THE CYBERCRIMES AND CYBERSECURITY BILL - IMPROVED BUT STILL FLAWED
Part 1 - The Bill versus the right to freedom of expression
On 10 August 2017, the Centre for Constitutional Rights (CFCR) made a written submission on the redrafted Cybercrimes and Cybersecurity Bill (the Bill) to the Parliamentary Portfolio Committee on Justice and Correctional Services.
The Bill seeks to address the increase in cybercrimes and breaches in cybersecurity in today’s digital era. It is a technical piece of legislation which provides a range of new offences pertaining to cybercrime, as well as various new complex structures to monitor cybersecurity, while obliging electronic communications service providers and financial institutions to assist in investigations.
The CFCR restricted its comments to the impact of the prohibition of “malicious communications” on the right to freedom of expression and the impact of certain provisions on the State’s surveillance powers on the rights to privacy and access to the courts.
There are welcome amendments to the Bill since the first contentious draft of 2015. The controversial offence of “computer-related espionage” which left whistle-blowers and journalists in possession of “confidential” State information defenceless, has been removed. Furthermore, the “Personal information and financial offences”, the “Infringement of Copyright” and the “prohibition on dissemination of data messages which advocates, promotes or incites hate, discrimination or violence” have also been removed.
However, the redrafted Bill now provides for the prohibition of “malicious communications”, which includes the prohibition of a “data message which is harmful”. A person who is guilty of “unlawfully” and “intentionally” having made “available”, “broadcasting” or “distributing” a “data message” which is considered “harmful” in terms of the Bill, can face imprisonment of three years.
Section 16(2) of the Constitution stipulates that the right to freedom of expression does not include “propaganda for war; incitement of imminent violence; or advocacy of hatred that is based on race, ethnicity, gender or religion, and that constitutes incitement to cause harm.” Unless the prohibition of a “data message which is harmful” prohibits any of these forms of expression and relies on constitutionally-aligned terminology, it will infringe the right to freedom of expression. This infringement can then only be justified if it is considered reasonable in terms of the limitation inquiry. One must consider whether the nature and extent of the limitation is narrowly tailored to the purpose considering the importance of the right to freedom of expression.
The Bill creates various instances when a “data message” defined as “data generated, sent, received or stored by electronic means, where any output of the data is in an intelligible form” will be considered “harmful”. Reference is made to undefined terminology such as “to threaten a person or group of persons” with “violence against any identified person forming part of the group or who is associated with the group”. Section 16(2)(b) of the Constitution specifically prohibits expression which “constitutes incitement of imminent violence” which is associated with expression directed at causing lawless action. Therefore, the prohibition in the Bill falls outside the scope of section 16(2) of the Constitution and it is necessary to consider whether the prohibition can be reasonably justified.
The prohibition of a “data message which is harmful” will create confusion regarding what conduct is being prohibited. No definition is provided for crucial elements such as “to make available”, “broadcast” or “distribute”. Other proposed legislation such as the Films and Publication Amendment Bill must be considered to ensure uniform use of definitions. Furthermore, “to threaten” is not defined and it is unclear what the threshold would be. It is also unclear how a person will be “identified” as forming part of a group or be “associated with the group”. Does there need be a common characteristic between members of the group and if so, which common characteristic then?
A data message is also considered “harmful” for instance if it is “inherently false in nature and is aimed at causing mental, psychological, physical or economic harm to a specific person or group of persons”. This provision appears to be an attempt to limit ‘fake news’ but again no clarity is provided regarding what is considered “inherently false”. Furthermore, a person whose reputation for instance suffered harm would have existing remedies available, such as a civil claim for defamation or even the common law crime of crimen injuria, and it is not clear why there is a need to codify this offence. In general, it is also concerning that no statutory defences are stipulated for any of these specific offences, which contribute to an overbroad limitation on the right to freedom of expression.
It also appears the intention of the inclusion of “malicious communications” was to extend the scope of the Protection from Harassment Act (the Harassment Act) to cyber harassment and the Bill also provides for a protection order pending criminal proceedings. However, the Harassment Act only refers to “harm” which includes “mental, physiological, physical or economic harm” and the term “harmful” is not referred to. Nonetheless “harmful” is specifically used in the Promotion of Equality and Prevention of Unfair Discrimination Act (the Equality Act) in relation to ‘hate speech’. However, the Equality Act provides no definition for “harmful”. This again creates confusion and it is unclear what the interplay between these legislative measures will be. This all leads to the conclusion that the prohibition of a “data message which is harmful” is overbroad, vague and a sledgehammer approach to fighting cyber harassment.
South Africans should be vigilant and question any legislative provisions, even seemingly well-intended provisions, attempting to curb the right to freedom of expression. The drafters of the Bill must ensure that any proposed measures to curb cyber harassment will surpass the Constitutional limitation inquiry and clear definitions need to be provided for each element of the offence, which corresponds with other proposed legislation.
Furthermore, a reassessment of existing remedies need to be undertaken to justify the need to codify additional offences. Finally, if these additional offences are necessary, statutory defences should also be included in the proposed Bill, to ensure the limitation on the right to freedom of expression is narrowly tailored.
