The incoming Cybercrimes Bill is set to change the way in which online piracy is policed in South Africa.

The new legislation comprises various laws which refer directly to issues such as copyright infringement.

One of the provisions in the bill is that ISPs in South Africa could be obligated to report offences within 72 hours or face a hefty fine.

The basics of the Cybercrimes Bill are detailed below, along with information regarding the collection and release of customer information by ISPs.

Cybercrimes Bill

Following the excision of the cybersecurity section, the Cybercrimes Bill now deals purely with offences relating to cybercrimes, seizure and access, evidence gathering, and reporting obligations and penalties.

When it comes to the policing of online piracy, the following clauses are applicable:

New offences – Includes the distribution of a data message of an intimate image, the infringement of copyright by peer-to-peer sharing, and sending hate speech messages.

Jurisdiction – South African courts will have extraterritorial jurisdiction, even when certain offences are committed outside of South Africa.

Prison time – Provisions which provide for a maximum penalty of up to 15 years’ imprisonment.

Obligations – Electronic communications service providers and financial institutions must report offences they become aware of within 72 hours.

Fatima Ameer-Mia, a director at Cliffe Dekker Hofmeyr, stated that once ISPs become aware of an instance of piracy they have a duty to report it to the SAPS and to preserve any information which may be of assistance to law enforcement agencies.

“It is unlikely that these companies would proactively hand over information, but if a cybercrime or one of these offences becomes public then I think for reputational reasons they will have to comply,” Ameer-Mia said.

“This reporting must be done without undue delay and, where feasible, not later than 72 hours after they become aware of the offence.”

Policies

MyBroadband asked multiple local ISPs about the potential effect of the Cybercrimes Bill on the way they approach customer privacy.

Most service providers did not provide comment or pointed us towards their privacy policies, but Cybersmart CTO Laurie Fialkov outlined the service provider’s general approach to the disclosure of customer information.

“We currently only release customer information on court order or subpoena,” Fialkov said.

“There is also limited information that we can disclose in terms of the PROATIA Act, which requires a particular form to be completed at the police station.”

This is standard practice for many local ISPs and Fialkov said that the new Bill’s requirement for ISPs to report instances of copyright infringement is relatively vague – and should not alter this procedure.

“It doesn’t appear that we are actively required to police copyright infringement, only that we need to report it,” Fialkov said.

MWEB’s privacy policy, for example, states that “MWEB will protect the confidentiality of its subscribers’ information, and use its subscribers’ information only for the purpose permitted or required”.

This means that the ISP will only provide subscriber information to third parties under certain conditions, including:

When directed by the written instruction of the subscriber.

When directed by an order of court.

Where it is necessary to properly deal with and comply with any legislative enactment or regulation.

MWEB’s privacy policy adds that while it does collect information such as domains visited, it does not inspect identifying information.

“You can browse sites without telling us who you are, or revealing any of your personal information,” the ISP’s policy states.

“We do track the Internet address of the domains of visitors and analyse such for trends and statistics. The individual user remains anonymous.”

Many other ISPs in South Africa adopt similar policies when it comes to user privacy.

Protecting user privacy at all costs

Fialkov told MyBroadband that ISPs should protect user privacy at all costs, as well as assist the authorities in prosecuting criminals.

“I do believe that ISPs have certain responsibilities, and that responsibility is not only to protect user privacy at all costs,” Fialkov said.

“I believe that it is important to have a legal framework where if criminal activity of any form is happening on an ISP’s network, a process exists to assist the authorities in bringing the perpetrator to justice.”

“I think this Bill to a large extent addresses this. Of course, there are people who are going to say that there are issues with it, but with any new Bill there are things that are not right. That is why we have amendments, so that over time these issues get fixed.”