to refer only to people or entities that develop cryptography products and services. The phrase has been reviewed to define "cryptography providers" as entities or individuals that develop cryptography products and service and not end users.

2.7 "critical information databases" are now being referred to as "critical information infrastructure" in terms of both international texts and conventions on cyber security, and our own National Cyber Security Policy Framework of March 2012 (the Framework). We have therefore replaced "database" in this term with "infrastructure". In addition, the Framework distinguishes between "national" and other critical information infrastructure, "national" having reference to information that is of national importance, such as security information. We have amended both the definitions and Chapter IX in this regard.

2.8 The ECT Act contains a definition of the Internet' which the SALRC suggests has been superseded by technical revisions determined by engineers and developers, and case law. The suggested amendment describes the internet as binary code, or data, communicated through a network made up of electronic communications facilities using packet switching technology and communicating through TCP/IP, and as including future versions.

2.9 New entities such as the "National Consumer Commission" have been inserted to refer to the regulatory authority established by the CPA. The "JCPS cluster" refers to the cluster of Ministries tasked with Justice, Crime Prevention and Security, which Ministries are important in relation to the protection of South African networks and information, specifically in relation to cyber security. The Bill refers to this Cluster and to the Framework throughout - this is important to enable co-operation and joined up working to ensure that our information and communications systems are protected in a uniform way.

2.10 Although some changes have been made to the definition of "personal information", these have been made in the hope that this particular definition will not change in the final version of the
Protection of Personal Information Bill when it is finally approved. However, other clauses and provisions of that Bill have not been included because we understand that the Bill, when passed, will take precedence over any provisions pertaining to personal information in the ECT Act in any event. The definition of "personal information" has proved to be relatively uncontroversial and is not likely to change. It remains valid and important to the operation of the remainder of the ECT Act however, even if no other changes are made.

2.11 The ECT Act contains definitions of 'registry' and 'registrar' that do not include the.za Domain Name Authority (.zaDNA) as a registrar and registry or registry operator, as they are known in practice. We agree that the relevant authority or the country code top-level domain (ccTLD) administrator, like.zaDNA, should have the same responsibilities as registries or registrars operators with respect to updating repositories and the second-level domain administration. We have made consequential amendments to Chapter X and amendments to these definitions to address this. Furthermore we agree that an applicant for a domain name should remain an applicant until their application is approved and we have amended the definition of "registrant" accordingly. Finally, changes are also proposed to "repository" to reflect its nature as more accurately a registry database.

2.12 New definitions have been proposed including to define domain data as being data specifically used in and with relevance to the domain name registration process and the holding of a domain name. We propose to refer here to "registry data" including domain names, registrant names and contact details, zone records, registration and renewal dates, and any other data as may be prescribed.

2.13 The definition of 'Universal Access' differs in the ECT Act and ECA. In addition, section 82(3) of the ECA empowers the Minister of Communications (Minister) to further determine what constitutes universal service and access, upon the recommendations of the Universal Service and Access Agency of South Africa (USAASA), We propose to remove the definition from the ECT Act which should focus more on transactions, security and use of the internet, than policy goals such as universal service. This belongs more properly in the ECA.

2.14 "Unsolicited communications" are now unlawful unless the recipient has consented to receiving them - the so-called "opt-in" regime now applies. The definition of this term has been guided by the provisions of the CPA. The dti has been consulted in this regard. No consequential changes need to be made to the CPA.

2.15 Because service providers now include not only internet service providers but also wireless application service providers (WASPs), we have included definitions that allow for the recognition of these WASPs and their representative organization.

2.16 As a general matter we note that our review of the legislation has led us to review the penalty and remedy clauses within the Act. Throughout the Act we have replaced reference to a general or specific offence and associated cross-reference to section 85, with specific penalties or remedies for each Chapter. The loss of civil liberty should be a greater deterrent to potential wrongdoers than a financial penalty, therefore we have suggested either a fine up to a maximum or imprisonment with a maximum term, and in the case of service providers, a notice and take down procedure with a notice period. The severity of each offence will be judged on its merits and the adjudicating body or judge as the case may be, will be able to apply the remedy or the fine or imprisonment (as the case may be) to the maximum, in their discretion.

