Section
14 of the South African Constitution of 1996 states, "Everyone has the
right to privacy, which includes the right not to have – (a) their person or
home searched; (b) their property searched; (c) their possessions seized; or
(d) the privacy of their communications infringed." Section 32 states,
"(1) Everyone has the right of access to – (a) any information held by the
state, and; (b) any information that is held by another person and that is
required for the exercise or protection of any rights; (2) National legislation
must be enacted to give effect to this right, and may provide for reasonable
measures to alleviate the administrative and financial burden on the
state."[1] The interim Constitution contained equivalent
provisions to Section 14 and Section 32.
The
South African Constitutional Court has delivered several judgments on the
constitutional right to privacy. These deal with legislation prohibiting the
possession of indecent or obscene photographs and child pornography, searches and seizures and the criminalization of prostitution. The court's interpretation of the right is a
mixture of US and European jurisprudence. On the one hand, the court has
emphasized that the roots of the right lie in the value of human dignity. On the other hand, the court has defined the
right, along US lines, as protecting an actual (or subjective) expectation of
privacy that society is prepared to recognize as reasonable.
The
constitutional right to privacy also has application in private litigation. Recent decisions have considered the effect of
the right in litigation seeking to prevent the publication of intimate
photographs of a quasi-celebrity, and an action for damages to compensate for
publication of an inaccurate report that a person had been arrested for
terrorism.
There
is currently no general statutory protection of privacy or general data
protection legislation in South Africa.
In
early 2000, the South African Law Reform Commission was requested by Parliament
to investigate the introduction of privacy and data protection legislation. The
impetus for the request was Parliament's consideration at the time of the
Promotion of Access to Information Act (the Act). Drafts of the Act contained a
chapter proposing the regulation of access to, and dissemination of, personal
information held in private and public "data banks." Parliament took
the view that these matters would be better regulated by a comprehensive
purpose-specific statute and the chapter was removed from the Access to
Information Act as finally enacted. The Law Reform Commission, having
researched the matter, then published an Issue Paper on Privacy and Data
Protection in August 2003. The Issue Paper makes a number of preliminary
recommendations that closely track the provisions of the European Union (EU)
Data Protection Directive. This is to be expected since the Directive, by
requiring a basic level of data protection in countries doing business with the
EU, is an important impetus for the law-reform initiative. The Commission
recommends that legislation be enacted to govern the collection, use and
dissemination of personal information in both the public and private sectors,
and calls for the creation of a specialized Commission. The Commission is
likely to complete its work in the first half of 2005, and the legislative
process is likely to take at least a year after that.
The Regulation of Interception of
Communications and Provision of Communication-related Information Act 70 of 2002 (the Interception Act) is the
end-product of several proposals of the Law Reform Commission. In November
1998, the Commission recommended amendments to facilitate the monitoring of
cellular phones and Internet Service providers (ISPs). On July 18, 2001, a Bill was introduced into
Parliament, proposing the repeal and replacement of the Interception and
Monitoring Prohibition Act 127 of 1992. According to Mr Johnny de Lange,
Chairperson of the Parliament's Portfolio Committee on Justice and
Constitutional Development, the Bill "aims to regulate the interception
and monitoring of certain communications . . . to regulate authorized
telecommunications monitoring," and "to prohibit the provision of
certain telecommunication services which do not have the capacity to be
monitored." Following 18 months of limited consultation
with stakeholders, the Interception Act was enacted and entered into force in
December 2002.
The
passage of the Interception Act had initially been delayed, pending
finalization of the Council of Europe Convention on Cyber crime, which, if
ratified, would require member states and non-member signatories to enact
measures consistent with the Convention. South Africa is one of four non-member
signatories to the Convention, along with the United States, Canada and Japan. The Interception Act conforms to the
requirements of the Convention.
The
Interception Act was considered and passed as several unathorised surveillance
incidents had come to light in the last few years. In 1996, it was revealed
that the South African Police Service had been monitoring thousands of
international and domestic phone calls without a warrant. The opposition Democratic Party announced in
November 1999 that it had found surveillance devices at its parliamentary
offices and national headquarters. In February 2000, the government apologized to
the German government after the media reported that an intelligence operative
had placed spy cameras outside the German Embassy.
The
purpose and essence of the Interception Act remains similar to all previous
versions. The Act prohibits wiretaps and surveillance, except for law
enforcement purposes. It requires that all telecommunications services,
including ISPs, make their services capable of being intercepted before they
could offer them to the public. There is a provision for the Minister to exempt
ISPs from these provisions. However, while exemptions can be made from the
requirement to enable a network for surveillance purposes, ISPs that are exempt
will be required to contribute to a fund which will be used to purchase
centrally held surveillance equipment. This equipment will be used on a
rotational basis as needed by smaller ISPs who are required to comply with a
surveillance request by law enforcement.
