Data Protection & Cybersecurity 2019 Comparisons

Last Updated May 08, 2019

Contributed By Bowmans

Law and Practice


Bowmans is a leading African law firm. Its track record of providing domestic and cross-border legal services in the fields of corporate law, banking and finance law and dispute resolution spans over a century. With 400 specialised lawyers, Bowmans is differentiated by its independence and the quality of legal services it provides. The firm delivers integrated legal services to clients throughout Africa from six offices (Cape Town, Dar es Salaam, Durban, Johannesburg, Kampala and Nairobi) in four countries (Kenya, South Africa, Tanzania and Uganda). Bowmans works closely with leading Nigerian firm, Udo Udoma & Belo-Osagie, and Mozambique-based boutique firm, Taciana Peão Lopes & Advogados Associados. It also has strong relationships with other leading law firms across the rest of Africa and is a representative of Lex Mundi, a global association with more than 160 independent law firms across the globe. Clients include corporates, multinationals and state-owned enterprises across a range of industry sectors, as well as financial institutions and governments. Bowmans' expertise is frequently recognised by independent research organisations.

The Protection of Personal Information Act 4 of 2013 (POPIA) was assented to by the President of South Africa and was published in the Government Gazette on 26 November 2013. While some limited provisions of POPIA are currently in effect (namely, the definitions section, sections relating to the office of the data protection authority – the Information Regulator – and provisions relating to the making of regulations under POPIA), the operative provisions of POPIA, including those stating the conditions for the lawful processing of personal information, are not yet in effect. Final Regulations under POPIA were published in December 2018, but have also yet to come into effect. It is generally expected that the operative provisions of POPIA will come into effect in 2019. Once all the operative provisions of POPIA have commenced, there will be a transitional period of 12 months (extendable to three years) to give time to ensure compliance with the Act.

Until the full commencement of POPIA, the personal information of data subjects in South Africa will continue to be afforded the general protections provided for under the common law and the Constitution of the Republic of South Africa Act 1996 (the ‘Constitution’). In terms of the common law and constitutional right to privacy, data subjects have an objectively reasonable expectation of privacy that may not be wrongfully or intentionally interfered with. This protection extends to the collection, processing and storage of personal information as well as to the disclosure of personal information to third parties.

The Electronic Communications and Transactions Act 25 of 2002 (ECTA) contains certain data protection principles that may be adopted on a voluntary basis, although these provisions will be repealed once the operative provisions of POPIA come into effect. ECTA also prohibits certain internet activities. For example, in terms of ECTA, a person may not, without authority or permission, intentionally access or intercept any data, interfere with data in a way that causes such data to be modified, destroyed or otherwise rendered ineffective, or use any device or computer program to unlawfully overcome security measures designed to protect or restrict access to data. ECTA also prohibits computer-related extortion, fraud and forgery.

The Promotion of Access to Information Act 2 of 2000 (PAIA) has been in effect in South Africa since 9 March 2001. PAIA sets out the detailed processes and procedures that need to be followed where a person wishes to get access to any information that is held by either the State or a private body and provides for ancillary matters such as the preparation of a manual in order to facilitate requests for access to information.

At present, there is no specific cyber-security legislation in South Africa. However, a Cybercrimes Bill is currently under consideration following an undertaking by the Department of Justice and Constitutional Development to review cyber-security laws in South Africa to ensure a coherent and integrated cyber-security legal framework. It is expected that a further bill will be published in due course specifically in relation to cyber-security matters.

South Africa’s national data protection authority is the Information Regulator. The Information Regulator is independent and is subject only to the Constitution and to the law, and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice. The Information Regulator is also accountable to South Africa’s parliament. The Information Regulator exercises its powers and performs its functions in accordance with POPIA and PAIA. In particular, the Information Regulator is empowered to educate people about POPIA, monitor and enforce compliance with POPIA, consult with interested parties, handle complaints, conduct research and report to parliament, prepare codes of conduct, and facilitate cross-border co-operation in the enforcement of privacy laws.

POPIA provides that a person will be entitled to submit a complaint alleging interference with the protection of personal information of a data subject to the Information Regulator, which will then be required to investigate the complaint. The Information Regulator may also, on its own initiative, conduct an investigation into perceived non-compliance with POPIA by a data controller. If the Information Regulator proceeds to investigate a complaint, it must notify the complainant, the data subject (if not the complainant) and the data controller accordingly. The data controller should also be provided with details of the complaint and informed of its right to submit a written response.

At present (pending the commencement of the operative provisions of POPIA), an individual can only protect his or her right to privacy under the common law and constitutional right to privacy by way of an interdict (prohibiting the unauthorised use or disclosure of his or her personal information) or through a civil damages claim for compensation.

Cyber inspectors may also be appointed under ECTA. A cyber inspector may, amongst other things, monitor and inspect any website or activity on an information system in a public domain and report any unlawful activity to the appropriate authorities.

On receiving a complaint, the Information Regulator may:

  • conduct a pre-investigation;
  • act, at any time during the investigation, as conciliator in relation to any interference with the protection of the personal information of a data subject;
  • decide to take no action on the complaint or require no further action to be taken in respect of the complaint;
  • conduct a full investigation of the complaint;
  • refer the complaint to the enforcement committee; or
  • take any further action, as is required.