 

[ellipsis]

Explanatory Memo - Policy

3. CHAPTER II: Maximising Benefit and Policy Framework

3.1 This chapter is intended to enable use of the internet (among other things) to help to bridge the digital divide. The Act currently requires the development of a National e-Strategy by the Minister of
Communications, in consultation with other Ministers. The national e-Strategy must include detailed plans and programmes, with clear deliverables and timeframes, and must address the development of an e-transactions policy, the promotion of universal access and e-readiness, SMME development, empowerment of previously disadvantaged persons and communities, human resource development, education and training in the ICT sector.

3.2 This strategy has not yet been developed, however the Minister considers that it is necessary and will prioritise the development of such a strategy within 24 months after the promulgation of this Amendment Act. The strategy must deal with those matters that are globally being addressed, and in which endeavours South Africa is participating. These matters will include e-commerce for businesses, e-government, and security issues. The reference to the e-strategy has been amended in this regard. The strategy should address a 3-year period and should be approved by Cabinet. Some of the issues previously forming part of the content of policy should form part of the e-strategy including the need to take account of international best practice. In the same vein, certain of the human resource issues provided for in relation to the e-strategy can be situated within the ambit of the policy that the Minister may make for the sector.

3.3 The Minister therefore considers it appropriate to also provide for the making of policy in this Act, in the same way as the Minister makes policy under the ECA. However, the 2 Acts need to deal with different policies - this Amendment Act should address policy that is necessary in relation to e-readiness, SMME development, human resource development, education and training in the ICT sector. The current references to matters that are related in part or whole to universal service and access are proposed to be deleted in this Amendment Act.

Although SMME development may be considered to fall within the ambit of the ECA and particularly section 9 of the ECA, given that the Minister may in terms of section 3(1)(g) make policy in relation to the mechanisms to promote SMME participation in the ICT sector, the Minister considers this objective to be so important as to provide for it in the context of both electronic communications (within the ECA) and transactions using electronic communications (within this Act).

3.4 In making policy the Minister should have regard to the Framework for Cyber Security and issues that arise under Chapter XIII (cyber crime).

 

[ellipsis]

Explanatory Memo - Electronic Transactions

4. CHAPTER III: Facilitating Electronic Transactions

4.1 This chapter deals with removal of social and legal barriers to electronic transacting.

4.2 Part 1 provides for the legal recognition to data messages and records. Data messages are regarded as the functional equivalent of traditional "writing". Provision is made for the legal recognition of electronic signatures and "advanced electronic signatures" - a secure form of electronic signing. It is necessary to refer to the e-strategy and public key infrastructure strategy that may be developed by the committee to be established pursuant to the Framework, as this will have to be taken into account when regulating electronic transactions.

4.3 Part 2 deals with the rights and obligations that follow from the communication of data messages, namely contract formation. The time and place of sending and receiving data messages, as well as the time and place where a contract is deemed to be formed by means of data messages are provided for. The Act also provides for the validity of sending notices and other declarations of intent through data messages. In summary, this chapter addresses the admissibility of online communication as evidence in the court of law and what constitutes a contract. It introduces the concept of the advanced electronic signature, which subject to certain conditions, will have the same commercial weight as the traditional signature.

4.4 This chapter was reviewed by the SALRC with a view to determining how to ensure that electronic signatures can also have evidentiary weight. Very few changes are recommended to this chapter, as it is broadly in line with UNICTRAL rules and the position in the international community.

4.5 In general therefore, this chapter is considered to have taken account of international trends in adopting electronic signatures for the purpose of creating binding documents that can be relied upon in court.

 

[ellipsis]

Explanatory Memo - eGovernment Services

5. CHAPTER IV: e-Government Service

5.1 This chapter facilitates e-filing, the requirements for the production of electronic documents and the integrity of information. Provision is made for any Department or Ministry to accept and transmit documents in the form of electronic data messages, to issue permits or licences in the form of a data message or make or receive payment in electronic form.

5.2 The Minister has noted that the Department of Public Service and Administration (DPSA) is already acting in terms of this chapter and is consulting with the DPSA.

 

[ellipsis]

Explanatory Memo - Cryptography

6. CHAPTER V: Cryptography Providers

6.1 This chapter creates a framework for the registration of cryptography products and service, and for cryptography providers by the establishment and maintenance of a Cryptography Provider Register by the Department. The objective is to assist law enforcement in their investigations. This chapter should be read with Chapter 11 of the Regulation of Interception of Communications and Provision of Communications-Related Information Act, 2002 (as amended) (RICA).