Generally,
providers will be required to pay for the costs of making their systems
wiretap-enabled. No model of cost sharing is proposed at this stage and the
state will be responsible for the costs of connecting central interception centers
to telecommunications providers. Criminal penalties are also included should a
service provider refuse to comply with the provisions of the Act or assist law
enforcement. Repeat offenders may in addition face the revocation of their
service license granted under the Telecommunications Act.
Several
amendments made by Parliament during the consideration of the Interception Act
widened the scope of the legislation.The definition of "communication" has
been augmented to include all "direct" and "indirect"
communications, which together cover all traffic, signaling and other call
related information, as well as the content of such communications. Amendments
include: an expanded list of grounds for obtaining a wiretap order; including a
wiretap to ascertain the location of a person in the case of an emergency; an expanded range of interception directions
that can be granted, such as decryption orders; and an augmented list of offences under the
Act, which includes being in possession of a stolen
cellular phone and failure to report a stolen, lost or damaged SIM (Subscriber
Identity Module) card.
Provisionson
data retention require all telecommunication service providers (TSPs) to gather
detailed personal data on individuals and companies (including photocopies of
identity documents) before signing contracts or selling SIM cards for pre-paid
mobile services. Provisions require that such data is made available to law
enforcement agencies when requested to. There is no limit specified for the
length of time TSPs are required to retain personal data, but a requirement to
store communication-related information is currently limited in duration to 12
months.
The
Minister has several broad powers in the Interception Act, including the
discretion to stipulate all technical and security requirements for networks to
be capable of surveillance, including capacity, the systems to be used, the
facilities and devices to be acquired, and the type of communication-related
information to be stored. At this stage, consultation in developing these
standards appears to be limited to the Minister, other relevant ministers and
TSPs. There is no provision for public interest or technical bodies to be
consulted.
The
National Intelligence Agency (NIA) announced in February 2000 that it was
creating a signals intelligence service based on the model of the United
Kingdom's GCHQ. The NIA will have the authority to intercept
all postal, telephone and Internet communications under the auspices of crime
control and national security, actual or potential threats to public health and
safety, and to assist foreign law enforcement agencies with interception
regarding organized crime or terrorism, under a mutual assistance agreement. In January 2004, the Department of
Communications put out a tender calling for proposals by technology firms to
create interception centres to intercept, monitor and store email and cellphone
messages.
While
the Act is in the early stages of implementation, several problems are
beginning to emerge. Various operational requirements appear impractical and
seem not to be implementable. For example, a requirement that before an
Internet service contract can be concluded, ISPs are required to verify the
identity of the subscriber. As many Internet users subscribe online, this
creates many difficulties. Moreover, ISPs now have to verify identities and
retain copies of identity documents.
Other
problems pertaining to technical network issues are emerging and the Department
of Communications has set up a working group with industry to examine these
issues. At the time of writing, various directives were in the process of being
discussed to clarify implementation difficulties.
The
Electronic Communications and Transactions Act (ECTA) has been in operation
since August 2002. The main purpose of the Act is to facilitate
e-commerce by creating legal certainty and promoting trust and confidence in
electronic transactions. It provides for functional equivalence of electronic
documents, recognition of contracts, digital signatures, electronic filing and
evidence etc. The Act also contains statutory provisions on
cybercrime and creates several computer crime offences. These include:
unauthorized access to data; interception of, or interference with data;
computer related extortion; fraud, and forgery aimed at interfering with commercial activities
and hacking. Other provisionsrestrict ISP liability; promote consumer rights; criminalize spam and
require all websites engaged in "offering goods or services for sale, for
hire or for exchanges by way of an electronic transaction" to provide
information about the security and privacy policy of the website. Websites that collect personal information may
voluntarily subscribe to certain principles in the Act intended to protect a person's
privacy, but are not required to do so.
Chapter
II of the ECTA directs the Minister of Communications to develop a national
"e-strategy" within two years of the commencement of the Act. Amongst
the matters to be addressed by the e-strategy are the closing of the
"digital divide" through programs aimed at providing Internet
connectivity to disadvantaged communities and encouraging the private sector to
initiate schemes to provide universal access.
The
ECTA provides for the registration of all cryptography providers and services
and government accreditation of authentication providers. A new "cyber
inspectorate" will monitor websites and public information systems and
investigate complIaince by cryptography and authentication providers.
