| 1. |
In this Act, unless the context
indicates otherwise— "addressee", in respect of a data message, means a person who is intended by the originator to receive the data message, but not a person acting as an intermediary in respect of that data message; "advanced electronic signature" means an electronic signature which results from a process which has been accredited by the Authority as provided for in section 37; "authentication products or services" means products or services designed to identify the holder of an electronic signature to other persons; "authentication service provider" means a person whose authentication products or services have been accredited by the Accreditation Authority under section 37 or recognised under section 40; "Authority" means the .za Domain Name Authority; "automated transaction" means an electronic transaction conducted or performed, in whole or in part, by means of data messages in which the conduct or data messages of one or both parties are not reviewed by a natural person in the ordinary course of such natural person's business or employment; "browser" means a computer program which allows a person to read hyperlinked data messages; "cache" means high speed memory that stores data for relatively short periods of time, under computer control, in order to speed up data transmission or processing; "ccTLD" means country code domain at the top level of the Internet's domain name system assigned according to the two-letter codes in the International Standard ISO 3166-1 (Codes for Representation of Names of Countries and their Subdivision); "certification service provider" means a person providing an authentication product or service in the form of a digital certificate attached to, incorporated in or logically associated with a data message; "consumer" means any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier; "Consumer Affairs Committee" means the Consumer Affairs Committee established by section 2 of the Consumer Affairs (Unfair Business Practices) Act, 1988 (Act No. 71 of 1988); "critical data" means data that is declared by the Minister in terms of section 53 to be of importance to the protection of the national security of the Republic or the economic and social well-being of its citizens; "critical database" means a collection of critical data in electronic form from where it may be accessed, reproduced or extracted; "critical database administrator" means the person responsible for the management and control of a critical database; "cryptography product" means any product that makes use of cryptographic techniques and is used by a sender or recipient of data messages for the purposes of ensuring— (a) that such data
can be accessed only by relevant persons;
"cryptography provider" means
any person who provides or who proposes to
provide cryptography services or
products in
the Republic;(b) the authenticity of the data; (c) the integrity of the data; or (d) that the source of the data can be correctly ascertained; "cryptography service" means any service which is provided to a sender or a recipient of a data message or to anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring— (a) that such data
or data message can be accessed or can be
put into an intelligible form only by certain persons;
"cyber
inspector" means an
inspector referred to in Chapter XII;(b) that the authenticity or integrity of such data or data message is capable of being ascertained; (c) the integrity of the data or data message; or (d) that the source of the data or data message can be correctly ascertained; "data" means electronic representations of information in any form; "data controller" means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject; "data message" means data generated, sent, received or stored by electronic means and includes— "data subject" means any natural person from or in respect of whom personal information has been requested, collected, collated, processed or stored, after the commencement of this Act; "Department" means the Department of Communications; "Director-General" means the Director-General of the Department; "domain name" means an alphanumeric designation that is registered or assigned in respect of an electronic address or other resource on the Internet; "domain name system" means a system to translate domain names into IP addresses or other information; "e-government services" means any public service provided by electronic means by any public body in the Republic; "electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to data messages or performances in whole or in part, in an automated transaction; "electronic communication" means a communication by means of data messages; "electronic signature" means data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature; "e-mail" means electronic mail, a data message used or intended to be used as a mail message between the originator and addressee in an electronic communication; "home page" means the primary entry point web page of a web site; "hyperlink" means a reference or link from some point in one data message directing a browser or other technology or functionality to another data message or point therein or to another place in the same data message; "ICANN" means the Internet Corporation for Assigned Names and Numbers, a California non-profit public benefit corporation established in terms of the laws of the state of California in the United States of America; "information system" means a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the Internet; "information system services" includes the provision of connections, the operation of facilities for information systems, the provision of access to information systems, the transmission or routing of data messages between or among points specified by a user and the processing and storage of data, at the individual request of the recipient of the service; "intermediary" means a person who, on behalf of another person, whether as agent or not, sends, receives or stores a particular data message or provides other services with respect to that data message; "Internet" means the interconnected system of networks that connects computers around the world using the TCP/IP and includes future versions thereof; "IP address" means the number identifying the point of connection of a computer or other device to the Internet; "Minister" means the Minister of Communications; "originator" means a person by whom, or on whose behalf, a data message purports to have been sent or generated prior to storage, if any, but does not include a person acting as an intermediary with respect to that data message; "person" includes a public body; "personal information" means information about an identifiable individual, including, but not limited to— (a) information relating to the
race, gender, sex, pregnancy, marital status, national, ethnic or
social
origin, colour, sexual orientation, age, physical or mental health,
well-being, disability, religion, conscience, belief, culture, language
and birth of the individual;
but excludes information about an individual who has been dead for more
than 20 years;(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved; (c) any identifying number, symbol, or other particular assigned to the individual; (d) the address, fingerprints or blood type of the individual; (e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual; (f) correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the individual; (h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and (i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual, "prescribe" means prescribe by regulation under this Act; "private body" means— (a) a natural person who carries
