Darryl Bernstein, Partner and Head of Dispute Resolution, and Janet MacKenzie, Partner and Head of Technology, Media and Telecommunications, Baker McKenzie Johannesburg
The pandemic has driven home the high value of personal data to the global economy, while also highlighting its vulnerability to abuse and attack. In response, governments around the world have been reviewing their data privacy and protection laws and regulations, including in South Africa. Global cybersecurity firm Kaspersky recently noted that cyberattacks are set to rise in African countries, especially in the key financial centres of South Africa, Kenya and Nigeria. The cybersecurity firm noted that rapidly evolving digital techniques had led to an increased risk of Advanced Persistent Threats and hacking-for-hire events in Africa.
In South Africa, the Cybercrimes and Cybersecurity Act (Act) was signed into law by South African President Cyril Ramaphosa in early June 2021, bringing the country’s cybersecurity legislation in line with global standards. The Act compels electronic communications service providers and financial institutions to act when they become aware that their computer systems have been involved in a cyber security breach, as defined by the Act. They must, according to the Act, report such offences to the South African Police Service within 72 hours of becoming aware of the offence, and preserve any information which may be of assistance in the investigation. Non-compliance with this provision is a criminal offence and massive fines can be imposed.
The Act further criminalises harmful data messages, such as those that invite or threaten violence or damage to property, as well as those that contain intimate images. Data is broadly defined in the Act as “electronic representations of information in any form.” The Act also criminalises cyber fraud, extortion, forgery and the theft of incorporeal property. Also listed as an offence is the unlawful accessing of a computer system, data storage medium or personal data. Those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years.
In South Africa, data security is also governed by the Protection of Personal Information Act (POPIA). On 1 July 2021, the substantive implementation of key provisions of POPIA will become enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
One of the conditions for lawful processing in terms of POPIA is the use of security safeguards, which prescribes that the integrity and confidentiality of personal information must be secured by a person in control of that information. This is prescribed by POPIA in order to prevent loss, damage or unauthorised access to, or destruction of, personal information.
POPIA also creates a reporting duty on persons responsible for processing personal information, whereby they must report any unlawful access to personal information (a data breach) to the Information Regulator within a reasonable period of time. Like the Cybersecurity Act, POPIA brings South Africa in line with international data protection laws by regulating the processing of the personal information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information.
In terms of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party has to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established.
The notification has to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation.
The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media, or made as directed by the Information Regulator. It must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise.
In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if there are reasonable grounds to believe that such publicity would protect a data subject.
An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.
In 2020, Ghana similarly passed its Cybersecurity Act 2020, to oversee the country’s response to the prevention and management of cybersecurity incidents. The Act establishes the Cyber Security Authority and provides for the protection of the critical information infrastructure of the country. The Act also regulates cybersecurity activities, oversees the protection of children on the internet and seeks to develop Ghana’s cybersecurity ecosystem.
Cybersecurity and Personal Data Convention
However, data privacy laws, which govern, amongst other things, data security and breaches, are currently present in less than half of African countries. Regionally, the Southern African Development Community and the Economic Community of West African States have data protection policies in place and the continent is also covered by the African Union’s Convention of the African Union on Cybersecurity and Personal Data (2014) (Convention). As of May 2020, the Convention had only been ratified by eight out of 55 AU members (Angola, Ghana, Guinea, Mauritius, Mozambique, Namibia, Rwanda and Senegal), while 14 countries had signed but not ratified it. South Africa, Kenya and Nigeria have not yet signed the Convention.
Legislation governing the digital economy is essential to protect African citizens in terms of both their digital privacy rights and cybersecurity threats, while at the same time also ensuring that their online freedoms are not threatened. The AU has been encouraging its member states to sign the Convention and implement balanced local legislation that is fully enforceable and that respects human rights.
To facilitate this process, consultations with stakeholders in government, businesses (local and international) and organisations representing wider society would ensure a balanced approach during the drafting of these laws. International legislation should be considered alongside local laws, given the borderless nature of the online environment, and consulting with technology experts on policy means that due consideration can be given to the specific nature of this rapidly developing sector. Considering the current rapid move to digitally-focused business models, the implementation of these legal protections and guidance has become urgent for all African countries.