Authored By: Inako Sikhulume
University of Fort Hare
- Introduction
When South Africa’s Constitutional Court declared key provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA) unconstitutional in Amabhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services, it sent an unambiguous message: the state’s digital surveillance powers must be reconciled with the Constitution.[1] The judgment established that bulk surveillance authorised on a low threshold, without adequate procedural safeguards or post-surveillance notification, constitutes an unjustifiable limitation of the right to privacy. Yet within months of that ruling, the Cybercrimes Act 19 of 2020 (the Act) came into full effect, introducing sweeping powers of search and seizure alongside new criminal offences that raise comparable constitutional concerns.[2]
This article argues that while the Act is an indispensable instrument for combating cybercrime, its broadly worded provisions particularly those relating to state investigative powers, the compelled disclosure obligations imposed on electronic communications service providers (ECSPs), and the criminalisation of online speech ,create a disproportionate tension with the constitutional rights to privacy and freedom of expression enshrined in sections 14 and 16 of the Constitution of the Republic of South Africa, 1996.[3] This article proceeds by setting out the applicable legal framework, analysing the specific provisions in issue, and proposing targeted legislative reform.
- The Legal Framework.
South Africa’s constitutional framework provides robust protections for individuals in the digital space. Section 14 of the Constitution guarantees every person the right to privacy, which the courts have interpreted to include informational privacy and the protection of personal data.[4] Section 16 protects freedom of expression, encompassing the right to receive and impart information and ideas.[5] These rights are not absolute; section 36 of the Constitution
permits limitations that are reasonable and justifiable in an open and democratic society, having regard, among other factors, to the nature of the right, the importance of the purpose of the limitation, and the proportionality between the limitation and its purpose.[6]
Against this constitutional backdrop, the primary legislative instruments governing South Africa’s digital environment are the Electronic Communications and Transactions Act 25 of 2002 (ECT Act), RICA, the Protection of Personal Information Act 4 of 2013 (POPIA), and the Cybercrimes Act. POPIA, which became fully operational in July 2021, imposes eight conditions for the lawful processing of personal information and is administered by the Information Regulator.[7] The Cybercrimes Act represents the most recent and most expansive addition to this framework, creating criminal offences relating to unlawful access to data, cyber fraud, cyber forgery, and malicious communications, whilst conferring significant investigative powers on law enforcement agencies.[8] Together, these instruments form the architecture within which any analysis of state cyber powers must proceed.
- Privacy Under Pressure: Investigative Powers and Compelled Disclosure.
The most constitutionally contentious provisions of the Act relate to state investigative powers. Section 27 empowers a judge or magistrate to authorise the search and seizure of a “computer data storage medium” on the basis of a sworn statement that a cybercrime has been or is likely to be committed.[9] While the requirement of judicial authorisation is a meaningful safeguard, the threshold for that authorisation is arguably insufficient. The standard of a “reasonable ground” to believe that relevant data exists mirrors the impugned provisions of RICA that the Constitutional Court found wanting in Amabhungane.[10] In that case, the Court held that authorisation on a low threshold, without ex post notification to persons whose communications had been intercepted, constituted a disproportionate limitation of the right to privacy.[11] The absence of any equivalent notification obligation in section 27 of the Act exposes it to the same constitutional objection.
Section 54 of the Act, which has not yet been brought into force, is more troubling still. It imposes a duty on ECSPs to report cybercrimes to the South African Police Service and grants the state broad access to subscriber and traffic data.[12] When read alongside POPIA’s requirements of lawful processing and data minimisation, a systemic tension emerges: whilst POPIA restricts the collection and disclosure of personal information without the data subject’s consent, section 54 compels ECSPs to share data with the state, potentially without the subscriber’s knowledge.[13] The provision contains no defined data minimisation obligation, no mandatory notification requirement, and no mechanism for a data subject to challenge the disclosure. It is submitted that, absent legislative amendment introducing explicit notification procedures and robust oversight, section 54 will not survive constitutional scrutiny on proportionality grounds.
4. Freedom of Expression and the Criminalisation of Online Speech.
The Act raises equally significant concerns for freedom of expression through its criminalisation of “malicious communications.” Section 14 criminalises the publication of a data message that incites violence or damage to property, while section 16 proscribes the non-consensual disclosure of intimate images.[14] The latter provision,commonly termed the “revenge porn” offence serves a legitimate and pressing social purpose that is recognised across comparative jurisdictions and warrants no criticism.[15] Section 14, however, presents a more complex picture.