Included
in the ECTA is a provision authorizing the Minister to declare both public and
private databases critical in the "national interest" or the
"economic and social well-being of South Africa." Once declared, the
Minister can require the database to be registered, including all information
about its location and the types of data stored. The law also authorizes the
Minister of Communications to determine technical standards and set procedures
for the general management of critical data bases, their security and disaster
recovery procedures.
South
Africa does not have a data protection authority but has a Human Rights
Commission (HRC), which was established under Chapter 9 of the Constitution.
The HRC's mandate is to protect, and investigate infringements of, the
fundamental rights guaranteed in the Bill of Rights, and to take steps to
secure appropriate redress where human rights have been violated. The
Commission has limited powers to enforce the Promotion of Access to Information
Act.
South
Africa has a well-developed financial system and banking infrastructure.
Despite the sophistication of the financial sector, the privacy of financial
information is weakly regulated by a code of conduct for banks issued by the
Banking Council. The current Code (in place since 2000) has recently been
revised and will be replaced with effect from October 1, 2004. Adherence to the Code is voluntary and it is
expressly declared to be not legally binding. Financial institutions
subscribing to the Code undertake not to share personal information of their
clients without consent except in the public or "where [banks'] interests
require disclosure'. Information may be disclosed to third-party credit risk
management services with prior consent, or after notice to the client.
Important
new legislation – the Financial Intelligence Centre Act 38 of 2001 aimed at
preventing money laundering was passed by Parliament in 2001 and the bulk of
its provisions came into effect in 2003. Along the lines of similar legislation
in other jurisdictions, the Act creates the Financial Intelligence Centre, a
supervisory and investigative body that receives and analyzes information
regarding suspected money-laundering activities supplied to it by financial
institutions, and disseminates reports to the criminal investigative
authorities, the intelligence services and the revenue service. Banks and other
financial institutions are required to verify the identity of their customers,
must maintain a considerable body of information about customers and their
transactions, and must report suspicious transactions to the Centre.
The
weakness of banks' data security measures were exposed in a well-publicised
case of identity-theft during 2003. A hacker was able to gain access to the
account and password details of the Internet banking accounts of a number of
bank customers, using commercially available keystroke-logging spyware. The
publicity given to the case -- unusual, since banks usually keep bank fraud
cases confidential – resulted in upgrades to security by most commercial banks
offering Internet banking services.
Credit
bureaux are currently self-regulated by a Code of Conduct administered by the
Credit Bureau Association (CBA). After the government's Consumer Affairs
Committee investigated into the ability of the CBA to enforce its code, the
government has proposed legal regulation of the industry. The draft regulations
were published for comment in April 2003. They propose strict limitations on
the types of information that may be held by credit bureaux, and the period of
time for which information can be held. They also require access to credit
information by consumers to ascertain the accuracy of the information credit
bureaux hold on them, and to require procedures to allow them to dispute it.
The
Cabinet approved a plan in March 1998 to issue a multi-purpose smart card that
combines access to all government departments and services with banking
facilities. In the long term, the smart card was intended to function as
passport, driver's license, identity document and bankcard, linked to
fingerprint information.In 2003, a commission recommended major changes
to the conceptualization of the project. In February 2004, the report of the
transaction advisors on the feasibility of procuring the new identity document
through a public private partnership recommended against the partnership. The
procurement process and form of the new identity document are therefore still
uncertain.
In
2004, the Department of Home Affairs began a pilot programme to issue 30,000
smart cards to refugees (persons granted political asylum). In the Department's
view, this programme is an initial step towards a planned rollout of six
million smart cards per year over a five-year period. The full program entails
the conversion of 30 million paper-based sets of records into the Department's
electronic document management system. The government agency aims to eventually
produce "an integrated biometric database of all people the Department
deals with – citizens, residents, refugees, illegal foreigners."
The
Promotion of Access to Information Act (PAIA) came into operation on March 9,
2001. The Act is
a general freedom of information legislation, modeled on the FOI laws of the
United States and Commonwealth jurisdictions. It is however unusual and
ground-breaking in at least two respects. First, it is based on, and backed up
by, a specific constitutional right of access to information, entrenched in the
Bill of Rights. Secondly, this right, and
as a consequence, the Act, is applicable not only to information in government
hands but also to information held in the private sector. There is no competent Commission to monitor the
implementation of the Act or to provide dispute-resolution services. Instead,
the South African Human Rights Commission is charged with monitoring the use of
the Act, publicizing the rights that it creates, assisting members of the
public to make requests, conducting research and publishing explanatory
material about the Act. Disputes over alleged maladministration of the Act (e.g., requests for information not answered, indexes of records not
submitted as required by the Act) can be heard by the Public Protector (the
South Africa's Ombudsman). Disputes over the substance of a refusal of a request for information are resolved by way of
an application to the ordinary courts.
