The phrase "economic and social well-being" is dangerously broad: almost any database, from hospital patient information to a list of companies supplying particular goods or services, could conceivably be construed as important to the economic and social well-being of SA citizens. Given the scope of Ministerial powers over critical databases proposed in the Bill, this creates an opportunity for arbitrary decision-making and damaging levels of government control over information.

If this phrase must be included, the Draft Bill must at least also require the Minister to furnish reasons for his or her declarations, and create an appeal mechanism for the owners of disputed databases.

(k) promote the development of electronic transactions services which are responsive to the needs of users and consumers;

(l) ensure that, in relation to the provision of electronic transactions services, the special needs of particular communities, areas and the disabled are duly taken into account;

(n) promote the stability of electronic transactions in the Republic;

(o) promote the development of human resources in the electronic transactions environment;

Subsection (l) is simply a repetition of (k) – services that are responsive to the needs of users and consumers are surely also services that are responsive to the needs of the named groups. In addition, the notion of "particular communities, areas and the disabled" is given no further content in the Draft Bill – nor do any of the provisions of the Draft Bill address this object. We believe that "lip-service" clauses carry the danger of undermining public confidence in legislation and should be avoided.

(m) is not within the scope of legislation to achieve without unduly intrusive measures. Either this clause is empty, or it holds the danger of stifling the development and adoption of new standards.

(n) and (o) are to be commended for enabling electronic transactions in SA and promoting appropriate capacity building.

(p) is empty, as none of the provisions of the Bill address this objective – indeed, some of them will tend to reduce the involvement of SMMEs.

We do not believe (q) should be a function of government alone – see comments under the appropriate chapter below.

Delete entire chapter.

ALTERNATIVELY, as a second-best option, change as follows:

5. (1) The Minister, in consultation with the Ministers for Public Service and Administration, Trade and Industry, Arts, Culture, Science and Technology, Labour and Education, must, within 24 months after the promulgation of this Act, develop a five-year national e-Strategy for the Republic, which must be submitted to the Cabinet for approval.

(3) The Minister, in developing the national e-Strategy as envisaged in subsection (1)—

(a) must determine all matters involving e-Government services in consultation with the Ministers for Public Service and Administration, Trade and Industry, Arts, Culture, Science and Technology, Labour and Education;

(b) must, in consultation with the other Ministers named in subsection (3a), determine the roles and obligations of each person, entity or sector of the relevant departments in the implementation of the national e-Strategy;

(c) must act as the responsible Minister for co-ordinating and monitoring the implementation of the national e-Strategy;

(d) may make such investigations as he or she, in consultation with the other Ministers named in subsection (3a), may consider necessary;

(e) may conduct research into and keep abreast of developments relevant to electronic communications and transactions in the Republic and internationally;

(f) must continually survey and evaluate the extent to which the objectives of the national e-Strategy have been achieved;

(g) may must liaise, consult and cooperate with public bodies, the private sector or any other person other relevant stakeholders; and

(h) may, in consultation with the Minister of Finance, appoint experts and other consultants on such conditions as the Minister may determine;

While we believe that a national e-Strategy is an excellent idea, we also believe:

1. That the development of such a strategy should not be the exclusive responsibility of the Department of Communications;
2. That matters of ongoing policy development, such as a national e-Strategy, should not be legislated for, but are more appropriately dealt with in White Papers; and
3. That the e-Strategy as suggested in the Draft Bill risks duplicating work already being done by other departmental initiatives, such as SAITIS.

In general, this section creates the impression that the Department of Communications is attempting to "own" everything to do with electronic transactions and communications in the Republic. We believe very strongly that this would not be enabling nor progressive policy-making and legislation – not because of any deficiency on the part of the DoC, but rather because the move to electronic transacting potentially affects every aspect of our economy and daily life, and requires a more broad-based and inclusive policy development programme.

It is absolutely essential, if this e-Strategy is not to be yet another time- and resource-wasting paper exercise, that the policy development and decision-making process be co-ordinated, transparent and as far as possible consensual.