The offence under section 14(1)(a) applies to any data message that “threatens” a person with damage or loss.[16] The provision specifies no mens rea standard beyond a general intention to intimidate, and contains no express exclusion for satirical, hyperbolic, or artistic speech that might superficially appear threatening. In a constitutional democracy where robust criticism of public figures and institutions is constitutionally protected, the breadth of this formulation creates a chilling effect on online discourse. Speakers who engage in pointed political satire or provocative commentary may self-censor rather than risk criminal prosecution. Furthermore, the vagueness of the offence raises a fair trial concern: the Constitutional Court has affirmed that criminal offences must be defined with sufficient precision to enable persons to regulate their conduct accordingly.[17] A statutory narrowing construction importing a requirement of specific intent to cause fear of harm or an express legislative carve-out for protected speech would bring section 14 into proportionate alignment with section 36 of the Constitution.
- Conclusion.
This article has argued that the Cybercrimes Act 19 of 2020, whilst a necessary legislative response to the growing threat of digital crime in South Africa, contains provisions that impose disproportionate limitations on the constitutional rights to privacy and freedom of expression. The investigative powers under sections 27 and 54 lack the procedural safeguards demanded by the Constitutional Court’s jurisprudence on surveillance, and the malicious communications offence under section 14 is drafted in terms broad enough to chill lawful online speech.
These deficiencies are not fatal to the Act as a whole; they are amenable to targeted legislative remedy. It is submitted that Parliament should amend the Act to introduce mandatory post-collection notification obligations in line with the Amabhungane standard, explicit data minimisation requirements for ECSP disclosures under section 54, and a specific intent requirement for the section 14 malicious communications offence. Such reforms would not undermine the Act’s crime-combating purpose they would reinforce the constitutional legitimacy upon which that purpose ultimately depends. As the Constitutional Court has recognised, the imperatives of security and the imperatives of rights are not irreconcilable; proportionality is the mechanism by which each is given its due.
Bibliography
Primary Sources
Legislation
Constitution of the Republic of South Africa, 1996
Cybercrimes Act 19 of 2020 (SA)
Electronic Communications and Transactions Act 25 of 2002 (SA)
Protection of Personal Information Act 4 of 2013 (SA)
Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (SA)
Cases
Amabhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3 (CC)
Bernstein v Bester NO [1996] ZACC 2 (CC)
National Coalition for Gay and Lesbian Equality v Minister of Justice [1998] ZACC 15 (CC)
S v Smit [2006] ZASCA 51 (SCA)
Secondary Sources
Pierre de Vos and Warren Freedman (eds), South African Constitutional Law in Context (Oxford University Press 2014)
Sizwe Snail ka Mtuze, ‘Cyber Crime in South Africa — Hacking, Cracking, and Other Unlawful Online Activities’ (2009) 1 Journal of Information Law & Technology 1
Tana Pistorius, ‘Developing Countries and the Internet: An Overview of South African Cyber Laws’ (2006) 2 Journal of International Commercial Law and Technology 90
Reinhardt Buys and Isabel Coetzee, ‘The Cybercrimes Act 19 of 2020: A Critical Analysis’ (2022) 85 THRHR 1
[1]Amabhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3 (CC) (‘Amabhungane’).
[2]Cybercrimes Act 19 of 2020 (SA), commenced 1 December 2021, with the exception of s 54.
[3]Constitution of the Republic of South Africa, 1996, ss 14, 16.
[4]Bernstein v Bester NO [1996] ZACC 2 (CC) paras 67–68.
[5]Constitution s 16(1).
[6]Constitution s 36.
[7]Protection of Personal Information Act 4 of 2013 (SA) (POPIA), ss 4, 39.
[8]Cybercrimes Act ss 2–16, 27–45.
[9]Cybercrimes Act s 27(1).
[10]Amabhungane (n 1) paras 119–131.
[11]ibid para 134.
[12]Cybercrimes Act s 54.
[13]POPIA ss 11, 69.
[14]Cybercrimes Act ss 14, 16.
[15] Enhancing Online Safety Act 2015 (Cth).
[16]Cybercrimes Act .
[17]S v Smit [2006] ZASCA 51 (SCA) para 24..
