Has the four-year evolution of South Africa’s Cybercrimes Bill delivered the internet we want?

What is the internet we want? This was a question posed by one of the panels at the 7th African Internet Governance Forum (AfIGF), held from the 4-6 November 2018 in Khartoum, Sudan. The question is increasingly important as the development of cybercrimes and cybersecurity legislation becomes a priority for many African governments. The 2014 African Union Convention on Cyberspace Security and Protection of Personal Data or “Malabo Convention” represents political commitment by African states to take measures on a range of issues, including cybercrime. While ratification of the convention has been slow, the rapid evolution of cyberspace and new threats that have emerged and continue to arise online has infused this process with a new urgency. However, as panelists observed, we need to consider what these new laws mean for the internet that we (the public) want.

Is this focus on securing the internet making it a less open and democratic space? Are some legislative measures being weaponised by states against their citizens? Does the cybercrimes legislation address gender-based violence and harassment online? An extensive multi-stakeholder process for South Africa’s new Cybercrimes Bill is coming to its conclusion in the country. Whether it has led to the kind of internet that serves the public interest is worth reflecting upon. This article unpacks the four-year process in South Africa. It assesses whether the process holds any promise in achieving correct balance between securing the internet against cybercrimes while upholding fundamental freedoms, including the freedom of expression, access to information and privacy online.

An initial public outcry over attempts to “police the internet”

The public first caught sight of the voluminous 123-page draft Cybercrimes and Cybersecurity Bill for South Africa in August 2015. At the time, it was widely agreed to be long overdue. The South African Banking Risk Information Centre (SABRIC) ranks South Africa as having the third highest number of cybercrime victims worldwide, resulting in a loss of about R2.2 billion (approximately 1.5 million USD) each year to cyber attacks. The International Telecommunications Union (ITU) Global Cybersecurity Index has marked the country with an overall medium “yellow” rating. The country ranks 58th globally, and 6th in the African region on the ITU cybersecurity compliance index.

Yet, the draft bill was received with much public criticism and was seen as an attempt by the government to exert undue control over the internet. One of the few exceptions to this was the welcomed inclusion of an express criminal sanction for the non-consensual distribution of “data messages of intimate images” or “revenge porn”, a practice which disproportionately affects women online. Controversially, the draft bill incorporated many aspects of the Protection of State Information Bill (POSIB), a law which, if signed, would curtail fundamental freedoms and remains unsigned on the President’s desk five years after its drafting. Despite the embattled passage of POSIB, the earliest draft of the Cybercrimes Bill relied heavily on provisions from this law. Safeguards in POSIB were lost in the replication process. For example, the simple possession of classified content was deemed a criminal offence. The 2013 Global Principles on National Security and the Right to Information, known as the “Tswane Principles”, protect against sanctions for the possession and dissemination of classified information. This is a crucial protection for whistleblowers, investigative journalists and others making disclosures in the public interest.

Chapter 3 of the draft bill, which contains sanctions for malicious communication, included a criminal penalty for dissemination of what is vaguely defined as “fake news”. The Electronic Frontier Foundation (EFF) raised concern about the draft bill’s unrealistic provision to criminalise essentially any infringement of copyright online. More fundamentally, numerous civil society organisations raised alarms in response to the draft bill’s shift from civilian governance of the internet to oversight by the state intelligence agency. This full set of egregious provisions quickly became known as the “seven deadly sins” of the Cybercrimes Bill, a term coined by South African organisation Right2Know, a civil society group that focuses on access to information and freedom of expression. Concerns about how the Cybercrimes Bill attempts to police the internet were aggravated by the bill’s release coinciding with the Film and Publication Board Amendment Bill to regulate online content. Public trust in the state’s plans for internet regulation plummeted and the two bills have jointly become popularly known as “internet censorship bills”.

 The redraft: Enter the Cybercrimes Expert Committee

A responsive state is crucial in these moments of legislative impasse. The Department of Justice and Constitutional Development answered these criticisms with a redrafting process. In March 2016, an expert panel was established to review the bill in response to public submissions received. While the panel was not fully representative of a range of sectors and experiences, particularly the human rights sector as pointed out by Right2Know, the process did result in important amendments, breaking the deadlock with the public. The POSIB-related offences for accessing classified information and copyright infringement were removed. At the same time, however, certain controversial aspects were retained in the redraft, including the “fake news” malicious communication sections and overlapping sections with other laws, such as South Africa’s data protection law, the Protection of Personal Information Act (POPIA) and surveillance laws. In addition, the bill continues to include a provision giving the state intelligence agency a direct role in governance of the internet.

Towards consensus: The parliamentary process

 The bill, as amended by the expert panel and approved by the cabinet, was tabled before the national parliament in February 2017. The legislative process in South Africa begins with a department-led public participation process on a draft bill. The draft bill is subsequently adopted by cabinet and tabled before an open parliament for further public consultation and adoption by both houses of parliament: the National Assembly and the National Council of Provinces (NCOP). The final bill is then submitted to the President for signing into law. This is in fulfillment of the constitutional requirement for meaningful public participation in an open democracy. Further public submissions were made before the Portfolio Committee On Justice and Constitutional Development and correctional services in parliament by a wide range of stakeholders. This process did little to address the remaining substantive concerns.

In response, the Department of Justice reworked a second draft of the bill, over a year after the bill was first tabled before parliament. This has ultimately resulted in a radically amended version of the bill being presented to the Portfolio Committee On Justice and Constitutional Development on 23 October 2018. The biggest shift is the removal of provisions relating to cybersecurity, necessitating the renaming of the bill from the “Cybercrimes and Cybersecurity Bill” to the “Cybercrimes Bill”. The contentious sections criminalising false news under the malicious communications chapter are significantly amended to bring them in line with constitutional limitations to freedom of expression. The structures dealing with cybercrime are simplified and critical information infrastructure sections removed, to be included in alternative legislation. Some overlap between the data protection law and the surveillance law remains. The provisions for cybersecurity will be dealt with in a separate piece of legislation. The Portfolio Committee adopted the amended bill on the 7 November 2018. The bill will now go for debate at the National Assembly before it proceeds to the NCOP for concurrence and further public consultation.

Has this four-year journey resulted in ensuring an internet we want?

Panellists at the 7th AfIGF argued for the importance of a rights-based approach to cybercrimes and cybersecurity. This, they suggested, must involve an emphasis on more transparent legislature drafting processes with full public participation. Such an open and participatory approach, they argued, is fundamental to effectively addressing contentious issues such as defining cybercrimes, determining respective responsibilities for tackling cybercrime, and ensuring that coordinating structures such a cybersecurity advisory council are fully representative of all stakeholders, including the human rights community.

Procedurally, the almost final Cybercrimes Bill for South Africa has embodied a reasonably transparent and democratic public participation process. This has not been without a fair amount of advocacy by media, civil society and industry groups to ensure meaningful process.

The result is that, four years later, the present version of the Cybercrimes Bill is a vastly improved, though not perfect, reflection of the views of a wide range of stakeholders which contains due consideration for constitutional rights and freedoms.

Karabo Rajuili is an AfriSig 2018 fellow and participated in the 7th AfIGF as an ICANN/APC-sponsored participant. She is a volunteer activist with the Right2Know Campaign and participated in and made submissions on the Cybercrimes Bill as part of the Right2Know Campaign and the amaBhungane Centre for Investigative Journalism.

 

Karabo Rajuili is the advocacy coordinator at the amaBhungane Centre for Investigative Journalism.  amaBhungane seeks to secure information rights  and mitigate threats to the free flow of information  in the interest of investigative journalism, and wherever possible the wider media and public, through analysis, advice, lobbying, campaigning and litigation. Karabo’s particular interest in internet governance is in cyber security legislation, state surveillance technologies and privacy laws and how these impact on the journalism and digital activism in southern Africa and the region.  Karabo serves on the board of a feminist organisation, the Saartjie Baartman Centre for Women and Children