We would suggest that the development of a national e-Strategy be the responsibility of an inter-departmental or inter-ministerial committee, including at minimum the Departments of Communications, Trade and Industry, Arts, Culture, Science and Technology, Labour and Education.

Alternatively, we would ask the Portfolio Committee on Communications to amend the Draft Bill appropriately to require greater consultation and co-ordination between different government departments.

The only recommended change is to the final section 21, Automated Transactions:

The italicised section makes no sense and should be revised.

(21) (e) no agreement is formed where a natural person interacts directly with the electronic agent of another person made a material error during the creation of a data message and—

(i) the electronic agent did not provide that person with an opportunity to prevent or correct the error;

(ii) that person notifies the other person of the error as soon as practicable after that person has learned of it;

(iii) that person takes reasonable steps, including steps that conform to the other person's instructions to return the performance received, if any, as a result of the error or, if instructed to do so, to destroy that performance; and

The CTUF believes Chapter 3 of the Draft Bill, dealing with the facilitation of electronic transactions, appropriately fulfils the objects of the legislation. It is problem-solving, provides the required clarity and certainty, and adequately defines the scope of the regulatory environment.

The CTUF acknowledges the importance for crime prevention and national security of ensuring that law enforcement agencies, among others, have the necessary tools with which to carry out their duties. However, we believe this Chapter of the draft is inappropriate for several reasons:

1. There is danger that the chapter will result in over-regulation of an arena already governed by existing or proposed legislation, including the Interception and Monitoring Bill.
2. It extremely unlikely that anybody engaged in the provision of cryptography for criminal or terrorist purposes will comply with this legislation. Its only effect, in that case, will be to impose additional administrative burdens – and associated costs – on legitimate users.
3. The definition of a cryptography provider includes any person that is providing a credit card payment form with appropriate levels of standard online security. Since credit card information must be encrypted for security across the Internet, all bone fide online merchants are included. Again, this legislation if passed will impose additional burdens on people engaged in e-commerce and may tend to stifle participation, especially by SMMEs. This is contrary to the objectives of the Bill.
4. Even worse, the Chapter makes no distinction between cryptography providers located inside and outside South Africa, but stipulates that its provisions apply whenever a cryptography product or service is used by a person in the Republic (Section 31). This could lead to the following scenario:

An internet retailer which is located outside South Africa, but which serves customers around the world including South Africans (Amazon.com is one example), relies on cryptographic services to ensure the security of online credit card transactions. The retailer is informed that, in order to provide its services to South Africans legally, it (or its cryptography service provider) must register and pay a fee to the SA government. The most likely outcome is not that the retailer will comply, but rather that it will refuse to do business with South Africans so as to spare itself expense and possible legal trouble.

In other words, a Bill intended to bring the benefits of e-commerce to all South Africans could have the unintended consequence of South Africans being denied those benefits because they impose unreasonable demands on foreign entities.

5. As a further consequence of the above, the Bill will be unenforceable.

The CTUF is unclear as to the purpose and usefulness of this chapter. If accreditation is purely voluntary, there is no reason for any authentication service provider to seek it unless its own competitiveness as a business is thereby enhanced. Reliable authentication services are vital to successful e-commerce and in general we believe this is an area where self-regulation is likely to work well: unreliable service providers will soon find themselves out of business.

We are also concerned that the requirements for accreditation may be unnecessarily stringent, and likely to stifle innovation and new technology development, especially by small and medium enterprises (we wonder, for example, whether Thawte could have met all these conditions).

In addition, the administration of such an accreditation scheme is likely to require specialised skills, which could surely be put to better use than in administering what could become a considerable bureaucracy.

Unsolicited goods, services or communications

46. (1) No person may send unsolicited commercial communications to any consumer unless all of the following conditions are met: Any person who sends unsolicited commercial communications to consumers, must provide the consumer—

1. that consumer has previously indicated his or her willingness to receive unsolicited messages from that person;
2. (a) the consumer is provided with the option to cancel his or her subscription to the mailing list of that person; and
3. (b) the consumer is provided with the identifying particulars of the source from which that person obtained the consumer's personal information, on request of the consumer.

(2) No agreement is concluded where a consumer has failed to respond to an unsolicited communication.

