Skip to main content
SpringerLink
Log in

Data Protection Law in South Africa

  • Chapter
  • First Online:
African Data Privacy Laws

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 33))

Abstract

The right to privacy is protected in South African common law and in the Constitution. Case law has interpreted the scope of this right and has enforced privacy rights for both individuals and juristic persons. After a lengthy legislative process, South Africa is poised to implement the Protection of Personal Information Act, an omnibus data protection act which complies with the European standards for data protection.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 139.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 179.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 179.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    South African Yearbook2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014–15 [15 December 2015].

  2. 2.

    South African Yearbook2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014–15 [15 December 2015].

  3. 3.

    South African History Online “The first large group of French Huguenots arrive at the Cape” http://www.sahistory.org.za/article/1600s and http://www.sahistory.org.za/dated-event/first-large-group-french-huguenots-arrive-cape-0 [30 January 2016].

  4. 4.

    SouthAfrica.info “A short history of South Africa” available at http://www.southafrica.info/about/history/history.htm#.VnlLK_l94gs [15 December 2015].

  5. 5.

    African National Congress “A brief history of the African National Congress” available at http://www.anc.org; SouthAfrica.info “South African history: gold and the war” available at http://www.southafrica.info/about/history/521105.htm#.VozSKfl94gs; SouthAfrica.info “South African history: Union and the ANC” available at http://www.southafrica.info/about/history/521106.htm#.VozSg_l94gs [15 December 2015].

  6. 6.

    South African History Online “Liberation struggle” available at http://www.sahistory.org.za/liberation-struggle-south-africa/genesis-armed-struggle-1960-1966 [15 December 2015].

  7. 7.

    Constitution of the Republic of South Africa Act 200 of 1993.

  8. 8.

    Constitution of the Republic of South Africa, 1996. (It was adopted as Act 108 of 1996, but no Act number is to be associated with the Constitution – see Citation of Constitutional Laws Act 5 of 2005 s 1.)

  9. 9.

    South African Government “The Constitution” available at http://www.gov.za/constitution [15 December 2015].

  10. 10.

    In Ch 2.

  11. 11.

    S 2 of the Constitution of the Republic of South Africa, 1996.

  12. 12.

    Wikipedia “Law of South Africa” available at https://en.wikipedia.org/wiki/Law_of_South_Africa [15 December 2015].

  13. 13.

    S 39.

  14. 14.

    Statistics South Africa “Mid-Year Population Estimates, 2014” Table 8 available at http://www.statssa.gov.za/publications/P0302/P03022014.pdf [15 December 2015].

  15. 15.

    South African Yearbook2014/5 “Land and its people” available at http://www.gcis.gov.za/content/resourcecentre/sa-info/yearbook2014-15 [15 December 2015].

  16. 16.

    United Nations Development Programme “Human development report 2014” Tables 1 and 2 available at http://hdr.undp.org/en/content/table-1-human-development-index-and-its-components, and http://hdr.undp.org/en/content/table-2-human-development-index-trends-1980-2013, 15 Sept. 2015 [15 December 2015].

  17. 17.

    Statistics South Africa “General household survey 2013” (2014) available at http://beta2.statssa.gov.za/publications/P0318/P03182013.pdf [15 December 2015].

  18. 18.

    SouthAfrica.info “South Africa’s telecommunications” available at http://www.southafrica.info/business/economy/infrastructure/telecoms.htm#.Vnl9_l94gs#ixzz3v4Kiwr4E [15 December 2015].

  19. 19.

    World Wide Worx “Social media landscape 2015” available at http://www.worldwideworx.com/wp-content/uploads/2014/11/Exec-Summary-Social-Media-2015.pdf [15 December 2015].

  20. 20.

    See Makulilo AB “Privacy and data protection in Africa: A state of the art” 2012 (vol 2 no 3) International Data Privacy Law 163 171 and authority cited there.

  21. 21.

    See Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1) International Information & Library Review 34.

  22. 22.

    Mbigi L and Maree J Ubuntu: The Spirit of African Transformation Management (1995) 1–7.

  23. 23.

    Mokgoro JY “Ubuntu and the law in South-Africa” 1998 (vol 1 nr 1) Potchefstroom Electronic Law Journal (PELJ) 3.

  24. 24.

    Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1) International Information & Library Review 34.

  25. 25.

