Changing the electronic communications landscape
As a result of the population's ever-increasing dependence on the Internet, there has been a significant rise in hacking, security breaches, misuse of personal information, cyber security threats and cyber crime. As a result of these trends, and in an attempt to ensure that South Africa measures up to international best practice, the Minister of Communications, on 26 October, 2012, published the Electronic Communications and Transactions Amendment Bill (Bill) inviting the public to submit written comments to the proposed amendments to the Electronic Communications and Transactions Act, No 25 of 2002 (Act).
The Bill seeks to align our legislation with international standards and trends. A notable effort has also been made to align the Bill with the provisions of recent developments in our law, specifically the promulgation of the Consumer Protection Act, No 68 of 2008 and anticipated data protection legislation.
This article focuses on the more noteworthy amendments proposed under the Bill.
New definitions
Several new definitions have been included in the Bill. The definition of "electronic transactions" has been expanded to include both commercial and non-commercial transactions. This feeds into the new definition of "unsolicited communications". A communication regarding any electronic transaction will be regarded as unsolicited unless the communication has been requested by the recipient.
The definition of "service provider" presently incorporates only Internet service providers. The Bill proposes extending the definition to include wireless application service providers that, in addition to being expressly subjected to the provision of the Act, will also, to the extent that they act as mere conduits for communications, benefit from the limitation of liability contained in the Act.
The definition of "cryptography provider" has been streamlined to clarify the legislature's requirement that only people who are entities that develop cryptography products and services will be regarded as a "cryptography providers". The ambiguity that allowed for end-users and installers of encryption software to be regarded as cryptography providers will be removed.
Spam
A specific object of the Bill is to minimise or eradicate spam. For this reason the new definition of unsolicited communications has been incorporated. Notably, Internet and wireless application service providers that send data messages to persons who have not implicitly or expressly requested the messages could face tough criminal sanctions in future.
Compliance with data-protection principles
In terms of the Act as it stands, a data controller - any person who electronically requests, collects, collates, processes or stores personal information - may voluntarily comply with the principles governing the processes of electronically collected personal information. The Bill suggests that, in future, all data controllers be required to subscribe to the principles and record the fact that they have done so in an agreement with the data subject.
e-strategy development
The draft legislation seeks to task the Minister with the responsibility of developing the national e-strategy and proposes that the Minister take account of international best practice and the laws and guidelines of other jurisdictions and international bodies, as well as existing laws within the Republic. The national e-strategy will focus on e-readiness, SMME development, human resource development and education and training in the ICT sector. This will greatly assist in enabling use of the Internet and bridging the current digital divide.
e-evidence and contracts
The provisions pertaining to the admissibility of online communications as evidence in a court and what constitutes a contract is broadly in line with the rules developed by United Nations Commission on International Trade Law and the position broadly adopted by the international community. In determining the evidentiary weight of a data message, the Bill requires that regard must be had to the manner in which its originator was identified. The Bill proposes that the Act be expanded to include identification by way of an electronic signature.
Cryptography providers
The Bill proposes the introduction of specific objectives in relation to cryptography providers and their services and products. The Bill provides that cryptography providers should ensure conformance with all decryption directions under the Regulation of Interception of Communications and Provision of Communication-related Information Act, or any other laws of the Republic, as well as renew their cryptography provider registration every two years.
Accreditation Authority
The Bill introduces the establishment of an Accreditation Authority to accredit certain types of electronic transaction service providers. The Accreditation Authority will also monitor compliance with the Act.
The Bill proposes the introduction of mandatory registration of authentication service providers, products and services.
At present only South African accredited "certification service providers" can issue advanced electronic signatures. The Bill provides that electronic signatures accredited in a foreign jurisdiction be recognised in South Africa provided there is a recognition agreement in place.
Deemed recognition of representative bodies
The Act currently excludes liability on the part of a service provider to act as mere conduits of information. In order for a service provider (which, if the Bill is passed, would include wireless application service providers) to benefit from the limitation of liability provisions in the Act, they are required to belong to an industry representative body recognised by the Minister and must subscribe to the code of conduct of that representative body.
In order to facilitate the recognition of industry representative bodies, the Bill suggests that representative bodies be deemed recognised if, after a period of 12 months after application has been made for recognition, the Minister has not responded to the application.
Cyber security hub
The Bill proposes that the Minister establish a cyber-security hub for creating, amongst other things, awareness of threats to electronic communications networks and communications from cyber-crime.
The aim of the hub would be to respond to cyber security incidents, creating guidelines to educate persons about cyber crime, centralising co-ordination of cyber security activities, conducting cyber security audits, and fostering and promoting cooperation between the government and interest groups in implementing cyber security standards.
Penalties
A number of hefty penalties for contravention of the Act are proposed in the Bill:
- A person who transmits unsolicited communications may be liable of a fine up to R1 million or a period of imprisonment not exceeding one year.
- A person providing cryptography products or services without registering with the Department of Communications or failing to provide information may be subject to a fine up to a maximum of R2 million.
- A person falsely holding out that their products or services have been accredited may be subject to a fine of not more than R2 million or a prison term of not more than two years.
- A person who discloses information that is declared by the Minister to be of importance to the protection of national security or the economic and social well-being of its citizens, such as "critical information", may be fined up to R5 million or imprisonment of three years.
- A person who, without authorisation, accesses or intercepts data is liable to conviction of a fine not exceeding R10 million or imprisonment of 10 years - this includes a person who after becoming aware of the fact that he is not authorised to access the data continues to access or use that data.
The Bill is a significant piece of legislation and will affect, in particular, the businesses of Internet service providers and wireless application service providers. In our view, the drafters of the Bill should be commended for incorporating many of the amendments proposed by the South African Law Reform Commission in 2011, as well as attempting to harmonise the Act with other South African legislation and international best practice.
Written representations were due on or before 7 December, 2012. This deadline may be changed if the Department of Communications is amenable to the representations made by various industry organisations to the effect that the deadline be extended until January 2013.