or has carried on any trade, business or profession, but only in such
capacity;
but not a public body;(b) a partnership which carries or has carried on any trade, business or profession; or (c) any former or existing juristic person, "public body" means— (a) any department of state
or administration in the national or provincial sphere of government or
any municipality in the local sphere of government; or
"registrant"
means an applicant for or
holder of a domain name;(b) any other functionary or institution when— (i) exercising a power or
performing a duty in terms of the Constitution or a provincial
constitution; or
(ii) exercising a power or performing a function in terms of any legislation; "registrar" means an entity which is licensed by the Authority to update a repository; "registry" means an entity licensed by the Authority to manage and administer a specific subdomain; "repository" means the primary register of the information maintained by a registry; "second level domain" means the subdomain immediately following the ccTLD; "SMMEs" means Small, Medium and Micro Enterprises contemplated in the Schedules to the Small Business Development Act, 1996 (Act No. 102 of 1996); "subdomain" means any subdivision of the .za domain name space which begins at the second level domain; "TCP/IP" means the Transmission Control Protocol Internet Protocol used by an information system to connect to the Internet; "TLD" means a top level domain of the domain name system; "third party", in relation to a service provider, means a subscriber to the service provider's services or any other user of the service provider's services or a user of information systems; "transaction" means a transaction of either a commercial or non-commercial nature, and includes the provision of information and e-government services; "universal access" means access by all citizens of the Republic to Internet connectivity and electronic transactions; "WAP" means Wireless Application Protocol, an open international standard developed by the Wireless Application Protocol Forum Limited, a company incorporated in terms of the laws of the United Kingdom, for applications that use wireless communication and includes Internet access from a mobile phone; "web page" means a data message on the World Wide Web; "web site" means any location on the Internet containing a home page or web page; "World Wide Web" means an information browsing framework that allows a user to locate and access information stored on a remote computer and to follow references from one computer to related information on another computer; and ".za domain name space" means the .za ccTLD assigned to the Republic according to the two-letter codes in the International Standard ISO 3166-1. |
| 2. |
(1) The objects of this Act are
to enable and facilitate electronic
communications and transactions in the
public interest, and for that purpose to— (a) recognise the
importance
of the information economy for the economic and social prosperity of
the
Republic;
(b) promote universal access primarily in underserviced areas; (c) promote the understanding and, acceptance of and growth in the number of electronic transactions in the Republic; (d) remove and prevent barriers to electronic communications and transactions in the Republic; (e) promote legal certainty and confidence in respect of electronic communications and transactions; (f) promote technology neutrality in the application of legislation to electronic communications and transactions; (g) promote e-government services and electronic communications and transactions with public and private bodies, institutions and citizens; (h) ensure that electronic transactions in the Republic conform to the highest international standards; (i) encourage investment and innovation in respect of electronic transactions in the Republic; (j) develop a safe, secure and effective environment for the consumer, business and the Government to conduct and use electronic transactions; (k) promote the development of electronic transactions services which are responsive to the needs of users and consumers; (l) ensure that, in relation to the provision of electronic transactions services, the special needs of particular communities and, areas and the disabled are duly taken into account; (m) ensure compliance with accepted International technical standards in the provision and development of electronic communications and transactions; (n) promote the stability of electronic transactions in the Republic; (o) promote the development of human resources in the electronic transactions environment; (p) promote SMMEs within the electronic transactions environment; (q) ensure efficient use and management of the .za domain name space; and (r) ensure that the national interest of the Republic is not compromised through the use of electronic communications. |
| 3. |
This Act must not be interpreted so as to exclude any statutory law or the common law from being applied to, recognising or accommodating electronic transactions,data messages or any other matter provided for in this Act. |
| 4. |
(1) Subject to any contrary
provision in this section, this Act applies in respect of any
electronic transaction or data
message. (2) This Act must not be construed as— (a) requiring any person to generate, communicate, produce, process,
send, receive, record, retain, store or display any information,
document or signature by or in electronic form; or
(3) The sections of this Act mentioned in Column B of Schedule 1 do not apply to the laws mentioned
in
Column A of that Schedule.(b) prohibiting a person from establishing requirements in respect of the manner in which that person will accept data messages. (4) This Act must not be construed as giving validity to any transaction mentioned in Schedule 2. (5) This Act does not limit the operation of any law that expressly authorises, prohibits or regulates the use of data messages, including any requirement by or under a law for information to be posted or displayed in a specified manner, or for any information or document to be transmitted by a specified method. |
| 5. |
(1) The Minister
must, within 24 months after the promulgation of this Act, develop a
three-year national e-strategy for the Republic, which must be
submitted
to the Cabinet for approval. (2) The Cabinet must, on acceptance of the national e-strategy, declare the implementation of the national e-strategy as a national priority. (3) The Minister, in developing the national e-strategy as envisaged in subsection (1)— (a) must determine all
matters involving e-govemment services in consultation with the
Minister
for the Public Service and Administration;
(4)(b) must determine the roles of each person, entity or sector in the implementation of the national e-strategy; (c) must act as the responsible Minister for co-ordinating and monitoring the implementation of the national e-strategy; (d) may make such investigations as he or she may consider necessary; (e) may conduct research into and keep abreast of developments relevant to electronic communications and transactions in the Republic and internationally; (f) must continually survey and evaluate the extent to which the objectives of the national e-strategy have been achieved; (g) may liaise, consult and cooperate with public bodies, the private sector or any other person; and (h) may, in consultation with the Minister of Finance, appoint experts and other consultants on such conditions as the Minister may determine. (a) The Minister
must, in consultation with other members of the Cabinet, determine the
subject matters to be addressed in the national e-strategy and the
principles that must govern the implementation thereof.
