Section 14 of the South African Constitution of 1996 states, "Everyone has the right to privacy, which includes the right not to have - (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed." Section 32 states, "(1) Everyone has the right of access to - (a) any information held by the state, and; (b) any information that is held by another person and that is required for the exercise or protection of any rights; (2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state."[2358] The interim Constitution contained an essentially similar provision to Section 14, in Section 13.[2359] It is clear that both sections are written in a way that directly responds to the experiences during the apartheid era of gross interferences with peoples' right to privacy. The South African Constitutional Court has delivered several judgments on the right to privacy relating to the possession of indecent or obscene photographs,[2360] the scope of privacy in society,[2361] and searches.[2362] All the judgments were delivered under the provisions of the Interim Constitution as the causes of action arose prior to the enactment of the Final Constitution. However, as there is no substantive difference between the privacy provisions in the Interim and Final Constitutions, the principles remain authoritative for future application.
In early 2002, the Law Commission gave notification of a project to begin work on drafting a comprehensive national Privacy Act. This could take months to two years. Many important privacy provisions, specifically regarding data retention and personal privacy, originally intended for this Act have largely been left out of the new laws on Electronic Commerce, Surveillance and Access to Information, to be included in this general law when drafted. Although these laws do make efforts to cater for personal privacy protection, the result is that certain important gaps remain until the privacy law is promulgated. By June 2003, there was still no documentation available in the form of a research or issue paper, or any draft Bill available for comment.
On July 18, 2001, a new Interception and Monitoring Bill was introduced into the South African Parliament, proposing amendments to the 1992 Act, which had previously been amended to strengthenprivacy concerns. According to Adv. Johnny de Lange, Chairperson of the South African Parliament's Portfolio Committee on Justice and Constitutional Development, the Bill "aims to regulate the interception and monitoring of certain communications...to regulate authorized telecommunications monitoring," and "to prohibit the provision of certain telecommunication services which do not have the capacity to be monitored."[2363]Following eighteen months of limited consultation with stakeholders, mainly law enforcement agencies and telecommunication operators, the President signed a new surveillance Act into law. The Regulation of Interception of Communications and Provision of Communication-related Information Act became operational in December 2002.[2364]
The passage of this surveillance law had initially been disrupted, pending finalization of the Council of Europe Convention on Cyber crime, which, if ratified, would require member states and non-member signatories to enact measures consistent with the Convention.[2365] South Africa is one of four non-member signatories to the Convention, along with the United States, Canada and Japan.[2366] The new surveillance Act conforms to the requirements of the Convention.
Its purpose and essence remains similar to all previous versions. The Act continues to prohibit wiretaps and surveillance, except for law enforcement purposes. It requires that all telecommunications services, including Internet service providers (ISPs), make their services capable of being intercepted before they could offer the service to the public. There is a provision for the Minister to exempt ISPs from these provisions. However, while exemptions can be made from the requirement to enable a network for surveillance purposes, ISPs that are exempt will be required to contribute to a fund which will be used to purchase centrally held surveillance equipment. This equipment will be used on a rotational basis as needed by smaller ISPs who are required to comply with a surveillance request by law enforcement.
Generally, providers will be required to pay for the costs of making their systems wiretap-enabled. No model of cost sharing is proposed at this stage and the state will be responsible for the costs of connecting central interception centers to telecommunications providers. Criminal penalties are also included should a service provider refuse to comply with the provisions of the Act or assist law enforcement. Repeat offenders may in addition face the revocation of their service license granted under the Telecommunications Act.[2367]
The National Intelligence Agency (NIA) announced in February 2000 that it was creating a signals intelligence service based on the model of the United Kingdom's GCHQ.[2368] Under the authority of new Regulation of Interception of Communications Act, the NIA will have the authority to intercept all postal, telephone and Internet communications under the auspices of crime control and national security, actual or potential threats to public health and safety, and to assist foreign law enforcement agencies with interception regarding organized crime or terrorism, under a mutual assistance agreement.[2369]
Additional amendments contain new definitions which widen the scope of the Bill;[2370] an expanded list of grounds for obtaining a wiretap order; including a wiretap to ascertain the location of a person in the case of an emergency;[2371] an expanded range of interception directions that can be granted,[2372] such as decryption orders;[2373] and an augmented list of offences under the Act,[2374] which includes being in possession of a stolen cellular phone and failure to report a SIM card stolen, lost or damaged.
New provisions on data retention require all telecommunication service providers (TSPs) to gather detailed personal data on individuals and companies (including photocopies of identity documents) before signing contracts or selling SIM (Subscriber Identity Module) cards for pre-paid mobile services. Provisions require that such data is made available to law enforcement agencies when requested to. There is no limit specified for the length of time TSPs are required to retain personal data, but a requirement to store communication related information is currently limited in duration to twelve months.
