A REVIEW OF THE SOUTH AFRICAN ICT LAW IN

CONTRAST WITH THE NIGERIAN ICT LAW

Presented by Group 7

Group Members Matric No

Chikezie, Kalu David 189074074
Okhamena,Sekinat Ochuwa 189074068
Kudehinbu,Morayo Olayiwade 189074069
Uche,Ugochukwu Emmanuel 189074070
Adeseyoju,Ayotunde Jeremiah 189074071
Akerele,Adeola Olakunle 189074073
Onyejesi,Michael Chibuzor 189074075
Emeka,Ifeanyi Ambrose 189074076
Ogundele,Oladimeji Emmanuel 189074077
 TABLE OF CONTENT
Abstract 4

1.0 NIGERIA’S CYBERCRIME ACT 2015 5

1.1 A BRIEF BREAKDOWN OF THE NIGERIAN CYBERCRIME ACT 5

2.0 South African Information Technology Law 7

2.1 OVERVIEW OF THE POPI ACT 7

2.2 THE EIGHT PRINCIPLES OF THE POPIA ACT 8

2.3 OFFENCES AND PENALTIES REGARDS DATA PRIVACY IN SOUTH

AFRICA 8

3.0 CASE STUDY 9

4.0 COMPARING AND CONTRASTING THE NIGERIAN WITH THE SOUTH

AFRICAN LAW 10

4.1 NIGERIA AND SOUTH AFRICA LAW ON DENIAL OF SERVICE

ATTACKS 10

4.2 ICT LAW IN NIGERIA AND SOUTH AFRICA 10

4.3 NIGERIAN AND SOUTH AFRICAN LAW ON PHISHING 10

5.0 APPENDIX 11

REFERENCES 12
 ABSTRACT

The rise in cybercrime has led to African countries creating Cyber/Internet Crime Acts

to prohibit the increase in Internet related crimes, prevent these kinds of activities,

protect her citizens, detect, and prosecute offending parties. This study analyses the ICT

laws of Nigeria and South Africa, and exposes their strengths and weaknesses.
1.0 NIGERIA’S CYBERCRIME ACT 2015

The Nigerian Cyber Crime Act was enacted by the National Assembly of the Federal
Republic of Nigeria to

(a) Provide an effective and unified legal, regulatory and institutional framework for
the prohibition, prevention, detection, prosecution and punishment of cybercrimes in
Nigeria;

(b) Ensure the protection of critical national information infrastructure; and

(c) Promote cyber security and the protection of computer systems and networks,
electronic communications; data and computer programs, intellectual property and
privacy rights.

1.1 A BRIEF BREAKDOWN OF THE NIGERIA CYBERCRIME ACT

1. The Nigerian Cybercrime Act 2015 empowers the President to

discretionarily designate computer systems, networks and information infrastructure
as vital to the national security of Nigeria or the economic and social well-being of its
citizens. Examples of systems, which could be designated as such, include transport,
communication, banking etc.

2. “The death penalty for an offence committed against a system or network that
has been designated critical national infrastructure of Nigeria that results in the death of
an individual” as quoted by the Nigerian Cybercrime Act 2015 (amongst other
punishments for lesser crimes).

3. In Nigeria, hackers, if found guilty, of unlawfully caught using a computer

system or network, “are liable to a fine of up to N10 million or a term of imprisonment
of 5 years” as quoted by cybercrime Act 2015.

4. The Cybercrime Act 2015 made a provision for identity theft, as it provides a
strict punishment of imprisonment for a term of not less than 3 years or a fine of not
less than N7 million or to both fine and imprisonment.

An example of identity fraud would be the individual who impersonated Chief Bola
Ahmed Tinubu on Facebook and was apprehended recently by the police.
5. For offences related to child-pornography, the act stipulates punishments of
imprisonment for a term of 10 years or a fine of not less than N20 million or to both
fine and imprisonment, depending on the nature of the offence and the act carried out
by the accused persons. The offences are: producing, procuring, distributing, and
possession of child pornography.

6. “Outlaws Cyber-stalking and Cyber-bullying and prescribes punishment ranging

from a fine of not less than N2 million or imprisonment for a term of not less than 1
year or to both fine and imprisonment, up to a term of not less than 10 years or a fine of
not less than N25 million or to both fine and imprisonment; depending on the severity
of the offence” as quoted by cybercrime act 2015.

7. The Nigerian Cybercrime Act 2015 prohibits using an Internet domain name
with bad faith intent to profit from the popularity of a trademark belonging to someone
else, or to profit by selling to its original owner.

“Individuals who engage in this are liable on conviction to imprisonment for a term of
not less than 2 years or a fine of not less than N5 million or to both fine and
imprisonment” as quoted in the Nigerian Cybercrime Act 2015.