The Information Regulator must, as soon as possible, advise the complainant and the organisation to whom the complaint relates of the course of action that the Information Regulator decides to adopt. If the Information Regulator investigates a complaint, it must notify the complainant, the data subject (if not the complainant) and the data controller. The data controller should also be provided with details of the complaint and informed of its right to submit a written response. The Information Regulator may issue:

  • an information notice (on its own initiative or if requested by a third party to do so) to a data controller requiring the data controller to provide certain information to the Information Regulator, including a report on compliance with the conditions of lawful processing; and/or
  • an enforcement notice to a data controller where a complaint has been made to the Information Regulator alleging interference with the protection of the personal information of the data subject. The enforcement notice will be issued to the data controller after an investigation, and will require the data controller to take specific steps within a period specified in the notice, or to refrain from taking such steps, and/or stop processing personal information specified in the notice, or for a purpose or in a manner specified in the notice within the period specified in the notice. A data controller may apply in writing to the Information Regulator to cancel or vary the enforcement notice. A data controller may also appeal against an enforcement notice. An appeal must be filed at the High Court within 30 days of receipt of the notice.

When investigating a complaint, the Information Regulator may, subject to obtaining a warrant from a court, at any reasonable time, enter and search any premises occupied by a data controller. A warrant will generally be granted if the court is satisfied that there are reasonable grounds for suspecting that a data controller is interfering with the protection of personal information of a data subject, or that an offence under POPIA has been or is being committed.

The African Union has adopted the African Union Convention on Cybersecurity and Personal Data Protection, which is pending ratification by 15 of the 54 African Union members. South Africa has yet to sign or ratify this Convention.

The Direct Marketing Association of South Africa (DMASA) is a self-regulatory organisation that operates a national opt-out database. The DMASA represents its members in the interactive and direct marketing sectors and has engaged extensively with the Information Regulator on the restrictions on direct marketing under POPIA and the new Regulations under POPIA.

POPIA is very similar to the pre-GDPR UK Data Protection Act 1998. Furthermore, while there are distinct similarities with the GDPR, the GDPR is generally regarded as providing a higher standard of data protection than POPIA. There are also a number of distinct differences between POPIA and the GDPR, such as the scope of the definition of personal information (which, in South Africa, includes the information of identifiable legal persons, where applicable) and the scope of application (POPIA is only applicable to data controllers domiciled in South Africa or, where they are not domiciled in South Africa, where they process personal information by automated or non-automated means in South Africa). It is difficult to assess the comparative enforcement of POPIA, as compared to the GDPR, for example, as the operative provisions of POPIA are yet to come into effect.

A key legal development has been the establishment of the office of the Information Regulator and the publication of the final Regulations under POPIA (in December 2018), although these Regulations are not yet in effect. The pending implementation date of the operative provisions of POPIA continues to receive significant attention from the public and media.

The Information Regulator has reported that some data controllers have reported data incidents to it on a voluntary basis over the past 12 months, and that these data controllers have met with the Information Regulator following data breaches. However, there is currently no legal obligation to do so, given that the operative provisions of POPIA are not yet in effect.

It is generally expected that the operative provisions of POPIA will come into effect in 2019. It is further expected that regulatory activity, enforcement and litigation will increase once the operative provisions of POPIA come into effect. The Information Regulator may also publish guidance on a number of topical issues once POPIA is in force, although this will depend on the operational capacity of the Information Regulator at that time.

Data protection officers (referred to in POPIA as ‘information officers’) must be registered with the Information Regulator prior to taking up their duties in terms of POPIA. In terms of POPIA, the duties and responsibilities of a body's data protection officer (information officer) include encouraging and ensuring compliance, by the body, with POPIA; dealing with any requests made to that body in terms of POPIA; and working with the Information Regulator in relation to investigations by the Information Regulator in relation to that body.

In terms of the Regulations published under POPIA, an information officer must also ensure that:

  • a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is carried out to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available under PAIA;
  • internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • internal awareness sessions are conducted regarding POPIA.

Personal information must be processed lawfully and in a reasonable manner that does not unnecessarily infringe upon the privacy of the data subject. Personal information may only be processed if, given the purpose for which it is processed, the processing is adequate, relevant and not excessive. The justified bases on which personal information may be processed are if:

  • the person to whom the personal information relates consents to such processing (which consent must be a voluntary, specific and informed expression of will);
  • the processing is necessary to give effect to a contract to which the data subject is a party;
  • the processing is necessary to give effect to a legal obligation;
  • the processing protects a legitimate interest of the data subject;
  • the processing is necessary for the proper performance of a public law duty by a public body; or
  • the processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.

The processing of sensitive personal information, including the transfer of that information to third parties, is prohibited unless consent has been obtained from the data subject or otherwise in the specific circumstances set out in POPIA in relation to a particular category of data.

The concepts of ‘privacy by design’ or ‘by default’ are not specifically dealt with in POPIA. However, in practice, POPIA requires data controllers to consider data protection and privacy issues at the outset and further requires data controllers to only process the minimum amount of personal information necessary to achieve the specific purpose. No guidance has, as yet, been published on the application of the ‘privacy by design’ or ‘by default’ concept in the South African context.

There is no requirement in POPIA to conduct privacy impact analyses. However, under the Regulations published under POPIA, an information officer is required to, amongst other things, ensure that a personal information impact assessment is carried out to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. Unlike the GDPR, however, the Regulations do not stipulate specific instances in which a data protection impact assessment is required, but rather make it a blanket requirement. This will likely be an area in which further clarity will be sought once the operative provisions of POPIA, and the Regulations published under POPIA, come into effect.

The implementation of internal privacy policies may assist organisations in meeting the principle of accountability as required under section 8 of POPIA. Furthermore, in terms of both POPIA and PAIA, a data controller is required to maintain documentation in relation to all processing operations, ie, of personal information and other data, under its responsibility. As such, an internal privacy policy is generally considered to be advisable.