    Mokgoro J Y “Ubuntu and the law in South-Africa” 1998 (vol 1 no 1) Potchefstroom Electronic Law Journal (PER) 7.

  26. 26.

    1995 (3) SA 391 (CC). Other case law interpreting ubuntu includes S v Mandela 2001 (1) SACR 156 (C); Crossley v National Commissioner of the South African Police Services [2004] 3 All SA 436 (T); Du Plooy v Minister of Correctional Services 2004 3 All SA 613 (T); Port Elizabeth Municipality v Various Occupiers 2005 (1) SA 217 (CC); Dikoko v Mokhatla 2006 (6) SA 235 (CC); S v Maluleke 2008 1 SACR 49 (T); S v Sibiya 2010 1 SACR 284 (GNP); The Citizen 1978 (Pty) Ltd v McBride 2011 (4) SA 191 (CC). Van Vuren v Minister of Correctional Services 2012 1 SACR 103 (CC).

  27. 27.

    See further Himonga C, Taylor M and Pope A “Reflections on judicial views of ubuntu” 2013 (vol 16 no 5) Potchefstroom Electronic Law Journal 370.

  28. 28.

    2011 (4) SA 191 (CC) para [217]–[218].

  29. 29.

    See para [217]–[218].

  30. 30.

    [2015] ZACC 18 at 21.

  31. 31.

    2007 (5) SA 323 (CC) at paras 28–29.

  32. 32.

    IT Web Business “Consumers still worried about privacy” available at http://www.itweb.co.za/index.php?option=com_content&view=article&id=80414 [15 December 2015].

  33. 33.

    In SA law, the right to identity is also identified as a personality right that may be infringed because of the processing of incorrect personal data (see discussion below). Identity is not recognised eo nomine in the Bill of Rights but, like the right to a good name (fama) which is also not mentioned explicitly, it can be considered to be protected under the right to dignity, which is mentioned explicitly in section 10. The concept of human dignity in the Constitution can therefore be compared with the wide dignitas concept of common law (see below).

  34. 34.

    S 13 of Act 200 of 1993.

  35. 35.

    The Constitution of the Republic of South Africa, 1996.

  36. 36.

    The courts have, however, also extended the constitutional right to privacy to “substantive” privacy rights. These are rights which enable persons to make decisions about their family, home and sex life. See, for example, De Reuck v Director of Public Prosecutions, Witwatersrand Local Division 2004 (1) SA 406 (CC); Bernstein v Bester NO 1996 (2) SA 751 (CC).

  37. 37.

    1998 (4) SA 1127 (CC) 1145. Also see Roos A “Data privacy law” 363–487 in Van der Merwe D, Roos A, Pistorius T, Eiselen GTS and Nel SS Information and Communications Technology Law (2016) 417.

  38. 38.

    Bernstein v Bester NO 1996 (2) SA 751 (CC).

  39. 39.

    Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd: In re Hyundai Motor Distributors (Pty) Ltd v Smit NO 2001 (1) SA 545 (CC) para 16.

  40. 40.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 17.

  41. 41.

    S 36 of the Constitution of the Republic of South Africa, 1996. Examples of laws of general application that limit the right to privacy are the Promotion of Access to Information Act 2 of 2000 and the Regulation of Interception of Communications and Provision of Communication-Related Information Act 25 of 2002.

  42. 42.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 271–272.

  43. 43.

    Such as the public’s right to be informed and right to freedom of expression. See eg Khumalo v Holomisa 2002 (5) SA 401 (CC) at [41]–[44] (referring to the balance that needs to be struck between dignity and freedom of expression).

  44. 44.

    S 8(1) of the Constitution of the Republic of South Africa, 1996.

  45. 45.

    S 8(4) of the Constitution of the Republic of South Africa, 1996.

  46. 46.

    See below.

  47. 47.

    Also see Burchell J The legal protection of privacy in South Africa: A Transplantable hybrid 2009 (vol 13.1) Electronic Journal of Comparative Law available at http://www.ejcl.org/131/art131-2.pdf [15 December 2015].

  48. 48.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 12. Personality rights are characterised by the fact that they cannot be transferred to others, cannot be inherited, are incapable of being relinquished, cannot be attached and that they come into existence with the birth and are terminated by the death of a human being (or in the case of a juristic person, when such person comes into existence or ceases to exist) – Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 13.

  49. 49.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 25–38.

  50. 50.

