The Cybercrimes Bill had long been viewed as a potential threat to internet freedom, with clauses that might have enabled social media clampdowns or expanded government surveillance. (See previous analysis here and here)

But in early December, after sustained criticism, Parliament agreed to major drafting changes which stripped out almost every one of those clauses.

When the National Assembly finally voted in favour of the Bill, it felt like a news report that a meteor had just hurtled past Earth’s atmosphere would feel – you may not have known, but we narrowly escaped its catastrophic impact.

To understand the changes, we first have to look at what was in the Bill when it came to Parliament in 2017. (We won’t go into the 2015 draft Bill, which was shot to pieces for heavy-handed clauses on copyright and on state secrecy – these were withdrawn before the Bill got to Parliament.)

In 2017, the Bill had two main parts – the first half related to ‘cybercrimes’, and the second to ‘cybersecurity’. The section on ‘cybercrimes’ was driven by the Department of Justice, with the intention of updating definitions of various cyber-related crimes, such as online fraud, hacking, and data theft, and improving the state’s capacity to fight these. There were significant criticisms of certain provisions, but few people argued with the underlying need for updated cybercrimes policy.

The second half of the Bill – the ‘cybersecurity’ section – was driven by the state-security structures, and that’s where internet freedom was really put at risk. In the name of cybersecurity, these provisions would have transferred far-reaching powers to the State Security structures, then under former minister David Mahlobo, to get access to and oversee any network, database or device on the internet, if the Minister mandated it. In the style of ‘national key points’, the Minister could declare any part of the internet (network, device or server) to be subject to invasive vetting by State Security structures for national security reasons, at a time when the same state security structures were already displaying an appetite for unchecked spying and monitoring of the populace.

At the same time, Mahlobo famously proposed that the Bill would be needed to regulate ‘false narratives’ on social media. This specific proposal was realised with the insertion, by persons unknown, of a clause that would have made it a crime to post a message deemed to be “inherently false” and “aimed at causing mental, psychological, physical or economic harm”.

All of these proposals rightly raised the alarm that the Bill had provisions that could pose a serious threat to internet freedom and freedom of expression.

But after months of stalemate, in October and November, the Bill’s drafters took major steps to address those concerns.

In late October, the Department of Justice tabled a new version before Parliament which had the entire ‘cybersecurity’ section stripped out, removing every single proposal advanced by the Mahlobo’s State Security. This new version also offered key improvements to the ‘cybercrimes’ sections which sought to address concerns about freedom of expression. The National Assembly eventually voted in support of this new version of the Bill.

So, the year 2018 closes with at least a partial victory for internet freedom – no powers for State Security, no ‘fake news’ clauses, and (though the final version of the Bill is not above criticism) the promise of more effective policing of online crimes such as fraud, hacking, and ‘revenge porn’.

It’s worth celebrating.

Still, in 2019 we need much more. Far too many people don’t know this, but South Africa has an existing law that would protect millions of people from having their personal information misused or stolen online.

The Protection of Personal Information Act (POPI) was signed into law five years ago, but a series of baffling bureaucratic delays mean that it isn’t yet in force. If it were in force, any government or private entity that misused your personal information could be investigated and penalised by a new watchdog body called the Information Regulator. But, years after the law was passed, and after a plethora of major data breaches, the Information Regulator (now headed by Adv Pansy Tlakula) is still staffed by only a handful of people, and the full protections in the POPI law won’t come into effect until that changes.

Each arm of government seems to blame another for these delays, but for ordinary people, the effect is the same: our personal information can be stolen or leaked online at any time, and the watchdog that should be in place to protect us, isn’t.

The failure to bring this signature law into force is even more baffling as we head towards the 2019 elections, given evidence in the US, UK and elsewhere that the popular vote can be manipulated by those with unregulated access to people’s personal data.

So, the year closes with an overlooked legislative victory for your digital rights. But the next year opens with a major overlooked threat to those same rights. So get some rest this festive season – there’s a big battle still ahead of us. DM