Privacy and data protection in South Africa
Dr Ian Brown (@1br0wn)
Outline
• Legal framework - constitutional, horizontal, and sectoral protections
• Recent developments
Bill of Rights (Constitution chapter 2)
• Section 14: “Everyone has the right to privacy, which includes the right not to
have a. their person or home searched; b. their property searched; c. their
possessions seized; or d. the privacy of their communications infringed.”
• Broad Bill, implementing ICCPR, with similarities to EU Charter, including
relevant rights such as equality, dignity, freedom of assembly/association/
expression etc. International law and optionally foreign law part of interpretation
• Section 36: “The rights in the Bill of Rights may be limited only in terms of law of
general application to the extent that the limitation is reasonable and justifiable
in an open and democratic society based on human dignity, equality and
freedom, taking into account all relevant factors...”
• Section 38: rights may be enforced by persons and groups acting in the public
interest, as part of a group/class, and associations of members
General laws
• Electronic Communications and Transactions Act, 2002 (ECTA) - voluntary
principles for processing personal data from e-transactions
• Protection of Personal Information Act (POPI) passed in 2013 but mostly
not yet in force. Extensive rights and obligations, similar to EU Data
Protection Directive (e.g. covers all processing, special category data,
broad interpretation of personal data, prior regulator authorisation,
exemptions for anonymised data and journalistic/literary/artistic purposes).
• Some GDPR elements e.g. accountability, legitimate interests, Information
Officers, breach notification. No RTBF, DPIA, portability
• Sections enabling appointment of Information Regulator and promulgation
of regulations brought into force April 2014
Sectoral laws
• Regulation of Interception of Communications and Provision of
Communication-related information Act - regulates interception and fixed/
mobile telephony customer information sharing. Electronic
Communications Act, 2005 and 2011 Regulations require licensed
telecommunication companies to protect customer information
• Financial Advisory and Intermediary Services Act, 2002, and the National
Credit Act, 2005 require client information to be kept private, although
allowing disclosure when legally required or to protect interests
• National Health Act, 2003 makes disclosure of patient data without
consent an offence. Similar provisions in The Choice on Termination of
Pregnancy Act, 1996 and the Children’s Act, 2005
• Information Regulator may approve sectoral codes of conduct under POPI
Recent developments
• Information Regulator members appointed December 2016 - Pansy Tlakula is chairperson
• Draft regulations Sept 2017; final version published Dec 2018
• “Red tape” still delaying full POPI enactment - ECTA will be repealed and
businesses will have 12 months to comply once POPI fully brought into force
Thank you!
• Please interact with us on @1br0wn, @RIAnetwork and @BricsCyber
• Further reading:
  • Rohan Isaacs and Kerri Crawford, Data protection in South Africa: overview, Practical Law, 1 Dec 2018
  • A. Roos, in A. Makulilo (ed.) African Data Privacy Laws, Springer, 2016
  • Novation, POPIA & GDPR comparison, Jan 2019