(5) Upon approval by the Cabinet, the Minister
must publish the national e-strategy in the Gazette.(b) Prior to prescribing any subject matter and principles provided for in paragraph (a), the Minister must invite comments from all interested parties by notice in the Gazette and consider any comments received. (c) The national e-strategy must, amongst others, set out— (i) the electronic transactions strategy of the Republic,
distinguishing between regional, national, continental and
international
strategies;
(ii) programmes and means to achieve universal access, human resource development and development of SMMEs as provided for in this Part; (iii) programmes and means to promote the overall readiness of the Republic in respect of electronic transactions; (iv) ways to promote the Republic as a preferred provider and user of electronic transactions in the international market; (v) existing government initiatives directly or indirectly relevant to or impacting on the national e-strategy and, if applicable, how such initiatives are to be utilised in attaining the objectives of the national e-strategy; (vi) the role expected to be performed by the private sector in the implementation of the national e-strategy and how government can solicit the participation of the private sector to perform such role; (vii) the defined objectives, including time frames within which the objectives are to be achieved; and (viii) the resources required to achieve the objectives provided for in the national e-strategy. (6) For purposes of achieving the objectives of the national e-strategy, the Minister may, in consultation with the Minister of Finance— (a) procure funding from sources
other than the State;
(7) The Minister must annually report to the
Cabinet on progress made and objectives(b) allocate funds for implementation of the national e-strategy to such institutions and persons as are responsible for delivery in terms of the national e-strategy and supervise the execution of their mandate; and (c) take any steps necessary to enable all relevant parties to carry out their respective obligations. achieved or outstanding and may include any other matter the Minister deems relevant. (8) The Minister must annually review the national e-strategy and where necessary make amendments thereto in consultation with all relevant members of the Cabinet. (9) No amendment or adaptation of the national e-strategy is effective unless approved by the Cabinet. (10) The Minister must publish any material revision of the national e-strategy in the Gazette. (11) The Minister must table an annual report in Parliament regarding the progress made in the implementation of the national e-strategy. |
| 6. |
In respect of universal access, the national e-strategy
must outline strategies and programmes to— (a) provide Internet
connectivity to disadvantaged communities;
(b) encourage the private sector to initiate schemes to provide universal access; (c) foster the adoption and use of new technologies for attaining universal access; and (d) stimulate public awareness, understanding and acceptance of the benefits of Internet connectivity and electronic transacting. |
| 7. |
The Minister,
in developing the national e-strategy, must provide for ways of
maximising the benefits of electronic transactions
to historically disadvantaged persons and
communities, including, but not limited to— (a) making facilities and
infrastructure available or accessible to such persons
and communities to enable the marketing and sale of their goods or
services by way of electronic transactions;
(b) providing or securing support services for such facilities and infrastructure to assist with the efficient execution of electronic transactions; and (c) rendering assistance and advice to such persons and communities on ways to adopt and utilise electronic transactions efficiently. |
| 8. |
(1) The Minister,
in developing the national e-strategy, must provide for ways of
promoting development of human resources set out in this section within
the context of the government's integrated human resource development
strategies, having regard to structures and programmes that have been
established under existing laws. (2) The Minister must consult with the Ministers of Labour and Education on existing facilities, programmes and structures for education, training and human resource development in the information technology sector relevant to the objects of this Act. (3) Subject to subsections (1) and (2), the Minister must promote skills development in the areas of— (a) information technology
products and services in support of electronic transactions;
(b) business strategies for SMMEs and other businesses to utilise electronic transactions; (c) sectoral, regional, national, continental and international policy formulation for electronic transactions; (d) project management on public and private sector implementation of electronic transactions; (e) the management of the .za domain name space; (f) the management of the IP address system for the African continent in consultation with other African states; (g) convergence between communication technologies affecting electronic transactions; (h) technology and business standards for electronic transactions; (i) education on the nature, scope, impact, operation, use and benefits of electronic transactions; and (j) any other matter relevant to electronic transactions. |
| 9. |
The Minister
must, in consultation with the Minister of Trade and Industry, evaluate
the adequacy of any existing processes, programmes and infrastructure
providing for the utilisation by SMMEs of
electronic transactions and, pursuant to
such evaluation, may— (a) establish or facilitate the
establishment of electronic
communication centres for SMMEs;
(b) facilitate the development of web sites or web site portals that will enable SMMEs to transact electronically and obtain information about markets, products and technical assistance; and (c) facilitate the provision of such professional and expert assistance and advice to SMMEs on ways to utilise electronic transacting efficiently for their development. |
| 10. |
(1) The Minister
must, subject to this Act, formulate electronic transactions