    The Roman law concerning liability for injury to personality has been adopted in South Africa – see Neethling J, Potgieter JM and Visser PJ Law of Delict 7 ed (2015) 12.

  51. 51.

    As a general rule, negligence on the part of the defendant is insufficient for liability (see eg NM v Smith 2007 (5) SA 250 (CC) para [48].) However, the application of the common law must be informed by the precepts of the Constitution – NM v Smith 2007 (5) SA 250 (CC) para [28]. South African law initially held the owner, editor, publisher and printer of a newspaper strictly liable for the publication of defamatory content. After the adoption of the Constitution and the recognition of the freedom of expression of the press and other media as a fundamental right, the court in National Media Ltd v Bogoshi 1998 (4) SA 1196 (SCA) held that the democratic imperative of the free flow of information, and the role played by the mass media in this respect, is not served by imposing strict liability on the mass media. The court was also not prepared to reinstate the common-law position of liability based on intent or animus iniuriandi, because it would then be too easy for the mass media to rely on the absence of consciousness of wrongfulness. Instead, the court held that the mass publication of defamatory statements raises a presumption of negligence. Considerations of policy, practice and fairness inter partes require that the onus be placed on the defendant to rebut this presumption.

  52. 52.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 42.

  53. 53.

    See, eg, Jansen van Vuuren v Kruger 1993 (4) SA 842 (A) 849; Herselman v Botha 1994 (1) SA 28 (A) 35; SAUK v O’Malley 1977 (3) SA 394 (A) 401–402; Naylor v Jansen; Jansen v Naylor 2006 (3) SA 546 (SCA) 551 para [7]. Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa 2 ed (2012) 335.

  54. 54.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 56.

  55. 55.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 163.

  56. 56.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 254.

  57. 57.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 270–271.

  58. 58.

    Bernstein v Bester NO 1996 (2) SA 751 (CC) 789; Jansen van Vuuren v Kruger 1993 (4) SA 842 (A) 849; NM v Smith 2007 (5) SA 250 (CC) para [48]. See also Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa 2 ed (2012) 56.

  59. 59.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 30 270–271.

  60. 60.

    Prof Johann Neethling is the leading authority on privacy and data protection in South Africa. He wrote his LLD thesis on the right to privacy (Neethling J Die Reg op Privaatheid Unisa (1976)) and he was the project leader of the SA Law Reform Commission’s Committee (SALRC Privacy and Data Protection Project 124” (2001)) that did the research on which the Protection of Personal Information Act 4 of 2013 is based.

  61. 61.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 36. This definition has been accepted by the South African courts – see eg National Media Ltd v Jooste 1996 (3) SA 262 (A) 271; Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 (4) SA 376 (T) 384; Bernstein v Bester NO 1996 (2) SA 751 (CC) 789; Swanepoel v Minister van Veiligheid en Sekuriteit 1999 (4) SA 549 (T) 553.

  62. 62.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 30 270–71; Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa 2 ed (2012) 326. This is similar to the American privacy torts of “intrusion upon the plaintiff’s seclusion or solitude, or into his or her private affairs” and “public disclosure of embarrassing private facts about the plaintiff” – See Prosser WL Privacy 1960 (48) California Law Review 383.

  63. 63.

    A person may decide that personal information may be disclosed to a specific person only or to a defined group of persons, without relinquishing the right to decide to exclude other persons from being acquainted with this information – see inter alia National Media Ltd v Jooste 1996 (3) SA 262 (A) 271–272; NM v Smith 2007 (5) SA 250 (CC) 262–263.

  64. 64.

    See Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 36 271. In other words, a false image is created by the use of the information. This is similar to the American privacy torts of “publicity which places the plaintiff into a false light in the public eye” and “appropriation for the defendant’s advantage of the plaintiff’s name or likeness” – see Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 37.

  65. 65.

    Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa 2 ed (2012) 58, 335.

  66. 66.

    1954 (3) SA 244 (C).

  67. 67.

    Other cases in which the right to privacy was recognised and protected include Kidson v SA Associated Newspapers Ltd 1957 (3) SA 461 (W); National Media Ltd v Jooste 1996 (3) SA 262 (A) 271; Jooste v National Media Ltd 1994 (2) SA 634 (C); Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 (4) SA 376 (T); Bernstein v Bester NO 1996 (2) SA 751 (CC); Jansen van Vuuren v Kruger 1993 (4) SA 842 (A); Swanepoel v Minister van Veiligheid en Sekuriteit 1999 (4) SA 549 (T).

