Electronic Communications and Transaction Bill submission Internet Service Providers’ Association Ant Brooks (ant@ispa.org.za)

About ISPA Internet Service Providers’ Association Industry body not for gain Founded in 1996 Currently has 45 members includes small, medium-sized and large companies includes NGOs and educational networks Provides a forum for industry co-operation Participates actively in policy development processes

General comments ISPA supports the bill. There is a need for legislation in this highly technical area of law. ISPA’s view is that legislation should: Only remove existing barriers for electronic commerce. Avoid creating new structures or processes where these are not necessary. Be “light touch” and allow for self-regulation where appropriate. Some chapters introduce excessive state involvement where a monitoring function would be more appropriate. Bill also lack clear universal service targets for bridging the digital divide. May be dealt with in subordinate legislation.

Chapter XIV: General provisions Suggestion: "Electronic Commerce Act" would be a more appropriate title.

Chapter XIII: Cyber crime ISPA welcomes these provisions They will enable effective action against destructive Internet activity Penalties stated in the bill may be too lenient for some crimes. (Section 93) The exact penalties should perhaps be left to the presiding judicial officer to determine.

Chapter XII: Cyber inspectors ISPA understands the need to have technically competent persons investigating and enforcing electronic commerce activities. However, the creation of a separate resource to do this does not seem efficient. Instead, existing entities (SAPS, NIA, F&PB, SABS) should be trained to fulfil this role.

Chapter XI: Limitation of liability of service providers ISPA strongly supports the balanced and measured approach reflected in the bill, subject to a few concerns. ISPA believes that it can meet the requirements for an industry representative body. (Section 75) Discrepancies between the limitations of liability caching and mere conduit (Sections 77 and 78) covers criminal and civil liability hosting and information location tools (Sections 79 and 80) covers only civil claims All sections should covers both civil and criminal liability Example: Currently, an ISP hosting a search engine with a link to an illegal web page could still be criminally liable for the link

Chapter XI: Limitation of liability of service providers Take down notification (Section 81) Who will be authorised to issue the take down notice? It doesn’t help for the notifying party to indemnify the ISP from liability. What happens if an ISP takes down content and is then sued by the owner of that content? Blanket indemnity needs to be included in the legislation for ISPs following legislated take down procedures. No general obligation to monitor (Section 82) Minister can force ISPs to provide information, but the ISPs can still be sued. Again, a general indemnity clause is needed. Savings (Section 83) Potential clash with proposed amendments to the Film and Publications Act. Closer co-ordination is encouraged.

Chapter X: Domain name authority and administration Chapter appears to be completely unnecessary Seeks to replace a functioning, self-funding organisation with an untested, government body funded (in part) by tax-payers money. Why? Change to a critical system is proposed The domain name system is of crucial importance to the future of electronic commerce in South Africa. Any change to the established DNS administration could seriously impact the functioning of the Internet in SA. Changes to the existing set-up should only take place following extensive consultation with the Internet industry and existing domain name administrators. It is ISPA's view that no such consultation has taken place.

Chapter X: Domain name authority and administration ISPs represent the single largest group of domain name registrants in South Africa The majority of domain names registered in .ZA are registered by ISPs (mostly on behalf of clients). In ISPA's view, this chapter should be deleted entirely. Alternative approaches to government involvement in domain name issues should be investigated.

Chapter IX: Protection of critical databases ISPA applauds the goal of this chapter the protection of critical databases from unscrupulous exploitation and the protection of national security. Unfortunately, the result is so broad as to possibly be unconstitutional Minister's unilateral ability to make declarations and determine "minimum standards or prohibitions" is cause for concern. Cabinet Members must be consulted on regulations that affect them, but no such opportunity is accorded the private sector.

Chapter VIII: Protection of personal information This chapter seeks to remedy the lack of protection of personal information in SA legislation on an interim basis pending work by the Law Commission on final legislation. Although this section is purely voluntary, there are still some concerns. Self-regulation may be more appropriate that legislative intervention. A number of self-regulation programs already exist globally.

Chapter VII: Consumer protection The requirements of this chapter are extremely onerous This will likely inhibit the growth of e-commerce in South Africa It will also make SA a less attractive market internationally Self-regulation would be a far better option Example: GBDe’s trustmark program Clashes with existing consumer protection legislation Consumer Affairs (Harmful Business Practices) Act 71 of 1988 Extra-territoriality problematic (Section 48) Could limit consumers, not enforceable SPAM -- unsolicited communications (Section 46) The legislation does not go far enough in dealing with SPAM (unsolicited bulk email). An opt-out provision is insufficient.

Chapter VI: Authentication service providers Who should be the Authentication Authority? Is the Director-General best qualified to act as the Accreditation Authority? Wouldn't the SABS or ICASA be more appropriate for this highly technical role? More consultation needed with the private sector The Authority should be required to consult with the private sector on authentication issues and should not be purely prescriptive. Similarly, the Minister should be required to consult broadly prior to making regulations relating to accreditation.

Chapter V: Cryptography providers This chapter is poorly written and confuses many issues. Serious problems with basic definitions -- overly broad. These impact the substantive law, making it unfeasible. Who must register? As currently written, the law could require public libraries to register as cryptography providers if they contain any books on secret codes or cryptography. This Chapter relates to the consequences of the Monitoring and Interception Prohibition Act, and would probably be better dealt with there. Timing of implementation is similar

Chapter III: Facilitating electronic transactions This chapter is the meat of the Bill, and is very welcome. Evidence (Section 15) The continued existence of the Computer Evidence Act may impede the adoption of this section. That Act should be amended or repeal simultaneously with the passing of the Bill. Production of documentation (Section 17) Should not only apply to documents required by law, but also to other documents not specifically required by law, including contracts.

Chapter II: Maximising benefits and policy framework Objectives of a national e-strategy are commendable and will commit government to research and set objectives. More consultation with the private sector required Especially on universal access, human resources and SMMEs

Chapter I: Interpretation, objects and application Definitions (Section 1) There are many problematic definitions, particularly those relating to cryptography and domain name issues ISPA strongly advises that all of the definitions be carefully reviewed, especially where public comment has drawn attention to potential problems.

Summary What should be scrapped? What needs a major overhaul? Cryptography, Domain name authority What needs a major overhaul? Definitions, Consumer protection, Protection of critical databases, Cyber inspectors What needs some minor adjustments? Maximising benefits, Facilitating electronic transactions, Authentication providers, Protection of personal information, Limitation of liability Fine as is E-government, Cyber crime, General provisions