A Listening Government?
"It's now 10 years since the fall of the apartheid government and we cannot blame apartheid for being tardy."
In 1994, while they certainly existed, issues of information security (cybersecurity was not a term used at that time) and data protection were relatively new. The risks of cybercrime and other abuses of the new phenomenon of the Internet on a commercial and social level was relatively low. The explosion of the Internet, its applications, uses, the rapid improvement of mobile communications and the advent of social media has changed this irretrievably. The risk of the compromise of information security, abuse of personal information and the perpetration of cybercrimes, particularly by organised criminal syndicates, has increased alarmingly. It is undeniable that these events have occurred under the watch of the ruling party. Equally undeniable is that, at best, it has been tardy in addressing these critically important 21st century issues.
While the risks have now increased exponentially, they have been manifest for a long time. Indeed, in 2002, we saw the advent of the first cybercrimes in the Electronic Communications and Transactions Act. Also included in that Act were voluntary provisions that addressed the issue of protection of personal information. These were important developments. There were also numerous impractical and non-sensical provisions included in the Bill. Regrettably, Parliament chose to ignore the representations that were well-considered by experts in various fields and that would have resulted in a far better Act. These warnings, if they were listened to, were not heeded. Instead the only meaningful amendment that was made to the Bill prior to its enactment were amendments which allowed the South African Post Office to have a preferred role in the provision of advanced electronic signatures.
It is submitted that had the experts been listened to rather than only addressing amendments that were politically expedient we would not have had an Electronic Communications & Transactions Act that save for Chapter III, which was modelled on international model laws, is largely impractical and ignored. The failures to the ECT Act were quickly evident, yet 15 years later, despite these deficiencies, no effort has been made to address the problems created by bad law and rectify the deficiencies.
Turning to the present, comment was made on the Cybercrimes & Cybersecurity Bill and oral representations made in October of this year. The failure to pay heed to expert comment and the problems relating to the Electronic Communications & Transactions Act was recounted to the Parliamentary Portfolio Committee for Justice. It was urged to take into account comment and not simply pay lip service to the process of receiving comment as has been the case with the ECT Act. The Honourable Chairman's response was that government is a "listening government" and the fact that amendments to draft legislation are not made was not because they were not heard but because they were not agreed with. That rationalisation does not bear scrutiny and scratching the veneer will evidence that the ruling party has done what is politically expedient rather than protect the interests of citizens.
The Department of Justice (DOJ) was requested to respond to comments that were made by commentators to the Parliamentary Portfolio Committee. In reading the responses by the Department I have to profess a distinct sense of de jevu. The Department has chosen to sidestep important issues that were raised and in certain circumstances has responded to the comment made to the Parliamentary Portfolio Committee in a manner that has little regard for the facts.
In this regard I refer to 3 of the points that were raised by me and endorsed by numerous others as well as the representations that were made by the Information Regulator.
The first is that the Bill does not take into account the status of privacy and the protection of personal information in South Africa in the context of global developments in this regard. The DOJ’s response is that privacy is comprehensively dealt with in PoPIA. That may be true, but two issues are studiously avoided in providing this response. The first is that nowhere is the position of the Information Regulator recognised in the Bill as it currently stands. This stubborn failure by the DOJ to recognise the importance of the Information Regulator in a cybersecurity context betrays the, seemingly wilful, misunderstanding of the role of the Information Regulator despite the clear requirements of PoPIA and the constitutional duty to protect privacy. This attitude is in line with the utterances of the new Minister of State Security, who was a member of the Parliamentary Portfolio Committee for Justice, and who indicated that privacy was unimportant in the context of cybersecurity.
The second issue is that PoPIA is not yet close to commencement. Despite the fact that PoPIA is the responsibility of the DOJ, the drafters of the Bill and the DOJ's legal advisors being fully aware of this fact, in concluding comments relating to PoPIA the DOJ has had the temerity to state:
"It will be fallacious to argue that the Bill does not take the status of privacy and protection of information into account."
The real fallacy and disingenuity is the DOJ's avoidance of the facts. It does appear that the DOJ has simply sacrificed the civil rights of citizens, some of which are contained in PoPIA of which it is the custodian, on the altar of State Security. Whatever the motivations of the DOJ are, its attitude to privacy betrays the fact that it appears to put party politics above the interests of citizens.
Turning to the issue of cybersecurity and structures for cybersecurity, the DOJ again simply ignores the fact that policy relating to cybersecurity and the measures that could easily have been taken to improve information security within government, without legislation, have simply been neglected. This duty, vested initially in the National Intelligence Agency and now the State Security Agency, neither of which have done anything to advance information security within government. If this were not the case how does the DOJ explain the Minimum Information Security Standard published in 1996 and that has never been amended, still governs information security in the public sector?
The facts stare the DOJ in the face. Yet it appears quite happy, despite the incompetence, tardiness and concerns about the independence of the State Security Agency, to empower the State Security Agency to prescribe information security measures in the private sector. This position is nothing less than ludicrous and the DOJ’s failure to recognise this and look beyond policy documents to ensure that legislation is practical and protects South African citizens, is a grievous blow to the constitutional right of privacy.
Another example of the DOJ’s failure to take account of the facts is that it states in its response to comments that the Cybersecurity Hub has been established. Indeed, a Cybersecurity Hub has been established at great cost and equipped with expensive state of the art technologies intended to assist citizens. The Cybersecurity Hub was opened more than 2 years ago, however, had the DOJ bothered to make the enquiry, it would also establish that the Cybersecurity Hub remains dysfunctional, completely understaffed and that it does not provide the services that it was contemplated it would to citizens.
Creating legislation for the sake of legislation, without due regard for the facts or context, is simply dishonest. It is an attempt to paper over the cracks of the legacy of 23 years of neglect of important cybersecurity and privacy issues. Unfortunately, this will not succeed in remedying the failures that are evident to all but the politically blind. The indictment on the DOJ, as the custodian of privacy, in its neglect for ensuring the balance between cybersecurity and privacy is properly maintained, is profound and will have a detrimental effect on civil liberties in South Africa for many years to come.
©Mark Heyink 2017