The Minister has several broad powers in the Act, including the discretion to stipulate all technical and security requirements for networks to be capable of surveillance, including capacity, the systems to be used, the facilities and devices to be acquired, and the type of communication related information to be stored. At this stage, consultation in developing these standards appears to be limited to the Minister, other relevant ministers and TSPs. There is no provision for public interest or technical bodies to be consulted.
In 1996, it was revealed that the South African Police Service was monitoring thousands of international and domestic phone calls without a warrant.[2375] In February 2000, the government apologized to the German government after it was found that an intelligence operative had placed spy cameras outside the Germany Embassy.[2376] The opposition Democratic Party announced in November 1999 that it found surveillance devices at its parliamentary offices and national headquarters.[2377]
In 2001 Privacy International submitted a statement on an earlier draft of the bill criticizing the proposals as "inconsistent with international standards on human rights and the legal requirements of the South African Constitution" and calling for its delay until several changes could be made.[2378] At present, while the Act is in the early stages of implementation, several problems are beginning to emerge. Various operational requirements appear impractical and seem not to be implementable. For example, a requirement that before an Internet service contract can be concluded, ISPs are required to verify the identity of the subscriber. As many Internet users subscribe online, this creates many difficulties. Moreover, ISPs now have to verify identities and retain copies of identity documents.
Other problems pertaining to technical network issues are emerging and the Department of Communications have set up a working group with industry to examine these. At the time of writing, various directives were in the process of being discussed to clarify implementation difficulties.
This Act is the end-product of several proposals of the South African Law Reform Commission, which in November 1998 recommended amendments to facilitate the monitoring of cellular phones and ISPs.[2379] These proposals were part of a wider project to rationalize the many former apartheid government security laws.[2380]
In August 2002 the long-awaited for Electronic Communications and Transactions Act was promulgated.[2381] Following two years of extensive consultation, its main purpose is to facilitate e-commerce by creating legal certainty and promoting trust and confidence in electronic transactions. As such, it provides for functional equivalence of electronic documents, recognition of contracts, digital signatures, electronic filing and evidence etc.[2382] The Act also contains statutory provisions on cybercrime and creates several computer crime offences, including unauthorized access to data; interception of, or interference with data; computer related extortion; fraud, and forgery[2383] aimed at interference with commercial activities and hacking. Positive provisions are included on the restriction of ISP liability;[2384] promoting consumer rights; criminalizing spam and requiring all retail websites to have an accessible privacy policy. The Act also provides for a national e-strategy to bridge the digital divide.
While awaiting a specific privacy and data protection law to be drafted, personal privacy protections remain weak, and are largely based on the voluntary adoption of a set of privacy principles by data collectors. While the principles cover explicit, written consent for collection and use of personal data, the purpose for which it is gathered, non-disclosure, etc., this is regulated as a matter of contract and agreement, with the sanction for breach to be determined between the parties. In addition, the provisions on personal privacy only apply to electronically collected personal data, ignoring information gathered in non-electronic ways but subsequently captured electronically.
The Act proposes the registration of all cryptography providers and services and government accreditation of authentication providers. A new law enforcement 'cyber inspectorate' is proposed who will monitor websites and public information systems and investigate compliance by cryptography and authentication providers.[2385]
Included in the Act is a provision authorizing the Minister to declare both public and private databases critical in the "national interest" or the "economic and social well-being of SA." Once declared, the Minister can require the database to be registered, including all information about its location and the types of data stored. The law also proposes to authorize the minister to determine technical standards and set procedures for the general management of critical data bases, their security and disaster recovery procedures.[2386]
South Africa does not have a privacy commission but has a Human Rights Commission (HRC), which was established under Chapter 9 of the Constitution. The HRC's mandate is to investigate infringements of and protect the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated. Additionally, the Commission has limited powers to enforce the Promotion of Access to Information Act.[2387]
There are no other specific pieces of legislation on general data protection law. Other than the Constitutional right to privacy, the South African common law protects rights of personality under the broad umbrella of the actio injuriarum. The elements of liability for an action based on invasion of privacy are the same as any other injury to the personality, namely an unlawful and intentional interference with another's right to seclusion and to private life. The Law Commission is currently drafting a new computer crimes law.