The above is just a high-level overview of certain interesting provisions in the newly
passed legislation.

The Act itself contains 43 sections, and is a very important piece of legislation to foster
the development of the nascent ICT sector in Nigeria.
2.0 SOUTH AFRICAN INFORMATION TECHNOLOGY LAW

South Africa has one of the largest information and communications technology (ICT)
markets in Africa by value. It shows technological leadership in the mobile software
field, security software as well as electronic banking services.

As an increasingly important contributor to South Africa's GDP, the country's ICT and
electronics sector is both sophisticated and developing.

Several international corporates operate subsidiaries from South Africa, including IBM,
Unisys, Microsoft, Intel, Systems Application Protocol (SAP), Dell, Novell and
Compaq. It is seen as a regional hub and a supply base for neighbouring countries.

The South African market is price-sensitive, also on the capital goods’ side.

What is the law regards data privacy or data protection in South Africa? Does South
Africa have a Data Protection Act?

In terms of South African law, the right to privacy is protected in terms of the common
law and section 14 of the Constitution of South Africa 1996.

“In both instances, the right to privacy is limited, and to prove an infringement will most
probably be fairly difficult. There is also established case law on:

 bodily privacy,
 the privacy of communications, and
 territorial privacy”

as quoted in section 14 of the 1996 constitution of south Africa.

The Protection of Personal Information Act (called the POPI Act or POPIA) brings an
end to the uncertainty regarding the law on the use and processing of personal
information. POPIA is essentially the South African Data Protection Bill or Data
Protection Act.

2.1 OVERVIEW OF THE POPI ACT

The POPI Act recognises the right to privacy enshrined in the Constitution and gives
effect to this right by mandatory procedures and mechanisms for the handling and
processing of personal information.

The POPI Act is in line with current international trends and laws on privacy.
‘Processing’ is widely defined, including the ‘collection, recording, organisation,
storage, updating or modification, retrieval, consultation, use, dissemination by means
of transmission, distribution or making available in any other form, merging, linking,
as well as blocking, erasure or destruction of personal information.’

The POPI Act provides eight information protection principles to govern the processing
of personal information. There are specific provisions for:
 a) Direct marketing,
b) Automated decision making,
c) The processing of cross-border flows of data.

2.2 THE EIGHT PRINCIPLES OF THE POPIA ACT

People often provide information for one reason and do not realise that it may be used
for other purposes as well, therefore POPIA prescribes eight specific principles for the
lawful processing and use of personal information. In a nutshell, the POPIA principles
are:

1. The processing of information is limited which means that personal information

must be obtained in a lawfully and fair manner.
2. The information can only be used for the specified purpose it was originally
obtained for.
3. The POPI Act limits the further processing of personal information. If the
processing takes place for purposes beyond the original scope that was agreed to
by the data subject, the processing is prohibited.
4. The person who processes the information must ensure the quality of the
information by taking reasonable steps to ensure that the information is
complete, not misleading, up to date and accurate.
5. The person processing the personal information should have a degree of
openness. The data subject and the Information Regulator must be notified that
data is being processed.
6. The person processing data must ensure that the proper security safeguards and
measures to safeguard against loss, damage, destruction and unauthorised or
unlawful access or processing of the information, has been put in place.
7. The data subject must be able to participate. The data subject must be able to
access the personal information that a responsible party has on them and must be
able to correct the information.
8. The person processing the data is accountable to ensure that the measures that
give effect to these principles are complied with when processing personal
information.

2.3 OFFENCES AND PENALTIES REGARDS DATA PRIVACY IN SOUTH

AFRICA

“The offences and penalties in POPIA quite limited. For example, one directed against
the hindering and obstruction of the Information Regulator in the execution of its
obligations and duties.

Another important one is failing to protect an account number. A person convicted of

these offences will be subject to a fine or to imprisonment for a period not exceeding
10 years, or to both a fine and imprisonment”.
3.0 CASE STUDY

This case was culled from IOL news in 2004 (referenced below)

Site-https://www.iol.co.za/news/south-africa/hackers-vandalise-45-south-african-
websites-121014

A group of South African hackers known as ‘spykids’ hacked about 45 prominent

businesses on 12th January, 2004

Reinhardt Buys, an Internet lawyer in Cape Town granted an interview to IOL news
and said the following;

"On Thursday last week, a hacker group referring to itself as Spykids hacked into
websites located in Cape Town and Stellenbosch," Buys said as quoted by

"The fact that all the websites are in the Western Cape seems to show the hackers
broke into a single server and therefore had access to all the websites hosted on that
server."

The defaced websites used Microsoft Windows 2000.

“Buys said many businesses in South Africa were too embarrassed to say their sites
had been hacked into and often did not report cases to the Directorate of Special
Investigations” as quoted by www.iol.com

A Scorpions spokesperson said on Sunday no charges had been laid in connection

with the “Spykids”.

