Skip to main content

PLEASE NOTE: For everyone’s safety, Fasken recommends anyone on-site at our Canadian offices be familiar with the COVID-19 recommendations in place which may include one or more of the following: social distancing, hand sanitizing, wearing a mask in common areas and proof of full vaccination. These measures apply to lawyers, staff, clients, service providers and other visitors.


Decrypting and decoding the Cybercrimes Act in three key takeaways

Reading Time 4 minute read


The 21st century has hastened the cyberworld’s reaching of its zenith, with ceaseless innovations unfathomable to even the brightest modern day pioneer. With our society becoming more sophisticated by the hour, it is easily forgotten that the “underworld” is becoming just as sophisticated, or even more sophisticated than the world of law and order. Cybercrimes have thus posed as a challenge to traditional legal systems around the world requiring a robust approach to creating offences for crimes of the 21st century.

In addressing this global phenomenon, the South African Parliament passed the Cybercrimes Bill, which was assented to by President Cyril Ramaphosa and signed into law as the Cybercrimes Act on 26 May 2021. This piece of legislation is South Africa’s national and global effort to curb and criminalise theft and interference of data, thus bringing its cybersecurity laws in line with global legal and data protection trends.

The purpose of the Cybercrimes Act

The main purpose of the Cybercrimes Act are 1) the criminalisation of the disclosure of harmful data messages 2) the creation of new cyber and data related offences and 3) the imposition of penalties and the reporting obligations of financial institutions. We take a further look at these points below.

Takeaway 1: Criminalisation of the disclosure of harmful data messages (malicious communications)

The Act criminalises the disclosure of certain types of data messages in South Africa, namely those which are classified as harmful.[1] These data messages are often shared on social media platforms and other communication platforms on a regular basis. Data messages which are considered to be harmful in terms of the Act include, among others, data messages which:

  • incite damage to property or violence;
  • threaten persons with damage to property or violence; and
  • unlawfully contain an intimate image without the data subject’s consent.

Disclosure is broadly defined and includes (section 13):

  • sending the data message to the intended recipient or any other person;
  • storing the data message on an electronic communications network (such as WhatsApp), where the data message can be viewed, copied or downloaded; or
  • sending or making available a link to the data message that has been stored on an electronic communication network.

Criminalising the disclosure of harmful data messages acts as a lesson for the general public to “think before you click send, post or share” as there are severe penalties for disobeying the law by disclosing such data messages. It is therefore recommended that one errs on the side of caution and makes a value judgment on whether the disclosure of a particular data message would bring harm to anyone and thus contravene the Act. If this is the case, rather not disclose the data message.

Takeaway 2: The creation of further new cyber and data related offences

With criminals finding new ways to commit cybercrimes, unscathed by outdated laws, the Act creates further new offences and criminalises certain acts relating to cybercrime. Some of the new offences created by the Act relate to data, messages, computers and networks including, among others:

  • Hacking (unlawful and intentional access to data, a computer program, a computer data storage medium or a computer system) (section 2);
  • Unlawful interception of data (which includes acquiring, viewing, capturing or copying of data of a non-public nature through the use of hardware or software tools) (section 3);
  • Cyber fraud (fraud committed by means of data or a computer program or through any interference with data, a computer program, a computer data storage medium or a computer system) (section 8);
  • Cyber forgery (the unlawful and intentional creation of false data or a false computer program with the intention to defraud) (section 9(1));
  • Cyber uttering (the unlawful and intentional passing-off of false data or a false computer program with the intention to defraud) (section 9(2)); and
  • Malicious communications (the distribution of data messages with the intention to incite the causing of damage to any property belonging to, or to incite violence against, or to threaten a person or group of persons) (sections 13 to 16).

Takeaway 3: The imposition of penalties and reporting obligations of financial institutions

The Act prescribes penalties that offenders will be liable for on conviction of the cybercrimes created by the Act. These penalties include fines and/or imprisonment ranging up to 15 years of imprisonment.

In addition, the Act imposes obligations on financial institutions to assist in the investigation of cybercrimes by reporting offences to the South African Police Service. The Act provides that financial institutions who fail to report such offences are guilty of an offence and are liable to a fine not exceeding R50 000.


The Act will impact everyone in South Africa and the way in which we interact with data or use electronic devices. With the advent of the age of remote working emanating from the Covid-19 pandemic, cybercrime is rapidly becoming the latest “pandemic” and it takes a global and legal effort to “curb the spread” of cybercrime and breaches of cybersecurity.

This bulletin was prepared by partner Jesicca Rajpal, associate Emma Alimohammadi and candidate attorney Giscard Kotelo.

[1] See Chapter 2 (Cybercrimes, Malicious Communications, Sentencing and Orders to Protect Complainants from Harmful Effect of Malicious Communications) and more specifically, sections 13 to 16 of the Act.



    Receive email updates from our team