Background

The Electronic Communications and Transactions (ECT) Bill is the result of a democratic and consultative process that began in 1999 with the publication of a Discussion Paper designed to stimulate discussion and debate. This was followed in November 2000 by the publication of a Green Paper that highlighted the numerous legal and practical issues that would need to be addressed in a Bill. In order to fast-track the process, the Department of Communications (DoC) decided to dispense with the normal procedure of publishing of a White Paper -- which would have allowed for further consultation -- and tabled the current Bill as it stands, inviting only final public comments. The deadline for submitting comments was 8 May 2002 (see bridges.org's comments to the Government at http://www.bridges.org/e-policy/sa/ect/ ).

General comments

As drafted, the Bill represents a major step forward in the facilitation of electronic commerce in South Africa, and an effort by the Government to implement enabling legislation. It will help expand the growing ICT sector and also boost economic growth, and can be seen as part of a portfolio of legislation that impacts on the use of ICT in its widest sense, and that will lessen the digital divide within South Africa and between South Africa and the more developed countries.

The Bill has far-reaching implications for the way that South Africans will work, transact and share information; indeed it has been described as the "second constitution" because of the wide impact that it will have. The Bill demonstrates that the Government has studied international best practice in terms of electronic commerce legislation and many of those practices are represented in the legislation, such as ensuring that electronic signatures are granted the same evidential weight as "wet" or conventional signatures. However, whilst the Bill does achieve its primary objective of facilitating electronic transactions, it also raises a number of serious questions, particularly in relation to some of the definitions used, and the intentions to regulate the provision of cryptography services, privacy of information, unsolicited communications and the protection of critical databases.

We have a concern about the degree to which responsibility for much of the ensuing regulation is vested in the Department of Communications. Whilst the DoC has to play a pivotal role because of its responsibility for managing the telecommunications infrastructure, electronic transactions will impact on the work of a broad spectrum of Government departments, including Treasury, Home Affairs, Trade and Industry and National Security. These departments -- and others -- should be given a more active role in the drafting and implementation of further related legislation and regulations. Best practice elsewhere shows that a cross-cutting body which oversees legislation of this nature is an effective way to ensure that the widest possible range of stakeholders play a part, including the private sector and civil society.

Another concern is that the Bill has too much regulation that will discourage private sector investment and create an unnecessary burden on Government, which the taxpayer will have to pay for ultimately. Whilst there is a need for standards and registration for the provision of some of the services outlined in the Bill, service providers should be given the chance to demonstrate to Government that they are capable of, and are willing to, regulate their own affairs. For example, in order to ensure that adequate self-regulation is in place, the Government could insert a " sunset " clause in the Bill that would require the service providers to have self-regulation in place by two years after the Bill's enactment, otherwise the Government would have the right to impose its own regulatory body. This would be a more effective -- and less expensive -- way to achieve the desired goals.

Objectives of the Bill

The Bill aims to achieve the following objectives:

• develop a National e-Strategy for South Africa that will bridge the digital divide;
• ensure legal recognition and functional equivalence between electronic and paper-based transactions;
• promote public confidence and trust in electronic transactions; and,
• provide supervision and regulation of certain service providers.

Bill synopsis and specific bridges.org comments

Chapter I: Interpretation, Objects and Application

This chapter sets out that the Bill applies to almost all forms on online activity and to the use of electronic communications to the extent that it may have legal implications.

The concept of technology neutrality allows the Bill to be effective over a greater span of time. However, some of the definitions used, such as "critical data", "data message", and "world wide web" are either too proscriptive or too far-reaching and should be tightened so as to avoid excessive and stifling regulation.

Chapter II: Maximising Benefits and Electronic Policy

This chapter promotes universal and affordable access to ICT for all South African citizens. It requires the development of a national e-Strategy by the Minister of Communications, in consultation with members of Cabinet. The e-Strategy must include detailed plans and programmes that will address the development of a national e-transactions strategy, the promotion of universal access and e-readiness, SMME development, empowerment of previously disadvantaged persons and communities, human resource development, and contain definable objects and timeframes.

The development of a national e-Strategy is a good idea, but the responsibility for it should rest with an e-Minister rather than the Minister of any one particular department. This would not necessarily require the establishment of a new Ministry, but a representative body could be formed that would invite stakeholders (government departments, private sector, civil society) to participate as needed. Among other benefits, this would help ensure broad support for the process and representation of the varied views. The inclusion of human resource development in this chapter is a key element in the national e-Strategy. However, the universal service and access concepts should be extended to include the development of locally relevant content in local languages in media that can be used by all, including those who are illiterate or physically impaired (important in the South African context).