6.2 However the chapter did not go far enough to require cryptography providers to provide information that will or could enable the Director General to determine whether or not that provider or those products and services as the case may be, could pose a threat to national security or prejudice the public interest.

6.3 The chapter has been amended to introduce specific objectives in relation to cryptography providers and their services and products, and obligations on those providers to renew their registration every 2 years. Other changes have been made to bring the chapter in line with international trends and requirements in relation to cryptography. This is unfortunately, one of the ways in which cyber criminals can access and destroy or interference or remove information stored or transmitted electronically and it is therefore receiving more attention and being made subject to stronger controls.

6.4 The objectives are to:
6.4.1 enable responses to requests for mandatory and lawful access to encrypted realtime communications or encrypted stored data;
6.4.2 address the challenges posed by the international use of cryptography products when seeking to gather security-related information of national importance; and
6.4.3 enable liaison with the JCPS cluster in relation to the development of capacity and standards in this regard.

6.5 The register must now record the country of origin of products of this sort.

6.6 Additional obligations may be imposed on cryptography service providers under regulations and these persons are reminded that they may have to comply with an order under RICA.

6.7 Because of the significance of the products that will be provided within the Republic, registration must be renewed every 2 years and application for renewal may be refused for example, for reasons of national security or poor or inadequate performance.

 

[ellipsis]

Explanatory Memo - Authentication

7. CHAPTER VI: Authentication Service Providers

7.1 This chapter provides for the establishment of an Accreditation Authority within the Department, to accredit certain types of electronic transaction service providers. The Accreditation Authority should also monitor compliance. The Accreditation Authority may temporarily suspend or revoke accreditations of an authentication product or service. Several of the provisions in this Chapter are now aligned with the preceding chapter on cryptography providers, such as registration of products and providers and renewal of registration.

7.2 The mandatory registration of these entities, products and services is new to this chapter. We consider that the significance of providing services and/or producing products requires mandatory registration. The tracking of manufacturers as well as providers will be possible through central registration.

7.3 The current definition of "authentication products and services" means any product or service designed to identify the holder of an electronic signature to other persons. The creation of an electronic signature is the result of a process involving a digital certificate (confirming the identity of the holder). The Accreditation Authority should also, in our view, create a register of products and services as well as service providers.

7.4 Registration should be mandatory in our view, not voluntary as is currently the case, because of the importance of the use of the products and services and the implications of their use by providers. We consider that registration of products and authentication service providers should extend to certification service providers, who may form a subset of authentication service providers, but may also simply provide certificates and not authentication products or services. They should therefore be obliged to register separately as well as where they are also authentication service providers.

7.5 Section 37 (3) provides for penalizing any person who falsely holds out its products or services. The extent of the penalty is not presently defined. The penalty should be such that it deters such behavior, and we have made amendments in this regard. A person falsely holding out its products or service to have been accredited by the Accreditation Authority should be guilty of an offence and fined or jailed in order to discourage falsification of products and services and the resulting prejudice to consumers.

7.6 Currently, only a South African accredited certification service provider can issue advanced electronic signatures, it is proposed that an electronic signature which is accredited in a foreign jurisdiction will only be recognised in South Africa and therefore eligible for registration, if there is an agreement of mutual recognition with that jurisdiction.

 

[ellipsis]

Explanatory Memo - Consumer Protection

8. CHAPTER VII: Consumer Protection

8.1 This chapter deals with consumer rights and issues pertaining to electronic transactions.

8.2 The CPA came into effect on 1 April 2011. The CPA clauses do not cover issues addressed by sections 43, 44 and 46 of this Act. Unless the CPA is amended so as to incorporate these provisions, they should be retained as is in the Act. The amendments proposed to this Act will however, replace the Consumer Affair Committee with the National Consumer Commission.

8.3 We have also given consideration to certain principles previously advanced by members of the public in relation to this Act. These have included suggestions to minimize the transmission of spam or prevent it altogether. The Minister is aware of the Code of Conduct prepared and enforced by the Wireless Application Services Provider Association (more about WASPA later). Having considered the provisions of the Act and the concerns, the Minister is of the view that certain changes will be useful:

8.3.1 The definition of "unsolicited communications" has been amended, taking into account the provisions of section 21 of the CPA, which section sets out in detail when a transaction or communication shall be considered to be "unsolicited". Unsolicited communications are not permitted without the specific and prior permission of the recipient, under section 45.

