THE BANKING COUNCIL
ELECTRONIC COMMUNICATIONS AND TRANSACTION BILL

1. Introduction
The genesis of the abovementioned Bill has gone through one of the most extensive and intensive consultation processes, first in preparation of the Green Paper on eCommerce, secondly in comment on the Green Paper and now on the Draft Bill. An involved expert has noted that this is the most expensive consultation expertise ever provided to government, for free! Evaluation and analysis of this history will highlight certain common themes, including in this presentation.

The conversion of "paper-based" systems to fully electronic ones holds certain concerns and fears, and it is understandable that governments all over the world have tried to legislate to ensure a smooth transition, and to provide "legal certainty" for electronic transactions. However, it should be noted that the existing paper-based systems do not have legislation governing things like a signature - a contract can be entered into verbally, by action, by signature, by thumbprint, by an "x". And the system has been working like this for centuries. In this context, any legislation to provide "legal certainty" to electronic transactions must be drafted and reviewed with extreme care, specifically to ensure that unforeseen or unintended disruptive consequences do not occur.

Electronic transactions and eCommerce are nothing new. Electronic banking and business-to-business electronic data interchange have been operating under the common law for a couple of decades. Again, care must be taken that the proposed legislation, while well intended, does not disrupt the effective and efficient functioning of the existing markets by introducing legislative rigidity, or more specifically, bureaucratic ineptitude and red tape.

Within this context, this submission makes a few general comments, and then specific comments on the detailed provisions of the Bill. Textual and spelling errors have not been highlighted except where they have a material impact on the content of the section.

2. General Comments
As noted above, eCommerce and electronic transactions are already functioning well in the market, and care must be taken to ensure that the new Bill does not disrupt this. It is with respect, therefore, that we must strongly recommend significant amendments to the proposed Bill, where whole sections should be deleted to ensure that government does not interfere unnecessarily with the market. In particular, we recommend that:

2.1 Government's attempt to nationalise and control the electronic signature and domain name administration (Chapters VI and X respectively) is deleted totally. Every experience to date would tend to confirm that the proposed actions are likely to seriously disrupt the existing effective and efficient functioning of the market (e.g. the hopelessly out-of-date companies register; the bureaucratic frustrations in trying to register new company and cc names).

2.2 The proposals to determine and control "critical databases" be rejected, as this can only be targeted at databases in the private sector, given government's existing control of its own and other public body databases. The legal concepts of "national security" and in particular of "economic and social well-being of its (i.e. the Republic's) citizens" are far too vague to give the Minister the wide-ranging, almost draconian, powers proposed in Chapter IX.

2.3 Chapter XII relating to Cyber Inspectors also be deleted, as this creates an intelligence and investigation service, under very vague statute, outside the scope and control of the SA Police Services. The country would, we believe, be better served by ensuring that appropriate resources are made available by the SAPS and Justice to fulfil these functions, thereby avoiding duplication of infrastructure and overheads.

2.4 Finally, a specific provision may need to be brought into the Bill to ensure that its far-reaching impact does not have any retrospective effect, e.g. on existing contracts. A phase in period will also be required to ensure that existing electronic transactions, processes, websites etc., are upgraded to comply with the new requirements, particularly those relating to consumer protection.

3. Specific Comments on the provisions contained in the Bill
3.1 Section 1 - Definitions
We presume that the word "retracted" in the definition of "critical database" should read "extracted."

The definition of and use of the concept "data message" to include all data generated, sent, received or stored by electronic means is likely to cause market confusion as its current/traditional use outside of this Bill refers to the format or electronic construction of data to be transmitted electronically. It generally does not refer to data being stored. It is also unclear whether the concept "voice" will include SMS messages.

The definition of "electronic agent" could cause legal uncertainty, as by definition an agent acts on behalf of another party. It is therefore unclear how the electronic agent is required to be used "independently." Presumably what is meant is "automatically, without human intervention" rather than "independently."

The definition of "data subject" clearly restricts the ambit of the Bill to actions "after the commencement of the Act." However, it is not clear what is the status of data on data subjects before the commencement of the Act, nor how or why a separation pre- and post-Act should be maintained.

The definition of "person" includes "a public body" (which is also defined), but does not clearly include a legal entity or trust; it is recommended that the definition of "person" is amended to read "includes any legal entity, trust or public body."

