South African Law on Cybercrime

History of Cybercrime Legislation in South Africa

View the Full text of legislation and regulations affecting the internet in South Africa

View the Council of Europe’s Convention on Cybercrime (used as a guideline for developing SA’s national legislation)
More on CoE Cybercrime projects and framework for international cooperation

View the Definitions of Cybercrime

View the Electronic Communications and Transactions (ECT) Amendment Bill, 2012 [PDF 5.47MB] – Published October 2012

View the Cybercrimes and Cybersecurity Bill 2015 [PDF 839KB] – Draft Published for Comment, August 2015

View the Cybercrimes Bill history and progress as of 26 May 2021 signed into law by the President of South Africa as Act 19 of 2020, which seeks to:

  • Create offences which have a bearing on cybercrime
  • Criminalise the disclosure of data messages which are harmful and to provide for interim protection orders
  • Further regulate jurisdiction in respect of cybercrimes
  • Further regulate the powers to investigate cybercrimes
  • Further regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes
  • Provide for the establishment of a designated Point of Contact
  • Further provide for the proof of certain facts by affidavit
  • Impose obligations to report cybercrimes
  • Provide for capacity building
  • Provide that the Executive may enter into agreements with foreign States to promote measures aimed at the detection, prevention, mitigation and investigation of cybercrimes
  • Delete and amend provisions of certain laws
  • Provide for matters connected therewith

The Cybercrimes Act 19 of 2020, CHAPTER 2 (PART I and PART II) specifically address cybercrimes and malicious communications that include provisions relating to:

  • Unlawful access to, interception of, and interference with data or computer programs and systems
  • Cyber fraud, forgery and uttering, extortion, and aggravated offences
  • Dissemination of data message which incites or threatens persons with damage to property or violence, and disclosure of intimate images of a person.

The Electronic Communications and Transactions (ECT) Act 25 of 2002, CHAPTER XIII and CHAPTER VII was South Africa’s first legislative provisions relevant to cyber criminal offences:

CHAPTER XIII

CYBER CRIME

Definition

85.
In this Chapter, unless the context indicates otherwise—
“access” includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

Unauthorised access to, interception of or interference with data

86.
(1) Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

Computer-related extortion, fraud and forgery

87.
(1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
(2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.

Attempt, and aiding and abetting

88.
(1) A person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89(1) or (2), as the case may be.
(2) Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89(1) or (2), as the case may be.

Penalties

89.
(1) A person convicted of an offence referred to in sections 37(3), 40(2), 58(2), 80(5), 82(2) or 86(1), (2) or (3) is liable to a fine or imprisonment for a period not exceeding 12 months.
(2) A person convicted of an offence referred to in section 86(4) or (5) or section 87 is liable to a fine or imprisonment for a period not exceeding five years.

CHAPTER VII

CONSUMER PROTECTION

Unsolicited goods, services or communications

45.(1) Any person who sends unsolicited commercial communications to consumers, must provide the consumer
(a) with the option to cancel his or her subscription to the mailing list of that person; and
(b) with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer.
(2) No agreement is concluded where a consumer has failed to respond to an unsolicited communication.
(3) Any person who fails to comply with or contravenes subsection (1) is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).
(4) Any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).

Glossary of Terms

Adware Botnet Cracking Crimeware Cyberbullying Cybercrime Cyberstalking Cyberterrorism Data-Theft DoS-Attack Hacking Hoax-Email Identity-Theft Keylogging Madware Malware Pharming Phishing Ransomware Scareware Smishing Social-Engineering Spam Spyware Trojan Virus Vishing Website-Defacement Worm