“DATA PROTECTION IN SOUTH AFRICA” by Emmie de Kock
(This article was first published in De Rebus, December 2005)
The issue of data protection on the Internet raises new international legal challenges. With the development of e-commerce, an increased need developed to exchange personal information. Personal data is used by corporations to make decisions, expand services and market new products. Personal data is collected when one subscribes to a website , register for Internet banking or purchase a product.
The following incidents, which were reported last year, are related to this issue:
(a) In June 2004, The Star reported that the Post Office plans to make millions by selling your personal information to private companies. In this regard, it was reported that the most state parastatals have assisted in the compilation of the National Address Database (NAD) which contain information on persons who voted, own an identification document, a TV licence, a landline or participated in the last census. Members of the public were outraged fearing that they will be bombarded with junk mail.
(b) In July 2004, the Financial Mail reported that an employee of Sentech has mistakenly e-mailed the company customer database to about 80 My Wireless customers.
According to a 1999 survey in Australia, a low percentage of adults who have access to the Internet participate in online shopping, because consumers have no confidence in private companies to protect their personal data.
Risks posed by electronic data processing include: the unauthorised use of the data for a purpose other than what it was collected for; the use of inaccurate, incomplete and irrelevant information; and the expanded possibilities of storing, comparing, linking, sharing and accessing personal data, all of which could infringe on an individual’s privacy.
These factors and the need for information to flow freely over borders, led to the development of data protection laws, which refer to the group of policies designed to regulate the collection, storage, use, transmittal of personal information. It thus refers to the protection of a person’s right of privacy of information about himself/herself, that is either collected, held, processed or stored by another person or institution (the data controller). Data protection is also often referred to as information privacy.
Data protection laws are closely related to privacy laws and there is currently no all-encompassing privacy or data protection legislation in South Africa. The right to privacy applies to online and offline activities and is internationally recognised as a fundamental right.
In South Africa, privacy is protected by our common law and Section 14 of the Constitution. The common law right of privacy is protected under the law of delict. The constitutional right to privacy is not an absolute right but may be limited in terms of law of general application and has to be balanced with other rights entrenched in the Constitution.
Some countries implemented data protection laws before the introduction of the Internet in the 1980s. A number of countries, including the USA, followed in adopting data protection laws on a national level. Today, over thirty countries have enacted data protection statutes and the number is steadily growing.
The development of the Internet and the operations of multinational corporations, led to the concept of transborder data flow which raised many legal concerns. Privacy is an important trade issue and data privacy concerns threatened to create barriers to international trade.
International organisations were formed to deal with these issues, including the Council of Europe and the Organisation for the Economic Co-operation and Development.
These organisations issued a number of significant documents in the early 1980s with a view to set standards for data protection on a national level, and to provide for the free flow of data at an international level. The most prominent document today is the European Union’s Directive on the Protection of the Individuals with regard to the Processing of Personal Data and the Free Movement of such data Directive 95/46/EC (the Directive). The Directive came into force in 1998 for all states of European Union.
Article 25(1) provides that members must prohibit the transfer of personal data to non-member states which do not ensure an adequate level of data protection.
Article 25(6) furthermore provides that the European Commission may find that a third party ensures an adequate level of protection on the basis of its national laws or by virtue of its international agreements entered into relating to the protection of privacy, basic freedoms and rights of individuals.
Since the adoption of the Directive, the Commission has determined that data protection laws of a number of non-member states are adequate including Switzerland, Canada, Argentina, Guernsey and the Isle of Man.
The USA also applied to the Commission to assess its data protection laws. In contrast with the European countries, the USA does not have general data protection laws but negotiations followed between the US Department of Commerce and the European Commission and the parties eventually entered into a safe habor agreement in 2000. This agreement consists of a set of privacy principles which US corporations may voluntarily self-certify to adhere. Such corporations would then be presumed to have adequate privacy protection in place on the proviso that the Commission may re-open negotiations, if the remedies open to its citizens prove to be inadequate.
Data protection laws in South Africa
South Africa is in the process of developing new legislation on data protection. In early 2002, the South African Law Reform Commission gave notification of a project to begin drafting a comprehensive national Data Privacy Act. A project committee met in July 2002. In August 2003, the Commission released an Issue Paper and called for comments on the following issues:
- whether privacy and data protection should be regulated by legislation;
- how general principles of data protection could be developed and incorporated in the legislation;
- whether the statutory regulatory agency should be established;
- whether a flexible approach in terms of which industries will develop their own codes of practices, which could be overseen by the regulatory agency, is viable.
The South African Law Reform Commission furthermore recently issued a Discussion Paper and draft Bill calling for comments by roleplayers and interested parties by 28 February 2006. A summary of the issues and proposed Bill is set out elsewhere in this publication.
It is envisaged that the promulgation of data protection legislation in South Africa may result in amendments to other South African legislation such as the Electronic Communications and Transactions Act No. 25 of 2002 (ECT) and The Promotion of Access to Information Act No. 2 of 2000.
After the proposed Data Privacy Act is in place, it is expected that South Africa will also apply to the European Commission to declare our data protection laws adequate.
At present, Chapter 8 of the ECT Act sets out the universally accepted data protection principles describing how personal data, as defined in the ECT Act, may be collected and used. This Chapter of the ECT Act only applies to information that has been obtained through electronic transactions.
The ECT Act definition for personal information includes information relating to race, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth. Section 51 furthermore inter alia determines that a data controller must have written permission of the data subject for the collection, processing or disclosure of any personal information on that data; a data controller may not electronically request, collect, collate, process or store personal information on which is not necessary for the lawful purpose for which the personal information is required; a data controller may not disclose any of the personal information to a third party unless required or permitted by law or specifically authorised by the data subject.
It is hoped that consumers will become increasingly aware of their data privacy rights and support businesses and data collectors which subscribe to these principles. While these principles are voluntary and not compulsory to comply with at present, it is hoped that data collectors will implement these principles pending the enactment of the new data protection legislation.
South Africa is in the process of developing data protection laws. This is necessary to keep pace with technological and e-commerce developments. The European Union Directive came into force in 1998 and set the trend for data protection laws in and outside of Europe. While the South African ECT Act contains the basic universal accepted principles for dealing with personal data collected in electronic transactions, there is a need for separate and more adequate legislation on data protection. The South African Law Reform Commission is working on new legislation which could lead to amendments of the ECT Act and The Promotion of Access to Information Act. A Discussion Paper and draft Bill have recently been released and are open for comments until 28 February 2006.
- Buys, R, Cyberlaw @ SA II: the law of the Internet (Second edition, 2004)
- Constitution of the Republic of South Africa 108 of 1996
- Electronic Communications and Transactions Act 25 of 2002
- Promotion of Access to Information Act 2 of 2000
- Hughes, B, Data Protection in South Africa (October 2004)
- Lim Yee, F, Cyberspace law (2002)
- Press statement by South Africa Law Commission concerning its investigation into privacy and data protection (August 2003)
- The Star, State to sell your privacy (June 2004)