policy. (2) In formulating the policy contemplated in subsection (1), the Minister must— (a) act in consultation
with
members of the Cabinet directly affected by such policy formulation or
the consequences thereof;
(3) The Minister must publish policy
guidelines
in the Gazette on issues
relevant to electronic transactions in the
Republic.(b) have due regard to— (i) the objects of this Act;
(ii) the nature, scope and impact of electronic transactions; (iii) international best practice and conformity with the law and guidelines of other jurisdictions and international bodies; and (iv) existing laws and their administration in the Republic. (4) In implementing this Chapter, the Minister must encourage the development of innovative information systems and the growth of related industry. |
| 11. |
(1) lnformation is not without
legal force and effect merely on the grounds that it is wholly or
partly
in the form of a data message. (2) Information is not without legal force and effect merely on the grounds that it is not contained in the data message purporting to give rise to such legal force and effect, but is merely referred to in such data message. (3) Information incorporated into an agreement and that is not in the public domain is regarded as having been incorporated into a data message if such information is— (a) referred to in a way in
which
a reasonable person would have noticed the
reference thereto and incorporation thereof; and
(b) accessible in a form in which it may be read, stored and retrieved by the other party, whether electronically or as a computer printout as long as such information is reasonably capable of being reduced to electronic form by the party incorporating it. |
| 12. |
A requirement in law that a
document or Information must be in writing is met if the document or
Information is— (a) in the form of a data message; and
(b) accessible in a manner usable for subsequent reference. |
| 13. |
(1) Where the signature of a person is required by law and such law does not
specify the type of signature, that requirement in relation to a data message is met only if an advanced electronic signature is used. (2) Subject to subsection (1), an electronic signature is not without legal force and effect merely on the grounds that it is in electronic form. (3) Where an electronic signature is required by the parties to an electronic transaction and the parties have not agreed on the type of electronic signature to be used, that requirement is met in relation to a data message if— (a) a method is used to
identify the person and to indicate the person's approval of the information communicated;
and
(4) Where an advanced
electronic signature has been used, such signature is regarded as
being a valid electronic signature
and to have been applied properly, unless the contrary is proved.(b) having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated. (5) Where an electronic signature is not required by the parties to an electronic transaction, an expression of intent or other statement is not without legal force and effect merely on the grounds that— (a) it is in the form of a data message; or
(b) it is not evidenced by an electronic signature but is evidenced by other means from which such person's intent or other statement can be inferred. |
| 14. |
(1) Where a law requires
information to be presented or retained in its original form, that
requirement is met by a data message if— (a) the integrity of the
information from the time when it was first generated in its final form
as a data message or otherwise has passed
assessment in terms of subsection (2); and
(2) For the purposes of subsection 1(a), the integrity must be
assessed—(b) that information is capable of being displayed or produced to the person to whom it is to be presented. (a) by considering whether the
information has remained complete and unaltered, except for the
addition
of any endorsement and any change which arises in the normal course of
communication, storage and display;
(b) in the light of the purpose for which the information was generated; and (c) having regard to all other relevant circumstances. |
| 15. |
(1) In any legal proceedings,
the rules of evidence must not be applied so as to deny the
admissibility of a data message, in
evidence— (a) on the mere grounds that it
is constituted by a data message; or
(2) Information in the form of a data message
must be given due evidential weight.(b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form. (3) In assessing the evidential weight of a data message, regard must be had to— (a) the reliability of the
manner
in which the data message was generated,
stored or communicated;
(4) A data message made by a person in the ordinary course of business, or a
copy
or printout of or an extract from such data
message certified to be correct by an officer in the service of
such person, is on its mere production in any
civil,
criminal, administrative or disciplinary proceedings under any law, the
rules of a self regulatory organisation or any other law or the common
law, admissible in evidence against any person
and
rebuttable proof of the facts contained in such record, copy, printout
or extract.(b) the reliability of the manner in which the integrity of the data message was maintained; (c) the manner in which its originator was identified; and (d) any other relevant factor. |
| 16. |
(1) Where a law requires
information to be retained, that requirement is met by retaining such
information in the form of a data message,
if— (a) the information
contained in the data message is
accessible
so as to be usable for subsequent reference;
(2) The obligation to retain information as contemplated in subsection
(1) does not extend to any information the sole purpose of which is to
enable the message to be sent or received.(b) the data message is in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; and (c) the origin and destination of that data message and the date and time it was sent or received can be determined. |
| 17. |
(1) Subject to section
28, where a law requires a person to produce
a document or information, that requirement is met if the person produces, by means of a data message, an electronic form of that