  68. 68.

    1977 (4) SA 376 (T) 386.

  69. 69.

    2007 (4) SA 89 (SCA). See also Wells v Atoll Media (Pty) Ltd [2010] 4 All SA 548 (WCC) paras [48]–[49].

  70. 70.

    This is in line with the Constitution – see Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd : In re Hyundai Motor Distributors (Pty) Ltd v Smit NO 2001 (1) SA 545 (CC) para 17; Dhlomo v Natal Newspapers (Pty) Ltd 1989 (1) SA 945 (A); Financial Mail (Pty) Ltd v Sage Holdings Ltd 1993 (2) SA 451 (A); Janit v Motor Industry Fund Administrators (Pty) Ltd 1995 (4) SA 293 (A). Juristic persons do not have personality rights that involve the feelings of a person (such as dignity) or the body of a person (physical integrity) – Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 71.

  71. 71.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 281.

  72. 72.

    Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality 2 ed (2005) 278.

  73. 73.

    Act 4 of 2013.

  74. 74.

    See Roos A “Data protection: Explaining the international backdrop and evaluating the current South African position” 2007 (124) South African Law Journal 400 for a detailed discussion of these acts and their limitations. Also see Roos A “Data privacy law” 313–397 in Van der Merwe D, Roos A, Pistorius T and Eiselen S Information and Communications Technology Law (2008) 358–367.

  75. 75.

    Act 2 of 2000. An aspect of this Act that is relevant for present purposes is that it gives individuals access to records containing personal information about them in both the private and the public sectors – ss 11 and 50.

  76. 76.

    Act 25 2002. In terms of ss 50 and 51 of this Act, data controllers that electronically collect personal information may voluntarily subscribe to certain principles in the ECT Act which are intended to protect a person’s privacy. The data subject and the data controller must first reach an agreement in terms of which the data controller will adhere to these principles, before the principles become applicable to the transaction. The rights and obligations of the parties in respect of a breach of the principles are governed by the terms of the agreement between them.

  77. 77.

    Act 34 of 2005. The Act provides that a person, who receives, compiles, retains or reports confidential information pertaining to a consumer or prospective consumer must protect the confidentiality of that information. The Act prescribes how this must be done – see s 68. Credit bureaux have certain duties in respect of consumer credit information (s 70) and a right to access credit information and challenge its correctness, is also provided for by the Act (s 72).

  78. 78.

    Act 68 of 2008. S 11 of this Act protects consumers’ right to privacy with regard to direct marketing.

  79. 79.

    Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on the Open Democracy Bill [B67–98] (24 January 2000).

  80. 80.

    Before the ODB was published, a Draft Bill was published for comments (GG 18381 of 18-10-1997). The Draft Bill was based on policy proposals made by the Task Group on Open Democracy. A recommendation of the Task Group was that an Open Democracy Act should have more than one function, including a freedom of information component, a privacy component, an open meetings component and a component protecting whistleblowers (see Williams D “Access to Information in the New South Africa” 1997 (Aug) De Rebus 563 565; Roos A “Data Protection Provisions in the Open Democracy Bill, 1997” 1998 THRHR 497). The open meetings component was subsequently deleted and the Bill itself was further scaled down – only the access to information component remained in the PAI Act. The whistleblowers chapter of the ODB became the Protected Disclosures Act 26 of 2000. See further White J “Open Democracy: Has the window of opportunity closed?” 1998 South African Journal of Human Rights 65; Currie I and Klaaren J The Promotion of Access to Information Act Commentary (2002) 2 et seq (para 1.2).

  81. 81.

    Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on the Open Democracy Bill [B67–98] (24 January 2000) 17.

  82. 82.

    Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on the Open Democracy Bill [B67–98] (24 January 2000) 17. See also Roos A “Data Protection for South Africa: Expectations Created by the Open Democracy Bill, 1988” in The Constitutional Right of Access to Information (Report of a seminar held on 4 September 2000 at St George’s Hotel, Rietvlei Dam, Pretoria) Konrad Adenauer Stiftung Seminar Report no 5 (2001) 43 and Klaaren J, Currie I and Smith A “Analysing Foreign Access to Information Legislation from a South African Viewpoint” 29–40 in The Constitutional Right of Access to Information (above) 31.