It is unclear why, in the definition of "personal information", section (e) excludes personal opinions, views or preferences "where they are about another individual or about a proposal for grant, an award or a prize to be made to another individual." It would seem that these excepted opinions or views are not "personal", and must be open to all in the context of the definition.

It is also unclear why "personal information" should include under (g) "The views or opinions of another individual about the individual." This could present critical problems where employees or institutions are required to form opinions on a specific individual, e.g. an applicant for employment, an applicant for a loan, and those opinions are now, by law, part of that person's "personal information" to which he or she will have access. It is recommended that sub-section (g) be deleted so that these administrative "adjudication" processes can proceed unhindered.

The definition of "private body" should be amended to include trusts, as case law tends to treat trusts as different from other juristic persons.

It would appear that the Bill is attempting to redefine common domain name procedures, at odds with the rest of the world. The Bill defines "second level domain" as the sub-domain "immediately following the ccTLD, signifying a category or type of domain name." We have been informed that this is incorrect/misleading, and that the second level domain is that portion of the domain name that appears immediately to the left of the top level domain, e.g. the "banking" in "banking.co.za."

Similarly, the Bill would seem to err in defining "sub-domain" as "any subdivision of the .za domain name space which begins at the second level domain." In the DNS hierarchy used internationally a sub-domain is a domain that is part of a larger domain name; DNS hierarchy consists of the root level domain at the top, underneath which are the TLD's, followed by the second level domains and finally sub-domains; e.g. in the domain name positions.banking.co.za "positions" is a sub-domain of the larger second level domain "banking."

3.2 Section 4 - Sphere of application
The exclusions in sections 4(3) and 4(4) present one of the "unintended consequences" mentioned earlier. While one can understand the need, in the identified circumstances, to retain traditional paper/signature process, the blanket exclusions restrict the ability of the market to innovate, and to move certain components from paper-based to electronic-based processes (e.g. the imaging of presented cheques and subsequent digital processing of the payment instructions).

Similarly, certain agreements (including electronically-concluded agreements such as "wheels" hire purchase), require stamp duty to be paid. The banks have obtained a dispensation from SARS under section 5(1)(iii) of the Stamp Duties Act to use "pre-printed" revenue stamps (i.e. electronic) on the face of their electronic contracts. However, in terms of proposed section 4(3) this practice would no longer be allowed, and the banks would have to revert to written, paper based contracts purely to incorporate an original revenue stamp for the stamp duty required. Clearly this could not be the intention of the Bill designed to further electronic communications and transactions.

The "transitional" aspect of moving from paper-based to electronic process is clearly complex and requires appropriate flexibility. We propose that section 4(3) of the Bill be amended to read:

"The sections of this Act mentioned in Column B of Schedule 1 do not apply to the laws mentioned in Column A of that Schedule, except as exempted by Notice in the Government Gazette by the relevant Ministers responsible for administering these laws."

This should enable the responsible Ministers (e.g. the Minister of Finance in the stamp duties example), by notice in the Government Gazette, to facilitate electronic transactions in the scheduled exempted areas as the stakeholders are able to accommodate them without undue disruptions to the certainties required under those laws.

3.3 Section 5 - National e-Strategy
Section 5(2) dictates that the "Cabinet must, on acceptance of the national e-Strategy, declare the implementation of the national e-Strategy a national priority." This dictate in law would seem to remove Cabinet's executive discretion to determine policy according to circumstances prevalent at the time. The dictate could also imply financial and other resource allocations which could be inappropriate at that stage. It is recommended that this section be deleted as it would be up to the Minister to motivate appropriate priorities in competition with other priorities at that time.

Section 5(3) (b) dictates that the Minister "must determine the roles and obligations of each person, entity or sector in the implementation of the national e-Strategy". With due respect to the Minister, this is an impossible task, and would present severe organisational and jurisdictional challenges. It is recommended that the section be deleted, alternatively amended to read "may make recommendations concerning the roles and obligations".

Given the prescriptive nature of much of section 5, it is noteworthy that section 5(3) (g) states that the Minister "may liaise, consult and co-operate with public bodies, the private sector or any other persons." Given that e-Commerce is driven by the private sector we would expect that the Minister "must" or "should" consult, and recommend that the word "may" be replaced with "must" to ensure that appropriate private and public sector inputs are considered.