With regard to external privacy policies, section 18 of POPIA provides that, when collecting personal information from data subjects, data controllers should take reasonably practicable steps to ensure that data subjects are made aware of:

  • the personal information being collected;
  • the name and address of the data controller;
  • the purpose for which the information is collected;
  • whether the supply of the information by the data subject is voluntary or mandatory;
  • the consequences of failure to provide the information;
  • any particular law authorising or requiring the collection of the information; and
  • any further information, such as the recipient or category of the recipients, the nature or category of the information and the existence of the right of access to information.

This information should be provided to the data subject before the data subject’s personal information is collected, or as soon as is reasonably practicable after it has been collected. POPIA provides a number of exemptions from the requirement to provide this information, such as:

  • where the consent of the data subject has been obtained;
  • where non-compliance would not prejudice the legitimate interests of the data subject;
  • where compliance is not reasonably practicable in the circumstances, or where non-compliance is necessary to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
  • to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
  • for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
  • in the interests of national security.

POPIA affords data subjects certain rights including:

  • the right to be notified (see (e) above);
  • the right of access – any person, having provided adequate proof of identity, has the right to find out if an organisation is using or storing his or her personal information. This is often referred to as the right of access. No fee is payable for such a request. A copy of the record or description of the personal information held by an organisation about a person can be requested within a reasonable time, at the fee that has been set, in a reasonable manner or format, and in a form that is generally understandable;
  • the right to correction and deletion – a data subject can challenge the accuracy or correctness of the personal information held about him or her by an organisation and ask for it to be corrected or deleted (or destroyed). In this regard, a data subject may, in the manner set out by the Information Regulator, ask an organisation to:

i) correct (ie, by adding more details) or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

ii) destroy or delete a record of personal information about the data subject that the organisation is no longer allowed to keep or retain.

  • the right to restrict processing – the data controller must restrict the processing of personal information if:

i) its accuracy is contested by the data subject, for a period enabling the data controller to verify the accuracy of the information;

ii) the data controller no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;

iii) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or

iv) the data subject requests to transmit the personal information into another automated processing system.

  • the right to object – a data subject has the right to object to the processing (use) of his or her personal information, at any time, in certain circumstances including:

i) if an organisation is processing personal information on the grounds, for example, that the processing is necessary for pursuing the legitimate interests of the organisation or a third party to whom the information is supplied. If an organisation agrees to the objection, it must stop using the personal information for that purpose unless it can give strong and legitimate reasons to continue using the information despite the data subject’s objections; and

ii) for purposes of direct marketing, other than direct marketing by unsolicited electronic communications (which is regulated separately under POPIA). In other words, a data subject has an absolute right to object to an organisation using his or her personal information for direct marketing (that is, trying to sell things to the data subject), and the organisation must stop using the personal information for that purpose if the data subject objects.

  • rights in relation to automated decision-making and profiling – a data subject may not be subject to a decision that results in legal consequences for, or affects, him or her or it to a substantial degree, and which is based solely on the automated processing of personal information intended to provide a profile of such person, including his or her performance at work, or his or her or its creditworthiness, reliability, location, health, personal preferences or conduct, other than in certain circumstances as set out in POPIA (as discussed further below).

POPIA does not apply to the processing of personal information that has been de-identified to the extent that it cannot be re-identified again. The term ‘de-identify’ is defined in POPIA as deleting any information that identifies the data subject, can be used or manipulated by a reasonably foreseeable method to identify the data subject, or can be linked by a reasonably foreseeable method to other information that identifies the data subject. No further guidance has yet been published on this issue by the Information Regulator. POPIA also does not contain any specific carve-outs in relation to pseudonymisation.

POPIA does contain certain restrictions on profiling and automated decision-making (as set out above), but does not contain any provisions dealing specifically with online monitoring or tracking, Big Data analysis or artificial intelligence. However, the general framework for processing personal information under POPIA would be applicable.

A data subject or, at the request of the data subject, the Information Regulator, may institute a civil action for damages against the data controller, whether or not there is intent or negligence on the part of the data controller. As such, liability is strict. A court may award an amount that is just and equitable, including payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of a breach of the provisions of POPIA, aggravated damages and interest.

Furthermore, when determining an appropriate administrative fine to be paid pursuant to the determination that an offence has been committed by a data controller in terms of POPIA, the Information Regulator is required to consider, amongst other factors:

  • the nature of the personal information involved;
  • the duration and extent of the contravention;
  • the number of data subjects affected or potentially affected;
  • whether the contravention raises an issue of public importance; and
  • the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects.

POPIA recognises a special category of sensitive personal information, referred to as ‘special personal information’ in the Act, the processing of which is regulated separately in POPIA and is subject to fairly stringent requirements. Special personal information is information about a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour. The processing of special personal information, including the transfer of that information to third parties, is prohibited unless consent has been obtained from the data subject or otherwise in the specific circumstances prescribed by POPIA such as, for example, if the Information Regulator has authorised the processing.

Financial data relating to an identifiable living or existing data subject is considered to be personal information for the purposes of POPIA, and any processing of financial data is accordingly required to comply with the provisions of POPIA. Banks, credit providers and other providers of financial services are subject to sector-specific requirements in terms of the Banks Act 94 of 1990, the National Credit Act 34 of 2005 and the Financial Advisory and Intermediary Services Act 37 of 2002.

Health data relating to an identifiable, living data subject is considered to be special personal information for the purposes of POPIA. There is a general prohibition on processing health data under POPIA unless, amongst other grounds:

  • the processing is carried out with the consent of the data subject;
  • the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • the processing is for historical, statistical or research purposes (provided certain additional requirements are met, such as that sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent);
  • the processing is by medical professionals, healthcare institutions or facilities or social services, if the processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned; or
  • the processing is by insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations.