  83. 83.

    SA Law Reform Commission (SALRC) Privacy and Data Protection Project 124 Discussion Paper 109 (2005) para 1.1.

  84. 84.

    Draft Bill s 1(1).

  85. 85.

    OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data Paris (23 September 1980).

  86. 86.

    Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981, Strasbourg (28 January 1981).

  87. 87.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31.

  88. 88.

    See SALRC Privacy and Data Protection Project 124 Discussion Paper 109 (2005) ch 8.

  89. 89.

    Bill 9 of 2009.

  90. 90.

    The Portfolio Committee on Justice and Constitutional Development debated the Bill and made amendments to it. In this process, notice was taken of new developments in the EU approach to data protection. Also see Stein P “South Africa’s EU-style data protection law” 2012 (10) Without Prejudice 48; Milo D and Palmer G “South Africa – New comprehensive data privacy law passed” Linklaters 31 January 2014 available at http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-31-January-2014/Pages/SouthAfrica-New-comprehensive-data-privacy-law-passed.aspx; Luck R “POPI – Is South Africa keeping up with international trends” 2014 (May) De Rebus 45 also available at http://reference.sabinet.co.za/webx/access/electronic_journals/derebus/derebus_n541_a26.pdf [15 December 2015].

  91. 91.

    Act 4 of 2013.

  92. 92.

    In terms of Government Gazette 37544 of 11 April 2014 the following sections came into force: s 1 (definitions); Part A of Chapter 5 (establishment of Information Regulator); s 112 (grants the Minister the authority to adopt regulations); and s 113 (procedures for making regulations). It was reported that the final step to be taken before the full implementation of POPI was appointing a Regulator for which five nominees were called for. The deadline was August 2015, but it was not met. In November 2015 parliament called for a workshop to be held on the Act, thus delaying the implementation of the Act – see Financial Mail FM Fox “Regulation: personal data in limbo” 28 January 2016 available at http://www.financialmail.co.za/fmfox/2016/01/28/regulation-personal-data-in-limbo [30 January 2016].

  93. 93.

    S 114(1).

  94. 94.

    Act 4 of 2013 Preamble. The Act contains a purpose clause (s 2), explaining the purpose of the Act in detail:

    2. The purpose of this Act is to—

    1. (a)

      give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—

      1. (i)

        balancing the right to privacy against other rights, particularly the right of access to information; and

      2. (ii)

        protecting important interests, including the free flow of information within the Republic and across international borders;

    2. (b)

      regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;

    3. (c)

      provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and

    4. (d)

      establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

  95. 95.

    The processing could be done either manually or automatically, but if it is done manually the Act will only be applicable if the record forms part of a filing system or is intended to form part thereof – see s 3(1)(a).

  96. 96.

    S 3(1). If those means are only used to forward information through South Africa the Act is not applicable to the processing.

  97. 97.

    The definitions are in s 1.

  98. 98.

    The term “responsible party” was borrowed from the Dutch data protection law (Wet Bescherming Persoonsgegevens of 2000).

  99. 99.

    Directive 95/46/EC a 2.

  100. 100.

    Personal information includes (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

  101. 101.

    Directive 95/46/EC a 2.

  102. 102.

    Processing includes (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information.

  103. 103.

    A record includes writing on any material; information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; a label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means; a book, map, plan, graph or drawing; a photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of equipment of some kind, of being reproduced.

  104. 104.

    See Dir 95/46/EC a 3(2), a 9.

  105. 105.

    The Act defines “de-identify” in s 1 as meaning, in relation to personal information of a data subject, to delete information that identifies the data subject, or that can be used or manipulated by a reasonably foreseeable method to identify the data subject, or that can be linked by a reasonably foreseeable method to other information that identifies the data subject.

  106. 106.

    S 6(1)(b).

  107. 107.

    S 6(1)(a).

  108. 108.

    S 7.

  109. 109.

    S 6(1)(c).

  110. 110.

    S 6(1)(d).

  111. 111.

    S 6(1)(e).

  112. 112.

    S 37. In terms of s 38 the processing of personal information for the purpose of protecting members of the public against, for example, dishonesty, malpractice and maladministration by persons in the financial sector may also be exempted from some of the conditions for lawful processing.

  113. 113.

    See s 4(1) and Ch 3.

  114. 114.

    S 8.

  115. 115.