CTUF recognises the need to uphold consumer rights in the new economy and welcomes the steps taken in this chapter to meet this objective.

Our only suggestion is to enhance the protections granted to consumers from unwanted and unsolicited commercial communications, commonly known as "spam".

As it currently stands the draft bills allows "opt-out" spam, that is messages which have not been solicited but which provide the recipient with an option to request removal from the sender’s mailing list. Most spam, including pornographic spam, is of this variety. Since such messages tend not to be sent by legitimate businesses, the "opt-out" system is notoriously unreliable and untrustworthy: consumers who reply with a request for their removal thereby confirm the validity of their email addresses, and tend to find that the volume of unwanted communications increases. As it stands the bill provides no protection against such pseudocompliance. The costs of this spam to the consumer are high – unlike paper junk mail that can simply be thrown away, spam actually requires the consumer to bear the costs of receiving it – a particularly undesirable situation in South Africa where consumers must pay for their Internet connections to Telkom by the minute. It also wastes time and energy, and can be a source of considerable embarrassment and distress where its content is pornographic.

Our preference is for an "opt-in" system, where companies gather consumer email addresses in the course of their legitimate business – e.g. through the customer filling in a paper or electronic form, or responding to a promotion, etc – and specifically obtain permission to send further information to that customer. This is the option already pursued by most reputable businesses in any case.

This chapter address the privacy of personal information and the role of ‘data controllers’ in managing that information. The chapter fulfils the objects of the legislation by simply extending to the electronic domain already existing obligations in respect to personal privacy.

Our concern is that this chapter is imposing a far-reaching, costly and inappropriate solution to a problem that doesn’t really exist. It appears to ignore and render obsolete much work that has already been done by Namespace.za. It is surely better to work towards improving what already exists than to create a new and expensive bureaucracy.

The .za domain is an important infrastructure that has enabled the Internet to flourish in our country. It has successfully and efficiently operated on a not-for-profit basis for many years, providing cost-effective access to the .za namespace for all South Africans. It has been the most stable and functional top-level domain in Africa and one of the best in the world.

As the Internet grows and its management becomes more complex, it is appropriate that the State should be a partner in the care of this critical national resource, helping to ensure that it is appropriately managed, robust, scalable and reliable.

However, we believe it is not appropriate that the State should be the sole custodian of this resource, still less that it should be effectively under the total control of a single Minister. This is the implication of section 61(2), which provides that the State will be the only member and shareholder of the proposed Authority, and of section 63, which gives the Minister wide discretion to determine which directors are appointed, their tenure and the circumstances under which they may be dismissed. We are also concerned by sections 72 and 73, which confer upon the Minister wide powers to make regulations without consulting any stakeholders except, in the case of alternative dispute resolution in section 73, the Minister of Trade and Industry. This is not acceptable.

The background to this issue is as follows: namespace around the world is under the ultimate control of ICANN (Internet Corporation for Assigned Names and Numbers) and the US government, specifically the Department of Commerce. Since ICANN is a private company based in California, there is little chance that the proposed chapter is enforceable. Trying to enforce it may not only antagonise the US government, but will not gain the support of other governments.

ICANN guidelines and global best practice recommend a process that has already been followed in South Africa. The Namespace.za organisation was established last year to include representatives from all stakeholders in the local Internet community in its management and operations. Its founders recognised that the South African government wanted be directly involved and set aside Board representation for this purpose. This is different to other examples (including Canada, Australia, Belgium, Netherlands, Brazil and many others) where governments have preferred to play a "hands-off", oversight role.

The Board of Namespace.za has engaged with the DoC and the drafters of this bill in the rewriting of this Chapter – yet, according to our information from Namespace.za, none of this effort was included or even acknowledged in the final publishing of the Bill.

Hosting

79. (1) A service provider that provides a service that consists of the storage of data provided by a recipient of the service, is not liable for damages arising from data stored at the request of the recipient of the service, as long as the service provider—

1. does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of a third party; or
2. is not aware of facts or circumstances from which infringing activity or the infringing nature of the data message is apparent; and
3. upon receipt of a take down notification referred to in section 81, acts expeditiously to remove or to disable access to the data.