Communications data relating to an identifiable living or existing data subject is considered to be personal information for the purposes of POPIA, and the processing of any such communications data is required to comply with the provisions of POPIA.

The Regulation of Interception of Communications and the Provision of Communication-Related Information Act 70 of 2002 (RICA) regulates the interception of any direct communication and indirect communication (electronic communications) in the course of its occurrence or transmission by means of an electronic communications system in South Africa (ie, traffic on network infrastructure). The interception of communications is, generally speaking, prohibited (even by the government), unless an interception direction is obtained from a designated judge in accordance with the procedures set out in RICA or where the express written consent of the subject is obtained. There are some exceptions to this general prohibition, eg, where a participant has consented or where monitoring is necessary for business purposes, subject to certain conditions. Content that is covered by RICA includes email communications and information contained in the records of telecommunications service providers (including, for example, information relating to the location of a user of the telecommunications service).

The processing of special personal information, including the transfer of that information to third parties, is prohibited unless consent has been obtained from the data subject or otherwise in the circumstances prescribed by POPIA such as, for example, if the Information Regulator has authorised the processing.

In terms of section 43(1) of ECTA, any supplier offering goods or services for sale, for hire or for exchange by way of an electronic transaction must make certain information available to consumers on the website where such goods or services are offered, including “the security procedures and privacy policy of that supplier in respect of payment, payment information and personal information.”

Furthermore, in terms of section 18 of POPIA, when collecting personal information from data subjects, data controllers should take reasonably practicable steps to ensure that the data subjects are made aware of certain things, such as the information being collected, the purpose for the processing of the information, who the information will be shared with, etc. This is usually set out in a privacy notice or privacy policy and made available on a website.

There is no prohibition on using cookies, beacons, or tracking technology in South Africa. The use of cookies is also not specifically regulated under POPIA, eg, there is no specific requirement to use a cookies banner on a website. However, the general framework for processing personal information under POPIA would apply to any use of cookies, beacons or tracking technology to process personal information.

There are no specific ‘do not track’ regulations in South Africa, although any processing of personal information in South Africa must be in line with the general framework for processing personal information as set out under POPIA.

While not specifically stated in POPIA, consent (which must be voluntary, specific and informed) should be obtained prior to processing personal information for the purposes of behavioural advertising. This is on the basis that none of the other justifications for processing is relevant to the processing of personal information for behavioural advertising.

The processing of any personal information for the purposes of video and television must be in accordance with the provisions of POPIA.

There are no specific regulatory obligations for social media, search engines and large online platforms, although any processing of personal information in South Africa must be in line with the provisions of POPIA.

There is no specific right to be forgotten, as in the European Union, but data subjects do have the right to request the destruction or deletion of their personal information held by a data controller.

Hate speech, disinformation, publishing of abusive material and political manipulation are not specifically regulated under POPIA or any other statute. The publication or other processing of this type of material would be dealt with in terms of the general legal principles that apply to hate speech (which is not protected speech) and defamatory material. ECTA also provides for take-down processes that may be followed to have offending material removed.

There is no specific right to data portability, including in respect of special personal information, although POPIA does provide that the data controller must restrict the processing of personal information if the data subject requests to transmit the personal information into another automated processing system.

The minimum age for the processing of personal information is 18 years (unless parental consent is obtained). In terms of section 34 of POPIA, a data controller may not process the personal information of a child (a person under the age of 18) unless the processing:

  • is carried out with the prior consent of a competent person (ie, the child’s parent or guardian);
  • is necessary for the formation, exercise or defence of a right or obligation in law;
  • is necessary to comply with an obligation of international public law;
  • is for historical, statistical or research purposes (provided that it serves a public interest and it appears impossible to obtain consent); or
  • has deliberately been made public by the child with the consent of a competent person.

The Information Regulator may also grant specific authorisation for the processing. Further, even if any of these grounds are satisfied, the lawful conditions for the processing of personal information under POPIA must still be complied with by the data controller.

See 1.1 Laws above. The personal information of a child includes educational or school data.

The use of personal information for direct marketing purposes is currently regulated by ECTA, which provides that the intended recipients of electronic communications for the purposes of direct marketing need only be given an opportunity to opt-out of receiving further communications, and the Consumer Protection Act 68 of 2008 (CPA), which imposes general restrictions on all direct marketing communications.

POPIA, however, introduces specific provisions regarding the use of personal information for direct marketing purposes via electronic communications (email, SMS, automated voice messages, but excluding telephone calls). ‘Direct marketing’ is defined as approaching a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject, or requesting the data subject to make a donation of any kind for any reason. In terms of section 69 of POPIA, direct marketers will only be able to use individuals’ personal information (eg, their names, contact details and other personal information) for direct marketing purposes after obtaining the specific consent of the intended recipients of any such direct marketing communications. In other words, individuals will have to opt in before direct marketing communications can lawfully be sent to them. A data controller may approach an individual (who has not previously withheld consent) only once to request consent for processing the individual’s personal information for direct marketing purposes. The only exception to this general rule that consent must be obtained is where direct marketing communications are sent to existing customers (ie, where the data controller has obtained the contact details of the data subject in the context of the sale of a product or service), about goods or services similar to those which the customer purchased previously. However, the existing customer must still be provided with a reasonable opportunity to object to the use of his or her personal details (ie, to opt out) at the time when the personal information is collected and every time a communication is sent to the individual for the purposes of direct marketing. The opportunity to opt out must be given to the customer free of charge and must be free of unnecessary formality.