document or information, and if— (a) considering all the relevant
circumstances at the time that the data message
was sent, the method of generating the electronic form of that document
provided a reliable means of assuring the maintenance of the integrity
of the information contained in that document; and
(2) For the purposes of subsection (1), the integrity of the
information contained in a document is maintained if the information
has
remained complete and unaltered, except for—(b) at the time the data message was sent, it was reasonable to expect that the information contained therein would be readily accessible so as to be usable for subsequent reference. (a) the addition of any
endorsement; or
(b) any immaterial change, which arises in the normal course of communication, storage or display. |
| 18. |
(1) Where a law requires a
signature, statement or document to be notarised, acknowledged,
verified
or made under oath, that requirement is met if the advanced electronic signature
of the person authorised to perform those acts
is
attached to, incorporated in or logically associated with the electronic signature or data message. (2) Where a law requires or permits a person to provide a certified copy of a document and the document exists in electronic form, that requirement is met if the person provides a print-out certified to be a true reproduction of the document or information. (3) Where a law requires or permits a person to provide a certified copy of a document and the document exists in paper or other physical form, that requirement is met if an electronic copy of the document is certified to be a true copy thereof and the certification is confirmed by the use of an advanced electronic signature. |
| 19. |
(1) A requirement in a law for
multiple copies of a document to be submitted to a single addressee at the same time, is satisfied by the
submission of a single data message that
is
capable of being reproduced by that addressee. (2) An expression in a law, whether used as a noun or verb, including the terms "document", "record", "file", "submit", "lodge", "deliver", "issue", "publish", "write in", "print" or words or expressions of similar effect, must be interpreted so as to include or permit such form, format or action in relation to a data message unless otherwise provided for in this Act. (3) Where a seal is required by law to be affixed to a document and such law does not prescribe the method or form by which such document may be sealed by electronic means, that requirement is met if the document indicates that it is required to be under seal and it includes the advanced electronic signature of the person by whom it is required to be sealed. (4) Where any law requires or permits a person to send a document or information by registered or certified post or similar service, that requirement is met if an electronic copy of the document or information is sent to the South African Post Office Limited, is registered by the said Post Office and sent by that Post Office to the electronic address provided by the sender. |
| 20. |
In an automated transaction— (a) an agreement may be
formed where an electronic agent performs an action required by law for
agreement formation;
(b) an agreement may be formed where all parties to a transaction or either one of them uses an electronic agent; (c) a party using an electronic agent to form an agreement is, subject to paragraph (d), presumed to be bound by the terms of that agreement irrespective of whether that person reviewed the actions of the electronic agent or the terms of the agreement; (d) A party interacting with an electronic agent to form an agreement is not bound by the terms of the agreement unless those terms were capable of being reviewed by a natural person representing that party prior to agreement formation. (e) no agreement is formed where a natural person interacts directly with the electronic agent of another person and has made a material error during the creation of a data message and— (i) the electronic agent did not provide that person with an opportunity to prevent or correct
the
error;
(ii) that person notifies the other person of the error as soon as practicable after that person has learned of it; (iii) that person takes reasonable steps, including steps that conform to the other person's instructions to return any performance received, or, if instructed to do so, to destroy that performance; and (iv) that person has not used or received any material benefit or value from any performance received from the other person. |
| 21. |
This Part only applies if the parties involved in generating, sending, receiving, storing or otherwise processing data messages have not reached agreement on the issues provided for therein. |
| 22. |
(1) An agreement is not without
legal force and effect merely because it was concluded partly or in
whole by means of data messages. (2) An agreement concluded between parties by means of data messages is concluded at the time when and place where the acceptance ofthe offer was received by the offeror. |
| 23. |
A data
message— (a) used in the conclusion or
performance of an agreement must be regarded as having been sent by the
originator when it enters an information system outside the control
of the originator or, if the originator and addressee
are in the same information system,
when it is capable of being retrieved by the addressee;
(b) must be regarded as having been received by the addressee when the complete data message enters an information system designated or used for that purpose by the addressee and is capable of being retrieved and processed by the addressee; and (c) must be regarded as having been sent from the originator's usual place of business or residence and as having been received at the addressee's usual place of business or residence. |
| 24. |
As between the originator and the addressee
of a data message an expression of intent
or
other statement is not without legal force and effect merely on the
grounds that— (a) it is in the form of a data message; or
(b) it is not evidenced by an electronic signature but by other
means from which such person's intent or other
statement can be inferred.
