Authored By: Oratile Khumo Lekalakala
University of South Africa
Introduction
The Cybercrimes Act 19 of 2020 was implemented to protect the people of the Republic from digital offences that relate to cyber crimes such as access to data acquired unlawfully and communications also being intercepted unlawfully.1 The case of AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others; Minister of Police v AmaBhungane Centre for Investigative Journalism NPC and Others2case and the Fourie v Van Der Spuy and De Jongh Inc.3case both concern themes surrounding breaches of privacy, confidential information that should be protected and balancing duties by professionals alongside constitutional rights. The Amabhungane case specifically seeks to highlight the risk of being under surveillance and that infringing on one’s constitutional rights and also protecting confidential information, and the Fourie case highlights the importance of due diligence and protection confidential information. The importance of these themes is that they the above two cases both concern the Cybercrimes Act 19 of 20204and the Act is built on a foundation that is founded on constitutional values and it seeks to criminalise those who intrude into the privacy of other persons and that can be natural or juristic persons, and it also seeks to protect confidential information, while recognising the need to balance human rights with the powers held by the State. Legislative history shows that older laws like Regulation of general Interception of Communications and Provision of Communication-related information Act 70 of 20025and Electronic Communications and Transactions Act 25 of 20026 were insufficient to protect breaches of privacy and confidentiality in the face of new digital threats.
Legal Framework
Before 2020 South Africa relied on the RICA and ECTA to deal with online crimes and surveillance. ECTA alongside RICA was enacted to provide for the facilitation and regulation of electronic communications and transactions; to provide for human resources development in electronic transactions; to prevent abuse of information system and to encourage the use of e-government services.7
RICA came into effect because due to the use of sources that were computer related, sources such as mobile phones, satellite communications, emails and so forth; as such Parliament found it necessary to implement RICA as a measure of combatting the crime and preventing it from happening further.8 However, exceptions do exist where interception of communication and monitoring of calls can take place with the consenting party involved in the process of where it can be carried out by law enforcement personnel in certain existing circumstances. The object of RICA is, in the first instance, to prohibit the interception of communications and, in the second instance, to regulate the exceptional circumstances under which communications may be intercepted.9
However, the Amabhungane case concerned interception and state surveillance without the permission of the applicants as RICA failed to provide adequate safeguards and as such infringed on the constitutional rights to privacy (sec. 14), freedom of expression (sec. 16), the rights of access to courts (sec.34)10 and legal privileges.11 RICA infringed on the rights of the individuals because it allowed interception of communications with inadequate oversight and even after the investigation ended, the individuals were not notified of them being under surveillance. The Constitutional Court (CC) highlighted how this was a reminder of the apartheid regime because “the history was characterised by the wanton invasion of the privacy of people by the state through searches and seizures, the interception of their communications and generally by spying on them in all manner of forms.”12 This is the reason why the right to privacy exists in the first place so that as a nation we do not repeat the cycle by respecting the rights afforded to every individual of the Republic.
RICA and ECTA were older pieces of legislation that were found to be insufficient to protect privacy and confidentiality in the rise of new digital threats. The constitutional principles developed in Amabhungane and Fourie shaped the need for reform, which culminated in the Cybercrimes Act. The Act seeks to address the themes raised in the Amabhungane case and the Fourie case, by criminalising harmful intrusions via interception of communications, protecting information that is confidential to natural and juristic persons, and demanding that the State remains consistent in enforcing the Bill of Rights.
Therefore, the Cybercrimes Act was enacted not only because RICA and ECTA were older pieces of legislation but also because of the above to cases. The Cybercrimes Act was enacted to “to create offences which have a bearing on cybercrime; to criminalise the disclosure of data messages which are harmful and to provide for interim protection orders; to impose obligations to report cybercrimes; to impose obligations to report cybercrimes.”13
Judicial Interpretation
The Fourie case is about the second respondent (Nicola van der Spuy) and her firm falling victim to a cybercrime of hackers acting as the applicant by wanting to change the banking details of the applicant and as such resulted in erroneous payments being made. The second respondent is the attorney of the applicant (Johan Andre Fourie). Previously the applicant instructed the attorney/second respondent to retain the trust funds in the trust account, but the attorney started to receive subsequent emails from the email of “the applicant” to notify them of their new banking details and instructed them to transfer the trust funds into a number of bank accounts. The problem starts here because even though the attorney is the principal of the trust accounts, meaning he is the primary person to handle those accounts with care and due diligence, they are still under obligation of their client, i.e. the owner of the trust account. The attorney transferred the funds as instructed but did not exercise the duty of care prescribed by her and was negligent in transferring these funds by not verifying the banking details, to try to call her client to check if this is really their decision to transfer or not, or even remembering the previous conversation she had with the applicant where the applicant explicitly told her to retain the funds in the account.