The new requirements that are imposed in terms of POPIA must still be read with the requirements of the CPA in relation to direct marketing. These include requirements to allow data subjects an opportunity to stop any direct marketing approach, to check internal marketing lists against the official opt-out registry that is established or recognised by the National Consumer Commission, and to contact data subjects at home only at certain limited times.

The common law and constitutional right to privacy must often be balanced against the employer’s right to conduct and protect its business. In other words, the circumstances that may reasonably justify an invasion of privacy will differ from case to case and will depend on reaching an acceptable balance between the privacy interests of the employee and the business interests of the employer where these are in conflict. The operational realities of the workplace are therefore relevant considerations to be taken into account.

The Constitutional Court has acknowledged that the scope of the right to privacy is hard to pin down. However, the core concept of this right is the right to be left alone, free from unwanted and unwarranted intrusions. In addition, the right to privacy encompasses the competence to determine “the destiny of private facts which includes the right to decide when and under what conditions private facts may be made public.” The scope of the right to privacy has to be demarcated with reference to the rights of others and the interests of the community. The court distinguished the ‘inner sanctum’ of the right, where the right to privacy is at its broadest and strongest and thus shielded from erosion by conflicting rights of the community. However, as a person moves into communal relations and activities, such as business and social interaction, the scope of personal space shrinks accordingly. South Africa’s courts have not established a hard-and-fast test for the determination of the scope of the right to privacy. It would, however, only exist insofar as the individual would have a “legitimate expectation of privacy.” A ‘legitimate expectation’ means that one must have a subjective expectation of privacy that society recognises as objectively reasonable.

POPIA provides that a person will be entitled to submit a complaint alleging interference with the protection of personal information of a data subject to the Information Regulator, which will then be required to investigate the complaint. The Information Regulator may also, of its own initiative, conduct an investigation into perceived non-compliance with POPIA by a data controller.

If the Information Regulator proceeds to investigate a complaint, it must notify the complainant, the data subject (if not the complainant) and the data controller accordingly. The data controller should also be provided with details of the complaint and informed of its right to submit a written response. In terms of its powers under POPIA, the Information Regulator may issue:

  • an information notice (on its own initiative or if requested by a third party to do so) to a data controller requiring the data controller to provide certain information to the Information Regulator, including a report on compliance with the conditions of lawful processing; and/or
  • an enforcement notice to a data controller where a complaint has been made to the Information Regulator alleging interference with the protection of the personal information of the data subject. The enforcement notice will be issued to the data controller after an investigation, and will require the data controller to take specific steps within a period specified in the notice, or to refrain from taking such steps, and/or stop processing personal information specified in the notice, or for a purpose or in a manner specified in the notice within the period specified in the notice. A data controller may apply in writing to the Information Regulator to cancel or vary the enforcement notice. A data controller may also appeal against an enforcement notice. Such an appeal must be filed at the High Court within 30 days of receipt of the notice.

When investigating a complaint, the Information Regulator may, subject to obtaining a warrant from a court, at any reasonable time, enter and search any premises occupied by a data controller. A warrant will generally be granted if the court is satisfied that there are reasonable grounds for suspecting that a data controller is interfering with the protection of personal information of a data subject, or that an offence under POPIA has been or is being committed.

The personal information of data subjects in South Africa will continue to be afforded the general protections provided for under the common law and the Constitution (section 14). In terms of the common law and constitutional right to privacy, data subjects have an objectively reasonable expectation of privacy that may not be wrongfully or intentionally interfered with. This protection extends to the collection, processing and storage of personal information as well as to the disclosure of personal information to third parties.

A warrant can be issued in terms of Section 25 of the Criminal Procedure Act 51 of 1977 where it appears to the court, based on information provided under oath, that there are reasonable grounds to believe that, amongst other things, an offence has been, is being or is likely to be committed upon or in any premises within the court’s area of jurisdiction.

Further, RICA regulates the interception of any direct communication and indirect communication in the course of its occurrence or transmission by means of an electronic communications system in South Africa (ie, traffic on network infrastructure). The interception of communications is, generally speaking, prohibited (even by the government), unless an interception direction is obtained from a designated judge in accordance with the procedures set out in RICA. However, in terms of section 7, any law enforcement officer may intercept any communication if he or she is satisfied that there are reasonable grounds to believe that a party to the communication has caused or may cause serious bodily injury to another person or to himself or herself. The law enforcement officer must also be of the opinion that, because of the urgency of the need to intercept the communication, it is not reasonably practicable to make an application to a judge for the issuing of an interception direction or an oral interception direction; the sole purpose of the interception must be to prevent such bodily harm.

Section 8 of RICA sets out the process for the interception of communications to determine a location in an emergency situation, ie, where no interception direction is required. However, there are post-notification steps that must be complied with. For the purposes of RICA, a law enforcement officer includes a member of the Police Services, the Defence Force, the State Security Agency as defined in the Intelligence Services Act 65 of 2002, or the Directorate of Special Operations as defined in the National Prosecuting Authority Act 32 of 1998.

Finally, a cyber inspector may, in terms of ECTA and in accordance with performing his or her functions, at any reasonable time, without notice and on the authority of a warrant, enter any premises or access an information system that will assist an investigation. A cyber inspector is appointed by the Department of Telecommunications and Postal Services.

Please see section 3.1 Laws and standards for Access to Data for Serious Crimes above.

There is no specific provision for an organisation to invoke a foreign government access request as a legitimate basis to collect and transfer personal information, and any collection and transfer of personal data in response to a foreign government access request would have to be justified under one of the general justifications in POPIA (consent, legitimate interest etc).