3.4 Section 10 - Electronic transactions policy
The purpose of section 10(4) is unclear. The impact of official government policy, by definition, imposes obligations on government departments and other public bodies. The section as worded implies that even the Department of Communications has no obligations under its own policy (see the definitions of "person" and of "public body."). It is recommended that this section be deleted.

3.5 Section 11 - Legal recognition of data messages
This is a critical section governing the transition between traditional "hard copy" legacy systems and providing legal recognition for electronic transactions. It is therefore essential that the legislation is clear to prevent any unintended (statutory) consequences, as opposed to the common law which is more able to accommodate the uncertainties and flexibilities of a highly dynamic environment.

Section 11 (2) confers legal status on information which is "merely referred to in such data message" (where the data message itself could be a legal document or contract). We all know about problems caused by hiding information "in the fine print" of written contracts, and nowadays consumer protection requires that critical contract clauses are clearly highlighted in any contract. It would therefore seem appropriate that this section be amended to ensure that all critical conditions of contract or information are not "merely referred to" but are clearly highlighted for attention in the relevant data message. The use of electronic transactions should not re-open the door to "electronic fine print."

It is foreseen that sections 11(2) and (3) could cause considerable legal uncertainty when electronic contracts are compared to the requirements of written contracts, as discussed above. It may be advisable, therefore, for these 2 sections to be deleted, in which case the courts would be guided by the transparency and informational requirements of "hard copy" documentation when called upon to determine whether electronic contracts complied with the required norms of openness and transparency. Inclusion of these 2 sections could result in different norms for electronic vs paper systems.

Similarly, section 11 (3)(a) implies that a "reasonable person" should be able to have noticed the inclusion or reference to any information included in the data message. The experience with "hard copy contracts" is that there is no such reasonable person, and in many cases the law requires clear, up-front notification of certain information, often also requiring the client/customer to acknowledge having been informed of certain conditions or rights. The Bill should not allow electronic transactions to obscure this critical part of existing consumer protection and transparency.

Section 11 (3)(b) also creates a potentially confusing situation, where information is presumed to be part of an electronic agreement on the basis that it is "accessible in a form in which it may be read, stored and retrieved by the other party...". There is no evidence that that other party could actually retrieve and read it, or whether that party did. Experience with current systems incompatibilities highlights the dangers in the presumptions, e.g. a data message being rejected because the attachment is "too big", or scanned documents (e.g. tif files) not being read by the recipient, etc. This is another reason for deleting this section.

3.6 Section 12 - Writing

It is not totally clear whether the reference to "under law" includes both statutory and common law. It is therefore recommended that the term "law" be defined to clarify the exact extent of the intention of the legislature.

While the intent of this section is supported, there is likely to be considerable debate and legal challenge around the concept "accessible" contained in section 12(b). Accessible to whom? How easy or universal must the accessibility be? How permanent must this accessibility be? We all have many experiences with "unable to open" responses to data messages or files due to systems incompatibilities. Further consideration of the consequences of this important section may be necessary.

3.7 Section 13 - Signature
The issue of "advanced" vs "normal" electronic signatures needs to be debated further. While there is clearly a need for a hierarchy of "signatures" as currently operating in the paper environment (e.g. commissioners of oaths, notaries) these have additional requirements which negate the whole concept of electronic transactions - specifically that the individual concerned and the original documentation must be physically present for attestation to take place. It is not practical for any "advanced" electronic signature official to put his or her personal integrity on the line by attesting to an email or data message without proper physical identification of the person and/or the underlying original.

It should also be noted that the concept of "advanced electronic signatures" already functions internationally, e.g. in the international messaging and payments systems operated by the "SWIFT" organisation. Care must be taken to ensure that the Bill does not disturb these existing systems.

Given the clear need for attesting to or certifying certain "documents" or "electronic transactions", it is recommended that the concept of "advanced electronic signatures" be changed to "attesting electronic signatures" and that this be defined as the specific electronic signatures of commissioners of oaths and notaries. These special electronic signatures can then be attached, according to specified regulations, to certain data messages where required by law. The regulations would then determine how this could be done.

Section 13(1) refers to a signature required "by law". As noted previously (see point 3.6 above), it is not clear whether this includes the common law or not, although the context of advanced signatures would indicate that it does not. Clarity is required to avoid any legal uncertainty.