    S 1. “Information officer” is defined with reference to the definition of information officers in the Promotion of Access to Information (PAI) Act. The same person who in terms of the PAI Act is acting as the information officer of an entity will also be the information officer in terms of the POPI Act.

  116. 116.

    S 56.

  117. 117.

    S 9.

  118. 118.

    S 10.

  119. 119.

    S 11(1)(a) of the Act.

  120. 120.

    S 1.

  121. 121.

    S 11(2)(a).

  122. 122.

    S 11(2)(b).

  123. 123.

    S 11(1)(b) of the Act.

  124. 124.

    S 11(1)(c).

  125. 125.

    S 11(1)(d).

  126. 126.

    S 11(1)(f).

  127. 127.

    S 11(1)(e).

  128. 128.

    S 11(3)(a).

  129. 129.

    S 11(3)(b).

  130. 130.

    This form of direct marketing is regulated in detail in section 69 of the Act.

  131. 131.

    S 12(1) of the Act.

  132. 132.

    S 12(2).

  133. 133.

    S 13.

  134. 134.

    S 13(2).

  135. 135.

    S 14(1). The steps that must be taken to inform the data subject are explained under the openness principle.

  136. 136.

    S 14(2). Several other situations where data may be kept for longer periods are listed in s 14(1)(a)–(d).

  137. 137.

    S 15(1).

  138. 138.

    S 15(2).

  139. 139.

    S 15(3).

  140. 140.

    S 16.

  141. 141.

    S 17. The manuals that must be maintained are the same as those required in terms of the PAI Act. These manuals must contain “in sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject” – see PAI Act s 4(1)(d) (public bodies) and s 51(1)(e) (private bodies).

  142. 142.

    S 18.

  143. 143.

    This may, for example, include the names of the recipients of the information, the nature of the information and the data subject’s rights in terms of the Act.

  144. 144.

    S 18(4).

  145. 145.

    S 19(1).

  146. 146.

    S 19(2).

  147. 147.

    S 19(3).

  148. 148.

    S 21(1).

  149. 149.

    S 20.

  150. 150.

    S 21. This section contains detailed provisions in this regard.

  151. 151.

    S 22(5).

  152. 152.

    S 22(4).

  153. 153.

    S 22(6).

  154. 154.

    The right to object to certain processing activities forms part of the data subject participation principle in many other data protection laws, but in POPI it forms part of the processing limitation principle already discussed above.

  155. 155.

    S 23(1)(a) and (b).

  156. 156.

    S 23(2).

  157. 157.

    S 25. See PAIA ss 18 and 53.

  158. 158.

    POPI Act s 23(4)(a). See PAIA Ch 4 of Part 2 and Ch 4 of Part 3.

  159. 159.

    S 24(1).

  160. 160.

    S 24(2).

  161. 161.

    S 24(4).

  162. 162.

    S 24(3).

  163. 163.

    S 26.

  164. 164.

    S 34 of the Act.

  165. 165.

    In the case of the personal information of a child, a person competent to consent to any action or decision being taken in respect of any matter concerning a child, should consent – S 35(1)(a) read with s 1 (definition of “competent person”).

  166. 166.

    S 27(1) and S 35(1).

  167. 167.

    S 27(2) and (3) and S 35(2) and (3).

  168. 168.

    S 28.

  169. 169.

    S 29.

  170. 170.

    S 32.

  171. 171.

    For more detail, see ss 28–33 of the Act.

  172. 172.

    S 57(1)(a).

  173. 173.

    S 57(1)(b).

  174. 174.

    S 57(1)(c).

  175. 175.

    S 57(1)(d).

  176. 176.

    S 107(b).

  177. 177.

    S 69(1).

  178. 178.

    S 69(2).

  179. 179.

    S 69(3).

  180. 180.

    S 69(4).

  181. 181.

    S 70(1).

  182. 182.

    S 70(2).

  183. 183.

    S 70(3) and (4).

  184. 184.

    S 71(1).

  185. 185.

    S 71(2)(a).

  186. 186.

    S 71(2)(b).

  187. 187.

    S 61(1).

  188. 188.

    S 60(2).

  189. 189.

    S 60(4).

  190. 190.

    Ch 9.

  191. 191.

    Binding corporate rules are defined in the POPI Act s 72(2)(a) as meaning “personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country”.

  192. 192.

    S 72(1)(a).

  193. 193.