Concern
has been expressed from various quarters (including the Human Rights
Commission) about the ineffectiveness of the Act's dispute resolution
processes. Litigation is widely recognized as being too inaccessible and
cumbersome to be an effective way of enforcing the freedom of information
rights in the Act and in the Constitution.
On
paper, the Act grants extensive freedom of information rights. However, it is
more difficult to assess the effectiveness of these rights in practice. First,
because the Act is not yet completely operational. It will not be possible to
draw accurate conclusions about the success or failure of the Act until
"manuals" (indexes of records) are published. Second, because a vital resource for
researchers - the statistics on the use of the Act, to be compiled by the Human
Rights Commission - have not yet been published. There are no comprehensive
empirical studies available on the implementation of the Act. In the absence of
such studies, much of the evidence available to researchers is anecdotal.
Requesters have reported that PAIA requests are often dealt with extremely
slowly or, more troublingly, are simply ignored. There appears to be widespread ignorance of the
requirements of the Act, and even of its existence, in the public sector.
However,
there have been a number of high profile cases involving use of PAIA. For
example, the leader of the Opposition made a successful request to the
Presidency and the Ministry of Justice for records relating to a number of
controversial presidential pardons of prisoners who had been refused amnesty by
the Truth and Reconciliation Commission. One of the most active users of the Act – the
South African History Archive (SAHA), a NGO which collects and archives
apartheid-era documentation – has retrieved large quantities of classified
material from military archives and documents collected by the Truth and
Reconciliation Commission. While SAHA has had some important victories, the
organization suggest that use of the Act has been limited because the culture
of freedom of information has not taken root yet and because PAIA has been
poorly publicized. The Institute for Democracy in South Africa has
lauched a campaign to use the access rights granted by the PAIA to require
political parties to disclose the sources of their funding. Predictably enough, the requests for this
information were not met with transparency by political parties, and the
organization has begun a court process to test the principles at stake.
There
appears to have been little use by requesters of the private-sector provisions
of the Act, but the extent to which the Act has had an impact on the private
sector is almost impossible to measure. Certainly, the Act's requirements that private
bodies publish indexes of their records have so far largely been ignored.
Even
before September 11, 2001, South Africa had been revising its anti-terrorism
laws. A draft anti-terrorism Bill was tabled for debate in Parliament and was
the subject of public hearings at the Portfolio Committee on Safety and
Security. The Bill was widely criticized as unconstitutional for its far
ranging provisions with regard to personal freedoms, detention, bail and wide
police search and seizure powers.The proposed Bill initially defined an
act of terrorism as "an unlawful act committed in or outside the
Republic" while a "terrorist organization" was defined as "an organization
declared as such by the Minister of Safety and Security and which is likely to intimidate the public
or a segment of the public, or is likely to carry out a convention offence."
This
broad definition of a "terrorist" and "terrorist
organization" could extend to legitimate protest activity. Interest groups
have argued for a more precise definition that will reduce the chances of
arbitrary state action against individuals or organizations.
Other
concerns pertain to the wide powers given to the Minister of Safety and
Security, the National Directorate of Public Prosecutions, and general law
enforcement agencies, and the right given to the state to declare organizations
as terrorist organizations.NGOs that made submissions on the Bill raised
concerns that its far-ranging provisions pose a threat to personal freedom,
freedom of expression and freedom of the media. In particular, the powers given
to the police and prosecuting authorities to act ex parte against individuals and organizations
simply on the basis of unspecified "reasonable grounds" have been
cause for concern. Many submissions also noted that the
new proposed Bill may also be unnecessarily duplicative of legislative
resources as there are approximately 22 existing laws that can already
adequately deal with "terrorism" crimes without placing constitutional
freedoms at risk. Perhaps, and most significantly, the leading trade union
organization the Congress of South African Trade Unions (COSATU) opposed the
bill on the ground that its definition of terrorism could lead to the outlawing
of legitimate strike activities.
The
draft legislation was passed by the National Assembly in November 2003. However, after
introducing the law in a redrafted form (now titled the Protection of
Constitutional Democracy against Terrorist and Related Activities Bill) in the
second chamber of Parliament in February 2004, the government announced, under
the threat of a nationwide strike by COSATU, that it was delaying a vote on the
legislation until after the April 2004 elections. The government has
re-introduced the draft legislation in July 2004.