3.8 Section 14 - Original
Section 14(1)(a) refers to information "when it was first generated in its final form as a data message or otherwise has passed assessment in terms of subsection (2)." This definition is critical, as it relates to the legal requirement of "original form." However, it is not absolutely clear:

- when or how the "final form as a data message" is reached, given the wide definition of data message
- whether this relates only to electronic transactions, or would also apply where existing paper documents are converted to new electronic format.

Paper storage has become very expensive. The facility to legally convert "original" documents into "original" electronic data messages is essential. The section should be amended to clearly include this conversion of "original" to "original", subject to the specified criteria.

3.9 Section 15 - Admissibility and evidential weight of data messages
If electronic transactions are to really replace paper, especially where the law calls for "written" documentation, it is critical that data messages are accepted equally by the courts. There have been complaints about the inadequacy of the Computer Evidence Act for many years. Given this section, which purports to give data messages full evidentiary weight, it is recommended that the Computer Evidence Act be repealed by this Bill.

3.10 Section 16 - Retention
Section 14 relating to Original refers to the retention of data messages, and prescribes inter alia certain reliability/integrity checks. Section 16 relating to Retention is silent on the question of the reliability/integrity of the retention or storage system. It is recommended that the section be amended to address integrity in line with other sections.

3.11 Section 18 - Notarisation, acknowledgement and certification
As noted above (see point 3.7), trying to replicate the existing paper-based system of notarisation, acknowledgement and certification in an electronic transaction environment presents certain practical challenges, specifically relating to how this will be done without face-to-face identification and sight of originals. Of concern is that this section of the Bill could result in unintended consequences which undermine the integrity of the whole system of notarisation, acknowledgement and certification. Further debate on the practical implementation of this particular section is required, alternatively the section should be deleted in the short term to allow the market to develop solutions to the practical difficulties.

3.12 Section 19 - Other requirements
In order to ensure statutory consistency the words "receive" and "retain" should be added to the list of words highlighted in section 19(2).

3.13 Section 21 - Automated transactions
The key to interpreting this section is the definitions of "automated transaction" and "electronic agent" (see the comments on this definition in point 3.1 above). The essence is automated action and/or response by computer, according to pre-programmed decision rules. Section 21 (c) correctly holds a person using an electronic agent, without that person's physical intervention, to the performance of that electronic agent. However, we have a difficulty with subsection 21(d) (and its reference in 21(c)), in that this provides that any party using an electronic agent to form an agreement (an automated transaction) "is not bound by the terms of that agreement unless those terms were capable of being reviewed by a natural person prior to agreement formation". This seems to be an anomaly - a party uses an automated process (including an "electronic agent" - see definition) to enter into an agreement, but is not bound by that agreement unless that party has the opportunity to review the terms of the agreement by a natural person prior to agreement formation. If prior human intervention is required then the party should not make use of an electronic agent.

Alternatively, the intent could have been to protect a consumer who interacts with an electronic agent in the course of an automated transaction (see definitions). Under these circumstances, that party should have the opportunity of reviewing the terms of the agreement prior to the formation of the agreement. In this case, the section should be amended as follows:

"(d) a party [using] interacting with an electronic agent of being reviewed by a natural person representing that party prior to agreement formation;"

Alternatively, if the intent is to provide for fully automated transaction processing, the section must be amended to provide for the two contracting parties to "opt out" of the requirements of subsection 21(d), as follows:

"(d) a party using an electronic agent prior to agreement formation, unless agreed to otherwise by the contracting parties;"

It should be noted that the provisions of subsection 21(e) - voiding of a contract where a natural person interacts with an electronic agent under certain conditions - are restricted to interaction by a natural person. Anybody choosing to interact with an electronic agent via an electronic agent will be liable for any errors caused (see subsections (a), (b) and (c)).