|
| 25. |
A data
message is that of the originator if it
was sent by— (a) the originator
personally;
(b) a person who had authority to act on behalf of the originator in respect of that data message; or (c) an information system programmed by or on behalf of the originator to operate automatically unless it is proved that the information system did not properly execute such programming. |
| 26. |
(1) An acknowledgement of
receipt of a data message is not necessary
to give legal effect to that message. (2) An acknowledgement of receipt may be given by— (a) any communication by the addressee, whether automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the data message has been received. |
| 27. |
Any public
body that, pursuant to any law— (a) accepts the filing of
documents, or requires that documents be created or retained;
may, notwithstanding anything to the contrary in such law—(b) issues any pennit, licence or approval; or (c) provides for a manner of payment, (i) accept the filing of
such documents, or the creation or retention of such documents in the
fonn of data messages;
(ii) issue such pennit, licence or approval in the fonn of a data message; or (iii) make or receive payment in electronic form or by electronic means. |
| 28. |
(1) In any case where a public body perfonns any of the functions
referred to in section 27, such body may specify by
notice in the Gazette— (a) the manner and fonnat
in
which the data messages must be filed,
created, retained or issued;
(2) For the purposes of subsection (1)(d) the South African Post Office
Limited is a preferred authentication
service provider and the Minister may
designate any other authentication
service provider as a preferred authentication service provider
based on such authentication
service provider's obligations in respect of the provision of universal access.(b) in cases where the data message has to be signed, the type of electronic signature required; (c) the manner and fonnat in which such electronic signature must be attached to, incorporated in or otherwise associated with the data message; (d) the identity of or criteria that must be met by any authentication service provider used by the person filing the data message or that such authentication service provider must be a preferred authentication service provider; (e) the appropriate control processes and procedures to ensure adequate integrity, security and confidentiality of data messages or payments; and (f) any other requirements for data messages or payments. |
| 29. |
(1) The Director-General must establish and maintain a register
of cryptography providers. (2) The Director-General must record the following particulars in respect of a cryptography provider in that register: (a) The name and address of the cryptography provider;
(3) A cryptography provider is
not
required to disclose confidential information or trade secrets in
respect of its cryptography products
or services.(b) a description of the type of cryptography service or cryptography product being provided; and (c) such other particulars as may be prescribed to identify and locate the cryptography provider or its products or services adequately. |
| 30. |
(1) No person
may provide cryptography services
or cryptography products in the
Republic until the particulars referred to in section 29
in respect of that person have been recorded in
the register contemplated in section 29. (2) A cryptography provider must in the prescribed manner furnish the Director General with the information required and pay the prescribed administrative fee. (3) A cryptography service or cryptography product is regarded as being provided in the Republic if it is provided— |
| 31. |
(1) Information contained in the
register provided for in section 29 must not be
disclosed to any person other than to employees
of
the Department who are responsible for the
keeping of the register. (2) Subsection (1) does not apply in respect of information which is disclosed— (a) to a relevant authority
which
investigates a criminal offence or for the purposes of any criminal
proceedings;
(b) to government agencies responsible for safety and security in the Republic, pursuant to an official request; (c) to a cyber inspector; (d) pursuant to section 11 or 30 of the Promotion of Access to Information Act, (Act No.2 of 2000); or (e) for the purposes of any civil proceedings which relate to the provision of cryptography services or cryptography products and to which a cryptography provider is a party. |
| 32. |
(1) The provisions of this
Chapter do not apply to the National Intelligence Agency established in
terms of section 3 of the Intelligence Services Act, 1994 (Act No. 38
of
1994). (2) A person who contravenes or fails to comply with a provision of this Chapter is guilty of an offence and liable on conviction to a fine or to imprisonment for a period not exceeding two years. |
| 33. |
In this Chapter, unless the
context indicates otherwise— "accreditation" means recognition of an authentication product or service by the Accreditation Authority. |
| 34. |
(1) For the purposes of this
Chapter the Director-General must act
as
the Accreditation Authority. (2) The Accreditation Authority, after consultation with the Minister, may appoint employees of the Department as Deputy Accreditation Authorities and officers. |
| 35. |
Subject to section
30, a person may, without the prior
authority
of any other person, sell or provide authentication products or
services in the Republic. |
| 36. |
(1) The Accreditation Authority
may— (a) monitor the conduct, systems
and operations of an authentication
service provider to ensure its compliance with section
38 and the other obligations of authentication service providers
in terms of this Act;
(2) The Accreditation Authority must maintain a publicly accessible
database in respect of—(b) temporarily suspend or revoke the accreditation of an authentication product or service; and (c) appoint an independent auditing firm to conduct periodic audits of the authentication service provider to ensure its compliance with section 38 and the other obligations of authentication service providers in terms of this Act. (a) authentication products or
services accredited in terms of section 37;
(b) authentication products and services recognised in terms of section 40; (c) revoked accreditations or recognitions; and (d) such other information as may be prescribed. |
| 37. |
(1) The Accreditation Authority
may accredit authentication products and services in support of advanced electronic signatures. (2) An application for accreditation must— (a) be made to the Accreditation
Authority in the prescribed manner supported