Chapter III: Facilitating Electronic Transactions

This chapter is the heart of the Bill, effectively legislating the Government's overall aim of creating an environment conducive to electronic transactions. Part 1 provides for the legal recognition of data messages and records. Provision is made for the legal recognition of electronic signatures and "advanced" electronic signatures (bearing higher evidential value) as a secure form of electronic signing. Electronic data will, subject to certain conditions, be permitted for statutory record retention purposes and regarded as a "writing" or a true copy of an "original" record, and provision is made for the use of electronic data as evidence. Part 2 deals with the rights and obligations associated with data messages, namely contract formation, the time and place of sending and receiving, as well as the time and place where a contract is deemed to have been formed. The chapter also deals with the validity of sending notices and other expressions of intent.

The provisions of this chapter help create certainty and confidence in electronic transactions and encourage electronic contracting. The recognition of electronic documents, signatures and actions as the functional equivalent of paper based counterparts and the technology neutrality regarding electronic signatures (aside from the technical specifications required for an advanced electronic signature) are important.

Chapter IV: E-Government

The e-government chapter deals with electronic filing and lists the requirements for the production of electronic documents and the integrity of information. Provision is made for any Government Department or Ministry to (1) accept and transmit documents in the form of electronic data messages, (2) issue permits or licences in the form of a data message, or (3) make or receive payment in electronic form.

E-government initiatives help increase efficiencies between government departments and between departments and citizens. Moreover, government-to-citizen interaction offers an important opportunity for many citizens to use ICT for the first time so they can see how it benefits their lives.

Chapter V: Cryptography Providers

In an attempt to address security challenges posed by the Internet, this Chapter requires the suppliers of cryptography materials to register with the Department of Communications their names and addresses, product names, and a brief description of the product. This will allow investigative authorities to identify the suppliers of the encryption technologies intercepted by them under monitoring and interception laws, and will enable the authorities to approach these service providers to get assistance with deciphering encrypted messages. It also serves to impose regulation on the service providers.

The Government needs to have access to communications in order to prevent crime and to protect the security and economic well-being of South Africa, but the measures in this chapter do not achieve these goals. First, the Bill creates an unenforceable regime with an excessive level of regulation, at a time when countries such as the France, the United Kingdom and the United States have been forced to dismantle similar regimes. Second, the provisions are likely to dissuade legitimate service providers from setting up businesses in South Africa because of the onerous regulation. There could be a detrimental effect on existing electronic commerce that uses encryption technologies, such as the purchase of goods online where encryption is used to protect credit card details and other personal information. And business visitors to South Africa could be restricted from using personal laptops with encryption software. A more detailed definition of what constitutes a "cryptography product" (in terms of bit length for example) would help overcome these unintended consequences.

Chapter VI: Authentication Service Providers

This chapter provides for the establishment of an Accreditation Authority that will allow voluntary accreditation of electronic signature technologies in accordance with minimum standards. Once accredited, these "advanced" electronic signatures will carry a Government endorsement of authenticity.

This chapter introduces an unnecessary level of regulation in an area where it is in the service providers interests to regulate themselves. Service providers who provide unreliable or sub-standard services will soon go out of business, and the public will quickly distinguish the good from the bad. And as accreditation is voluntary, it seems unlikely that the better providers will need the status that accreditation offers them -- their commercial reputation will serve this purpose. This chapter could also have the effect of dissuading businesses from using electronic signatures. It is not clear why a business would go to the trouble of acquiring a local license to use electronic signatures when there is no fee for using a signature sent by fax or surface mail.

Chapter VII: Consumer Protection

Various measures to protect consumers are proposed in this Chapter. Vendors must provide consumers with a minimum set of information, including the price of the product or service, contact details and the right to withdraw from an electronic transaction before its completion. Consumers are also entitled, under certain circumstances, to a "cooling off" period within which they may cancel certain types of transactions concluded electronically without incurring any penalty. Consumers also have the right not to be bound to unsolicited communications (spam) offering goods or services. The chapter also requires businesses trading on-line to make use of sufficiently secure payment systems.

The Bill should include additional provisions that deal with the transmission of unsolicited communications. This activity, known as "spamming" uses up valuable and expensive bandwidth, and in the majority of cases it is the recipient who bears the cost. This is all the more unacceptable when Internet access costs are high, as is the case in South Africa. Bandwidth should be treated as a scarce resource and those who use it in this way should be penalised.

Chapter VIII: Personal Information and Privacy Protection

This chapter establishes a voluntary regime for the protection of personal information whereby data collectors may subscribe to a set of universally accepted data protection principles. It is envisaged that consumers will prefer to deal with only those data collectors that have subscribed to the stated principles. For those who voluntarily participate in the regime, the sanctions for breaching the data protection principles are left to the parties themselves to agree on. The South African Law Commission is currently developing specific data protection and/or privacy legislation that is expected to be enacted within 24 months.

