Privacy law, in a nutshell

11 Apr 2012

About us
WebTechLaw (Proprietary) Limited Find us
94 Athol Street, Highlands North Johannesburg, Gauteng P O Box 189 Melrose Arch, 2076 C 083 444 8260 F 086 683 1731 @webtechlaw Registration No.: 2012/001694/07 Skype pljcbsn http://webtechlaw.com

Who is us?
Paul Jacobson paul@webtechlaw.com T 011 083 5132 or 087 733 2014

About This Guide

This guide is intended as a pretty high level overview of what privacy is in South African law. This is a rapidly changing area of the law. My intention is not to comprehensively explore any particular privacy law legal framework in South Africa but rather to take readers through this sometimes troubling landscape, point out the current law and its trends as well as highlight particular risks. Of course I should also point out that this guide focuses on South African legal frameworks and while the issues raised in this guide may be applicable to other jurisdictions, you should take specic advice before applying this guide to foreign legal frameworks (at least foreign to South Africa). This takes me to the inevitable set of qualications and disclaimers for a work of this nature. This guide is not a comprehensive or exhaustive discussion of the law relating to direct marketing or the various legal principles involved. That would be a much more substantial work. While this guide does deal with these legal frameworks in some detail, please dont rely on this guide as anything other than a general introduction to its subject matter. You certainly shouldnt rely on this guide as legal or other professional advice without taking independent, appropriate and specic professional advice too. This guide is based on published versions of the various legal frameworks it discusses which are available on 2012-04-11. Some of these frameworks are being updated. I will endeavour to update this guide as these legal frameworks are updated or as trends and ideas evolve but Im not making any promises so, once again, dont rely on this guide as professional advice pertaining to your particular circumstances or requirements. Lastly, a word about how you can use this guide. This guide is copyright Paul Jacobson and is published under WebTechLaws Document Use Terms and Conditions which include important licensing information. Please take some time to familiarise yourself

with this licenses features by clicking on the link in the footnote below. This is version 1.0 and it was published on 2012-04-11.

The primary law governing privacy law is the Bill of Rights and article 14 in particular: 14 Privacy Everyone has the right to privacy, which includes the right not to have(a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed. The right to privacy is a general right to privacy rst. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights: Has a law or a party's conduct infringed the right, taking into account the right's scope; and If there is an infringment, is it justied under the Limitations clause in the Bill of Rights? The Limitations clause in the Bill of Rights is article 36: 36 Limitation of rights (1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including(a) the nature of the right; (b) the importance of the purpose of the limitation; (c) the nature and extent of the limitation;

Page 1

(d) the relation between the limitation and its purpose; and (e) less restrictive means to achieve the purpose. (2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights. So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally. The seminal case on the right to privacy is Bernstein and Others v Bester NO and Others. The Constitutional Court said that the right to privacy is informed largely by a legitimate expectation of privacy which, in turn, means that a person must establish that: he or she has a subjective expectation of privacy and that the society has recognized that expectation as objectively reasonable. The subjective component means that a person can't have an expectation of privacy where that person has consented to have his or her privacy invaded. The objective component introduces a requirement for reasonableness when assessing an apparent privacy violation. There is a notion of a "continuum of privacy interests" which is a helpful application of this idea of a legitimate expectation of privacy. The Court in the Bernstein case said the following: The truism that no right is to be considered absolute, implies that from the outset of interpretation each right is always already limited by every other right accruing to another citizen. In the context of privacy this would mean that it is only the inner sanctum of a person, such as his/her family life, sexual preference and home environment, which is shielded from erosion by conicting rights of the community. This implies that community rights and the rights of fellow members place a corresponding obligation on a citizen, thereby shaping the abstract notion of individualism towards identifying a concrete member of civil society. Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly. This is an explanation for why people in the public eye have a different legitimate expectation of privacy than people who are deeply private and secretive. A person's legitimate expectation of privacy is determined by their level of publicity and the consents they have given to invasions of their privacy.

Page 2

Without delving into the law further we can already see that an aspect of the legitimate expectation of privacy is this subjective expectation of privacy which is determined by factors like consent and so on. Bottom line here is that if you grant your consent to a company to collect and process your personal information in some way, you don't have a legitimate expectation of privacy when it comes to the authorised use of that personal information. The general right to privacy should protect another important interest called "informational self-determination". This interest includes the ability to control what information is collected, how and and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination). So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn't otherwise permissible but you have a say over what that information can be used for, not to mention the ability to nd out what personal information authorised parties have collected and correct it if need be. Chapter 8 of the Electronic Communications and Transactions Act contains a voluntary set of principles which go some way towards codifying this aspect of privacy law but it is limited to "electronic transactions" and, as we pointed out above, is voluntary. Notwithstanding these limitations, it is helpful in formulating a privacy policy which contains the necessary consents which a service may require from its users. The proposed Protection of Personal Information Bill will take this process further and introduce a far more structured and mandatory regime to protect collection and processing of personal information but we are still some way away from that proposed law being passed. That being said, we recommend to our clients that they develop privacy policies in line with this proposed legislation because it is the likely shape of things to come (which is important when incorporating privacy considerations into a medium to long term project) and it provides sound principles for the collection and processing of personal information.

Page 3