II. Surveillance policy
The Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002 (the Interception Act) is the product of several proposals of the South African Law Reform Commission. In November 1998, the Commission recommended amendments to facilitate the monitoring of cellular phones and Internet service providers (ISPs).1 On July 18, 2001, a Bill was introduced into Parliament, proposing the repeal and replacement of the Interception and Monitoring Prohibition Act 127 of 1992. According to Johnny de Lange, Chairperson of the Parliament's Portfolio Committee on Justice and Constitutional Development, the Bill "aims to regulate the interception and monitoring of certain communications . . . to regulate authorized telecommunications monitoring," and "to prohibit the provision of certain telecommunication services which do not have the capacity to be monitored."2 Following 18 months of limited consultation with stakeholders, the Interception Act was enacted in December 2002. It entered into force on November 30, 2005.
The purpose of the Interception Act remains similar to previous versions. The Act prohibits wiretaps and surveillance, except for law enforcement purposes. It requires that all telecommunications services, including Internet Service Providers (ISPs), make their services capable of being intercepted before they can offer them to the public. There is a provision for the Minister to exempt ISPs from these provisions. However, while exemptions can be made from the requirement to enable a network for surveillance purposes, ISPs that are exempt will be required to contribute to a fund that will be used to purchase centrally held surveillance equipment. This equipment will be used on a rotational basis as needed by smaller ISPs that are required to comply with a surveillance request by law enforcement.
Generally, providers will be required to pay for the costs of making their systems wiretap-enabled. No model of cost sharing is proposed at this stage, and the state will be responsible for the costs of connecting central interception centers to telecommunications providers. Criminal penalties are also included should a service provider refuse to comply with the provisions of the Act or assist law enforcement. Repeat offenders might, in addition, face the revocation of their service license granted under the Telecommunications Act.3
Several amendments made by Parliament during the consideration of the Interception Act widened the scope of the legislation. The definition of "communication" has been augmented to include all "direct" and "indirect" communications, which together cover all traffic, signaling and other call-related information, as well as the content of such communications. Amendments include: an expanded list of grounds for obtaining a wiretap order, including a wiretap to ascertain the location of a person in the case of an emergency;4 an expanded range of interception directions that can be granted,5 such as decryption orders;6 and an augmented list of offences under the Act,7 which includes being in possession of a stolen cellular phone and failure to report a stolen, lost or damaged SIM (Subscriber Identity Module) card.
Provisions on data retention require all telecommunication service providers (TSPs) to gather detailed personal data on individuals and companies (including photocopies of identity documents) before signing contracts or selling SIM cards for pre-paid mobile services. Provisions require that such data is made available to law enforcement agencies when requested. There is no limit specified for the length of time TSPs are required to retain personal data, but a requirement to store communication-related information is currently limited to 12 months.
The Minister has several broad powers in the Interception Act, including the discretion to stipulate in a directive all technical and security requirements for networks to be capable of surveillance, including capacity, the systems to be used, the facilities and devices to be acquired, the type of communication-related information to be stored, and the period for which such specified information must be stored. The first draft of the directive was released in August 2004 and addresses all of these issues.8 A consultation process has been initiated calling for opinions from interested persons in the telecommunications sector. The directive will become operational within six months of promulgation of the Interception Act.
While the various stakeholders prepared for the Interception Act to come into operation, several problems began to emerge. Various operational requirements appear impractical and hard to implement. An example is the requirement that before an Internet service contract can be concluded, ISPs are required to verify the identity of the subscriber. As many Internet users subscribe online, this creates many difficulties. Moreover, ISPs now have to verify identities and retain copies of identity documents. Another impediment to the Act's enforcement is the question of who will bear the great costs associated with the implementation and maintenance of the monitoring and storage equipment required for ISPs to fulfill their obligations under the new legislation.
The Interception Act has some impact on the privacy of communications in the workplace through some of the exceptions to the general prohibition of interception and monitoring, particularly Section 5 (interception with the prior consent of a party to the communication) and Section 6 (interception for business purposes, or as referred to in comparable foreign legislation - "the business exemption"). Before the enactment of Section 5 of the Interception Act, the interception of electronic communications in the workplace in South Africa was primarily regulated through electronic communications policies or employee consent agreements embedded in the employment contract.9 The business exemption (Section 6) appears to allow employers to intercept and store the e-mail messages of their employees, for transactional, record-keeping and network security purposes, that are sent in the course of company business over the company's telecommunications network and upon reasonable efforts to notify the parties of the communication of the possibility of interception.
South Africa does not have a data protection authority but has a Human Rights Commission (HRC), which was established under Chapter 9 of the Constitution. The HRC's mandate is to protect and investigate infringements of the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated. The Commission has limited powers to enforce the Promotion of Access to Information Act.15
- 1. http://www.doj.gov.za/salrc/dpapers.htm
- 2. http://www.sfu.ca/cprost/prepaid/relateddocs/SouthAfrica/Interception%20...
- 3. Act No. 103 of 1996, as amended.
- 4. Section 8.
- 5. These include: broad interception direction; an archived communications direction (any communication related information in the possession of a telecommunications service provider (TSP) and which is being stored by that TSP for up to one year, regarding the transmission of the indirect communication) and real time (real time information on an ongoing basis without interception) or supplementary direction, or a combination thereof. Also on application are entry warrants (to rig premises and intercept postal articles) and decryption directions. All can be obtained as oral directions when urgent circumstances prevail.
- 6. Section 21.
- 7. Chapter 9.
- 8. http://www.info.gov.za/gazette/notices/2004/26644.pdf
- 9. This trend can be observed in the growing number of cases concerning interception of e-mail in the workplace, e.g., Bamford & Others v. Energizer (SA) Ltd  12 BALR 1251 (P) (employees suspended for forwarding e-mails of a pornographic, sexist and racist nature) and Cronje v. Toyota Manufacturing  3 BALR 213 (CCMA) (an employee was suspended for circulating a racist e-mail).
- 10. http://www.info.gov.za/gazette/acts/2002/a25-02.pdf
- 11. Chapter III.
- 12. Chapter XIII.
- 13. By incorporating notice and take down procedures; mere conduit recognition and safe harbor provisions. Liability will only attach where an ISP has direct knowledge of illegal or objectionable material and fails to take effective action as required by law.
- 15. Act No. 2 of 2000.