ICT Law A South African perspective

Upload: daisy-heath

Post on 25-Dec-2015


Page 1: ICT Law A South African perspective. Information Security The days of the Wild West Today … Corporate “legal” obligation

ICT Law

A South African perspective

Information Security

• The days of the Wild West

• Today …

• Corporate “legal” obligation

Cyber Crimes

• Unauthorised access or interception of data is a crime
– hacking, cracking, packet sniffing …
• Unauthorised interference with data in a way that causes data to be modified/destroyed/rendered ineffective is a crime
– creation & spreading of viruses, Trojan horses, worms …
• Unlawful use of devices designed to overcome security measures for protection of data
– Creation and use of software used for cracking.
• Intentional overloading of web servers with the intention of crashing them
– Denial of service (DoS)

ICT

ICT keywords:

• Information (or data) – in paper or electronic format
• Communication – in person or electronically, in writing or voice, telecommunications, and broadcasting
• Information Technology (IT) – hardware, software and electronics
• Communication technology – protocols, software and hardware

What is ICT law?

Topics of ICT law:

• Information
• Communication
• Hardware – computers, cell phones …
• Software
• The Internet – and web sites
• Electronic commerce – online stores
• Media – print, social, digital media
• Email
• Biotechnology
• Games and entertainment
• Internet gaming
• Digital marketing – also direct marketing

Laws directly related to ICT

• Electronic Communications and Transactions Act
– (ECT Act) 25 of 2002
• Promotion of Access to Information Act
– (PAI Act) 2 of 2000
• Protection of Personal Information Bill
– (PPI Bill) also referred to as POPI Bill [B9-2009]
• Regulation of Interception of Communications and Provision of Communication-Related Information Act
– (RICA) 70 of 2002
• New Companies Act no 71 of 2008

Electronic Communications and Transactions (ECT) Act - 2002

To be guilty of an offence in terms of the ECT Act, you must have the intent to commit the crime

• To provide for the facilitation and regulation of electronic communications and transactions;

• to provide for the development of a national e-strategy for the Republic;

• to promote universal access to electronic communications and transactions and the use of electronic transactions by SMMEs;

• to provide for human resource development in electronic transactions;

• to prevent abuse of information systems;

• to encourage the use of e-government services; and

• to provide for matters connected therewith.

Promotion of Access to Information (PAI) Act - 2000

To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected therewith.

Regulation of Interception of Communications and Provision of Communication-Related Information (RICA) Act - 2002

• Independent Communications Authority of South Africa (ICASA)
– Regulates the use of encryption over telecommunications facilities

RICA

• To regulate the interception of certain communications, the monitoring of certain signals and radio frequency spectrums and the provision of certain communication-related information;

• to regulate the making of applications for, and the issuing of, directions authorising the interception of communications and the provision of communication-related information under certain circumstances;

• to regulate the execution of directions and entry warrants by law enforcement officers and the assistance to be given by postal service providers, telecommunication service providers and decryption key holders in the execution of such directions and entry warrants;

• to prohibit the provision of telecommunication services which do not have the capability to be intercepted;

• to provide for certain costs to be borne by certain telecommunication service providers;

• to provide for the establishment of interception centres, the Office for Interception Centres and the Internet Service Providers Assistance Fund; to prohibit the manufacturing, assembling, possessing, selling, purchasing or advertising of certain equipment; to create offences; and

• to prescribe penalties for such offences; and to provide for matters connected therewith.

Protection of Personal Information (PPI) Bill - [B9-2009]

• Cabinet passes POPI – 14 August 2009
– POPI is not yet a law, merely approved by Cabinet
• To become law …

Life Cycle of an Act of Parliament

1. Tabled in Parliament
2. Comments invited by Parliamentary Portfolio Committee on Justice
3. Forwarded to National Council of Provinces for approval
4. Forwarded to National Assembly for approval
5. Sent to the President for signature
6. Published in Government Gazette

Brief Summary of POPI

Effective handling of PI & respecting the interest of data subjects

The purpose of the Bill is to
(i) Protect the right to privacy with regard to processing of personal information; and
(ii) Balance the right to privacy against other rights, such as the right of access to information.

• No processing of children’s PI
• Prohibits processing of:
– special personal information
– “religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour”
• Information Security legalised
– First time that information security has directly been addressed in any South African law.
– Includes requirements regarding security measures having to be introduced
  • to secure the integrity of personal information
  • to notify third parties of a breach of security
• No more (or less?) spam
– Spam was addressed in ECT Act, but not too successfully
– Regulates:
  • “unsolicited electronic communications”
  • “directories”; and
  • “automated decision making”.

Privacy

• Risks to Organisations
– Lose customers due to loss of trust
– Fail to attract new customers
– Bad publicity = damage to reputation
– Civil action for damages – class action suits
– Regulatory investigations and enforcement notice
  • Fines
– Liable for the actions of your operator
– Your main business activity becomes unlawful

Privacy

• Risks for the Individual
– A fine or jail sentence
– You could get fired
– You could be held personally liable for damages suffered by data subjects

Forms of Privacy

• Bodily privacy
– Concerned with protecting yourself against invasive procedures – drug testing
• Privacy of communications
– Covers the security and privacy of mail, e-mail, telephones …
• Territorial privacy
– Concerns the setting of limits on intrusion into the domestic environment and workplace – searches, video surveillance and ID checks
• Information/data privacy
– Deals with rules governing the collection and handling of personal data – financial information and medical information

Constitutional Right to Privacy

• “everyone has the right to privacy, which includes the right not to have:
– their person or home searched
– their property searched
– their possessions seized
– the privacy of their communications infringed”

• “data privacy legislation will have to find balance between the data subject’s fundamental right to privacy (as set out in Constitution), and other persons’ legitimate needs to obtain information about the data subject”.

Common law Right to Privacy

• Independent personality right “every person (natural or juristic) has rights to physical integrity, freedom, reputation, dignity and privacy”.

• May be infringed by:
– Unauthorized intrusion – acquaintance with another’s private facts
– Disclosure (publication) of private facts

The King Report on Corporate Governance – King III

“apply or explain” approach

• The third report on corporate governance in South Africa was necessitated by:
– The new Companies Act no 71 of 2008; and
– Changes in international governance trends
• Philosophy of the Report revolves around
– Effective leadership: ethical values of responsibility, accountability, fairness and transparency
– Sustainability: economic, social and environmental performance
– Corporate citizenship: company is a person and should operate in sustainable manner