by the prescribed information; and
(3) A person falsely holding out its products or
services to be accredited by the Accreditation Authority is guilty of
an
offence.(b) be accompanied by a non-refundable prescribed fee. |
| 38. |
(1) The Accreditation Authority
may not accredit authentication
products or services unless the Accreditation Authority is
satisfied
that an electronic signature to
which such authentication
products or services relate— (a) is uniquely linked to the
user;
(2) For purposes of subsection (1), the Accreditation Authority must
have regard to the following factors in respect of an authentication service provider
prior to accrediting authentication
products or services:(b) is capable of identifying that user; (c) is created using means that can be maintained under the sole control of that user; and (d) will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable; (e) is based on the face-to-face identification of the user. (a) Its financial and human
resources, including its assets;
(3) For the purposes of subsections (2)(b) and (c), the hardware and
software systems and procedures must at least—(b) the quality of its hardware and software systems; (c) its procedures for processing of products or services; (d) the availability of information to third parties relying on the authentication product or service; (e) the regularity and extent of audits by an independent body; (f) the factors referred to in subsection (4) where the products and services are rendered by a certification service provider; and (g) any other relevant factor which may be prescribed. (a) be reasonably secure from
intrusion and misuse;
(4) For the purposes of subsection (1), where the products or services
are provided by a certification
service provider, the Accreditation Authority may stipulate, prior
to accrediting authentication
products or services—(b) provide a reasonable level of availability, reliability and correct operation; (c) be reasonably suited to performing their intended functions; and (d) adhere to generally accepted security procedures. (a) the technical and other
requirements which certificates must meet;
(5) The Accreditation Authority may impose any conditions or
restrictions necessary when accrediting an authentication product or
service.(b) the requirements for issuing certificates; (c) the requirements for certification practice statements; (d) the responsibilities of the certification service provider; (e) the liability of the certification service provider; (f) the records to be kept and the manner in which and length of time for which they must be kept; (g) requirements as to adequate certificate suspension and revocation procedures; and (h) requirements as to adequate notification procedures relating to certificate suspension and revocation. |
| 39. |
(1) The Accreditation Authority
may suspend or revoke an accreditation if it is satisfied that the authentication service provider
has failed or ceases to meet any of the requirements, conditions or
restrictions subject to which accreditation was granted under section 38 or recognition was given in terms of section 40. (2) Subject to the provisions of subsection (3), the Accreditation Authority may not suspend or revoke the accreditation or recognition contemplated in subsection (1) unless it has— (a) notified the authentication service provider
in writing of its intention to do so;
(3) The Accreditation Authority may suspend accreditation granted under
section 38 or recognition given under section
40 with immediate effect for a period not exceeding 90 days,
pending
implementation of the procedures required by subsection (2), if the
continued accreditation or recognition of the authentication service provider
is reasonably likely to result in irreparable harm to consumers or any person
involved in an electronic transaction in
the
Republic.(b) given a description of the alleged breach of any of the requirements, conditions or restrictions subject to which accreditation was granted under section 38 or recognition was given in terms of section 40; and (c) afforded the authentication service provider the opportunity to— (i) respond to the
allegations in writing; and
(ii) remedy the alleged breach within a reasonable time. (4) An authentication service provider whose products or services have been accredited in terms of this Chapter may terminate such accreditation at any time, subject to such conditions as may be agreed to at the time of accreditation or thereafter. |
| 40. |
(1) The Minister
may, by notice in the Gazette
and subject to such conditions as may be determined by him or her,
recognise the accreditation or similar recognition granted to any authentication service provider
or its authentication
products or services in any foreign jurisdiction. (2) An authentication service provider falsely holding out its products or services to have been recognised by the Minister in terms of subsection (1), is guilty of an offence. |
| 41. |
The Minister
may make regulations in respect of— (a) the rights and
obligations of persons relating to the provision
of accredited products and services;
(b) the manner in which the Accreditation Authority must administer and supervise compliance with those obligations; (c) the procedure pertaining to the granting, suspension and revocation of accreditation; (d) fees to be paid; (e) information security requirements or guidelines; and (f) any other relevant matter which it is necessary or expedient to prescribe for the proper implementation of this Chapter. |
| 42. |
(1) This Chapter applies only to
electronic transactions. (2) Section 44 does not apply to an electronic transaction— (a) for financial services,
including but not limited to, investment services, insurance and
reinsurance operations, banking services and operations relating to
dealings in securities;
(3) This Chapter does not apply to a regulatory authority established
in terms of a law if that law prescribesconsumer protection provisions in respect of
electronic transactions.(b) by way of an auction; (c) for the supply of foodstuffs, beverages or other goods intended for everyday consumption supplied to the home, residence or workplace of the consumer; (d) for services which began with the consumer's consent before the end of the seven-day period referred to in section 44(1); (e) where the price for the supply of goods or services is dependent on fluctuations in the financial markets and which cannot be controlled by the supplier; (f) where the goods— (i) are made to the consumer's specifications;
(g) where audio or video recordings or computer software were unsealed