3.14 Section 24 - Time and place of communications, despatch and receipt
This section creates certain anomalies in law which are likely to have unintended consequences, especially for an environment based on existing (paper based) systems:

- subsection 24(a) provides that an agreement can be concluded or performance delivered once the relevant data message "enters an information system outside the control of the originator...." This presumption of delivery to the other contracting party is the same as saying that summons is served on an individual once that summons has been dropped into the post box. While 2 contracting parties could contract to this effect, it would seem inappropriate for the law to create such a statutory presumption.
- subsection 24(b) creates the presumption that once a data message "is capable of being retrieved and processed by the addressee" it has in fact so been retrieved and read. The equivalent analogy would be that once a posted summons has been delivered to the addressee's post box summons has been served. It would again seem inappropriate for this presumption to be codified in law.
- it is unclear how section 24 will impact SMS messages, or mobile/cell communications; clarity is required.

These presumptions of performance/conclusion, or of receipt of that performance/conclusion, and of "usual place of business" have serious consequences, and further debate is necessary on their implications and practicalities to ensure that consumers are not prejudiced.

3.15 Section 26 - Attribution of data messages to originator
This section creates certain presumptions concerning the originator of any data message. However, in most electronic transactions all that can be ascertained without doubt is that a certain machine was used to transact electronically. In the absence of a complementary biometric or password/PIN control system, there is never any assurance as to exactly who is operating any specific computer (e.g. the TV advert of the teenager who orders his father a fancy sports car via the internet).

The section also makes no provision for the compulsory certification by a trusted third party, as is currently available in the market (i.e. to certify that the computer is what it says it is).

The impact of this presumption is likely to cause considerable legal uncertainty, rather than less (i.e. the duty of care on parties to ensure who they are transacting with is removed). It is recommended that this section be deleted.

3.16 Section 27 - Acknowledgement of receipt of data message
Given the Bill's provisions for "time and place of communication" (section 24), section 27(a) confirms that an electronic agreement can be entered into with one or both parties unaware if the other has actually received or read the message (as confirmed by an acknowledgement of receipt). This is likely to lead to legal uncertainty.

3.17 Section 29 - Requirements may be specified
While we understand the necessity for every public body to be able to specify the "manner and format" in which it will conduct e-Government, this should occur within a standardised, openly accessible technological platform. Failure to do so could lead to a proliferation of incompatible technological platforms which will hinder rather than promote e-Government. It is therefore recommended that section 29 be amended as follows:

"29. In any case where a public body decides to perform any of the functions referred to in section 28, such body must do so within a standardised, openly accessible technological platform as approved by the Minister, and may specify by notice in the Gazette..."

3.18 Section 30 - Register of cryptography providers
This section dictates that all cryptography providers must register with the Department before trading in the Republic. We presume that this is a purely administrative action (per the data in subsection 30(2) and (3)), and that there is no intention of approving (or disapproving) of certain suppliers. It is critical that the Department does not attempt to do so, but rather leaves it to the market to weed out the weak/inferior systems.

It should be noted that the register of cryptography applies only to data messages (i.e. it would not apply to other communications media such as voice/telephone scrambling, hard copy writing).

3.19 Sections 34 - 42 Chapter VI - Authentication Service Providers
Authentication service providers have been operating, and continue to operate, in the market without any problem. There is absolutely no need for government to "nationalise" this function, and it is highly likely that, given its performance in other areas, this nationalisation will actually hinder the efficient and effective provision of trusted authentication service providers.

We therefore recommend that the entire chapter, sections 34 - 42, be deleted from the Bill.

3.20 Section 43 - Scope of application
We welcome the intent of improving consumer protection. However, by nature eCommerce is a "virtual" market, and will involve cross-border transactions. It is therefore critical that local service providers are not adversely regulated in comparison to their foreign competitors, otherwise these services will just relocate "offshore".

3.21 Section 44 - Information to be provided
Section 44(1)(i) requires that "the full price of the goods or services, including transport costs, taxes and any other fees or costs" must be stated up front. In many cases prices are quoted "free on board", with transport and/or delivery costs for the customer's account (especially in cross-border transactions), or the supplier may be unaware of local import taxes, or the price may fluctuate. The section should therefore be deleted, and a new section included to provide for greater flexibility:

"(i) the price of the goods, clearly stating whether the price is fixed and if so for how long, what other charges are included or may be required to be paid by the customer, and what local taxes are included or need to be paid by the customer."

Section 44(1) should be amended to include

"(s) The contact details of the Consumer Affairs Committee referred to in section 50."