The current public debate regarding privacy relates to the fact that the operative provisions of POPIA are yet to come into effect. At present, the protection of personal information of data subjects in South Africa is afforded only the general protections provided for under the common law and constitutional right to privacy. The level of enforcement of these rights has been relatively low given that affected data subjects have to institute legal proceedings to protect their rights, which can be prohibitive. While POPIA does not fundamentally change the existing requirements imposed by the common law and constitutional right to privacy, it will improve the enforcement mechanisms to ensure the protection of personal information.

POPIA includes specific provisions regarding the transfer of personal information across borders to countries outside of South Africa. In this regard, international data transfers of personal information outside of South Africa are prohibited under POPIA unless certain grounds can be met.

Section 72 of POPIA provides that a data controller may only transfer personal information about a data subject to a third party in a foreign country if:

  • the recipient is subject to a law, binding corporate rules or binding agreement that provide an adequate level of protection that effectively upholds the principles for reasonable processing that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person, and includes provisions relating to the further transfer of personal information that are substantially similar to what is contained in POPIA. The Information Regulator has not yet provided guidance on the jurisdictions likely to be considered to offer an ‘adequate level of protection,’ but it would likely include the UK and jurisdictions regulated under the GDPR. This is an assessment to be made by the data controller;
  • the data subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party; or
  • the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject’s consent and, if it were reasonably practicable, the data subject would be likely to give it.

As a general rule, government notifications or approvals are not required to transfer data internationally. However, a data controller is required to obtain prior authorisation from the Information Regulator before any processing if the data controller plans to transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72 of POPIA.

There are no data localisation requirements in South Africa. Data is not required to be maintained in-country and may be transferred internationally if the transfer complies with section 72 of POPIA.

There is no requirement under POPIA for any software code or algorithms or similar technical detail to be shared with the government. However, section 30(1) of ECTA does provide that no person may provide cryptography services or cryptography products (ie, a service or product that makes use of cryptographic techniques) in South Africa until certain particulars in respect of that person, the ‘cryptography provider,’ have been recorded in a register maintained by the Department of Telecommunications and Postal Services. A ‘cryptography provider’ is defined as “any person who provides or proposes to provide cryptography services or products” in South Africa. A cryptography service or product is regarded as being provided in South Africa if it is provided:

  • from premises in South Africa;
  • to a person who is present in South Africa when that person makes use of the service or product; or
  • to a person who uses the service or product for the purposes of a business carried on in South Africa or from premises in South Africa.

In addition, decryption directives may be issued under RICA to enable law enforcement agencies to decrypt communications accessed by them following a lawful intercept request.

POPIA regulates the collection of any personal information in South Africa, and also prohibits the cross-border transfers of personal information other than in certain specified circumstances, eg, the consent of the data subject is obtained.

In terms of the Foreign Courts Evidence Act 80 of 1962, a foreign trial court or litigant may lodge an application to obtain evidence with the High Court in whose jurisdiction the evidence is located. The applicant must prove that the foreign trial court wishes to obtain the evidence in relation to foreign civil proceedings. If this is done, the High Court must grant the application unless prohibited by the Protection of Businesses Act 99 of 1978, which broadly prohibits the sharing of information relating to any business, whether carried on within or outside South Africa, without the permission of the Minister of Justice. The detailed procedure is set out in the Act.

A competent authority of the requesting state may also address a letter of request to the Director General of the Department of Justice and Constitutional Development in terms of section 40 of the Superior Courts Act 10 of 2013. If the Minister of Justice and Constitutional Development thinks it appropriate that the request be given effect to without application to the High Court, the Director General will send the letter of request to the relevant High Court in accordance with the detailed procedure set out in section 40 of the Superior Courts Act. If the Minister of Justice and Constitutional Development considers the request undesirable, the foreign litigant must apply directly to the High Court in terms of the Foreign Courts Evidence Act. The execution of the letter of request may be refused if prohibited by the Protection of Businesses Act (see above).

Finally, the Convention on the Taking of Evidence Abroad in Civil and Commercial Matters (the ‘Convention’) applies where the requesting state and the requested state are both contracting parties to the Convention. South Africa acceded to the Convention in 1997, but has not yet incorporated the Convention into domestic law. However, in practice, South Africa has applied the Convention to both incoming and outgoing requests for judicial assistance. The detailed procedure is set out in Chapter 1 of the Convention. The model form letter developed by the Permanent Bureau of the Hague Convention should be used and the letter must be in one of South Africa’s 11 official languages. All letters of request must be sent via the Director General for approval, before being dealt with by the relevant High Court in terms of section 40 of the Superior Courts Act.

There are no ‘blocking’ statutes in force in South Africa at present.

Big Data analytics is not specifically addressed in terms of South African data protection law and no guidance on Big Data analytics has, as yet, been issued by the Information Regulator. However, the general framework for processing personal information under POPIA would apply to the analysis of personal information that forms part of Big Data analytics.

Automated decision-making is not defined in POPIA. However, POPIA includes mechanisms to safeguard data subjects whose data is subject to automated processing. In terms of section 71 of POPIA, a data subject may not be subject to a decision that results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the automated processing of personal information intended to provide a profile of such person, including his or her performance at work, or his or her creditworthiness, reliability, location, health, personal preferences or conduct. This does not apply if the decision has been taken in connection with the conclusion of a contract and the request of the data subject in terms of the contract has been met or appropriate measures have been taken to protect the data subject’s legitimate interests; or the decision is governed by a law or code of conduct (although no such code of conduct has yet been issued by the Information Regulator) in which appropriate measures are specified for protecting the legitimate interests of data subjects. The appropriate measures must give the data subject an opportunity to make representations about the automated decision and require the data controller to provide the data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make such representations.