The High Court stated as follows: “The 2nd Respondent was negligent and failed to exercise the requisite skill, knowledge and diligence expected of an average practising attorney and thus failed to discharge her fiduciary duty to the Applicant by transacting via e-mail whilst full-well knowing that fraud is prevalent in her profession and not employing any measures to ensure that neither she, nor the Applicant will fall victim to fraud.”14 The second respondent wanted to use the defence that the fraud that occurred released her from paying the applicant but the court held that it cannot be a defence because as principal she has to account for her clients funds, and indeed failed to do so.15
The result of this case was that the respondents (Nicola van der Spuy, Ludwig de Jongh and including their law firm) were jointly and severally liable to pay the applicant an amount of R1 744 599.45 with an interest rate of 10% per annum.16
The Amabhungane case on the other hand is about RICA being declared unconstitutional on several grounds and the main being failing to adequately protect the constitutional right to privacy and as such this case involved the interception of oral conversations, email, and mobile communications.17 The applicant (Mr Stephen Sole) suspected that his communications were being intercepted and after an inquest for reasons why his communications were being intercepted, he did not receive any information regarding the matter nor did he receive any information regarding the lawfulness of the interception. And as such the High Court to declare RICA unconstitutional on the following grounds:
- ‘provide for safeguards to ensure that a Judge designated in terms of section 1 is sufficiently independent;
- provide for notifying the subject of surveillance of the fact of her or his surveillance as soon as notification can be given without jeopardising the purpose of surveillance after surveillance has been terminated;
- adequately provide safeguards to address the fact that interception directions are sought and obtained ex parte;
- adequately prescribe procedures to ensure that data obtained pursuant to the interception of communications is managed lawfully and not used or interfered with unlawfully, including prescribing procedures to be followed for examining, copying, sharing, sorting through, using, storing or destroying the data; and
- provide adequate safeguards where the subject of surveillance is a practising lawyer or journalist.’18
The biggest problem is that RICA did not notify subjects about them being under surveillance, it failed to protect lawyers and journalists as they handle confidential information due to it being part of their job. The court stated that a post surveillance notification would not translate as an infringement of the constitutional rights to privacy and as such also infringing on their constitutional right the have access to the courts because they would not be able to take their matter to court.19
Recent Developments
Due to the rise of online criminal activities, Parliament saw it fit to create the Cybercrimes Act, as a measure of criminalising online crimes and for the State to ensure justice takes place even if the crime is committed in front of a screen, or behind a cell phone. Cybercrimes are stealthy because you won’t know who the perpetrator is and that is a very dangerous because not many people are tech savvy or are aware that such a thing as online crimes exist and that leads to many people taken advantage of by falling victim to scams, calls from the bank which tell them to “verify their banking details” and they end up sending their full account numbers, CVC codes, year of card expiry or even the pin to their banking apps. The Cybercrimes Act seeks to criminalise these offences.
Way Forward
The way in which society can move forward and change is by the Republic instituting measures in which society learns about these online crimes and teaches the people on measures that they themselves can take to ensure that they do not fall victim to these crimes. Another one is that the Republic should take it upon themselves to teach people about technology and if they receive any calls, messages or any sort of communication from someone they do not know, they should by all means ignore whatever is requested from the other end of the call, especially regarding monetary payments. And we should look out for the elderly too, its easy for them to be taken advantage of and the message that should be spread is the Republic protecting each other at all costs.
