Tension Mounts on South Africa's Cybersecurity Law
To summarise, it indicates that there needs to be clarity relating to government’s authority, roles, responsibilities and goals and that these should be balanced against public interest infringing on constitutional rights. It emphasises that the provisions of the proposed law are “vague and far-reaching” and broad definitions could unintentionally criminalise perfectly legitimate acts.
In dealing with the powers of State it indicates that until people understand how their information may be abused business and others will remain uninterested and uninformed.
The Bill, in providing for overbroad powers similar to the Protection of State Information Bill, is also commented upon in conjunction with the protections which should be afforded to citizens of South Africa in terms of the Protection of Personal Information Act, which remains unimplemented. A commentator is quoted as saying “There is little doubt that cybercrime and data privacy breaches will continue to rise exponentially, unchecked and unabated” until we establish appropriate law and create the capacity and competence to both administer the law properly and guard against cyber-attacks.
It is not helpful when senior spokesmen for the State, including the Minister of State Security, make statements claiming that government is “secure”. This is simply not true as has been evidenced by the hacks by “Anonymous” on government information infrastructure. This merely puts a target on the back of South Africa and South Africans and the well-publicised success of Anonymous’ intrusions into government infrastructure will make South Africa an attractive target for organised crime which will have more nefarious intent than “Anonymous”.
Further comment is made that “From an online perspective the government seems to have demonstrated an ignorance to the online space and how it is to be managed”. The commentator indicates that this is a risk for doing business in South Africa. From my experience this has proved to be true and that over the past number of years there have been 3 different occasions where I have been requested to advise potential investors in South Africa on privacy laws. In each of these instances the failure to have operative privacy laws has dissuaded the investors, one investor in particular of global renown, from investing in South Africa.
Appropriate regulation to address cybersecurity and combat cybercrime in South Africa has been championed by me for at least 15 years. However, as the article aptly demonstrates, while “getting it right” would be hugely beneficial to South African society and its economy, “getting it wrong” will be disastrous. It is essential that we avoid another example of legislation being developed to support political rhetoric that is ill-conceived, impractical and in some instances unconstitutional.
To read the full article published in Bloomberg BNA follow this link: Link to Bloomberg BNA article
Over the past couple of weeks I have become aware that the Deputy Minister of Justice has been proactive in taking steps to take account of public comment and to ensure that the Bill is amended to address the criticisms that have been levelled against it at this time. The Deputy Minister’s efforts are refreshing in that they indicate a willingness to listen to and take seriously the comment that has been provided. While it may be necessary to redraft specific sections of the Bill, it is also critical to understand that cybersecurity is not a government issue. Cybersecurity, if it is to be effective, must be a broad-based approach in which the private sector will play a considerable role. The failure of policy makers and drafters to properly consult the private sector and civil society to date is a fatal flaw in the Bill as it stands. Allied to this is the necessity to establish appropriate public/private sector partnerships. Again one of the fundamental criticisms of the Bill is that it fails to do this. It will also be important that the private sector accepts its responsibility and is prepared to engage and cooperate with government in devoting time and energy to cybersecurity.
Finally, privacy is recognised globally in democratic countries as a non-negotiable balance between the practices of big business (which are in many instances unscrupulous) and the excesses of government. Against this background the failure to properly implement the Protection of Personal Information Act and appoint the Information Regulator, which is central to its working and efficacy, constitutes a barrier to the promulgation of appropriate legislation governing cybersecurity. In view of the fact that the State President indicated in the state of the nation address that this legislation would be placed before Parliament in the first half of 2016, an enormous amount of work is required on the part of government and others if this is to be achieved. One hopes that the political will and the provision of the wherewithal to ensure that government starts to fulfil its duty to protect South African citizens can eventually begin to be discharged.
©Mark Heyink 2016