    S 72(1)(b)–(e).

  194. 194.

    Directive 95/46/EC.

  195. 195.

    EU Working Party on the Protection of Individuals with regard to the Processing of Personal Data “Working Document: Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries” WP 4 (22 April 1998).

  196. 196.

    S 39.

  197. 197.

    S 41. On 7 September 2016 Parliament recommended the appointment of Pansy Tlakula as chairperson of the Information Regulator. Pariament also nominated the four other members required. These nominations must be approved by the President.

  198. 198.

    S 47.

  199. 199.

    S 52.

  200. 200.

    See s 40.

  201. 201.

    S 44(1). S 44(2) prescribes what matters the Regulator must have regard to in performing its functions with regard to information matching programmes.

  202. 202.

    S 1.

  203. 203.

    S 55(1).

  204. 204.

    S 55(2).

  205. 205.

    S 56.

  206. 206.

    S 74.

  207. 207.

    S 89.

  208. 208.

    S 76(3).

  209. 209.

    S 74.

  210. 210.

    S 73.

  211. 211.

    S 79.

  212. 212.

    S 76(1)(b).

  213. 213.

    S 76(1)(d).

  214. 214.

    S 79.

  215. 215.

    S 78(1).

  216. 216.

    S 76(1)(b).

  217. 217.

    S 80.

  218. 218.

    S 81.

  219. 219.

    S 82.

  220. 220.

    S 63.

  221. 221.

    S 89.

  222. 222.

    S 90.

  223. 223.

    S 92.

  224. 224.

    S 97(1).

  225. 225.

    S 100 and s 103.

  226. 226.

    S 109. Criminal sanctions and administrative fines will be discussed below.

  227. 227.

    S 99(1).

  228. 228.

    S 99(2).

  229. 229.

    S 99(1).

  230. 230.

    S 99(3).

  231. 231.

    S 107(a).

  232. 232.

    S 107(b).

  233. 233.

    S 100.

  234. 234.

    S 103(1).

  235. 235.

    S 104(2).

  236. 236.

    S 105 (responsible party) and s 106 (third party). An account number is any unique number assigned to a data subject.

  237. 237.

    S 59.

  238. 238.

    S 54 and s 101.

  239. 239.

    S 102

  240. 240.

    S 103(2).

  241. 241.

    S 104(1).

  242. 242.

    S 108.

  243. 243.

    S 109(1).

  244. 244.

    S 109(5).

  245. 245.

    S 109(2)(c).

  246. 246.

    EU Working Party on the Protection of Individuals with regard to the Processing of Personal Data “Working Document: Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries” WP 4 (22 April 1998). These principles are purpose limitation, data quality and proportionality, transparency, security, right of access, access, rectification and opposition, restrictions on onward transfer to third countries.

  247. 247.

    EU Working Party on the Protection of Individuals with regard to the Processing of Personal Data “Working Document: Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries” WP 4 (22 April 1998).

  248. 248.

    EX.CL/846(XXV). The text of the Convention is available at https://ccdcoe.org/sites/default/files/…/AU-270614-CSConvention.pdf.

  249. 249.

    Greenleaf and Georges “The African Union’s data privacy Convention: A major step toward global consistency?” (2014) Privacy Laws & Business International Report 18.

  250. 250.

    See http://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Pages/default.aspx [17 July 2015]. See further Greenleaf and Georges “African regional privacy instruments: Their effects on harmonization” 2014 Privacy Laws and Business International Report 19–21.

Bibliography for SA Chapter

Books and Journals

  • Burchell J The legal protection of privacy in South Africa: A Transplantable hybrid 2009 (vol 13.1) Electronic Journal of Comparative Law at <http://www.ejcl.org/131/art131-2.pdf>

  • Currie I and Klaaren J The Promotion of Access to Information Act Commentary (2002)

    Google Scholar 

  • Greenleaf G and Georges M “The African Union’s data privacy Convention: A major step toward global consistency?” (2014) Privacy Laws & Business International Report 18

    Google Scholar 

  • Greenleaf G and Georges M “African regional privacy instruments: Their effects on harmonization” 2014 Privacy Laws and Business International Report 19–21

    Google Scholar 

  • Himonga C, Taylor M and Pope A “Reflections on judicial views of ubuntu” 2013 (vol 16 no 5) Potchefstroom Electronic Law Journal 370

