Updated: May 20, 2020
The lack of regulation in the public sector poses a genuine threat to privacy rights. The significance of appropriate regulation, with reference to government conduct, is it reduces the often misleading ‘autonomous discretionary burden’ off the shoulders of officials. Without guidance, one can foresee privacy interests being routinely overridden by public interest considerations when the government employs profiling strategies to manage crime. As with private actors, the threat is how do individuals anticipate and challenge government knowledge or use when there are no defined parameters?
There is currently no legislation guiding the South African government on acceptable privacy practices. POPIA is yet to come into full-effect (with no definite prospective date), which means its only form of guidance can be found in the Minimum Information Security Standards (MISS is enabled by the Regulations of the Public Service Act) and this too raises concerns since it only deals with information security, so it does not cover privacy issues. It is not a data localisation law hence it does not have any provision dealing specifically with transmission of information out of the Republic and it does not prescribe any punishment for contravening its provisions.
South Africa needs an Act that holds the individual’s privacy in high regard. A data controller must have the express written permission of the data subject for collection or processing of any profiles. The two Acts that address privacy and data protection in this ‘consent-centred’ manner are section 51 of the Electronic Communications and Transactions Act (ECTA)and section 2 of the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA).
Nonetheless, an analysis of these Acts shows that their intentions are not primarily to protect the privacy of the individual, but to enable interception of communications, given certain conditions. For example, in article 5 of the RICA and article 50(4) of the ECTA, the consequences of a privacy breach are ‘governed by the terms of any agreement between’ the organisation and the individual whose personal information has been processed.
I submit that the terms of acceptable interference, when it is done by the government, should be intentionally set out. Thus, South African needs to introduce specialised legislation intended to go further than merely ‘holding its citizen’s privacy in high regard’, but to also outline how to maintain national security or to collect data for intelligence purposes.
Accordingly, the legislature should turn to the Court of Justice of the European Union (CJEU) and European Court of Human Rights’ (ECtHR) jurisprudence on what guarantees must be specified when legislating, to make sure state interferences are not arbitrary and do not go beyond what is strictly necessary. In their judgments, the courts have described in some detail what they understand to be necessary in a democratic society, including the requirement that any measure should offer ‘minimum safeguards against risk of abuse’ (See Schrems v Data Protection Commissioner ofIreland ).
These minimum safeguards were subsequently codified by the Article 29 Working Party (WP29) as the European Essential Guarantees and are worth considering.
Disclaimer: the information contained in this Insight is for awareness and discussion purposes only and does not constitute legal advice. For any enquiries, please get in touch at firstname.lastname@example.org