Section 44(5) places a statutory onus on a supplier to "utilise a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned." Payment systems are generally regulated by other bodies and / or statutes, and it is not within the scope of this Bill to interfere with that. The concept "sufficiently secure" is also vague and open to variable interpretation, e.g. it could be argued that cash is not a secure payment system given the prevalence of armed robberies and muggings.

It is also a moot point, but the customer is usually the one who selects his or her preferred payment system, with the supplier receiving the payment at the end of the payment transaction. In many cases this involves third parties in the payment transaction. Any supplier should therefore offer a range of payment services to meet the various customers' needs.

It is recommended that this section be deleted, and replaced with:

"(5) The supplier must offer a number of payment options, all of which are regulated by national and/or international payments authorities."

Given the previous discussion, and the complex intermediaries involved in both payments and data message services, it is inappropriate for the Bill to hold (subsection 44(6)) the supplier "liable for any damage suffered by a consumer due to a failure" of the supplier to ensure a "sufficiently secure" payment system. The onus is incorrect in the first place, and the proposal of "any damage" far too wide. It is therefore recommended that subsection 44(6) be deleted, alternatively that the words "any damage" be replaced with "the direct damage or the actual payment."

3.22 Section 45 - Cooling off period
The concept "days" needs to be clarified to specify whether it is calendar or working/business days.

The restrictions on the cooling off period as specified in section 43(2) are noted. However, the current wording of subsection 45(2) would seem to open the door for abuse, in that the customer could have had the use of the product or service during the cooling off period, e.g. the customer may have bought a camping fridge by data message. Seven days after receipt he cancels the transaction "without reason and without penalty" but in the meantime he enjoyed the use of the product during a camping trip. Similarly, with the purchase of a new or used car, where the vehicle would have been registered in the customer's name, and used over the 7 day period. It is therefore recommended that subsection 45(2) be amended as follows:

"(2) The only charge that may be levied on the consumer is the direct cost of returning the goods, provided that, where the goods have been used or the "resale" price affected, the consumer will be liable for a charge for the use and/or any loss in resale price of the goods returned."

3.23 Section 46 - Unsolicited goods, services or communications
This section is important to eliminate unwanted "spam" or "junk mail." However, there is no mechanism to ensure that these provisions are complied with. It is recommended that the following amendment be included as section 46(3):

"(3) Failure to comply with this section is an offence, and liable on conviction to a fine of up to R1 million and/or a jail sentence of up to 5 years."

3.24 Section 48 - Applicability of foreign law
Cross-border transactions, including cross-border consumer protection, are a complex legal environment, generally regulated by international treaty, or multilateral or bilateral national agreements. The bland presumption that this Bill provides protection to consumers, "irrespective of the legal system applicable to the agreement in question", is unlikely to find much support in international law. It should be interesting to see a local aggrieved consumer trying to apply the Bill's consumer protection measures to an internet supplier resident in, say, the USA.

3.25 Section 51 - Scope of protection of personal information
We presume that the references to "Section 51" in subsections 51(2) and (3) should be to "section 52."

We are aware that the SA Law Commission is currently busy with an investigation into the issue of data privacy, which is obviously a far bigger issue than purely related to electronic transactions. We therefore recommend that, once any data privacy Bill is tabled for consideration, it also covers data privacy relating to electronic transactions, and that that Bill repeals sections 51 - 52 of the Electronic Communications and Transaction Bill. Only with this proviso can we support the inclusion of sections 51 and 52 in this Bill.

3.26 Section 52 - Principles for electronically collecting personal information
Given the emphasis of this Bill on facilitating electronic data messages and replacing existing paper-based systems with data messages, it is unclear why the Bill specifies that certain matters must be

- "the express written permission" (subsections 52(1) and (4))

- "in writing" (subsections 52(3) and (6))

It is recommended that in these cases the words "written" and "in writing" be deleted.

Sections 52(5) and (7) specify periods of "at least one year thereafter." It is presumed that this is the minimum (as evidenced by the words "at least"), and that data may be kept for longer. Note as well that there are other statutes which dictate how long personal data must be retained (e.g. the Financial Intelligence Centre Act - 5 years after the ending of a single transaction or business relationship). In this context, it is recommended that subsection 52(8) be deleted, as it is very difficult to determine when exactly, if at all, personal information becomes obsolete. The destruction of "audit trail" data could have a serious impact on, for example, the FIC Act requirements.