    Google Scholar 

  • Klaaren J, Currie I and Smith A “Analysing Foreign Access to Information Legislation from a South African viewpoint” 29–40 in The Constitutional Right of Access to Information (Report of a seminar held on 4 September 2000 at St George’s Hotel, Rietvlei Dam, Pretoria) Konrad Adenauer Stiftung Seminar Report no 5 (2001)

    Google Scholar 

  • Loubser M, Midgley R, Mukheibir A, Niesing L and Perumal D The Law of Delict in South Africa Oxford University Press Southern Africa Cape Town 2 ed (2012)

    Google Scholar 

  • Luck R “POPI - Is South Africa keeping up with international trends” 2014 (May) De Rebus 45

    Google Scholar 

  • Makulilo AB “Privacy and data protection in Africa: A state of the art” 2012 (vol 2 no 3) International Data Privacy Law 163

    Google Scholar 

  • Mbigi L and Maree J Ubuntu: The Spirit of African Transformation Management (1995)

    Google Scholar 

  • Mokgoro J Y “Ubuntu and the law in South-Africa” 1998 (vol 1 no 1) Potchefstroom Electronic Law Journal 2

    Google Scholar 

  • Neethling Die Reg op Privaatheid LLD thesis Unisa (1976)

    Google Scholar 

  • Neethling J, Potgieter JM and Visser PJ Neethling’s Law of Personality LexisNexis Durban 2d ed (2005)

    Google Scholar 

  • Olinger HN, Britz JJ and Olivier MS “Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa” 2007 (vol 39 no 1) International Information & Library Review 34

    Google Scholar 

  • Prosser WL Privacy 1960 (48) California Law Review 383

    Google Scholar 

  • Roos “Data privacy law” 363–487 in Van der Merwe D, Roos A, Pistorius T, Eiselen GTS and Nel SS Information and Communications Technology Law LexisNexis Durban (2016)

    Google Scholar 

  • Roos A “Data protection: Explaining the international backdrop and evaluating the current South African position” 2007 (124) South African Law Journal 400

    Google Scholar 

  • Roos A “Data Protection for South Africa: Expectations Created by the Open Democracy Bill, 1988” in The Constitutional Right of Access to Information (Report of a seminar held on 4 September 2000 at St George’s Hotel, Rietvlei Dam, Pretoria) Konrad Adenauer Stiftung Seminar Report no 5 (2001)

    Google Scholar 

  • Roos A “Data Protection Provisions in the Open Democracy Bill, 1997” 1998 THRHR 497

    Google Scholar 

  • Stein P “South Africa’s EU-style data protection law” 2012 (10) Without Prejudice 48

    Google Scholar 

  • White J “Open Democracy: Has the window of opportunity closed?” 1998 South African Journal of Human Rights 65

    Google Scholar 

  • Williams D “Access to Information in the New South Africa” 1997 (Aug) De Rebus 563

    Google Scholar 

Acts

International Documents

  • Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981, Strasbourg (28 January 1981)

    Google Scholar 

  • European Union Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31

    Google Scholar 

  • OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data Paris (23 September 1980)

    Google Scholar 

Reports

  • Ad Hoc Joint Committee of South African Parliament Report of the Ad Hoc Joint Committee on the Open Democracy Bill [B67-98] (24 January 2000)

    Google Scholar 

  • SA Law Reform Commission (SALRC) Privacy and Data Protection Project 124 Discussion Paper 109 (2005)

    Google Scholar 

  • European Union Working Party on the Protection of Individuals with regard to the Processing of Personal Data “Working Document: Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries” WP 4 (22 April 1998)

    Google Scholar 

Case law

Internet Sources

Download references

Author information

Authors and Affiliations

  1. Department of Private Law, University of South Africa (Unisa), Pretoria, South Africa

    Anneliese Roos

Authors
  1. Anneliese Roos
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anneliese Roos .

Editor information

Editors and Affiliations

  1. Faculty of Law, University of Bremen, Bremen, Germany

    Alex B. Makulilo

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this chapter

Cite this chapter

Roos, A. (2016). Data Protection Law in South Africa. In: Makulilo, A. (eds) African Data Privacy Laws. Law, Governance and Technology Series(), vol 33. Springer, Cham. https://doi.org/10.1007/978-3-319-47317-8_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-47317-8_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47315-4

  • Online ISBN: 978-3-319-47317-8

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation