How the Electronic Transactions Act will effect online business, cyber security firms

and web services companies in Namibia?


Introduction

Namibia has taken its first step, in a string of legislative actions, to regulate the online business environment in Namibia.


Up until this year, no laws existed that specifically regulated the online activities of companies in Namibia. However, on 16 March 2021 the Electronic Transactions Act 4 of 2019 (Herein referred to as the “Act”) came into force and set the initial barriers for the way online businesses is conducted.


The Act regulates the way online businesses provide goods or services online, addresses fraudulent activities by clients of web services companies and sets up new procedures for cyber security firms to operate in Namibia.


The Act is focused on developing a safe, secure and effective environment for consumers and businesses. It is also Namibia’s first major step towards consumer protection and it endeavours to keep consumers safe in online transactions.


Although the Act does address public sector issues and legal proceedings, this article will only focus on how The Act impacts the private sector.

This article is divided into three sections, namely:

1. How Will Online Businesses Be Affected?

2. How Will Cyber Security Firms Be Affected?

3. How Will Web Service Companies Be Affected?


[Readers may skip to whichever section is most relevant to them]


How Will Online Businesses Be Affected?

Over the past decade Namibia has had an increasing number of traditional brick & mortar businesses transition to providing services or products online. The COVID-19 pandemic has further necessitated this next step in the Namibian business environment.


Historically, Namibia has not burdened businesses with laws that regulate the way they interact with customers – especially as it relates to consumer protection. Chapter 4 of this act will be the first step towards placing requirements on business practice to protect users of these online platforms – not only with regards to customer satisfaction with products but also email marketing efforts to customers.


Consumer Protection

Section 34 of the Act places a duty on the online supplier of goods or services to make pertinent information available to the customer on the website. The information referred to includes, but is not limited to, a sufficient description of the goods or services, full price of the goods or services (including transport costs, taxes and any other fees) and the full contact details of the business.


Failure to comply with this information requirement allows customers to cancel transactions and receive a full refund of all payments made, including the direct cost of returning the goods - on the basis of insufficient information.

This section further requires the supplier to utilise a secure payment system and it holds the supplier liable for any damages suffered by a consumer due to the use of an unsecure payment system.


Section 35 regulates return and refund policies. It stipulates a seven (7) day time-frame within which a consumer can cancel a transaction (without reason and without penalty) and a thirty (30) timeframe within which a supplier must refund payment.


Email Marketing

Powerful email marketing tools have allowed businesses to collect customer emails and automate outreach. These efforts, for the first time, face regulation.

Section 36 of the Act regulates unsolicited communications, in particular email-marketing. It indicates the specific business information of the supplier that must be included in any communications with consumers and requires that an operational opt-out facility must be included in every email.


This section further stipulates that an opt-in to email marketing is not recognized unless it meets requirements. For an opt-in to be valid, the entity writing the marketing materials must be the same entity that collected the recipients contact information and only relevant promotional messages must be sent.


Any entity that intentionally sends unsolicited promotional messages to a consumer after that consumer has opted-out, commits an offence. This offence is punishable by a fine not exceeding N$500 000 or imprisonment not exceeding two years or both such fine and such imprisonment.


How Will Cyber Security Firms Be Affected?

Where there was previously no regulation of electronic security products or services, there is now a procedural hurdle to overcome before cyber security firms can lawfully operate in Namibia. These firms will now need to obtain accreditation.


For clarity, a cyber security firm in this instance means a company that conducts any activity relating to the security or integrity of data or an information system, or the linking of any action to a specific information system or person; Section 42 of The Act requires a person who supplies a security product or service to obtain accreditation from the Communication Regulatory Authority of Namibia (CRAN).


CRAN will issue a certificate of accreditation based on various classes of products or services. The accreditation process will include determining whether the product or service is sufficiently secure, as well as assessing the expertise of the person providing the service.

Further conditions to accreditation include, the financial well-being of the provider, technical competence of its staff, record keeping, review of its authentication processes and security breach procedures.


Section 48 of The Act makes it an offence to provide cyber security services without accreditation punishable with a fine not exceeding N$50 000 or imprisonment for a period not exceeding two years or to both such fine and such imprisonment.

How Will Web Service Companies Be Affected?

In a situation where a web services company provides hosting or data storage services to a supplier of goods/services and that supplier conducts fraudulent activity or transfers unlawful data through the web service company’s platform. Is the web services company liable? Can consumers apply to for a takedown of a fraudulent website on the hosting company platform? And do web service companies have an obligation to monitor the content of their clients to ensure lawfulness?


Fraudulent Client Conduct

The general rule is that companies that provide conduit services, caching services, hosting services, information location tools and other web services are not liable for criminal or civil liability in respect of the material or activities of their clients.


The exceptions to this rule include the following:

1. The web services company has actual knowledge of the fraudulent material or data,

2. The web services company modifies the data it hosts/transmits; and

3. The web services company acts beyond its role as an uninvolved intermediary (e.g. it initiate the transmission of the data, rather than transmitting data on instruction).


For as long as the web services company keeps itself removed from the content of the activity, it can also remain removed from any potential liability for fraudulent activity.


Take Down Notices

A typical solution offered to consumers who are victims of fraudulent online activity is a takedown notice. This is a complaint lodged with the web services company, notifying them of the fraudulent activity and requesting the takedown of the webpage being hosted on that platform.


Section 54 of the Act stipulates the form in which a takedown notice must be submitted to the web service company. This section further outlines the procedure for content/website take downs, including objections to takedowns, wrongful takedowns and penalties for persons who provide false statements in a request for a takedown notice.


Conclusion

The Electronic Transactions Act 4 of 2019 is set to provide order in an environment where there was previously free reign. It is the first step in regulating an environment that will be crucial to the way Namibian business will conduct themselves in the future.


Other sections in the Act make it clear that there is more legislation to come in the online space. Specifically, Chapter 2 establishes the Electronic Information Systems Management Advisory Council, this council is set to spearhead regulation in this space.


Over the next few months and years, businesses must keep their fingers on the pulse of internet regulation in Namibia and consistently provide industry input – in the name of shaping the future business environment that they will operate in.


About the Author

Zach Kauraisa holds an LLB and an LLM. He is currently a Candidate Attorney at Koep & Partners in Windhoek Namibia. For inquiries, email: zach@koep.com.na