Buys said he suspected the attacks were carried out from outside the country, "most
probably" from Brazil."

"Most hackers seem to be from Brazil because it has the least effective legislation in
place," he said.

Most owners of defaced websites in the United States tended not to file complaints
with the police, but to "claim their losses from the Internet Service Providers who host
the websites and who should have provided proper protections" as quoted by
www.iol.com

"They are just out for the boast and the more prestigious the company hacked, the
more the boasting rights."
4.0 COMPARING AND CONTRASTING THE NIGERIAN WITH THE
SOUTH AFRICAN LAW

4.1 NIGERIA AND SOUTH AFRICA LAW ON DENIAL OF SERVICE

ATTACKS

In Nigeria, it is a criminal offence for a person to intentionally commit an act without

proper approval of the rightful owner which leads to serious hindering of the functioning
of a computer system by inputting malicious data to prevent the computer system from
functioning rightly.

“The penalty is imprisonment for a term of not more than two years or a fine of not
more than five million naira or both fine and imprisonment” as quoted in section 8 of
the Cybercrimes Act

While in South Africa, under ECT Act, one who is caught in same act as stated for
Nigeria is liable to an undefined fine or imprisonment for a period of five years

4.2 ICT LAW IN NIGERIA AND SOUTH AFRICA

In Nigeria, it is an offence in the Advance Fee Fraud Act (AFF Act) for any internet
service provider not to register with the Economic and Financial Crime Commission
(EFCC) and the penalty for such lead to conviction to imprisonment for a term of not
less than three years without an option of a fine and in the case of continuing offence
leads to a fine of fifty thousand naira for each day the offence occur.

It also an offence in the Cybercrime Act on any person or institution who fails to report
an incident to the National Computer Emergency Response Team (CERT) within seven
days of its occurrence commits an offence and such a person or institution is liable to
denial of internet services and also will be fine with the sum of two million naira.

While in South Africa, there is no imposed duty law under the current legislative
framework to implement cyber security measures on organization but the Protection of
Personal Information Act 4 of 2013 was declared and has not yet started that responsible
parties (internet service provider) should implement reasonable technical and
organisational measures to guide their personal information against unauthorised access
such as cyber security measures.
4.3 NIGERIAN AND SOUTH AFRICAN LAW ON PHISHING

Under the Cybercrime Act of the Nigeria law, phishing such as masquerading in an
electronic communication like emails in such that a mail is sent to an individual or
groups of individuals to change their account details in an attempt to get confidential
information from such individual such as usernames, passwords bank card details for
the purpose of defrauding is liable to three years’ imprisonment or a fine of one million
naira or both fine and imprisonment.

While in South Africa, phishing is categories under common law of theft and the penalty
depend on the court that hears the case but the penalty under magistrate court fifteen
years’ imprisonment.
 APPENDIX

 A BRIEF BREAKDOWN OF NIGERIA’S CYBERCRIME ACT 2015- And

South African Information Technology Law, POPI and the Eight Principles

Contributed by Chikezie Kalu.

 South African laws on cybercrimes: Unauthorized access to, interception of or

interference with data By Uche,Emmanuel.

 Comparison on Nigeria and South Africa ICT Law, Law on Hackers, phishing

and Denial of Service by Akerele Adeola and Emeka Ifeanyi

 South African Gazette and Electronic Law By-Okhamena, Sekinat

 Failure of service provider to perform certain duties by Michael Onyejesi

 Reference sites and case scenario By Kudehinbu,Morayo and Oladimeji

Ogundele

 Abstract and Indexing by Adeseyoju Ayotunde

 REFERENCES
NIGERIAN CYBERCRIME ACT 2015

https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/nigeria

https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/south-africa

https://lawpadi.com/10-things-about -nigerias-cybercrime-act-2

https://www.michalsons.com/privacy-in-south-africa/150

https://www.iol.co.za/news/south-africa/hackers-vandalise-45-south-websites-121014

https://www.export.gov/article?south-africa-information-technology

https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/nigeria

https://researchspace.ukzn.ac.sequence=1

http://lawnigeria.com/LawsoftheFederation/Cyber-Crime-Act,-2015.html

https://www.iol.co.za/news/south-africa/hackers-vandalise-45-south-african-websites-
121014

https://www.michalsons.com/blog/data-privacy-in-south-africa/150

https://www.export.gov/article?id=South-Africa-information-technology

http://www.natlotregcom.gov.ng/downloads/NLA_2005.pdf

http://gfc-conference.eu/wp-
content/uploads/2017/01/MERAVIGLIA_Technology_and_counterfeiting-
friends_or_foes.pdf

http://www.ncc.gov.ng/index.php/docman-main/industry-statistics/research-
reports/682-understanding-the-concept-of-cyber-security/file