8.3.2 The Act now affords protection to both natural and legal persons.

8.4 The balance of the provisions of the chapter deal with the reception of messages, confidentiality, security and protection of the consumer, and should be read with the relevant provisions of the CPA.

 

[ellipsis]

Explanatory Memo - Personal Information

9. CHAPTER VIII: Protection of Personal Information

9.1 This chapter deals with the protection of personal information. However much work has been done in relation to new legislation to deal with personal information and privacy and the protection of state information. As a result, except as set out below, we have not amended this chapter and await the new legislation.

9.2 Section 50(2) of the Act provides that the principles governing the processing of electronically collected personal information are voluntary. We have amended this section in order to make the principles obligatory because the voluntary principles do not give effect to the right to privacy provided for in the Constitution.

9.3 As indicated in relation to definitions, "personal information" has been amended to reflect the proposed definition in the new Bill on personal information.

 

[ellipsis]

Explanatory Memo - Protection of Critical Infrastructure

10. CHAPTER IX: Protection of Critical Information Infrastructure

10.1 This chapter makes provision for the Minister to prescribe minimum standards on how to manage and maintain critical databases.

10.2 Information and network infrastructure for example the electricity grid, the management of dams and so on and all security information is stored on what are now going to be classified as critical information infrastructure or "national" critical information infrastructure - databases that hold information that is important and even critical to the country, or certain sectors.

10.3 This trend in nomenclature is being adopted by the Department, along with other changes to reflect the importance of the infrastructure and the responsibility that is shouldered by the infrastructure administrator, as indicated by the level of fines and length of term of imprisonment proposed for contraventions or failures to comply with this chapter.

 

[ellipsis]

Explanatory Memo - Domain names

11. CHAPTER X: Domain Name Authority and Administration

11.1 This chapter established a.za domain name authority as a section 21 company. The objects, powers and matters incidental to the incorporation of the company are already provided for in the Act. The Minister is empowered to establish a national policy on the.za domain name space. The Authority's role and function is described and provision is also made for alternate dispute resolution in the event of disputes arising from abusive domain name registrations or other issues related to domain name registrations.

11.2 The Act was previously silent on the removal of a board member from the board. The amendments address the removal in section 62. The Minister appoints members therefore the Minister should remove board directors subject to the list of circumstances that may apply in this regard.

11.3 Several other changes are proposed in relation to the board composition, appointment and changes. These are in part to improve transparency and efficiency in administration, having regard to best practise in corporate governance and specifically the requirements of King 111.

11.4 Additional changes to the staffing provisions of the chapter are also proposed, including that the chief executive officer should appoint suitable staff and because of this s/he can be held accountable for staffs performance and actions. Members of the board should be appointed for 3 years but the chairperson will be appointed for 4 years which we hope will ensure that because they will be appointed at different times, continuity will result.

11.5 Several wide-ranging changes have been proposed over the years by zadna. The Minister has considered these and presents a number of them for consultation where they are in line with international approaches to domain name management and administration.

11.6 The Minister recognises too that there are a number of registry operators administering second-level domain names, such as UNIFORUM South Africa (.co.za), the state-owned State Information Technology Agency (.gov.za) and privately-owned Internet Solutions (Proprietary) Limited (.org.za). In addition to these entities, the Internet Corporation for Assigned Names and Numbers (ICANN) has overall responsibility for managing the Domain Naming System (DNS). It administers the root domain, delegating control over each Top Level Domain (TLD) to a ccTLD administrator, such as.za Domain Name Authority (DNA). Because the DNS is not centralized, the administration of the second-level domain is further delegated to above-mentioned registry operators who administer the DNS with a great degree of independence. Some countries have third and fourth level domain administrators.

11.7 To ensure the stability of the system,.zaDNA must take the final and overall responsibility of the DNS in its territory, therefore it must be able to perform the functions of the registrars and registry operators, as and when required.

11.8 Additional changes have been made to definitions as set out in the initial section of this note.

11.9 Section 60 requires zadna to accept any citizen as a member without the member complying with any formality. For a number of reasons of an administrative nature, and for purposes of security and accountability, we propose to require members or applicants to submit more detailed information prior to registration. There is no good reason why members could not be juristic or natural persons and changes have been made in this regard as well.