Section 71 of POPIA, as set out above, prohibits profiling by automated means unless one of the exemptions applies. With the exception of this provision, there are no other specific provisions in POPIA regulating profiling. However, the general framework for processing personal information under POPIA would apply to the processing of personal information for the purposes of profiling.

Artificial intelligence is not specifically addressed in POPIA and no guidance on artificial intelligence has yet been published by the Information Regulator. However, the general framework for processing personal information under POPIA would apply to the processing of personal information for the purposes of artificial intelligence.

The Internet of Things is not specifically addressed in POPIA and no guidance on the Internet of Things has yet been published by the Information Regulator. However, the general framework for processing personal information under POPIA would apply to the processing of personal information for the purposes of the Internet of Things.

Autonomous decision-making is not specifically addressed in POPIA and no guidance on autonomous decision-making, including autonomous vehicles, has yet been published by the Information Regulator. However, the general framework for processing personal information under POPIA would apply to the processing of personal information for the purposes of autonomous decision-making.

In terms of POPIA, facial recognition would be treated as the processing of biometric data. For the purposes of POPIA, ‘biometric data’ is considered to be special personal information and, as such, may only be processed if:

  • the consent of the data subject is obtained;
  • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • processing is necessary to comply with an obligation of international public law;
  • processing is for historical, statistical or research purposes to the extent that:
      • the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      • it appears to be impossible or would involve a disproportionate effort to ask for consent;
    and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
  • information has deliberately been made public by the data subject; or
  • in relation to processing information relating to the data subject’s race or ethnic origin, such information can be processed without consent if:
      • it is necessary to identify the data subject, and only if such processing is essential for identification purposes; and
      • the processing complies with laws and other measures designed to advance or protect persons or categories of persons disadvantaged by unfair discrimination. Such legislation would include the Employment Equity Act 55 of 1998, and the Broad Based Black Economic Empowerment Act 53 of 2003, which focus on rectifying past injustices.

Biometric data is considered to be special personal information for the purposes of POPIA, and any processing of such data must comply with the provisions of POPIA, where applicable.

Geolocation is not specifically addressed in POPIA and no guidance on the use of geolocation data has been published by the Information Regulator, as yet. However, the general framework for processing personal information under POPIA would apply to the processing of personal information for the purposes of geolocation. Providers of telecommunications services (such as mobile operators and ISPs) are subject to specific rules in terms of RICA in relation to the processing of location data.

The use of drones is not specifically addressed in POPIA and no guidance on drones and the processing of personal information has yet been published by the Information Regulator. However, the general framework for processing personal information under POPIA, and the right to privacy, would apply to the use of drones.

The key data security obligations under South African law are contained in:

  • ECTA – which regulates unauthorised access to, interception of, or interference with, data and the offences of computer-related extortion, fraud and forgery;
  • RICA – which regulates the interception of any direct communication and indirect communication in the course of its occurrence or transmission by means of an electronic communications system in South Africa (ie, traffic on network infrastructure). The interception of communications is, generally speaking, prohibited (even by the government), unless an interception direction is obtained from a designated judge in accordance with the procedures set out in the Act;
  • POPIA – in terms of which a data controller is required to ensure that it has implemented sufficient security measures to ensure the integrity and confidentiality of personal information that it processes; and
  • the Cybercrimes Bill – which proposes introducing a framework for detecting and combating cyber-crimes by creating new crimes, and extending the jurisdiction of, and expanding the power of, law enforcement agencies to investigate and prosecute cyber-crimes. The Bill criminalises the unlawful and intentional access to, or interference with, data, a computer program, a computer data storage medium, or a computer system. The Bill also criminalises the unlawful and intentional interception of data, any act of cyber-fraud and any malicious communications. The Bill also imposes an obligation on electronic communications service providers or financial institutions that are aware, or that become aware, that their computer system is involved in the commission of any category or class of offences to report the offence to the South African Police Service (the SAPS) within 72 hours of having become aware of the offence, and to preserve any information that may assist law enforcement agencies investigating the offence. These obligations, however, must not be interpreted as imposing obligations on an electronic communications service provider or financial institution to monitor the data that such electronic communications service provider or financial institution transmits or stores, or to actively seek facts or circumstances indicating any unlawful activity.

At present, conventional law enforcement bodies such as the SAPS and the National Prosecuting Authority have jurisdiction over cyber-crimes. In order to intercept communications within the limits provided for in the Regulation of Interception and Monitoring of Communications and Provision of Communication-Related Information Act, SAPS use the services of the Office for Interception Centres. Further, the Information Regulator is responsible for monitoring the security measures implemented by data controllers to protect personal information, and for ensuring general compliance with the provisions of POPIA.

There is no over-arching cybersecurity agency in South Africa at present.

To date, the role of the Information Regulator has been limited as the operative provisions of POPIA are not yet in effect.

Sectoral regulators are also responsible for ensuring the protection of personal information in various sectors, where mandated to do so in accordance with the applicable sectoral legislation. The relevant provisions of such sectoral legislation, and the role of any applicable sectoral regulators, must be considered on a case-by-case basis.

There are no specific standards prescribed under POPIA, and no guidance has yet been published by the Information Regulator on this issue. However, in practice, organisations will generally ensure adherence to ISO 27001, in particular, to ensure compliance with section 19 of POPIA (Security measures on integrity and confidentiality of personal information).