(2) The limitations on liability established by this section do not apply to a service provider unless it has designated an agent to receive notifications of infringement and has provided through its services, including on its web sites in locations accessible to the public, the name, address, phone number and e-mail address of the agent.

(3) Notwithstanding this section, a competent court may order a service provider to terminate or prevent unlawful activity in terms of any other law.

(4) Subsection (1) does not apply when the recipient of the service is acting under the authority or the control of the service provider.

Information location tools

80. A service provider is not liable for damages incurred by a person if the service provider refers or links users to a web page containing an infringing data message or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hyperlink, where the service provider—

1. does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of that person;
2. is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent;
3. does not receive a financial benefit directly attributable to the infringing activity; and
4. removes, or disables access to, the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to such data message, infringes the rights of a person.

Take-down notification

81. For the purposes of this Chapter, a notification of unlawful activity must be in writing and be addressed to the service provider or its designated agent and must include—

1. the full names and address of the complainant;
2. the written or electronic signature of the complainant;
3. identification of the right that has allegedly been infringed;
4. identification of the material or activity that is claimed to be the subject of unlawful activity;
5. the remedial action required to be taken by the service provider in respect of the complaint;
6. telephonic and electronic contact details, if any, of the complainant;
7. a statement that the complainant is acting in good faith;
8. a statement by the complainant that the information in the take-down notification is to his or her knowledge true and correct; and

This chapter enables service providers to define their obligations in providing services, as well as describing the mechanism by which representative bodies can act in a self-regulatory capacity to enforce accepted industry standards and practices. It also protects service providers from being made unreasonably liable for damages arising from data they have little or no direct control over.

We are concerned, however, by sections 79 (Hosting), 80 (Information Location Tools) and 81 (Take-down notification), to the extent that they have potentially severe implications for freedom for speech. Our understanding of this chapter is that it could allow the following kinds of situation to arise:

1. An individual, community group or labour union constructs a website drawing attention to alleged abuses by a large multinational company – eg. dumping toxic chemicals into a rural water supply, or unfair labour practices. The multinational company alleges that this website "infringes its rights" and demands that the website be taken down – even though it has not yet sought or obtained any legal judgement that the site is libellous or otherwise illegal. The service provider, concerned to avoid liability for the hosting of this site, takes it down. There is no appeal mechanism specified in the Bill and the authors of the site cannot afford to take the multinational company and the service provider to court, so the site stays down and the information stays out of the public eye.
2. A single individual decides that a website infringes his or rights and issues a take-down notification, complying with all the requirements of section 81, to the service provider that hosts the website. Again, the service provider is now obliged to remove the website, and the authors of the website have no right of appeal against this decision.

The problems are:

1. Seemingly anyone can issue a take-down notification;
2. There is no mechanism for deciding whether a take-down notification is justified or not;
3. There is no system of appeal for the owners of websites or other services that are unjustly taken down.

• Specify what skills or qualifications are required for someone to be appointed as a cyber inspector;
• Specify what legal or police training will be provided to cyber inspectors;

The CTUF is unclear why the DoC should extend its powers into areas more appropriately dealt with by the police and other security agencies. It is certainly appropriate for the DoC, as well as the private sector, to lend their skills and support to the police services to help deal with criminal activity online – but this doesn’t require giving DoC staff police powers.

We are particularly concerned that the chapter makes no mention of what qualifications are required for someone to become a cyber inspector, nor does it mention what training in law and police practice these inspectors will be give.

It is also not clear to whom these cyber inspectors are to be accountable, apart from the Director General of Communications. The post of Director General already comes with huge responsibilities and we are concerned that no Director General will be able to function effectively as an overseer of cyber inspectors in addition to all his or her other, very important, functions.

Jurisdiction of courts

95. A court in the Republic trying an offence in terms of this Act has jurisdiction where—

1. the offence has been committed in the Republic;
2. any act of preparation towards the offence or any part of the offence has been committed in the Republic, or where any result of the offence has had an effect in the Republic;
3. the offence has been committed by a South African citizen or a person with permanent residence in the Republic or by a person carrying on business in the Republic; or