By Divashnee Naidoo
The Cybercrimes Act has the potential to protect South Africans from online harms and legally increase the responsibility of online platforms to better monitor and regulate their content - if only it was proclaimed in full by President Cyril Ramaphosa.
The first thing to note about this legislation is that the Cybercrimes Act was six years in the making, being first published as a Bill in 2015. The second, and more important, thing to note is that only certain provisions of the Act have commenced, as announced by Ramaphosa at the time.
This poses two primary problems: implications for the democratic rule of law and legislative process; and the reality of leaving those whom the full extent of the Act could protect, vulnerable and exposed.
Under democratic rule the legislative arm of government is embodied by Parliament, whose members are elected by voters and are thus their direct representatives. Parliament seeks to create, amend, and repeal the laws of the land, among other duties. This is a rigorous process under South African law, including sometimes multiple rounds of public participation in scrutinising and commenting on Bills. Only when both houses of Parliament - the National Assembly and the National Council of Provinces - have passed the Bill is it sent to the president to sign into law.
The President does have some discretion as to when he can sign a Bill - and even only certain of its provisions - into law. However, the fundamental democratic principle remains that as Bills represent a lengthy process taken by the representatives of the people, he should limit the use of his discretion when effectively deciding when to override them by, for example, not proclaiming certain sections as in the case of the Cybercrimes Act.
The counter-argument to this is that the president as the head of the Executive must consider other matters of policy and/or national interest which would undermine his ability to fully proclaim all provisions of an Act. This may include provisions which might introduce new bureaucratic mechanisms for which there is no budget or, as in this case, may limit the operation and investment of big business.
Disincentivising with fines
Section 54 of the Cybercrimes Act places reporting obligations on online platforms to monitor and report the cybercrimes identified in the Act to the South African Police Service within 72 hours of becoming aware of them. They are further charged with preserving information which may assist the police in any subsequent investigation. Should they not comply, the online platforms stand to be liable to a fine of up to R50 000.
One can understand how this would disincentivise businesses from operating for fear of being fined. But should South Africa not take such progressive steps in combating the impunity otherwise held by perpetrators of cybercrimes and, in doing so, protecting South Africans from online harms?
Section 54 of the Cybercrimes Act, which promotes better content regulation by online platforms, has not been proclaimed. Yet fines for online platforms are not a novel regulatory measure. Australia was the first to launch an independent government institution solely empowered to safeguard Australians from online harms such as cyberbullying, image-based abuse, and illegal and harmful online content - the eSafety Commissioner.
Last June the eSafety Commissioner issued a legal note to Twitter/X demanding answers as to how it was tackling and aimed to tackle online hate, after receiving a significant uptick in public complaints about the platform compared to other online platforms. Twitter/X was given 28 days to respond and thereafter faced the possibility of being fined AUD700 000 per day for any continuing breach of its duty to protect users. No fines arose out of this inquiry by the eSafety Commissioner, but in October 2023 Twitter/X was the first platform to be fined by the Commissioner under the Australian Online Safety Act. The fine amounted to AUD610 500 for failing to answer questions on the steps it was taking to tackle child sexual exploitation material and consequently non-compliance with the Australian regulatory scheme.
South Africa behind in online user safety oversight
South Africa does have independent regulatory oversight institutions like the Information Regulator, which oversees the protection of personal information and access to public and private information, and the Film and Publication Board, which aims to protect consumers by regulating films, games, and other publications.
However, no South African institution similarly exists or is empowered to oversee user safety and content regulation on online platforms like the Australian eSafety Commissioner or as under the European Union’s Digital Services Act.
In December last year the European Commission opened formal proceedings against Twitter/X for the platform’s alleged non-compliance with that region’s Digital Services Act. Some of the inquiries by the European regional authority included Twitter/X’s obligations to counter disseminating illegal content and their effectiveness in combating information manipulation on the platform. While these proceedings are still in the investigation stage, it should be recognised that Australia is not alone in its cognisance of the variety of harms occurring on online platforms and the subsequent need for tech platforms to account for them.
A catalyst for the creation of legislative oversight has been the rise of online hate and abuse experienced by platform users on all social media platforms. Chapter 2, Part II of the domestic Cybercrimes Act, which has been proclaimed, makes spreading malicious communications online a criminal offence. Specifically, the offence includes sending data messages with the intention to incite causing damage to property or violence towards people. These provisions could pull individuals or groups who harass or intimidate others online out of the shadows of the internet and into the light of justice where, upon conviction, such perpetrators could face a fine and/or imprisonment for up to three years.
Protecting human rights defenders
Such recourse is sorely needed to protect human rights defenders in the civic space who currently face increasing amounts of online vitriol for their advocacy and are left abandoned by the lack of adequate enforcement of community guidelines by big tech platforms like Twitter/X and Meta.
Make no mistake, the harms of such online abuse are not confined solely to one’s mental health and psychological safety. Doxing - the public release of one’s personal or identifying information without consent - lifts online threats out of the virtual world and into the proverbial outside world. This can severely compromise the bodily security of human rights defenders and their families. One needs only to look at repeated threats of necklacing, death, office burning, and other similar violent threats faced by the Socio-Economic Rights Institute and Helen Suzman Foundation last year in their respective advocacy pursuits for those marginalised and vulnerable in society.
This ferocity of online abuse is experienced by many South Africans online and not only human rights defenders. It is then paradoxical that the president has proclaimed such malicious comments as a criminal offence but not gone so far as to proclaim those sections under Part VI of Chapter 2 which would allow complainants fuller protection from these harmful actions. This includes applying to a Magistrate's court for a desist order from the alleged perpetrator and subsequently ordering the relevant online platform to remove the impugned message or communication.
Additionally not proclaimed is the ability to call on online platforms to assist with such desist orders by disclosing identifying details of the alleged perpetrator and the impugned communication. Neither is section 22 proclaimed, which would allow courts to issue protection orders against perpetrators. Not proclaiming these provisions hamstrings the court’s ability to order online platforms to cooperate in the criminal investigation of cybercrimes. It also, more pertinently, reduces the court’s powers to protect complainants which is, ostensibly, a primary intention of the Act.
The Cybercrimes Act, if fully proclaimed, is an opportunity for South Africa to take one of its first policy steps in increasing online platform accountability and expanding the purview of the law to protect South Africans in the wild west that is the online world.
The Act instead has left victims only partially protected with the added cruelty of seeing what better protection could be like but placing it firmly out of reach. This situation could be easily remedied if only the president would proclaim it.