11.10 The funding of.zadna has been reconsidered. To the extent that.zadna does receive funds from National Revenue Fund or other government sources it should be required to report on them to Cabinet in the ordinary course, but this is an obligation that need not apply to funds that.zadna receives from other sources. The usual reporting and accounting obligations continue to apply, as these would to any other section 21 company.

11.11 Section 68 provided that.zadna could make regulations with the approval of the Minister. This provoked some discomfort in that section 94 authorises the Minister specifically to make regulations. It was felt that.zadna ought not to have power to make regulations. However, it is our view that section 94 is not an exclusive provision but an authorizing provision - it does not say that only the Minister may make regulations. To allay any concerns about the appropriateness of.zadna making regulations we have reviewed the types of regulations that may be made and the content of them within section 68 and also provided that regulations must be made "subject to" the approval of the Minister, if the Minister has any concerns, then he or she will not approve the regulations. In this way the Minister retains the right to make regulations, whilst not having to propose their content which.zadna is better-placed to do in any event.

11.12 We understand that the regulations on alternative dispute resolution under section 69 have enabled the establishment of a successful mechanism in this regard, and we do not consider that any changes are required to this section.

11.13 Finally but importantly we have introduced new provisions in section 64 to address the registration by ICANN in the last few months of this year, of new generic domain names. This is for several reasons:

11.13.1 Domain names are beginning to take on importance that was previously not foreseen.

11.13.2 South African names that are intrinsically of national importance or relevance should be treated differently than corporate or brand names for reasons of public interest.

11.13.3 We propose that geographic or cultural gTLDs that are uniquely South African should not be registered without the permission of the Minister. These names might include for example, any reference to a South African national language, a South African place name, a South African heritage site, a South African historical event, a South African product or service, or a South African national team or national representative of any kind.

11.13.4 The registration of a South African language domain name such as .zulu by a non-South African for example, is innately wrong. The Minister wishes to promote the registration of this sort of domain name by entities associated with the protection and promotion of it or what it stands for and to prevent the arbitrary registration of important names or phrases which may be associated with our unique national heritage, by persons without an appropriate or justifiable reason.

11.14 Offenders under this chapter are liable for fines or imprisonment.

 

[ellipsis]

Explanatory Memo - ISP liability and Take Down Notices

12. CHAPTER XI: Limitation of Liability for Service Providers

12.1 This chapter creates a safe harbour for service providers who may be exposed to a wide variety of potential liability by virtue only of fulfilling their basic technical functions. The service providers may seek to limit their liability where they have acted as mere conduits for the transmission of data messages, provided the technical means for system caching, hosted data on an information system or where they have linked or referred users to an on-line location by the use of information location tools.

12.2 Chapter XI of ECTA deals with conditions under which the liability of service providers will be limited. One of the conditions is the membership of a service provider to an industry representative body recognised by the Minister. In the past applications have been made without response from the Department. We have recognised this as being an obstacle to the application of the Act. Once a representative body has requested recognition and received no response from the Minister within a period of 12 months, the industry body will be deemed to be recognised.

12.3 This chapter provided initially for the Internet Service Provider and at the time did not take into consideration Wireless Application Service Providers (WASPs). Amendments to the section now enable the application of it to WASPs as well. We have amended the section to refer to "information systems" and amended that definition as well. Although on the face of it the section may not apply to licensees under the ECA who are not "service providers", they should not be liable simply because they are categorized as licensees. Amendments are made in this regard so that any person providing service of the type that these service providers may or do provide, should fall within the section. This will require licensees wishing to benefit from the provisions to register with an industry body that is recognised by the Minister.

12.4 Liability will accrue nonetheless if any of the conditions set out in this chapter are not adhered to.

12.5 After further consideration, the Minister considers that any notice or take-down procedure should allow for the right of reply in accordance with the principle of administrative justice and the audi alteram partem rule. Changes have been proposed in this regard to section 77 and a new section 77A is proposed.

 

[ellipsis]

Explanatory Memo - Cyberinspectors

13. CHAPTER XII: Cyber Inspectors

13.1 This chapter makes provision for the Director-General to appoint cyber inspectors.

13.2 The cyber inspectors may monitor websites in the public domain. Cyber inspectors may also investigate whether cryptography service providers, authentication service providers and data controllers or information officers comply with the relevant provisions of this Act.