Part 2 - Failing to address legislative shortcomings on the State’s surveillance powers
The words “surveillance of communication”, “interception orders” and “national security” in the age of modern technology cause a sense of distrust, especially in a volatile democracy such as South Africa with its apartheid history of secrecy.
Most South Africans are aware that they are required to register their SIM card in terms of the Regulation of Interception of Communications and Provision of Communication-Related Information Act of 2002 (RICA). However, one wonders how many are aware of the RICA procedure, which allows the State to intercept an individual’s communications. It would be naïve to believe surveillance laws do not impact on ordinary law-abiding citizens and only concern the fighting of “terrorists” who pose a “national threat”. A case in point is the recent conviction of a Crime Intelligence Official who was found guilty of spying on two Sunday Times journalists in 2010 by supplying false names in the interception application.
Civil society organisations have cried out for the reform of RICA, especially regarding the lack of transparency. It is concerning that the redrafted Cybercrimes and Cybersecurity Bill (Bill) which extends the scope of RICA, fails to address these concerns. The Bill, to the extent it echoes and relies on these controversial RICA provisions, indirectly impacts on individuals’ constitutional rights to privacy and access to courts.
RICA provides the procedure for the interception by the State of a person’s “communication” and “communication-related information”. “Communication-related information” is basically the information behind a text message, for instance the location of the sender of a text message. Interception is justified on the reasonable belief that information will be obtained relating to a threat to “national security” or a “serious offence”, such as high treason.
The procedure for an interception order by a RICA judge is highly controversial as it excludes any notification of the application - even after the investigation has passed and the order has lapsed. Thus, the legality of the interception order cannot be reviewed by a Court. The question arises whether this is a reasonable infringement on the right to access to courts, especially as certain foreign jurisdictions do provide for notification (such as Japan and Germany). Furthermore, the International Principles on the Application of Human Rights to Communications Surveillance - launched by the United Nations Human Rights Commission, after global consultation with various stakeholders - requires notification of the application. Delay of notification would for instance only be justified if it would “seriously jeopardise” the purpose of the surveillance. This suggests that RICA, in this regard, falls short of international best practice.
The constitutionality of RICA’s prohibition of notification of an interception order forms one of the key issues currently challenged by amaBhungane Investigative Journalism (amaBhungane). In its High Court application, amaBhungane argues that certain provisions of RICA unduly infringe on an individual’s rights to privacy and access to courts. The application is supported by Mr Sam Sole, an investigative journalist. Mr Sole suspected that communication between himself and the senior prosecutor investigating charges against President Zuma in relation to the Arms deal in 2009 were intercepted. According to Mr Sole’s affidavit, extracts of the intercepted communication later became public in Court papers. Mr Sole, according to his affidavit, has never been provided with the initial interception order or the information that the RICA judge considered to grant the interception order.
The Bill is intricately linked to RICA’s contested procedures. Clause 38 of the Bill requires the interception of “data” defined as “electronic representations of information in any form” to be made in terms of RICA. It appears the intention was to ensure the interception of all information must be via RICA and to limit the abuse of section 205 of the Criminal Procedure Act of 1977 (CPA). Section 205 of the CPA allows for instance, a Magistrate to issue a warrant for telephone records as it may provide information of an alleged offence. This process occurs outside the more onerous prescribed RICA procedure by a designated RICA judge. Section 15 of RICA currently allows other legislative mechanisms to obtain “communication-related information” such as telephone records, and this has been a glaring legislative loophole. However, despite Clause 38’s intention, section 15 of RICA has still not been amended.
The Bill also provides for the strict prohibition of disclosure and it echoes RICA’s exceptions with the additional exception of “information sharing” as provided for in the Bill. This means electronic communications service providers are prohibited from informing their customers of the interception orders.
They are also prohibited from publishing the information for statistical reasons, which would inform the public of the prevalence of specific data requests. This not only impacts on the constitutional right to privacy but also raises questions as to the justifiability of the infringement on the right to access courts. Furthermore, the exception of “information sharing”, which provides for the sharing of information between new proposed State structures dealing with cybersecurity, is an additional threat to the right to privacy.
The above lack of transparency is even more concerning as the definition of a “serious offence” in RICA is extended by the Bill to include offences such as “cyber fraud”, “cyber forgery and uttering” and “cyber extortion”. The constitutional right to privacy is also threatened, with the additional requirement that electronic communication service providers who are not currently required in terms of RICA to store “communication-related-information”, such as internet service providers, will now be required in terms of the Bill to do so. No information is given on how this information should be stored, when and how it should be destroyed, and there is no independent oversight mechanism monitoring this. The lack of independent oversight on the storage of “communication-related information” by telecommunication-service providers is also currently being challenged by amaBhungane.
The State fervently defends the constitutionality of these RICA provisions in the amaBhungane matter and one wonders why there is a reluctance to consider alternatives.
What risk is there to review RICA together with the Bill, to consider the possibility of a conditional notification after the investigation or the implementation of an independent civilian oversight mechanism? One hopes the amaBhungane challenge will seriously address these RICA challenges as the matter becomes more urgent with the looming enactment of the Bill.
Ms Christine Botha: Legal Officer, Centre for Constitutional Rights, FW de Klerk Foundation.