In addition to disclosing the purpose for which any personal information is being "requested...or stored", data collectors should also be required to provide the information itself to the data subject if requested to do so in writing. Further, subscription to the data protection principles should be mandatory, not voluntary, and there may be a need to include additional principles at a later date. Provision for later amendment should be made in the legislation, especially since the Law Commission is currently developing specific data protection/privacy legislation that would (presumably) affect this chapter. This data protection/privacy legislation under development should also be fast-tracked so that it can keep pace with the provisions of this Bill.

Chapter IX: Protection of Critical Data

This chapter states that the Minister may prescribe matters relating to the registration of critical databases and require certain procedures and technological methods to be used in their storage and archiving. "Critical data" is defined as information that may pose a risk to the national security of the Republic or to the economic or social well being of its citizens if compromised.

The definition of "critical data" as it currently stands is too broad. Whilst it is essential to protect the economic well-being of the nation, data that is regarded as important for the protection of the economic well-being of citizens could come from almost any source. Furthermore, the reference to the protection of "social well-being" should be removed because it is too broad and could cover any source of data. Further, the protection of national security and the economic well-being of the nation are outside the remit of the Department of Communications, and these powers and provisions should rest with other Government agencies.

Chapter X: Domain Name Authority and Administration

This chapter states that a non-profit (section 21) company will be established, or an existing one approved, to manage the domain name space of South Africa. Its membership and governance structures must be representative of the general South African society, government and other stakeholders, and the chapter also sets out the objects, powers and functions of the Authority. Provision is also made for disputes involving domain names to be settled by means of alternative dispute resolution methods. The Minister is empowered to formulate national policy on the .za domain name space.

We are concerned about the provisions in this chapter that transfer authority over Internet domain names to the DoC. International best practice suggests that government should have a role in, but not responsibility for, this function. The .za domain is currently administered by Namespace, an organisation with a great deal of knowledge and experience in this area. It is unlikely that the Internet Corporation for Assigned Names and Numbers (ICANN) would agree to the transfer of domain name authority to the DoC, nor would such a move be supported by a number of other governments, including the United States. Whilst international views may not in themselves concern the South African Government, governance of the Internet is an international issue, and the Government should take note of how other countries approach this matter. The .za domain name is a national asset and should be administered in a way that allows all of those who use it to have a voice, and the Government should work in partnership with the current administrators to achieve national aims. Further, transferring this power to the Government would also require an additional, and expensive layer of bureaucracy to be created, which is not in the best interests of the South African taxpayer.

Chapter XI: Limitation of Liability of Service Providers

This chapter sets out limitations on the liability of service providers or "intermediaries" and creates a safe harbour for service providers that are currently exposed to a wide variety of potential liability by virtue of merely fulfilling basic technical functions. The service providers may limit their liability where they have acted as mere conduits for the transmission of data messages. In each situation the Bill provides specific requirements that service providers must meet in order to invoke the clause limiting liability.

The Bill includes important provisions that remove service provider liability for the content transmitted over networks. But we are concerned that there is no definition of "unlawful activity" as set out in this chapter. A clear definition should be included, as should the right of appeal or redress by the individual or organisation whose "activity" is deemed unlawful. As it stands, the "take-down" procedure is one-sided and could infringe freedom of speech and/or other civil rights.

Chapter XII: Cyber Inspectors

This chapter provides for the DoC to appoint "cyber inspectors" to monitor Internet websites in the public domain and investigate whether cryptography and authentication service providers comply with the relevant provisions. The inspectors are granted powers of search and seizure, subject to obtaining a warrant. Inspectors can also assist the police or other investigative bodies, on request.

It is not necessary to create a cadre of "cyber inspectors". If an individual or organisation is breaking the law then that is a matter for the police, the courts or the appropriate national agency. Consideration should be given to providing training and resources to members of the existing law enforcement community so that they can carry out this function. Again, international best practice indicates that providing specialised training to law enforcement officers in the complex technological and legal issues related to cyber crime is the most effective way to combat this problem, and many other countries who have already taken these steps would be willing to provide advice and training. Cyber crime knows no national boundaries and requires international cooperation to solve and prevent. Existing law enforcement agencies have procedures and relationships that can be built upon, and this would be the most effective and cost-efficient way to deal with this problem.

Chapter XIII: Cyber Crime

This chapter makes the first statutory provisions on cyber crime in South African jurisprudence. The Bill introduces statutory criminal offences relating to information systems, including: (a) unauthorised access to data; (b) interception of or interference with data; (c) computer-related extortion; (d) fraud; and (e) forgery. Any person aiding or abetting another in the performance of any of these crimes will be guilty as an accessory. The Bill prescribes the penalties for those convicted of offences.

This chapter effectively gives the Government the power to deal with criminal actions carried out electronically, and we have no comments to make.

Chapter XIV: General Provisions

This Chapter includes some general legal provisions to which we have no additional comments. They will not affect the facilitation of Electronic Communications and Transactions in any way.