It is unclear whether "a party controlling personal information" in subsection 52(9) is the same as the "data controller" in the other subsections of this section.

3.27 Sections 53 - 59 Chapter IX Protection of Critical Databases
This whole section on "critical databases" must be deleted. With all due respect to the state, its management of its own "critical databases" (all of which are critical to the "national security" or the "economic and social wellbeing of its citizens") is totally inferior to that of the private sector (e.g. the well publicised stories of corruption in the Home Affairs ID database, the drivers licence database, the databases of pension and welfare grants, the out-of-date records in the companies and CC databases, national register of vehicles, etc., etc.).

If the section refers only to the databases of public bodies, these are already within the management and/or ownership control of government, so the chapter is unnecessary.

To the extent that the section is targeted at private sector owned and managed databases, it is difficult to see how any "national security" or "economic and social well-being of its citizens" could ever justify the type of draconian action contemplated by this chapter.

We recommend that the whole chapter, sections 53 - 59, be deleted.

3.28 Section 60 - Establishment of Authority
The management of the .za domain name is already occurring, effectively and efficiently. On the other hand, anyone who has tried to register a company or cc name at the DTI's Companies Register will vouch for the absolute bureaucratic nightmare which is experienced. It is absolutely conceivable that, should the efforts of the Minister under Chapter X to nationalise the .za domain name space management be successful, the new authority will also deteriorate into the same frustrating, inefficient, red-tape driven bureaucracy.

We therefore recommend that the whole chapter, sections 60 - 73, be deleted, as there is more than enough evidence that government intervention and nationalisation of existing service providers is not required.

3.29 Section 75 - Recognition of representative body
This section (75(1)) refers to "an industry representative body for service providers", whereas section 76(a) refers to "the representative body referred to in section 75." Clarity is required as to whether there can be more than 1 recognised representative body for service providers.

3.30 Section 81 - Take-down notification
Section 81 requires certain notifications to be "in writing", which is at odds with the stated objectives of the Bill. It is recommended that the words "be in writing and" are deleted.

3.31 Sections 84 - 88 Chapter XII Cyber Inspectors
These sections create another "special policing service", thereby proliferating the dispersion of special investigative skills outside the standard SAPS. The sections are unclear on the qualifications, training or experience required, although "any employee" of the Department may be appointed as a cyber inspector (section 84(1)).

It is recommended that sections 84 - 88 be deleted, and that a new section 84 be included:

"Criminal justice system"
"84(1) The Minister must liaise with the Ministers of Safety and Security and of Justice to ensure that the SA Police Services, the courts and the prosecutorial authorities develop the appropriate skills and expertise to enable them to uphold this Act."

"(2) The Ministers of Safety and Security and of Justice must ensure appropriate resources are allocated to the combating of cyber crime."

3.32 Section 90 - Unauthorised access to, interception of or interference with data.
Section 90(2) should be amended to more clearly criminalise unauthorised interference with data, as follows:

"(2) A person who intentionally and without authority to do so, interferes with data in [a] any way whatsoever which causes such data.."

3.33 Section 93 - Penalties
Section 33(2) already provides for a penalty (2 years) and this reference in section 93(1) should be deleted.

Section 86 (2) also makes certain actions an offence, so presumably it should also be referred to in section 93.

While we welcome the new offences, the penalties are very light in relation to the economic damage done by "cyber criminals" or hackers, and even the costs expended in protecting data systems against cyber crime. It is interesting to compare these insignificant penalties with those provided in the Prevention of Organised Crime Act or the Financial Intelligence Centre Act relating to money laundering. It is therefore recommended that the penalties in this Bill be increased on a par with those in the mentioned Acts.

3.34 Section 97 - Limitation of liability
Given the wide powers conferred on the Minister and the Department and the proposed nationalisation of certain currently-functioning private sector functions by the State in terms of the proposed Bill, this section indemnifies state officials from everything but gross negligence. It is recommended that the words "and without gross negligence" be deleted from the section.

4. Conclusion
As has been noted above this is a very important Bill, both in terms of clarifying "legal certainty" around electronic transactions, and in preventing unintended or unforeseen consequences from hampering the rapidly evolving eCommerce market. We trust that the comments made above will assist the Committee in its deliberations, and request an opportunity to present oral input during the public hearings on the Bill.

Yours faithfully

STUART GROBLER
General Manager