We should spread the message of every individual in the Republic knowing their constitutional rights especially after coming from an era where we were subordinated by the white supremacist government who did not even see people of colour to have rights to begin with, it becomes easy for the people of colour who grew up within such a dispensation to easily feel subordinated and that is exactly why we do not want a repetition of it. The right not be under surveillance without being notified of such surveillance is an invasion of privacy and this eerily reminds us of how the apartheid government and how every black had to be home at a specified time because if they were to be found on the streets, they would be put in jail or even abused if not killed.
Legislation is implemented so that we as a nation move forward but how can we properly move forward when our citizens aren’t being taught? As a nation we need to implement measures to educate, protect and uphold the nation and its people. Everyone should have access to electronic devices but what’s the point if they do not know how to properly use them? Due diligence should not only be exercised by professionals but also citizens of the Republic.
Conclusion
I chose to write on cyber law and cyber-crimes because I wanted to expand my knowledge into this field, and I had the pleasure of doing hours of research and having sleepless nights. As much as these cases concerned the corporate sphere, it made me reflect on the gap that exists between the people who took these cases to court and the normal people who might have fallen victim to cyber-crimes and they went unreported, and the sad reality is that most of these people do not know much on the use of technology and how they can be taken advantage of. As I end this I choose say that even though cyber crimes exist, measures should also be implemented to track these people down and to know your criminal, you must know their tactics such as what operating system they use, how do they hide themselves, what alias do they use, how to track their IP address and I think in such a case the victim must also specify the time when the time took place so that we can track their IP address which in turn can maybe give us their location and in my opinion I believe is how we will bring all the victims to justice. I of course do not work in Cyber law, but I gathered this information from what I have learned to media consumption.
Bibliography
Case law
AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others; Minister of Police v AmaBhungane Centre for Investigative Journalism NPC and Others
CCT 278/19 and CCT 279/19
Fourie v Van Der Spuy and De Jongh Inc. 2019 JDR 1801 (GP)
Legislation
The Constitution of the Republic of South Africa, 1996
Cybercrimes Act 19 of 2020
Electronic Communications and Transactions Act 25 of 2002
Regulation of general Interception of Communications and Provision of Communication related information Act 70 of 2002
Internet sources
Cliffe Dekker Hofmeyr (CDH), ‘Cybercrime in South Africa – attorneys fall victim to cyber fraud’ < Cybercrime in South Africa – attorneys fall victim to cyber fraud – Cliffe Dekker Hofmeyr > accessed 22 August 2025
Cliffe Dekker Hofmeyr (CDH), ‘An end to secret state surveillance under RICA’ < An end to secret state surveillance under RICA – Cliffe Dekker Hofmeyr > accessed 23 August 2025
Polity, ‘What is RICA?’ < What is RICA? > accessed 23 August 2025
1 Cybercrimes Act 19 of 2020 (preamble and long title).
2 AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others; Minister of Police v AmaBhungane Centre for Investigative Journalism NPC and Others CCT 278/19 and CCT 279/19 (hereafter referred to as The Amabhungane case).
3 Fourie v Van Der Spuy and De Jongh Inc. 2019 JDR 1801 (GP) (hereafter referred to as The Fourie case).
4 The Cybercrimes Act 19 of 2020 (hereafter referred to as The Cybercrimes Act).
5 Regulation of general Interception of Communications and Provision of Communication-related information Act 70 of 2002 (hereafter referred to as RICA).
6 Electronic Communications and Transactions Act 25 of 2002 (hereafter referred to as ECTA).
7In the long title of the act ECTA.
8 What is RICA?
9 The privacy of customers seemingly protected by RICA – Werksmans.
10 The Constitution of the Republic of South Africa, 1996 (hereafter referred to as The Constitution).
11 An end to secret state surveillance under RICA – Cliffe Dekker Hofmeyr.
12 The Amabhungane case (para. 26).
13 In the long title of the Cybercrimes act.
14 The Fourie case (para. 30).
15 The Fourie case (para. 31).
16 The Fourie case (below para. 31)
17 An end to secret state surveillance under RICA – Cliffe Dekker Hofmeyr.
18 The Amabhungane case (para. 157).
19 Sec. 34 of the Constitution.
