The pandemic has driven home the high value of personal data to the global economy, while also highlighting its vulnerability to abuse and attack.
In response, governments around the world have been reviewing their data privacy and protection laws and regulations, including in South Africa and Ghana.
Global cybersecurity firm Kaspersky recently noted that cyberattacks are set to rise in African countries, especially in the key financial centres of South Africa, Kenya and Nigeria.
The cybersecurity firm noted that rapidly evolving digital techniques had led to an increased risk of Advanced Persistent Threats and hacking-for-hire events in Africa.
In South Africa, the Cybercrimes and Cybersecurity Act was signed into law by South African President Cyril Ramaphosa in early June 2021, bringing the country’s cybersecurity legislation in line with global standards.
The Act compels electronic communications service providers and financial institutions to act when they become aware that their computer systems have been involved in a cybersecurity breach, as defined by the Act.
They must report such offences to the South African Police Service within 72 hours of becoming aware of the offence, and preserve any information which may be of assistance in the investigation. Non-compliance with this provision is a criminal offence and massive fines can be imposed.
The Act further criminalises harmful data messages, such as those that invite or threaten violence or damage to property, as well as those that contain intimate images. Data is broadly defined in the Act as “electronic representations of information in any form.” The Act also criminalises cyber fraud, extortion, forgery and the theft of incorporeal property.
Those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years.
In South Africa, data security is also governed by the Protection of Personal Information Act (POPIA).
On 1 July 2021, the substantive implementation of key provisions of POPIA will become enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
One of the conditions for lawful processing in terms of POPIA is the use of security safeguards, which prescribes that the integrity and confidentiality of personal information must be secured by a person in control of that information.
This is prescribed by POPIA in order to prevent loss, damage or unauthorised access to, or destruction of, personal information.
Like the Cybersecurity Act, POPIA brings South Africa in line with international data protection laws by regulating the processing of the personal information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information.
In terms of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party has to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established.
The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media, or communicated as directed by the Information Regulator.
It must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise.
In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if there are reasonable grounds to believe that such publicity would protect a data subject.
An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.
In 2020, Ghana similarly passed its Cybersecurity Act 2020, to oversee the country’s response to the prevention and management of cybersecurity incidents.
The Act establishes the Cyber Security Authority and provides for the protection of the critical information infrastructure of the country. The Act also regulates cybersecurity activities, oversees the protection of children on the internet and seeks to develop Ghana’s cybersecurity ecosystem.
Cybersecurity and Personal Data Legislation
Legislation governing the digital economy is essential to protect African citizens in terms of both their digital privacy rights and cybersecurity threats, while at the same time also ensuring that their online freedoms are not threatened.
The African Union has been encouraging its member states to sign its Convention on Cybersecurity and Personal Data and implement balanced local legislation that is fully enforceable and that respects human rights.
To facilitate this process, consultations with stakeholders in government, businesses (local and international) and organisations representing wider society would ensure a balanced approach during the drafting of these laws.
International legislation should be considered alongside local laws, given the borderless nature of the online environment, and consulting with technology experts on policy means that due consideration can be given to the specific nature of this rapidly developing sector.
Considering the current rapid move to digitally-focused business models, the implementation of these legal protections and guidance has become urgent for all African countries.