In terms of section 19 of POPIA, a data controller is required to ensure that it has implemented sufficient security measures to ensure the integrity and confidentiality of personal information that it processes. This requires the data controller to take appropriate and reasonable technical and organisational measures to prevent loss of, and damage to, or unauthorised destruction of, personal information and unlawful access to or processing of that personal information. In this regard, the data controller is required to take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The data controller is required to have due regard to generally accepted information security practices and procedures that may apply to it generally or be required in terms of specific industry or professional rules and regulations.

In terms of section 21 of POPIA, a data controller must also, in terms of a written contract between the data controller and any data processor (referred to as an ‘operator’ in POPIA), ensure that the data processor that processes personal information for the data controller establishes and maintains these security measures.

There is no specific legal requirement under POPIA for a written information security plan or programme or an incident response plan. There is also no requirement to involve the board of directors, or conduct an insider threat programme.

The African Union has adopted the African Union Convention on Cybersecurity and Personal Data Protection, which is pending ratification by 15 of the 54 African Union members, although South Africa is yet to sign or ratify this Convention.

In terms of section 57 of the Cybercrimes Bill, the National Executive in South Africa may enter into an agreement with any foreign state regarding, amongst other things, the provision of mutual assistance and co-operation relating to the investigation and prosecution of an offence, the implementation of cyber-crime response activities, the implementation of emergency cross-border response mechanisms to mitigate the effect of cyber-crimes, and the reciprocal implementation of measures to curb cyber-crime. Notice of such an agreement must be given in the Government Gazette once Parliament has ratified or acceded to it.

There are no key affirmative security requirements (including required reporting, certification or other external involvement) for personal data under POPIA.

ECTA regulates the establishment of, and minimum standards in respect of, critical databases. In this regard, the Director General of Telecommunications and Postal Services may, from time to time, cause audits to be performed by a critical database administrator to evaluate compliance with the provisions of ECTA. This audit may be performed by cyber inspectors or an independent auditor.

If a data subject’s personal information has been accessed or acquired by an unauthorised person (ie, a ‘security compromise’), the data controller must notify the Information Regulator and, if the identity of the data subject can be established, the data subject himself or herself must also be notified. This notification must be made as soon as reasonably possible after the discovery of the data breach. The data controller may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned.

The notification to the data subject must be in writing and must be communicated to the data subject by post, by email, by being placed in a prominent position on the data controller’s website, by being published in the news media, or as directed by the Information Regulator. This notification must contain enough information to allow the data subject to take protective measures against the breach of their personal information, and must include:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the data controller intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal information.

The Information Regulator may also tell a data controller to publicise the fact of any security compromise if the Information Regulator believes that such publicity would protect a data subject who has been affected by the security compromise.

At present, there are no specific security requirements applicable to medical devices, industrial control systems, and the IoT in South Africa.

The general prohibition on monitoring and interception of communications under RICA is subject to a range of exceptions. This includes the interception of indirect communications (such as emails or internet communications) sent over a business telecommunication system without consent in the course of carrying on a business. The types of communications that may be intercepted in terms of this exception are indirect communications by means of which a transaction is entered into in the course of a business, which otherwise relate to a business, or which otherwise take place in the course of the carrying on of a business.

The interception of communications in accordance with this exception is subject to certain conditions:

  • it may only be effected with the express or implied consent of the chief executive officer, or equivalent officer, of the business;
  • it must be for the purpose of monitoring or keeping a record of indirect communications in order to establish the existence of facts, for purposes of investigating or detecting the unauthorised use of communications systems, or in order to secure, or as an inherent part of, the effective operation of the systems;
  • the telecommunication system concerned must be provided for use wholly or partly in connection with the business; and
  • reasonable efforts must have been made to inform employees in advance that their communications may be intercepted and monitored (through, for example, the publication of an appropriate use policy or guide).

Alternatively, the employees must have given their prior written consent to the monitoring. If such consent is given, the other conditions set out above do not need to be met.

In terms of ECTA, there is no general obligation on a service-provider to monitor the data that it transmits or stores, or actively seek facts or circumstances indicating an unlawful activity. However, under ECTA a cyber inspector may monitor and inspect any website or activity on an information system in the public domain, and report any unlawful activity to the appropriate authority. A cyber inspector may also, in the performance of his or her functions, at any reasonable time, without prior notice and on the authority of a warrant, enter any premises or access an information system that has a bearing on an investigation.

In terms of ECTA, any person who refuses to co-operate or hinders a person conducting a lawful search and seizure (ie, a cyber inspector), is guilty of an offence.

In terms of the Cybercrimes Bill, an electronic communications service provider, financial institution or person who is in control of any container, premises, vehicle, facility, ship, aircraft, data, computer program, computer data storage medium or computer system must, if required, provide technical assistance to a police official or investigator. Further, in terms of section 54 of the Cybercrimes Bill, an electronic communications service provider or financial institution that is aware or becomes aware that its computer system is involved in the commission of an offence must:

  • without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service; and
  • preserve any information that may be of assistance to the law enforcement agencies in investigating the offence.

At present, and although POPIA is not yet fully in effect, data controllers will generally take the measures set out in POPIA, or similar measures, to notify data subjects in order to mitigate potential liability under a civil claim, but there is no statutory requirement to do so as yet. The Information Regulator has also reported that some data controllers have reported data incidents to it on a voluntary basis and have met with the Regulator following data breaches but, again, there is currently no legal obligation to do so. As such, to date there have not been any significant audits, investigations or penalties imposed for data security incidents or breaches. There has also not been any significant private litigation involving data security incidents to date.

Bowmans

11 Alice Lane
Sandton
Gauteng
South Africa

+27 11 669 9000

+27 11 669 9001

info@bowmans.co.za www.bowmanslaw.com