Financial privacy is covered by a weak code of conduct for banks issued by the Banking Council in March 2000. Credit bureau Experian accidentally made available on its web site the records on 1.5 million clients in July 1999.[2388] The information was from cellular phone company Vodac and banks Nedcor, Standard Bank, Mercantile, Teljoy and Homechoice, and included names, addresses and identity, telephone and cellular phone numbers, and bank account details. In February 2000, it was discovered that First National Bank's (FNB) telephone banking service allowed callers to obtain a balance statement and available credit level for the accounts of any client. The service was reported to get 170,000 calls a month.[2389]
The Cabinet approved a plan in March 1998 to issue a multi-purpose smart card that combines access to all government departments and services with banking facilities. This is part of the information technology strategy formulated by the Department of Communications to provide kiosks for access to government services.[2390] In the long term, the smart card is intended to function as passport, driver's license, identity document and bankcard. The driver's license will include fingerprints. The new smart cards have not yet been issued to date.[2391]
The Promotion of Access to Information Act (PAIA) was brought into operation on March 9 of 2001.[2392] The Act goes beyond defining a right of access to information held by the state, and includes a constitutional right of access to information held by private organizations as well.[2393] While the PAIA contains legislative mandates for information retention in the public sector, it contains no such framework concerning information held in the private sector. As a result, information retention is primarily left to the whim of individual system managers. The PAIA's enforcement mechanism is primarily left in the hands of the South African Judiciary, whose role in balancing competing values outlined in the PAIA has been called into question due to the judges' lack of formal training for interpretation of the PAIA.[2394]
Originally introduced as the Open Democracy Bill, the proposed legislation also included comprehensive data protection provisions.[2395] However, the Parliamentary committee removed those provisions in November 1999, to form part of the specific privacy law to be drafted. The Committee wrote that, "it would be dealing with the right to privacy in Section 14 of the Constitution in an ad hoc and undesirable manner...it is intended that South Africa, in following the international trend, should enact separate privacy legislation. The Committee, therefore, requests the Minister for Justice and Constitutional Development to introduce Privacy and Data Protection legislation, after thorough research on the matter, as soon as reasonably possible."[2396] The drafting of this law is pending.
Use of the PAIA has been limited since its promulgation and official statistics are not yet available. The South African History Archives (SAHA) have been the major user of this Act in several projects seeking access to military records and documents collected by the Truth and Reconciliation Commission. While they have had some important victories, SAHA suggest that use of the Act has been limited for several reasons: that the culture of freedom of information has not yet taken root and the Act has been poorly publicized. The fact that requirement for manuals and guides, to be produced by government departments were suspended for a year until February 2002, and then extended again until 2003, means that the public has little information about the available resources.[2397] This situation should change as companies and government departments become compliant.
Even before September 11, 2001, South Africa had been revising its anti-terrorism laws. It has tabled a new draft anti-terrorism Bill for debate in Parliament and hoped to pass the law in 2003. The Bill is currently the subject of public hearings at the Portfolio Committee on Safety and Security and has been widely criticized as unconstitutional for its far ranging provisions with regard to personal freedoms, detention, bail and wide police search and seizure powers.
The proposed Bill defines an act of terrorism as "an unlawful act committed in or outside the Republic" while a "terrorist organization" is defined as "an organization declared as such by the Minister of Safety and Security and which is likely to intimidate the public or a segment of the public, or is likely to carry out a convention offence."[2398] This broad definition of a "terrorist" and "terrorist organization" could extend to legitimate protest activity. Interest groups have argued for a more precise definition that will reduce the chances of arbitrary state action against individuals or organizations. Other concerns pertain to the wide powers given to the Minister of Safety and Security, the National Directorate of Public Prosecutions, and general law enforcement agencies, and the right given to the state to declare organizations as terrorist organizations.
Non-governmental organizations that have made submissions on the Bill have raised other concerns that its far-ranging provisions pose a threat to personal freedom, freedom of expression and freedom of the media. Specifically, the powers given to the police and prosecuting authorities to act ex parte[2399] against individuals and organizations simply on the basis of unspecified "reasonable grounds." Also of concern to media organizations was that the coverage of individuals and organizations could become effectively rendered out of bounds because of the fear of prosecution on the side of the media.
The Legal Resources Centre (LRC), in a submission to Parliament, has also criticized a section of the Bill giving the Safety and Security Minister powers to make regulations concerning any matter that may or must be prescribed in terms of this legislation and any other matter "which is necessary or expedient" to prescribe for the proper implementation of this legislation. The LRC has urged that any regulations prepared should be tabled in Parliament prior to them being published for comment in the Government Gazette.
Finally, as submissions to date have noted, the new proposed Bill may also be an unnecessary duplication of legislative resources as there are approximately twenty-two existing laws on the statute books that can adequately deal with crimes of 'terrorism' without placing constitutional freedoms in question. It is expected that the Bill will be revised following this round of hearings.