The debate around data privacy is an emotional one. It impacts on our bodily privacy, our communications and our personal information. The debate is also a complex one, as the right to privacy is not absolute. Lance Michalson, of specialist IT law firm Michalsons Attorneys, highlights some of the issues.
There are also competing interests that need to be balanced, such as the maintenance of law and order and the interests of industry sectors such as direct marketing, banking, insurance, health care and pharmaceutical services. The South African Law Commission is currently working on drafting a Data Privacy Bill, and has recognised that 'the task of balancing these opposing interests is a delicate one'.
Different forms of privacy
There are different, but related forms of privacy. These include:
(i) bodily privacy (which is concerned with protecting yourself against invasive procedures such as drug testing and cavity searches).
(ii) privacy of communications (which covers the security and privacy of mail, e-mail, telephones and other forms of communication).
(iii) territorial privacy (which concerns the setting of limits on intrusion into the domestic environment and workplace and includes searches, video surveillance and ID checks).
(iv) information/data privacy (which deals with rules governing the collection and handling of personal data such as financial information and medical information).
The current position
There is established case law in South Africa on all of the above concepts of privacy, except for information privacy. Whilst everyone has a right to privacy under the Constitution and common law, it is debatable whether or not information privacy is covered by the constitutional and common law right to privacy, which is one of the reasons why information privacy has received the specific attention of the South African Law Commission.
Although there is no general data protection law (like the Data Privacy Act the Law Commission is currently working on), data protection issues have been mentioned in certain pieces of legislation and certain codes of conduct. Examples of legislation are:
* The Constitution of the Republic of South Africa Act 108 of 1996.
* The Promotion of Access to Information Act 2 of 2000.
* The Electoral Act 73 of 1998.
* The Electronic Communications and Transactions Act 25 of 2002.
Examples of codes of conduct are:
* The Code of conduct for banks issued by the Banking Council in March 2000 (which covers financial privacy).
* The industry code of conduct which regulates credit bureaux (whose main object is to collect and furnish information concerning the credit worthiness of people).
* Various best practices published by the Marketing Federation of South Africa.
Constitutional right to privacy
Much of the privacy debate amongst ordinary South Africans centres around the right to privacy under the Constitution. The right to privacy is dealt with in section 14 of the Constitution which provides that "everyone has the right to privacy, which includes the right not to have:
(a) their person or home searched.
(b) their property searched.
(c) their possessions seized.
(d) the privacy of their communications infringed."
The right to privacy in section 14 is not absolute. As a fundamental right it can be limited in accordance with the limitation clause of the Constitution contained in section 36. The Law Commission Issue Paper states that "any data privacy legislation will therefore have to find a balance between the data subject's fundamental right to privacy as set out in section 14 of the Constitution on the one hand, and on the other hand, other persons' legitimate needs to obtain information about the data subject. ... In this investigation it is the delicate balance between the right to privacy and these opposing rights and interests that has to be determined." (Issue Paper, page 53).
It is thus clear that the right to privacy in the context of information privacy needs to be fully developed. The South African Constitutional Court has delivered a number of judgments on the right to privacy. None of them relate to information privacy. They relate to the possession of indecent or obscene photographs, the scope of privacy in society and searches.
Common law right to privacy
In terms of the common law, every person has personality rights such as the rights to physical integrity, freedom, reputation, dignity and privacy. The right to privacy has been recognised as an independent personality right that applies to both natural persons and juristic persons. There have been no reported cases around privacy at common law which deal specifically with information privacy.
Legal proceedings not easy
Although the right to information privacy is not yet recognised in South African law by either statute or any case law, and although there is no general data protection law, this does not mean that an individual cannot institute legal proceedings alleging an infringement of the right to privacy.
However, it is going to be very difficult to prove the infringement (the facts have to be present and there are several complex legal issues that have to be addressed). This will involve complex legal arguments, the matter will be in Court for a long time and a final decision would in all likelihood only be handed down after the enactment of the Data Privacy Act, by which time the infringement might well be lawful under the Act.
When it comes to an alleged infringement of the right to information privacy, it is therefore not correct to talk about these infringements as unlawful or illegal, as this form of infringement of the right to privacy is not yet recognised in South African law by either statute or any case law. Moreover, in the absence of a definition of 'personal data/personal information', (i) many activities which are objectionable on the face of it, might not be and (ii) the activity might relate to a situation where information which is 'personal' on the face of it, is not in fact personal.
Creating a data privacy law in South Africa
In early 2002, the Law Commission gave notification of a project to begin work on drafting a comprehensive national Data Privacy Act. A project committee was appointed and had its first meeting in July 2002 and then released its issue paper in Q4 2003 and invited submissions by 1 December 2003. A long process still has to be followed before the Data Privacy Act becomes law:
(i) A Discussion Paper will follow the Issue Paper (which will probably be published for information and comment by Q4 2004 with workshops on the draft Act being held in Q1 of 2005), which will be followed by,
(ii) A Green Paper.
(iii) A White Paper or be fast tracked for enactment (like the ECT Act was).
(iv) Then be debated by the relevant Parliamentary Portfolio Committee.
(v) Then sent to the State Law Advisor for certification.
(vi) Then sent to the National Council of Provinces.
(vii) Then the National Assembly.
(viii) Then sent to the President for signature and enactment in the Government Gazette.
The way things are looking
The preliminary proposals of the Law Commission set out in the Issue Paper can be summarised as follows:
a) Privacy and data protection should be regulated by legislation.
b) General principles of data protection should be developed and incorporated in the legislation.
c) A statutory regulatory agency should be established.
d) A flexible approach should be followed in which industries will develop their own codes of practice (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency.
Note: The information contained in this document has been prepared by Michalsons Attorneys and is intended for general information purposes only. Do not make any business decisions on the basis of this information without consulting an appropriately qualified lawyer who can analyse your precise requirements.
For more information contact Lance Michalson, Michalsons Attorneys, 021 438 6323, [email protected], www.michalson.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.