by the consumer;(ii) are clearly personalised; (iii) by reason of their nature cannot be returned; or (iv) are likely to deteriorate or expire rapidly; (h) for the sale of newspapers, periodicals, magazines and books; (i) for the provision of gaming and lottery services; or (j) for the provision of accommodation, transport, catering or leisure services and where the supplier undertakes, when the transaction is concluded, to provide these services on a specific date or within a specific period. |
| 43. |
(1) A supplier offering goods or
services for sale, for hire or for exchange by way of an electronic transaction must make the following
information
available to consumers on the web site where such goods or services are offered: (a) Its full name and legal
status;
(2) The supplier must provide a consumer with
an opportunity—(b) its physical address and telephone number; (c) its web site address and e-mail address; (d) membership of any self-regulatory or accreditation bodies to which that supplier belongs or subscribes and the contact details of that body; (e) any code of conduct to which that supplier subscribes and how that code of conduct may be accessed electronically by the consumer; (f) in the case of a legal person, its registration number, the names of its office bearers and its place of registration; (g) the physical address where that supplier will receive legal service of documents; (h) a sufficient description of the main characteristics of the goods or services offered by that supplier to enable a consumer to make an informed decision on the proposed electronic transaction; (i) the full price of the goods or services, including transport costs, taxes and any other fees or costs; (j) the manner of payment; (k) any terms of agreement, including any guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers; (l) the time within which the goods will be dispatched or delivered or within which the services will be rendered; (m) the manner and period within which consumers can access and maintain a full record of the transaction; (n) the return, exchange and refund policy of that supplier; (o) any alternative dispute resolution code to which that supplier subscribes and how the wording of that code may be accessed electronically by the consumer; (p) the security procedures and privacy policy of that supplier in respect of payment, payment information and personal information; (q) where appropriate, the minimum duration of the agreement in the case of agreements for the supply of products or services to be performed on an ongoing basis or recurrently; and (r) the rights of consumers in terms of section 44, where applicable. (a) to review the entire
electronic transaction;
(3) If a supplier fails to comply with the provisions of subsection (1)
or (2), the consumer may cancel the transaction within 14 days of receiving the
goods or services under the transaction.(b) to correct any mistakes; and (c) to withdraw from the transaction, before finally placing any order. (4) If a transaction is cancelled in terms of subsection (3)— (a) the consumer
must return the performance of the supplier or, where applicable, cease
using the services performed; and
(5) The supplier must utilise a payment system that is sufficiently
secure with reference to accepted technological standards at the time
of
the transaction and the type of transaction concerned.(b) the supplier must refund all payments made by the consumer minus the direct cost of returning the goods. (6) The supplier is liable for any damage suffered by a consumer due to a failure by the supplier to comply with subsection (5). |
| 44. |
(1) A consumer
is entitled to cancel without reason and without penalty any transaction and any related credit agreement
for the supply— (a) of goods within seven days
after the date of the receipt of the goods; or
(2) The only charge that may be levied on the consumer
is the direct cost of returning(b) of services within seven days after the date of the conclusion of the agreement. the goods. (3) If payment for the goods or services has been effected prior to a consumer exercising a right referred to in subsection (1), the consumer is entitled to a full refund of such payment, which refund must be made within 30 days of the date of cancellation. (4) This section must not be construed as prejudicing the rights of a consumer provided for in any other law. |
| 45. |
(1) Any person
who sends unsolicited commercial communications to consumers,
must provide the consumer— (a) with the option to cancel
his
or her subscription to the mailing list of that person;
and
(2) No agreement is concluded where a consumer
has failed to respond to an unsolicited communication.(b) with the identifying particulars of the source from which that person obtained the consumer'spersonal information, on request of the consumer. (3) Any person who fails to comply with or contravenes subsection (1) is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1). (4) Any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1). |
| 46. |
(1) The supplier must execute
the order within 30 days after the day on which the supplier received
the order, unless the parties have agreed otherwise. (2) Where a supplier has failed to execute the order within 30 days or within the agreed period, the consumer may cancel the agreement with seven days' written notice. (3) If a supplier is unable to perform in terms of the agreement on the grounds that the goods or services ordered are unavailable, the supplier must immediately notify the consumer of this fact and refund any payments within 30 days after the date of such notification. |
| 47. |
The protection provided to consumers in this Chapter, applies irrespective of the legal system applicable to the agreement in question. |
| 48. |
Any provision in an agreement which excludes any rights provided for in this Chapter is null and void. |
| 49. |
A consumer may lodge a complaint with the Consumer Affairs Committee in respect of any non-compliance with the provisions of this Chapter by a supplier. |
| 50. |
(1) This Chapter only applies to
personal information that has
been
obtained through electronic transactions. (2) A data controller may voluntarily subscribe to the principles outlined in section 51 by recording such fact in any agreement with a data subject. (3) A data controller must subscribe to all the principles outlined in section 51 and not merely to parts thereof. (4) The rights and obligations of the parties in respect of the breach of the principles outlined in section 51 are governed by the terms of any agreement between them. |
| 51. |
(1) A data controller must have the express written permission of the data subject for the collectio |