13.3 The power to inspect, search and seize has been granted to cyber inspectors, provided they obtain a warrant.

13.4 Section 84 (2) stipulates that "Any person who contravenes subsection (1) is guilty of an offence and liable conviction to a fine or to imprisonment for a period not exceeding six months". The clause does not currently stipulate how much the fine should be and the prison sentence of six months is not a deterrent. The amendments propose revisions here to increase the penalties that are possible in the event of a contravention of the section, for example, obstructing a cyber inspector or pretending to be one.

13.5 In addition, using information obtained pursuant to this section in contravention of its intended use or where confidentiality restrictions apply, will also render the offender liable to a penalty. This penalty is greater than the penalty referred to above, because the nature of the information may be of considerable importance, and in the case where it is of a personal nature, may expose the person to harm or prejudice. We have set out in a table attached to this note, an explanation of the existing and proposed penalty regime.

 

[ellipsis]

Explanatory Memo - Cyber Crime

14. CHAPTER VIII: Cyber Crime

14.1 This chapter introduces into the South African law statutory criminal offences relating to information systems. These crimes relate to the unauthorised access to, interception of or interference with data, and computer-related extortion, fraud or forgery. Any person aiding or abetting another to perform any of these crimes will be guilty as an accessory to the commission of that crime.

14.2 The provisions of this chapter have been aligned to moves internationally and particularly those anticipated in the Framework.

14.2.1 The Framework envisages that the JCPS cluster will take action in different ways to implement that policy, such as by criminalizing certain types of content (eg child pornography), making possession of certain types of malware an offence, introducing new measures to combat crime in general and cyber crime in particular, and requiring certain types of entities to adhere to a prescribed set of security parameters.

14.2.2 The Department is required to establish a Cyber Security Hub, which will have certain duties and powers. Its main function will be to co-ordinate the various activities and institutions involved in cyber security, and to educate the public and private sector about cyber security and cyber threats.

14.2.3 It will also publish guidelines on the steps that can be taken to protect electronic systems from cyber threats and cyber warfare, and if a "cyber incident" should occur, then this Hub will allocate resources to deal with it.

14.2.4 The Hub will also liaise with international counterparts on international trends and standards in cyber security and make these known within South Africa and within all Ministries with an interest in cyber security.

14.2.5 This is a crucially Important role. For this purpose the Department will create a new unit and this will need to be staffed. Technical skill will be a priority for this Hub and the policy to be produced by the Minister will outline the steps that we will take to prioritise skills development in this area.

14.2.6 The establishment of the Hub will begin immediately but will need to be developed alongside the development of other and related measures by the JCPS cluster. These endeavours will be ongoing. Information flows will be critical and the Department will focus on information-sharing and education as a first priority,

14.3 The ECT Act prescribes the penalties if a person is convicted of an offence in section 89 read with other sections of the Act.

14.3.1 In our view none of the current penalties are substantive and will not serve as a deterrent to criminals or potential wrongdoers, In the information society more emphasis needs to be placed on doing things correctly because of the reliance of us all on electronic communications and networks. Unfortunately deterrents are usually of a negative nature, and in South African law may take the form of specific remedies, or administrative fines, or prison terms, or more than one form of remedy.

14.3.2 Annexure A indicates what offences are identified under the Act as it stands, and what is proposed as a result of the changes and because more than a decade has passed since the offences and penalty regime under this Act was considered.

 

[ellipsis]

Comments are due by 7 December - internal deadline if mybb is to make a submission will be close of business on 4 December.

Just bumping the thread with a reminder of deadlines, if you're interested in mybb submitting comments on this.

 

[Junz]

thanks, very informative,

I would like to find out how the ECT act will affect my company which is based in Canada and has operations in South Africa, for regulatory purposes we have to revise our communications policy. what are the things i should be lookign out for and does canadian law apply to SA or vise versa ?

thank you

 

[dominic]

thanks, very informative,

I would like to find out how the ECT act will affect my company which is based in Canada and has operations in South Africa, for regulatory purposes we have to revise our communications policy. what are the things i should be lookign out for and does canadian law apply to SA or vise versa ?

thank you

Hi Junz

The ECT Act and the proposed amendment should not make too much difference to your company. Please drop me a private message with a link to company information and I will provide you with a more definite answer.