
Lcr4805 Text Book

The document discusses the concept of ICT crime, distinguishing between the computer as an object, instrument, and incidental tool in criminal activities. It emphasizes the importance of protecting data as a valuable asset in the digital age and outlines the need for legal frameworks to address emerging ICT-related crimes. Additionally, it highlights the significance of ICT security and proper investigation procedures in combating these crimes.

Uploaded by

Botshelo Sivandw
Copyright
© All Rights Reserved

Information and Communications Technology Law

4
Criminal Law

4.1 Introduction to ICT crime

In the opinion of some commentators, crime has always been with us and computers are simply another tool criminals use to commit their crimes. Thus, for example, Colin Tapper asks the following rhetorical question in one of the first books to place computers and law in the proper context: “It may be asked why there is any more need for a book on the law of computers than there is for a book on the law of typewriters or tuning forks”.

Briefly, Tapper’s answer to this question boils down to the fact that computers were playing an increasingly important role in the community, that they were qualitatively different from anything else that had come before and that traditional legal principles were inadequate to deal with the legal problems caused by computers.

Well into the twenty-first century these arguments seem more valid than ever. Not only has “the computer” been expanded into a wide-ranging and dynamic new concept called “information and communications technology” (ICT), but the law is still desperately trying to keep up with this rapidly moving target.

This situation does not apply only to substantive criminal law, where new crimes have had to be defined to take account of typical ICT crimes such as “hacking” and the distribution of “viruses” and “worms”. The investigation of these non-traditional types of crime and the procedures to be followed in bringing reliable evidence in that regard before court have led to qualitative changes in ICT forensics and legal procedures. Although the main focus of this chapter is on substantive criminal law, the present chapter also deals further on with the more formal aspects of bringing ICT criminals to book (in other words, with criminal procedure). In addition, paragraph 4.2 below shows the close interface between the law and related, but non-legal, fields intimately pertinent to the investigation of computer crime and sheds some light on these fields. Examples of the latter include risk management and ICT security (which are proactive, and may also provide valuable evidence), as well as business-continuity management and the investigation of computer crime (both being reactive).

1 Tapper Computer Law xxiii.
2 It is worthy of comment that these words were uttered as long ago as 19738.
3 Formerly known as “disaster recovery”.

The question remains: what are we to understand by the concept of ICT crime, or, as it is more popularly known, computer crime? Burchell tried his hand at an evaluation of computer crime in his inaugural lecture as professor in criminal law at the University of Cape Town on 24 April 2002. He distinguishes between the role of a computer as an object (or target) of crime and as an instrument to commit crime and argues that the latter type of activity might already be adequately covered by existing common-law crimes. Even when defining new crimes in order to protect a computer as an object, he argues for restraint, saying that “any legislative intervention must be meticulously defined and costed and personnel who will be called on to implement it, trained to do so”. This is an admirable sentiment, but might be better accomplished by a deeper analysis of the real legal interests involved in a term as superficial as “computer crime”.

Collier extends the above distinction to highlight the different relationships between computers and crime, namely computers as the object or victim of crime, as the instrument of crime, and as incidental to a crime (for instance, as storage devices for relevant data).

UK author Ian Walden distinguishes between “computer-related crimes” (such as fraudulent activity involving the use of computers), “content-related offences” (such as the distribution of pornographic material involving children by means of computers and cellphones), and “computer integrity offences” (in which the computer itself is the object of an attack). These categories correlate approximately with those enumerated by Collier: the computer as an instrument of crime, the computer as incidental to crime, and the computer as an object of crime respectively.

While the above categories are undoubtedly useful, most of them are aimed at protecting a very important legal interest: ICT data. This parallels the growing number of statutory ICT crimes, such as the creation and distribution of virus and “worm” programs, and denial-of-service attacks, “phishing” and “spoofing”, similarly created in order to protect data, the most valuable asset of the twenty-first century. Data are important because they constitute potential information. Looking at the precise of computer criminals may provide a useful distinction in nomenclature. If the target is data (whether or not the data might be used in further crimes), we have a genuine example of ICT crime. If the computer’s role is simply that of a tool to open the doors of the safe at Fort Knox in order to enable the criminals to get hold of the gold bullion inside, we are dealing with an ICT-related crime. Walden argues that content-related offences merit separate treatment, especially if the content turns out to be child pornography on the Internet. His argument has merit, given the fact that South African law deals with child pornography in an Act entirely divorced from most other ICT-related matters, namely the Films and Publications Act.

In a note Van der Merwe has explored the importance of the integrity of data in the modern ICT world. The note strives to shift the focus away from protecting

4 “Criminal justice at the crossroads” 2002 SALJ 579 ff.
5 Ibid. 58%.
6 Collier “Criminal law and the Internet” 523 ff.
7 “Computer crime and information misuse” 296 ff.
8 See para. 4.3.1 below for a more complete discussion of these new forms of crime.
9 Act 65 of 1996.
10 “Information technology crime — a new paradigm is needed” 2007 THRHR 309.
the “container” of valuables (the computer is merely the modern equivalent of a bank-vault, only instead of money or gold it contains data) to protecting the real valuables in most ICT crimes, namely the data contained in the computer, cellphone, GPS device, and so on. In the same note the author argues in favour of a distinction originally made by Tony Twine at a conference entitled “Knowledge management — overcoming the information overload”.

Twine’s distinction grades the following ICT-related concepts in an ascending order of information value: “data”, “information”, “knowledge” and “wisdom”. A fifth (but separate) concept, “intelligence”, works as a catalyst for the other four, transforming (objective) data into (subjective) information, information into knowledge, and knowledge into wisdom. Twine then argues convincingly that of the four traditional production resources (namely land, capital, labour and entrepreneurship) only entrepreneurship actually involves the intelligence to “process” one of the lower factors to a higher level. Nonetheless, the basic foundational concept in the above schema, which concept also stands in the greatest need of protection by the criminal law, consists of data which are analogous to the ore from which precious metal such as gold is extracted. In a sense, data are not user-specific in that they retain the potential for being transformed into anyone’s information. Data are the rough ore from which the refined gold of information, knowledge and wisdom may later be extracted. That is why the focus of the Electronic Communications and Transactions Act is on protecting “data” or “data messages”.

To sum up, although it might be more accurate to speak of IT crime (or, more accurately, ICT crime) rather than the dated concept of computer crime, the concepts of “data crime” and “data protection” should not be lost sight of. Instead of focusing on peripherals and externalities, the definitions of these crimes should rather target the true contents of the compromised computers or other hardware, namely the data they contain.

ICT crime is a multi-disciplinary field of endeavour. Even though the present chapter focuses on substantive and formal criminal law (with limited reference to forensics), one cannot when dealing with the investigation and prosecution of ICT crimes avoid making references to other fields of law, such as privacy law and the law of evidence, to mention just two. Although privacy and evidence are dealt with in separate chapters, reference to these fields of law will be made where useful.

Finally, IT security also deserves a mention and will be treated next. If proactive security measures are adequate, the need for a drastic and reactive system (such as criminal law) to be invoked might fall away completely or, at least, be diminished considerably.

11 Geographical positioning system.
12 Held at Kyalami, Gauteng on 5 August 1998.
13 But see para 9.1.1 fn 5, below, for a different view.
14 Act 25 of 2002.
15 See Chapters 9 and 5 respectively.

4.2 Aspects of ICT security, including the investigation of ICT crime and preparing a case for court (forensics)

ICT security has become increasingly important because of the special nature of ICT crime. Consider the specialised knowledge and expertise required for the investigation of the scene of an alleged computer crime and for the preservation of potentially relevant evidence. Even though the focus of the present chapter is on substantive and formal criminal law, limiting the scope of our enquiry to these two fields would leave the reader with an incomplete picture. The two closely allied fields of ICT security (preventative) and ICT crime investigation (reactive) deserve at least a cursory glance.

It is also of interest to note that a concept ECT Act has been circulated by the Department of Communications. The new Act devotes much more attention to security matters and foresees the creation of a permanent “ICT Security Hub”. Section 47 of the concept proposes a new section 85A that should read as follows:

“Cybersecurity Hub
85A. (1) The Minister shall in consultation with the JCPS cluster, create a Cybersecurity Hub for the purpose of—
(a) creating awareness about threats to electronic communications networks and electronic communications from cybercrime;
(b) responding to cybersecurity incidents;
(c) creating guidelines to educate persons, private and public bodies about what cybersecurity is and what measures to put in place to protect themselves and their information from cybercrime;
(d) lising co-ordination of cyb ity
(e) conducting cybersecurity audits, assessments and readiness exercises for any person on request; and
(f) fostering and p ang jon by Gover the private sector, civil society and caeccaaeenl communities and businesses in the setting and implementation of cybersecurity standards and other matters.
(2) The Minister may make regulations in respect of—
(a) the types of cybersecurity incidents that should be reported to the Cybersecurity Hub;
(b) the manner in which the Cybersecurity Hub shall administer and implement the National Cybersecurity Framework;
(c) oa en or guidelines that may be generally applicable or
(d) dec peoae as nese casas to and by the Cybersecurity Hub by any person;
(e) compli with dards, procedurs and p developed in terms of the National Cybersecurity Framework;
(f) the way in which a person may apply for an audit of his or her or its compliance or the way in which such an audit may be carried out at the instance of the Cybersecurity Hub; and
(g) any other relevant matter which it is necessary or expedient to prescribe for the proper implementation of this Chapter”

16 In GN 888 in Government Gazette 35821 of 26 October 2012.
It is interesting to note that both subsections (1)(f) as well as (2)(e) make mention of standards in the context of cybersecurity. This echoes the emphasis that has also been placed on standards when dealing with signatures in the sections dealing with evidence.

4.2.1 ICT security

ICT security basically boils down to a careful evaluation of the security risks that a given user’s ICT assets, resources and activities are exposed to and includes the formulation and quantification of countermeasures, as well as the prediction of the effectiveness of such countermeasures.

These tasks should also include the compilation and approval of business-continuity plans to be implemented when any of the above risks come to fruition. The continual auditing, monitoring and adaptation of such plans also form an important part of the total strategy. This whole field of “knowledge” was known as “disaster recovery”, but the more sophisticated term “business continuity”, placing a greater emphasis on the positive aspects, has become more usual.

Fortunately, standards have been established to make security goals more achievable. In this regard, ISO 17799, a code of practice for information-security management and best practices, has been very helpful. Such codes also focus on aspects such as physical and environmental security, system and access control, and personnel security.

Part of managing one’s ICT risks is to understand the value of relevant data or information to one’s organisation and to evaluate the importance of such data and information to the future well-being of the organisation. Maherry takes great pains to point out that the real threat to information belonging to an organisation does not lie in “hordes of evil hackers lurking on the Internet just waiting to attack and deface your Web site”. The danger “lies within”, as it were, in that most businesses have not yet learned the full extent of their commercial dependence on IT systems and the “very real world trust that has to be placed in those systems”. Maherry further points out that during the 1990s the focus had really been on internally focused information systems, but that this focus has now shifted to more externally focused systems, with the attendant greater risks to security.

This means that the security of both ICT hardware (such as the technical infrastructure) and applications (mostly software) is important. One should also focus on the human element, of course, including such factors as personnel screening and security. Finally, all hardware, software programs and the operators making use thereof actually have just one goal in mind — the production, use and safe storage of accurate data.

17 Benade “SITA advanced learner manual on information systems security in the DOD” (an in-house information manual) 83.
18 International Standards Organisation.
20 Ibid.

4.2.2 The proper investigation of ICT security breaches (including forensics)

Benade et al. sketch out a series of procedural steps to be taken to facilitate the orderly investigation of the site of a suspected ICT crime. These steps include the planning and preparation of an ICT-crime investigation and the gathering and analysis of the crime-related information itself.

An important part of such an investigation is the preparation of a case against the suspects, which case might later be brought to court. This is the field of computer forensics. Basically, the term “forensics” amounts to the following of certain acknowledged standards during the investigation of and presentation of evidence against the accused, which procedure tends to persuade the court to admit such evidence and give due and proper weight to it.

The gathering and analysis of information about ICT crime is a rather complex process that entails determining the nature of the crime, the degree of technical expertise involved as well as the history of the crime’s type in the environment in which the crime was committed. The investigator should liaise with personnel management in order to check the job descriptions of all suspects, informants and witnesses and should also verify from the personnel files any relevant personal connections between such role-players. Finally, of course, the investigator should carefully examine the computer or telecommunication system, interview and question relevant role-players, and formulate possible scenarios and test them with relevant experts.

In a very thorough work on the forensically desirable reaction to crime, Douglas Schweitzer deals with the so-called “preliminary response” to a suspected incident of ICT crime. This response should include at least the following steps: preparing the ICT system for data collection; enabling the logging (by the investigator) and auditing of access (by the prior users) to the system; collecting data from computer memory; “imaging” all data from hard drives; and following the required “chain of custody” to present the court with a complete scenario. Only when all these steps have been followed will a (knowledgeable) court be able to ensure that the proper weight is ascribed to the data in question. The weight attached depends on the admissibility and quality of the evidence gathered and presented.

Although the present work neatly categorises substantive criminal law, criminal procedure, law of evidence and security into their respective pigeon holes, the computer-crime investigator does not have this luxury at the scene of the suspected crime and simply has to collect all possibly relevant clues. He or she also has to do this as neatly and carefully as possible, otherwise the State’s case might be destroyed by incisive cross-examination by an astute defence counsel.

22 Benade “SITA advanced learner manual on information systems security in the DOD” 39 ff.
23 The word “forensics” comes from the Latin forum meaning “court”.
24 Schweitzer Incident Response 6 ff.
25 Or, at least, attempts to do so.
evidence including a 2015 Bill from the Department of Justice.
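
The “imaging” and “chain of custody” steps of the preliminary response described in 4.2.2, sketched as an added example that is not taken from the book or from Schweitzer: the image is hashed at acquisition, and every custody entry commits to that hash and to the entry before it, so a later change to the image or to the record can be shown. The hash-chained log design, the function and class names, and the sample disk contents and timestamps used with it are assumptions constructed for illustration.

```python
import hashlib
import io
import json

CHUNK = 1 << 20      # read 1 MiB at a time so large images never sit in memory
GENESIS = "0" * 64   # "previous entry" value used by the first custody entry


def sha256_stream(stream):
    """Hash a binary stream from its current position to end of file."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, dest):
    """Copy source to dest, then re-read dest to confirm a bit-for-bit copy.

    dest must be an empty, seekable stream opened for reading and writing.
    Returns the SHA-256 of the acquired data and raises if the written image
    does not hash to the same value as the bytes read from the source.
    """
    digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK), b""):
        digest.update(chunk)
        dest.write(chunk)
    acquired = digest.hexdigest()
    dest.seek(0)
    if sha256_stream(dest) != acquired:
        raise IOError("image verification failed: copy differs from source")
    return acquired


def entry_digest(body):
    """Hash one custody entry; canonical JSON keeps the result stable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody record; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, when, actor, action, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"when": when, "actor": actor, "action": action,
                "evidence_sha256": evidence_sha256, "prev": prev}
        self.entries.append(dict(body, entry_hash=entry_digest(body)))

    def verify(self, image=None):
        """Return a list of problems; an empty list means the record is intact."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if entry_digest(body) != entry["entry_hash"]:
                problems.append(f"entry {i}: contents altered after recording")
            if entry["evidence_sha256"] != self.entries[0]["evidence_sha256"]:
                problems.append(f"entry {i}: evidence hash differs from acquisition")
            prev = entry["entry_hash"]
        if image is not None and self.entries:
            image.seek(0)
            if sha256_stream(image) != self.entries[0]["evidence_sha256"]:
                problems.append("image: current hash differs from acquisition hash")
        return problems


if __name__ == "__main__":
    # Constructed sample data standing in for a seized drive.
    disk = io.BytesIO(b"\x00" * 4096 + b"constructed sector data " * 200)
    image = io.BytesIO()
    h = acquire_image(disk, image)
    log = CustodyLog()
    log.record("2024-01-01T09:00:00Z", "Investigator A", "acquired image", h)
    log.record("2024-01-01T11:30:00Z", "Evidence clerk B", "received for storage", h)
    print(log.verify(image))          # intact record and image
    log.entries[0]["actor"] = "Someone else"
    print(log.verify(image))          # the edited entry is reported
```

For a real acquisition the source would be a device opened read-only behind a write blocker and the destination a file opened in `w+b` mode; the streams here are in-memory stand-ins.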
4.3 The common law with respect to ICT crime

4.3.1 Introduction — from common law to computers

South African criminal law is in the fortunate position of still having a living and developing common-law system which, because of its emphasis on flexible and adaptable general principles rather than on a multiplicity of rigid rules, can reasonably be expected to adapt more easily to new legal phenomena. However, whether the South African common law regarding crime in general (being the Roman-Dutch law) has successfully adapted to the coming of the computer is a more controversial subject.

In this regard, it might be instructive to examine the many phases the common-law crime of theft has gone through. From a crime which, during the Middle Ages, involved cutting through somebody’s purse and extracting the silver and golden coins in it, theft has evolved in such a way as to include programming a computer to mail one’s virtual “loot” to Switzerland, or whatever safe country one has in mind, long after one has safely completed one’s “getaway”.

Even though certain forms of theft are now dealt with by means of statute, the basic common-law crime of theft remains and has to be applied, even to cases of computer-based theft. The same applies to other common-law crimes of dishonesty, for example in cases involving computer-based fraud.

One thing that has changed, though, is the fact that the definitional scope of such crimes can no longer easily be expanded. This is because the so-called “legality” principle, nullum crimen sine lege, has been (by implication) made part of the inalienable human rights bestowed by South Africa’s Constitution, in terms of section 8(1) of which it “binds the legislature, the executive and the judiciary”. On the other hand, the judiciary may “apply, or if necessary develop, the common law” in order to give greater effect to such human rights. This licence and duty should ensure that the common law remains a developing system which is alive and can react to change.

Even though computer-illiterate lawyers may think that the common law regarding theft is alive and well when they read of “identity theft” on the Internet, this new crime is really a species of fraud. It usually involves activities called “phishing” and “spoofing”. The former activity entails sending out an e-mail purporting to require information from the recipient for some legitimate purpose — often such e-mails take the form of a request for personal details from one’s “bank”. Sometimes these messages direct the recipients to a “spoof” (false) website, usually a website controlled by criminals, purporting to be a legal site — again usually resembling that of a genuine bank. Having acquired sufficient personal particulars to impersonate realistically someone who has been tricked into revealing his or her details, the “identity thief” can then gain access to the victim’s true banking or shopping sites and carry on further fraudulent activities at the expense of the victim.

26 Because Roman law existed “BC” (Before Christ) it may therefore chronologically be seen as also being firmly “BC” in the sense of “Before Computers”!
27 Whence the ancient description of a thief as a “cutpurse”.
28 No crime without (preceding) criminal prohibition.
29 This principle may be deduced from the wording of s 8(1) of the Constitution of the Republic of South Africa, 1996 which reads as follows: “This Bill of Rights applies to all law and binds the legislature, the executive, the judiciary and all organs of state”.
30 S 8(3).

In South Africa banks have been warning against phishing schemes for some time, which schemes have become more common during the past few years. In March 2007, for instance, Absa, Standard Bank and FNB confirmed that some of their clients’ accounts had been breached in this fashion. The form of the attack was a phishing e-mail purporting to be from one of the banks concerned and requesting the client to update his or her details electronically. The attack was also one of the most sophisticated yet in that, after gaining details such as the clients’ card number and PIN, as well as their e-mail addresses, the phishing program returned the victims to the genuine bank website, thus leaving them with the illusion that all was well.

Ironically, just before this attack, FNB had actually suggested some precautions to help protect its customers. These were to confirm the validity of any e-mail purporting to have been sent by the bank by calling the bank’s helpline; never to divulge personal details or passwords by e-mail; to type out the bank’s web address in the address window of one’s Internet-browsing program rather than clicking on a link in an e-mail; to check the security information under the VeriSign logo (if available) in the e-mail; to check the message for spelling mistakes or poor grammar, and to check whether the e-mail has been (electronically) signed by the proper official.

According to Dr Chris Kotze, CEO of FNB Online, this type of phishing activity increased significantly through the first six months 2007. The bank closes down forty to seventy phishing sites every month, after they have been active for three or four days each at a time.

Another classic computer crime is that of hacking, or gaining access to a website without permission. One of the best-known examples in South Africa was the hacking of the eNaTIS electronic database in 2007. Even though eNaTIS has had quite enough problems without any outside interference, Wolfgang Selzer, an industry expert, sees the incident as “indicative of a dramatic increase in the number of information technology security breaches in SA”.

The situation is not helped in any way by the fact that cyber-crime “tool kits” are now on sale via the Internet for those who lack the necessary skills to perform such crimes. A typical example of such a tool is “spy software” which can log all the details and work performed on a computer on which such software has been installed.

These developments are tally ominous in light of the meteoric rise in importance of such nations as China. China, for one, has expressed interest in developing “informationised armed forces” as part of its broader military strategy, which might lead to a new “cyber cold war.”

31 “Bank clients warned of phishing scam” www.iol.co.za/general/news (accessed 27 May 2007).
32 “FNB helps online banking clients transact safely” http://itweb.co.za/sections (accessed 14 March 2005).
33 “New phishing scam nets crs” WwW. i core (accessed 30 June 2007).
34 Electronic National Transport Information System.
35 Phasiwe “Hacker let eNaTIS off lightly — expert” www.businessday.co.za (accessed 12 July 2007).
36 “Cyber crime tool kits go on sale” http://newsvote.bbc.co.uk (accessed 6 September 2007).
37 Computers to which large numbers of people can gain access or use, such as those in Internet cafés for example, are especially vulnerable. See “Spy software ‘raises risk of cyber crime’” www.businessday.co.za (accessed 30 July 2007).
38 Williams “Cyber spies and other espionage” Mail & Guardian 4 December 2007. See also para. 4.6.3.3, below, where the strategic importance of cyberware is illustrated with reference to a cross-border incident between Russia and Estonia.
Chapter 4: Criminal law 71

72 Information and Communications Technology Law


4.3.2 Academic opinion on South African common law
The question of the adaptability of South African common law has been explored by ofsubjective fights, such as personal rights.” For example, he distinguishes between
a number of South African authors. The first of these, JA Coetzee,” did not have “an intention to transfer ownership [and] an intention to cede rights (Lc. transfer
computers specifically in mind, but discussed in more general terms whether theft of credit)”.
immaterial things is possible. He argued that no dogmatic principles exist that would In a more recent series of articles” Ebcrsohn seems to follow the second course,
prevent theft from being “expanded” in this way. An carly article by the present namely for the criminal law to extend the category of things that may be stolen
author” also tried to match commontaw principles with the (then) new field of com- instead of tinkering with the privatetaw definition of ownership. In this way, person-
puter crime and decided that the whole question compatibility depended on wheth- al rights and immaterial rty rights could be covered by a judicial ion of
er theft of intangibles was possible in modern South African law. the traditional concept of theft. Ebersohn argues that modem theft is Mexible
enough to encompass “the appropriation of personal rights”, the electronic irans-
In a later article” Van der Merwe presented two possible solutions for the theft of
fer of credit between banking accounts,” the copying of[ incorporcal property and
intangibles where computers are involved. The first of these was for the common-taw
even passwords and confidential credit-card information.”
aspects of the law of things” to be expanded to include incorporcals among things
that may be possessed and owned and therefore also stolen. The second was for the Many of the arguments in favour of expanding the traditional concept of theft also
apply to other commomtaw crimes such as fraud. The question may be asked whether
criminal Faw to extend the category of things that may be stolen to include specifical-
Roman-Dutch law will be able to with the many new dece; schemes
ly personal rights and immaterial property rights. An objection to cither of these
dreamed up by cybercriminals. It is submitted that, although the Roman-Dutch legal
courses could be that such a development would fly in the face of the definitions of
system has always proved remarkably to change, it is probably a “good
“ownership”, “property” and “thing” that have been developed through the ages.
thing” that South Africa has passed the Electronic Communications and Trans-
Another objection lies in the fact that these three concepts might develop varying actions Act” to take care of cybercrime. That said, although this Act docs cover
content in criminal and private law respectively, if the suggested developments are ¢rimes such as fraud and extortion, the crime of theft was left out of the ECT Act
not harmonised in both fickis. The legality principle might provide sufficient grounds This was probably a conscious decision not to get involved in the abstract argument
for a specific objection against the expansion of the subject-matter of theft in criminal posed in the previous paragraphs. By contrast, the latest Bill from the L ent of
law. Its Latin format, nullum crimen sine lege, literally means “no crime without (a preceding) law”. The philosophical basis for the rule is that, if the law is not clear on a certain point, it is unfair to expect citizens to adjust their behaviour on that point.

A further problem limiting this type of development is the theory of subjective rights which forms a cornerstone of the South African common law. According to this theory all legal rights may be classed into four categories of subjective rights, namely real rights, personal rights, personality rights and rights to immaterial property.

Loubser cites a Swiss case from the canton of Basel which acknowledges that the concept of “sache” used to be limited to corporeal rights but then states that “the realities of modern economic society required that disposal of credit in a bank account be treated in the same way as appropriation of money in cash”. Loubser is careful not to expand the concept of ownership in corporeal matters to other incorporeal rights and prefers not to use the term “ownership” at all with the other categories

Justice provides the State with a much wider range of offences, including theft of intangibles (which may even include patent and copyright), terroristic activities, espionage, money-laundering and the like.”

In the same series of articles, Ebersöhn makes out a similar argument regarding fraud, namely that many computer-related fraudulent schemes fall within the wide parameters of “potential prejudice”. However, he perhaps takes the matter a little too far when he argues that an unsuccessful hacking attempt constitutes the completed crime of fraud “because a risk of prejudice existed when the misrepresentation was made”. The already vague boundaries in the doctrine of inchoate crime between “the end of the preparatory actions” and “the commencement of the consummation” make poor bedfellows for a concept as vague as “potential prejudice”. If the concept of potential prejudice is to be expanded to encompass frustrated hackers, our courts will have to bring more clarity to it than is present in South African case-law on fraud.

39 Coetzee “Diefstal van onliggaamlike sake” 1970 THRHR 369 ff.
40 Van der Merwe “Computer crime” 1985 Obiter 124.
41 Van der Merwe “Diefstal van onliggaamlike sake met spesifieke verwysing na rekenaars” 1985 SACC 129. See also A St Q Skeen “Computers and crime” 1984 SACC 262.
42 Which is part of private law.
43 Mostly in terms of contractual relationships.
44 Including the right to one’s good name, for instance.
45 Which include patents, copyright and the like.
46 “The Theft of Money in South African Law” (LLD thesis, Stellenbosch University, 1977) 193.
47 Appeal court of Basle 28/11/1961 BEE (1961) 87 IV 115, dealing with a Mr Kroevierski.
48 “Thing” in English, sak in Afrikaans and res in Latin.
49 Loubser “The Theft of Money in South African Law” (LLD thesis, Stellenbosch University, 1977) 179.

Loubser “The Theft of Money in South African Law” (LLD thesis, Stellenbosch University, 1977) 83.
Ebersöhn “A common law perspective on computer-related crimes” 2004 THRHR 22 ff.
Ibid. 51.
Ibid. 33.
Ibid. 37.
Ibid. 42.
Act 25 of 2002.
B 2015 of 2015 at http://www.justice.gov.za/legislation/invitations/invites.htm
Ebersöhn “A common law perspective on computer-related crimes” 2004 THRHR 193 ff.
201 and 203.
These well-known terms relating to the doctrine of attempt have been derived from a multitude of cases in both English and South African law.

Ebersöhn also argues that “South African courts have expanded the term ‘property’ to include ‘substantial interests’ as well as ‘rights in such property’ for purposes of the common-law crime of malicious injury to property”. This flies in the face of the opinion expressed by Burchell that the thing destroyed has to be corporeal and therefore that “to infect a computer programme with a virus that destroys information on the disk is not malicious injury to property”.

Finally, Ebersöhn even argues that the crime of crimen injuria might be committed by hacking into a computer system:

Therefore it is submitted that where a hacker gains access to A’s computer system and copies, deletes, or modifies data he commits crimen injuria. It is further submitted that where a hacker merely gains access to a computer system without deleting, copying or modifying data, he is also guilty of crimen injuria.

In an instance of crimen injuria that might be classified as ICT-related crime, a man was fined R10 000 for videoing up a woman’s skirt.

Ebersöhn rounds off his article with an appeal to the constitutional right to privacy, but this right may have to be reconciled with another constitutional right, namely the right of any citizen to have the principle of legality honoured by his or her lawgiver. He also argues that an invasion of privacy would amount to the crime of crimen injuria, but this statement would probably have to be limited to extreme invasions in order to render justice to each according to his or her rights.

While the creativity of many of Ebersöhn’s arguments is admirable and shows the vital signs of life of a healthy criminal-justice system, Ebersöhn should perhaps also have canvassed the question of nullum crimen sine lege (no crime without a prior law), also known as the legality principle, a little bit more.

4.4 South African case-law and legislation regarding substantive ICT crime

4.4.1 South African case-law

The subjective rights mentioned in paragraph 4.2 above are not merely academic creations, but have been recognised and given legal force by South African courts in such cases as Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk. In that case, the court decided that, even though a university might not have personality rights in the “werfkrag” of its imagery and symbols, it does have a right to immaterial property in that regard, in the sense that the university’s imagery and symbols may not be used without the permission of the University.

4.4.1.1 Theft

A number of theft cases have also illustrated how the subject-matter of theft has been dematerialised, especially when it is in the shape of abstract sums of money. These cases include R v Milne and Erleigh, R v Manuel, R v Scoulides, S v Gathercole, S v Kotze, S v Verwey, S v Graham and S v Harper.

The matter is probably best summed up by Greenberg JA in the Manuel case in which he stated the position as follows: “under our modern system of banking and paying by cheque or kindred process the question of ownership of specific coins no longer arises where resort to that system is made”. In other words, once money has been dematerialised from the ownership of specific coins, the theft of abstract sums of money is quite possible.

4.4.1.2 Fraud

As far as fraud is concerned, it was decided in S v Van den Berg that the conduct of the accused, in unlawfully crediting the account concerned with R800 when the account had not been entitled to such credit, had been a fraudulent misrepresentation to the bank. The court also found that the fact that such misrepresentation had been introduced electronically into the computer system did not differ at all from the conduct of a clerk who, with the intent to deceive, makes a false entry with a pen in a ledger account.

4.4.1.3 Malicious injury to property

S v Howard was one of the first South African examples of an accused’s being convicted of malicious injury to property for causing an entire computer system to break down. The system in question controlled the online financial systems of the Edgars and Jet Stores chains of shops and millions of rands were lost as a result of the actions of the accused, a disenchanted former employee. These actions were committed before the promulgation of hacking as a statutory crime in terms of the Electronic Communications and Transactions Act, which is discussed in context with similar legislation under the next main heading.

Watney has written a penetrating discussion of the Howard case, covering preliminary procedural points such as jurisdiction, as well as important points of substantive

207.
Burchell and Milton Principles of Criminal Law 3 ed 851 fn. 18.
Ebersöhn “A common law perspective on computer-related crimes” 2004 THRHR 375 379.
See the arguments regarding the classification of ICT or computer crime under para. 4.1 above.
Ebersöhn “A common law perspective on computer-related crimes” 2004 THRHR 375 30.
Pech bi aes 1 1S.) of the Corpus Juris Civilis as “suum cuique tribuere” — to render to each what he deserves.
1977 (4) SA 886 (T).
Literally “drawing power”.

1951 (1) SA 791 (A).
1953 (4) SA 523 (A).
1956 (2) SA 388 (A).
1964 (1) SA 22 (A).
1965 (1) SA 118 (A).
1968 (4) SA 682 (A).
1975 (3) SA 569 (A).
1981 (2) SA 638 (D).
1953 (4) SA 523 (A) 526.
1991 (1) SACR 104 (T).
Unreported case no. 41/258/02, Johannesburg regional magistrates’ court (see 2005 TSAR 603).
Act 25 of 2002.
See para. 4.4.2 below.
Watney 2005 TSAR 603.

law, for instance whether the erasure of digital data could amount to damage to property to the extent required by the crime of malicious damage to property. The question of jurisdiction was answered in the State’s favour because at least an element of the crime took place in the area of the court's jurisdiction, thus satisfying the relevant statutory requirement. Whether erasure of digital data amounts to malicious damage to property was also decided in favour of the State because of the facts of the case, namely that the hard drive of a network server was damaged after it had attempted to reboot 256 times and the file loadirm.exe had been altered, both as a result of interference with the system by the hacker. The court found that because the POS systems were rendered unusable for some time, temporary damage had been done to corporeal property. Nonetheless, the court also remarked in an obiter dictum that the alternative argument by the State was equally strong, namely that the “property” in the crime of malicious damage to property no longer needs to be physical.

4.4.1.4 Pornography

Perhaps because computers are mostly used to calculate and transfer sums of money, the focus of computer crime is usually on commercial IT crime. Nonetheless, ICT technology can also be used to commit crimes of an entirely different, non-commercial nature, such as accessing child pornography by means of the Internet. This crime is dealt with in terms of the Films and Publications Act which was specifically amended in 1999 to cope with pornography on the Internet. This Act is an excellent example of how legislation should be kept abreast of modern developments, and one can only hope that legislation concerning gaming, for example, will be similarly developed.

A number of real-life instances of such crimes of a non-commercial nature have arisen in the past few years. The South African Department of Home Affairs portfolio committee has called for tougher criminal sentences for those convicted of the possession of child pornography. According to a 2003 amendment to the Films and Publications Act, the maximum prison term for this type of offence has been increased from five years to ten years. According to South African Internet guru, Arthur Goldstuck, these are not idle precautions: “Based on the global experience of adult content on the Internet, it makes sense that porn will be a huge revenue-generator for ar

The recent case of S v Rawlinson, decided in the regional magistrates’ court in Durban, seems to bear this prediction out. The accused was charged with 1 159 counts of the contravention of section 27(1)(a)(i) of the Films and Publications Act, namely the possession of child pornography. Count 1 160 was an allegation of the contravention of section 27(3) of the same Act, namely that the accused had failed to take steps to prevent access to these images by a person under the age of 18 years. What makes this case of interest to the present work is the fact that the images in question were all stored as data on a computer. The accused was convicted on the majority of the charges of being in possession of child pornography, but acquitted of the charge of failing to take steps to prevent a person younger than 18 years from accessing the images. This was because the one person concerned testified that she had only used the particular computer to play the game Solitaire.

4.4.1.5 Gambling

Closely allied with the “sin” of pornography, is that of online gambling, or “gaming” as it is sometimes euphemistically called. In a recent case concerning the gambling licence of Casino Enterprises of Swaziland there was some dispute as to where the gambling was really taking place. Everything was organised from Swaziland, and the casino therefore argued that it did not need a Gauteng gambling licence. In reply, the Gauteng and national gaming boards, as well as the Minister of Trade and Industry, argued that gambling was being carried out (and the money spent) in South Africa and therefore needed to be licensed locally. In his judgment, Judge Hartzenberg opined that gambling can be dangerous for individuals and that they have to be protected by means of controls. On the other hand, the court recognised that gambling could be a great source of revenue for the province, which, if wisely spent, could improve the standard of living of the province's residents.

In dismissing the application by the casino, the judge added that it was difficult to see how the Swaziland legislation, in terms of which the plaintiff had obtained its casino licence, would have extraterritorial operation. It is submitted, however, that all computers linked to the Internet ipso facto have “extraterritorial operation” and that these matters may have to be dealt with by multi-lateral treaty rather than by one-sided national legislation.

In South African law, gambling is regulated by the National Gambling Act and a number of provincial ordinances. The relationship between these two levels of legislation has been explored by Carnelley. She concludes that the political decision whether online gambling should be regulated at a national or provincial level had not yet been finally taken in all provinces, but that some legislative amendments would be due either way. However, in the end, the decision has come down firmly on the side of provincial regulation. For example, in Gauteng gambling is regulated by means of the Gauteng Gambling Act. In its preamble this Act enumerates the various types of gambling it regulates, such as casinos, bingo, lotteries, totalizators, betting pools, gaming-machine keepers and bookmakers. Unfortunately, it neglects to mention specifically whether online gaming falls within its purview, which leaves us with Carnelley’s views as the only authority.
85 S 90(4) of the Magistrates Courts Act 32 of 1944, although the court (wrongly) mentioned s 89 in this context.
86 Point of sale.
87 Act 65 of 1996.
88 “Child porn: Heavy clown” www.news24.com/News24 ( ISN 2003).
89 “Porn to be 3G ‘killer app’” www.itweb.co.za/sections (accessed 7 February 2005).
90 Case no. 041/3019/05, September 2007.
91 Act 65 of 1996.
92 Mbkwanasi “Online gambling could cost punters Ridin” www.iol.co.za/general/news (accessed 30 November 2006).
93 Act 33 of 1996.
94 “The validity of provincial regulation of gambling on the Internet” 2000 Obiter 358.
95 Act 4 of 1995 (G).
4.4.1.6 Trespassing

There was some doubt whether the traditional crime of trespassing could cover hacking into a computer. One of the first South African hackers to gain notoriety hacked into Unisa’s network, but instead of trying to charge him with trespassing Unisa turned the incident to its marketing advantage by claiming airtime to advertise its student services on a television programme M-Net aired on Koki's exploits.

Since the ECT Act came into force, the accused in a number of regional-court cases have been successfully prosecuted for illegal access to data in terms of section 86(1) of the Act. In some instances this charge was combined with a contravention of section 86(2), in that the accused had also interfered with the data, and of section 86(5), in that the action of the accused in addition amounted to a denial-of-service attack.

4.4.2 South African legislation: The Electronic Communications and Transactions Act

4.4.2.1 Preparatory work

Dedicated ICT legislation dealing with computer crime has been slow to appear. The first piece of legislation to address this area is the Electronic Communications and Transactions Act. This Act was preceded by a fair amount of research by the South African Law Commission (SALC), some of which served as a basis for the Act. Strangely, a “Green Paper on E-Commerce” issued earlier by the Department of Communications did not address the question of cyber-crime at all.

The Law Commission had split its work into two incremental stages. The first was to investigate whether unauthorised access to computers and unauthorised modification of computer data and software applications could adequately be dealt with by the South African common law, and, if not, whether legislation in this regard was required. The Commission found that the extension of existing common-law crimes by the courts was unlikely and that legislation was required.

The second stage looked at the desirability of introducing specially tailored procedural provisions to enhance the investigation and prosecution of the crimes investigated during the first stage. The Commission found in this regard that Chapter 2 of the Criminal Procedure Act would probably not apply to computer searches or the seizure of information (or data) contained in computer equipment. The Commission also issued a warning about potential jurisdictional problems arising from the international nature of computer crime.

Both the Green Paper and the report of the Law Commission have been overtaken by the Department of Communications’ promulgation of legislation, in the shape of the ECT Act, tackling these issues. The creation of new statutory crimes, such as hacking, is doubtless one of the Act’s greatest contributions. However, the Law Commission's second (procedural) stage has yet to be carried out.

This two-stage development process is echoed by the European Commission's Convention on Cybercrime which has also been split into “substantive” and “procedural” stages.

4.4.2.2 Criminal provisions of the Electronic Communications and Transactions Act

The criminal provisions in the ECT Act are, without doubt, the most important statutory countermeasures against cyber-crime in South Africa to date. These provisions are found in Chapter XIII of the ECT Act, entitled “Cyber Crime”, and comprise sections 85 to 89. Even though the chapter title sounds like another species of crime targeting computers in the “cyber” world, closer scrutiny of the statutory crimes themselves makes it quite clear that data are the real legal interest that stands to be protected.

The first important section of the ECT Act in this regard is section 86(1), which criminalises any unauthorised “access to or interception of data”. Significantly it adds a new prohibited action namely “interception of” to “unlawful access” and “modification”, which the SALC had thought to prohibit in connection with data, and leaves out the last term. Presumably “interference with” (see the next paragraph) supersedes the original “modification” posited by the SALC. As the former term is wider and can readily be interpreted as subsuming the latter, this is probably an improvement.

Section 86(2) specifically prohibits any unlawful modification of data by outlawing “interference with data” that would cause such data to be “modified, destroyed or erased or otherwise rendered ineffective”. This section should be able to cover the creation and distribution of computer “virus” programs, provided that, together with the other elements of a crime, the necessary causal link and mens rea can be proved. The last element will probably on many occasions take the form of dolus eventualis, with dolus generalis. This type of recklessness is closer to intent
96 Krick Steenkamp, also known as “Koki”. See Jurgens “Teenager’s sneaky antics set him up for exciting career” Sunday Times 14 January 1996.
97 The Electronic Communications and Transactions Act 25 of 2002.
98 See, for instance, S v Mombikayiss Duma (SCCC 181/2004) and S v Van der Merwe Engelbrechi, EASY. PAYROLL. and Lambrecht (SCCC 111/05).
99 S v Siegfried Ernst Sakmann (SCCC 280/04).
100 Act 25 of 2002.
101 SALC “Computer-related Crime” et .
102 In-house publi of the Depar 2000.
103 Generally known as “hacking”.
104 For instance, by means of virus programs.
105 Act 51 of 1977.
106 Author's own interpolation.

107 Budapest (November 2001) http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (accessed 9 August 2007). South Africa has signed the treaty but not yet ratified it. This treaty will be further explored in para. 4.6.3.5 below.
108 Act 25 of 2002.
109 See the argument in para. 4.1 above, indicating that data are the real target of most ICT criminals and not the computer containing such data.
110 See para. 4.2.1 above. “Modification” of data is now dealt with under s 86(2) of Act 25 of 2002.
111 See Van der Merwe “Information technology crime — a new paradigm is needed” 2007 THRHR 308 for a description of virus programs and other novel ways of committing computer crime, such as “worms”, “bots” and “rootkits”.
112 “I foresee a reasonable possibility that my program will interfere with someone else's data, and simply do not care.”
113 “I foresee a reasonable possibility that my program will interfere with someone else's data, and I simply do not care whose data it is.”

(dolus) than to negligence (culpa). This is important in view of the fact that subsections (1) and (2) of section 86 specifically require that the prohibited actions be committed intentionally.

The criminalisation of virus programs (or, rather, of the conduct of their creators and distributors, to be technically correct) has not come a moment too soon for South Africa. The technical programs of MWEB, the South African Internet service provider, “caught” 120471 viruses in October 2003 before they could infect users’ mailboxes. Anti-virus vendors are of the view that, given the increasing number and sophistication of mobile viruses and smart phones in South Africa, it is only a matter of time before virus programs become a significant problem for the cellular-telecommunications industry. Their views are supported by a senior manager of IT security and strategy at Standard Bank.

Subsections (3) and (4) of section 86 of the Act deal with the tools used in carrying on some of the activities, such as access, interference and so on, discussed in the present paragraph. The dealing in or use of such devices is criminally prohibited. Section 86(5) specifically prohibits so-called “denial of service” attacks. This means that anyone who performs electronic actions that slow down or stop a lawful user's access to IT services commits an offence.

Section 87 of the Act creates statutory and data-related versions of the common-law crimes of extortion, fraud and forgery. This raises the question already set out above, namely whether these types of activity might not already be adequately covered by existing common-law crimes. It is difficult to gauge exactly what success the criminal provisions of the Act have had at the time of writing, because there are as yet no reported cases in which these provisions have been judicially interpreted.

4.4.2.3 An evaluation of the criminal provisions of the Electronic Communications and Transactions Act

Academic opinion, at least on the criminal law aspects of the ECT Act, is not very copious. Collier, for example, simply repeats the substantive provisions of Chapter XIII verbatim before criticising some of the procedural provisions.

Maat is complimentary about the fact that the Act deals with the currency of “data” instead of using the terms “computer” or “computer system”: “This is advantageous since the scope of the Act is not limited to a computer, especially in the light of the revolution in information technology”.

The term “data” is defined by the ECT Act as the “electronic representations of information in any form”. This seems to be in keeping with the distinction between data and information set out at the beginning of this chapter.

Maat treats the main crimes created by the ECT Act in three groups: unauthorised access to data, and unauthorised interception of data, in terms of section 86(1) of the Act, and unauthorised modification of data in terms of section 86(2). As far as interception is concerned, she explores the possibility of including “packet sniffing” under the umbrella of “interception”. “Packet sniffing” is described in the first edition of Cyberlaw@SA as follows:

When information is sent over the Internet, the message is broken up into smaller parts, called data packets. These packets are then sent to the recipient one by one over the Internet, and the recipient's computer places the packets in the correct order and combines them again into one message for it to be read by the recipient. When these packets travel over the Internet, they can be easily intercepted, a copy of the original packet can be made, and the original packet can again be sent on its way. This is known as “packet sniffing”.

Buys argues that this interception procedure is best classified under the term “monitoring”, rather than “interception”, because the message still reaches its intended recipient, even though it might be slightly “second-hand”.

Watney comes to exactly the opposite conclusion, in favour of “interception”, indicating the dire need in South African law for authoritative, binding case-law interpreting this type of ambiguous clause.

Maat also covers denial-of-service attacks in terms of section 86(5) of the Act, as well as the possession of certain types of access devices (in terms of section 86(3)) and their prohibited use (prohibited in terms of section 86(4)).

Rather indirectly the ECT Act also criminalises a few other undesirable actions on the Internet. The first of these is “spam”, a four-letter word signifying a surfeit of unwanted electronic communications transmitted either by means of the Internet or by means of the cellular network. After receiving some kind of service, one is often asked to complete an “evaluation form”, a request often accompanied by the promise of some vague and nebulous reward. One of the fields in such a “form” is for one’s e-mail address or cellphone number. Disclosing these details opens one to receiving targeted advertising ad infinitum, which rapidly becomes a nuisance or “spam”.

In the same category is “adware”, which brings advertisements to one’s computer after one has clicked on a link in an Internet browser window. Although many of these advertisements enable one to turn them off, some do not — which transforms the “adware” to spam.
114 Kanctee reer eh PERE hea peg emiceesing Siri pyran‘ winesseiehceey cay beese (accessed 11 November 2003).
115 Pieterse “Mass cellular viruses imminent” www.itweb.co.za/sections (accessed 17 July 2006).
116 Ibid.
117 See para. 4.2 above for academic opinion on this point.
118 8 August 2007.
119 “Criminal law and the Internet” 319 ff.
120 This topic is dealt with in para. 4.5 below.
121 “Cyber Crime: A Comparative Law Analysis” (LLM thesis, Unisa, 2004) 58.
122 S 1 of Act 25 of 2002.
123 See the distinctions made by Twine in para. 4.1 above.

124 “Cyber Crime: A Comparative Law Analysis” (LLM thesis, Unisa, 2004) 5¢ ff.
125 131.
126 19.
127 Gordon “Internet criminal law” 429-430.
128 Watney “Die strafregtelike en prosedurele middele ter bekamping van kubermisdaad (deel 1)” 2003 TSAR GS.
129 “Cyber Crime: A Comparative Law Analysis” (LLM thesis, Unisa, 2004) 125 ff.
130 Ibid. 143 ff.
131 Ibid. 145 ff.
132 The next few paragraphs are taken from Van der Merwe “Information technology crime — a new paradigm is needed” 2007 THRHR 309.
133 “Spam” is defined in Webster's New World Dictionary of Computer Terms 08) as “Unsolicited advertising in a Usenet user group or email. The term is apparently derived from a Monty Python skit”.

Spam on mobile phones has also become an increasing nuisance, but the Wireless Applications Service Provider Association (the WASPA) has now issued regulations to put a countermeasure in place. If a user of a mobile service replies to an unwanted spam message with the word “STOP”, the mobile-service provider will see to it that that user receives no more messages from the service provider who had been ordered to stop.

The ECT Act deals with spam in section 45, which imposes certain duties on anyone who sends a consumer “unsolicited goods, services or communications”. The sender has to provide the consumer with the option of cancelling his or her subscription to the mailing list and also with particulars of how the sender obtained the consumer's personal information. Section 45(3) criminalises non-compliance with these two requirements, and section 45(4) criminalises the sending of unsolicited communications to a person after the latter has notified the sender that such communications are not welcome.

These provisions look good in theory and will probably work reasonably well on South African spammers, but most of the junk mail and spam come from overseas destinations and from sources that do not respond to any attempted e-mail communications. Geissler recommends specific spam legislation based on the Australian Act. She recommends that spam be defined as “unsolicited, bulk e-mail” and that the definition not be limited to “unsolicited, bulk, commercial e-mail”. Other useful principles to be incorporated into such legislation include an “opt-in” rather than an “opt-out” approach (the ECT Act presently subscribes to the latter); proper consent; accurate sender information; a functional “unsubscribe” facility; immediate self-identification by such messages as “unsolicited”; a prohibition of tools designed to transmit spam; and a prohibition of the practice of the sender's registering multiple e-mail addresses for the purposes of unsolicited bulk e-mail.

As to the penalty provisions of the ECT Act, when compared with those of similar Acts, such as the RIC Act, maximum periods of imprisonment of one year for most of the crimes prohibited by section 86 of the ECT Act seem woefully inadequate.

Mention has already been made of a new Bill proposed by the Department of Justice. Besides proposing a number of new offences, it is suggested that the penalty provisions be made much higher. The same applies to a previous Bill from the Department of Communications. If either of these Bills were to be adopted, it would remove one of the strongest objections to the present operation of the ECT Act.

4.4.3 South African legislation: The Regulation of Interception of Communications and Provision of Communication-Related Information Act

4.4.3.1 Criminal provisions of the RIC Act

The RIC Act contains a number of criminal provisions, perhaps partly because of the extensive regulatory powers regarding the transmission and interception of data it both bestows and controls. Thus, certain actions are criminalised in connection with the interception of communications by persons who exceed their right to monitor indirect communications, by law-enforcement officials who exceed their monitoring rights, or by persons who misuse a decryption key issued to them.

A more controversial provision criminalises the lack of proper statutory record-keeping of anyone who “sells, or in any other manner provides” any cellphone or SIM card to any other person. This record-keeping is quite onerous and includes obtaining and preserving the buyer’s full names, identity number, “residential and business or postal address, whichever is applicable”, as well as a certified copy of the buyer's identification document “on which his or her photo, full names and identity number, whichever is applicable, appear”. It is hard to imagine that a casual seller of a second-hand cellphone or a family member passing on an unwanted phone is likely to welcome such exacting requirements. The purpose of these requirements is ly to enable the relevant authorities to trace the owner of a phone which has been involved in any criminal activity.

Another provision makes the manufacturing, assembling, possessing, selling, purchasing or advertising of any “listed equipment” a criminal offence. “Listed equipment” is defined as “any electronic, electro-magnetic, acoustic, mechanical or other instrument, device or equipment, the design of which renders it primarily useful for purposes of the interception of communications”. This definition has been expanded upon by a schedule of “instruments, devices and equipment” which will now be held to amount to listed equipment “under conditions or circumstances specified in Column 2 of the Schedule”. The instruments listed in the schedule

134 See iWerk 9 August 2007, 4.
135 S 45(1).
136 S 45(2).
137 “Bulk Unsolicited Electronic Messages in South Africa” (LLD thesis, Unisa, 2005).
138 Act 129 of 2003.
139 875. One wonders whether “electronic communication” or “data message” might not have a wider er ei a teats “email”.
140 The Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002. See s 51(1)(b)(i) of the RIC Act which provides for imprisonment of up to 10 years. See also para. 4.4.5 below.
141 See s 89(1) of the ECT Act 25 of 2002. Only the crimes prohibited in s 86(4) and (5) (covering such matters as denial-of-service attacks) and those prohibited in s 87 (extortion, fraud and forgery) may attract imprisonment of up to five years.
142 See 4.3.2 above.

143 GN 35821 in Government Gazette of 26/10/2012.
144 Act 70 of 2002 (the RIC Act).
145 See para. 2.6.4.1 of Chapter 2 above.
146 S 51 read with s 6(2) of the RIC Act.
147 S 51 read with ss 7(4) and 8(4).
148 S 51 read with s 29(8).
149 S 51 read with s 40.
150 S 40(1).
151 S 51 read with s 45.
152 In s 44.
153 By GN R1263 of 29 December 2005 which introduced a schedule of listed regarding the definition.
154 A description of these instruments is found in column 1 of the Schedule.
include keystroke recorders, retrieval software, telephone wiretaps, microphones and other forms of electronic transmitters, cellular-phone intercepting devices, cameras and “Any instrument, device or equipment which is capable of being used to determine or monitor the geographical location of a person, vehicle or object”.

The breadth of this provision is disturbingly wide, especially when read with the definition of “interception” as

the aural or other acquisition of the contents of any communication through the use of any means, including an interception device, so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication.

In the days of the old local “plaaslyn” Aunt Malie’s “listening in” to the local gossip would now be considered criminal. It is yet to be determined whether the activities of amateur radio operators are affected by the breadth of the present criminal provisions. Even though these operators make use of “call signs” they do so to identify themselves to the community of other radio hams (who might happen to be on the air) rather than to limit return access to them.

Fortunately, the “conditions and circumstances specified in Column 2 of the Schedule” provide some relief. Equipment furnished “in the ordinary course of his or her business” by a telecommunications service provider to a customer, or used by a telecommunications service provider “in the ordinary course of his or her business”, is not put to unlawful use.

The above paragraphs contained a summary of possible crimes that may be committed in terms of section 51(1) of the RIC Act by “any person”. The same provision also lists crimes which may be committed by postal service providers or their employees, telecommunications service providers or their employees, or by “decryption key holders” or their employees.

“Decryption key” is defined as

any key, mathematical formula, code, password, algorithm, or any other data which is used to —
(a) allow access to encrypted information; or
(b) facilitate the putting of encrypted information into an intelligible form.

Fortunately, it seems that simply using a password in order to access one’s cellphone or computer does not necessarily put one in possession of a “decryption key” in that the latter is often used specifically for gaining access to encrypted information (often belonging to someone else), whereas a password usually gives one access to one’s own instrument or information.

Mention has already been made of the more onerous criminal provisions of the RIC Act when compared with those of the ECT Act. The criminal provisions of the RIC Act are contained in section 51 and make provision for “fines not exceeding R2 000 000 or imprisonment not exceeding 10 years”, to cite one example. In the case of juristic persons, these fines may be increased to a maximum of R5 000 000.

4.4.4 South African legislation: The Electronic Communications Act

4.4.4.1 Criminal provisions of the Electronic Communications Act

One hopes that the title of this Act, which is confusingly similar to that of the Electronic Communications and Transactions Act, will not confuse too many industry outsiders. In the opinion of the authors, the previous title (the Convergence Bill) did a much better job, both in describing the true nature of the Act and in differentiating it from similar-sounding Acts. Perhaps the fact that the Electronic Communications Act repeals the old Telecommunications Act made the legislature feel it had to emphasise the “communications” aspect of the new Act. On the other hand, the new Act also repeals a great part of the old Broadcasting Act, which repeal emphasises the aspect of convergence.

The substantive criminal provisions of the EC Act are not very exciting. The actions proscribed consist mainly of not complying with licensing conditions contained in the suspect’s licence.

It is worth noting that the EC Act not only repeals important legislation, such as the Telecommunications Act and the Independent Broadcasting Authority Act, but also amends a number of definitions in the Sentech Act and the RIC Act.

Because the EC Act does not really contain any provisions related to criminal procedure, it does not feature under the next heading.

4.5 South African case-law and legislation regarding the proper procedure for investigating computer crime

4.5.1 South African case-law and common law on criminal procedure

Very few cases have been reported on the procedural aspects relating to the investigation of and forensic testimony regarding computer crime. One such case is that of

155 This includes, of course, a geographical positioning system (GPS), as was allegedly used by some of the accused in the Boeremag trial: S v Du Toit and Others (unreported TPD case no. OC91/2003).
156 In s 1.
157 A telephone connection between geographically adjacent farms by means of which it was possible to “listen in” to the conversations of one's neighbour, even though each farm had its unique combination of short and long ringtones.
158 The so-called “radio hams”. 164 See para. 4.4.2.3 above.
159 As published in CN R1263 of 29 December 2005. 165 S$51(1)(6)4).
160 $51{2). 166 See, for instance, x 1 (2) (6) (i) (66) and 51(3) (6) (i) (48)-
161 S51(3). 167 Act 36 of 2005 (the EC Act).
162 Ss5i(4). 168 Act 2% of 2002.
163 Inst. 169 Act 103
of 1996.
170 Act 4 of 1999.
171 In terms of s 74(1) and (2) of the EC Act.
172_ Act 158 of 1993.
S v Ndiki in which the court was confronted with the question whether the evidential provisions of the ECT Act could be classified as “procedural”, in which case the presumption against the retrospective operation of statutes might not apply. Justice Van Zyl found that whether an enactment is a procedural matter depends on its terms read in context. It might meet this test “not only if it deals with a new procedure to be followed, but also with new rules regarding to proof.” In view of the fact that Van Zyl J later dealt with computer-based evidence as real evidence, it was not necessary for him to decide this point.

Similarly, there is no common-law position with regard to the South African law of criminal procedure or civil procedure as far as ICT matters are concerned. Had there been, the “mother” system would have been the English law, as is the case with the South African law of evidence. Ironically, what has happened to substantive law in many European countries has also happened to South African procedural law — the whole area of law has been fairly comprehensively codified. These “codifying” pieces of legislation are explored under the following heading.

4.5.2 South African legislation

4.5.2.1 Procedural provisions of the ECT Act

The ECT Act blows both hot and cold as far as its procedural provisions are concerned. What could possibly be wrong with prescribing precisely which criteria have to be followed for an authentication product to be accredited and then shifting the onus onto the person who wishes to query the authenticity of an advanced electronic signature that followed those criteria precisely? The answer to this question immediately below indicates one of the main weaknesses of the procedural provisions of the ECT Act and also indicates why this Act has not yet played a greater role in South African e-commerce in general and in the prosecution of cybercriminals in particular.

Vital for the crime-combating provisions of the ECT Act is a body of persons known as “cyber inspectors”. These inspectors have the power to monitor and inspect websites and report “any unlawful activity to the appropriate authority”. They also monitor and investigate the activities of cryptography service providers, authentication service providers and critical database administrators.

That the combating of cyber-crime is one of the purposes for which cyber inspectors were created is clear from the ECT Act itself when it says that “Any statutory body, including the South African Police Service, with powers of inspection or search and seizure in terms of any law may apply for assistance from a cyber inspector to assist it in an investigation”. The Act also provides that a cyber inspector may request a warrant to enter premises and access an information system that has a bearing on an investigation and to carry out the necessary searches authorised by the ECT Act. The Act gives cyber inspectors wide-ranging powers including the right to search premises, information systems and persons. Inspectors may also take extracts from or make copies of any book, document or record found on the premises that might have a bearing on the investigation. They are also given the power to access or inspect a computer or other equipment forming part of an information system and may also use such apparatus to search any data forming part of the information system.

One of the more controversial sub-clauses empowers the cyber inspector to

require the person by whom or on whose behalf the cyber inspector has reasonable cause to suspect the computer or information system is or has been used, or require any person in control of, or otherwise involved with the operation of the computer or information system to provide him or her with such reasonable technical or other assistance as he or she may require for the purposes of this Chapter . . .

This clause is obviously aimed at a situation in which a computer or information system is password-protected and the cyber inspector cannot gain access without the suspect's co-operation. If the suspect does not co-operate, or falsely claims to have “forgotten” her or his password, the inspector may invoke section 82(2) which states that any person who “refuses to co-operate” with or “hinders” the person conducting the search commits an offence. This gives the Act much-needed “teeth” to help enforce digital searches and seizures.

To sum up, even though the ECT Act promised a new development in the specialised investigation of cyber-crime by creating cyber inspectors, to date not much has come of this, because no cyber inspectors have been appointed yet. The reason seems to be that no government department has been willing to assume responsibility for this body of people. The ECT Act does, however, define a number of new concepts that may be indirectly relevant to searches and seizures in terms of other legislation. These concepts are explored under the following headings.

4.5.2.2 Procedural provisions of the Criminal Procedure Act (as it relates to ICT crime)

General search-and-seizure warrants are usually obtained in terms of sections 20 and 21 of the Criminal Procedure Act. It is interesting to note that section 82(3) of the ECT Act incorporates the relevant clauses of the Criminal Procedure Act by reference, with the provision for necessary changes to keep the two Acts compatible.

[2007] 2 All SA 185 (Ck).
Act 25 of 2002.
Se Niki [2007] 2 All SA 185 (Ck) 187 para [3].
For his findings om the purely evidential aspects, see Chapter5 below.
The Electronic Communications and Transactions Act 25 of 2002. 187 S$81(2).
As has been done in ss 37 and 38 of the Act. 188 S83.
181 As has been done in s 13(4). 189 S82 spells out these powers.
Provided for in Chapeer XH of the ECT Act. 190 Note again the importance of the new universal currency — data!
S81(1)(a)- 19) SR2(1)( A).
S81(1)(6). 192 Act 51 of 1977.
S81(1)}(o-. 193 Discussed
in para. 4.5.2.1 above.
S8I(1INd. 194 $82(3) of the Electronic Communications and Transactions Act 2% of 2002.
The two Acts are therefore designed to be used in conjunction with each other. Section 23 of the Criminal Procedure Act provides that one may search an arrested person for, and seize, suspicious articles, while section 24 of the same Act contains corresponding provisions regarding premises.

In general, section 20 of the Criminal Procedure Act is used when searches are carried out by the police. The main question is whether this also applies when computers and information systems are the objects of investigation. Even though this section does not specifically authorise a search for a particular article, it lists the articles that may be seized when a search in terms of another empowering provision is carried out. Indeed, section 20 uses very wide terms, including “anything”, which should thus include computers, data and information systems. This is also the view of Nieman, Watney and Lucouw. The latter also finds support in the argument that the intangible (data, for example) is usually contained in a tangible object (such as a computer).

On the other hand, research carried out by the South African Law Commission was less optimistic about the possibility that such a wide interpretation would solve the problem of intangibles. In its discussion paper the Commission argued that it was necessary for the definition to ensure by means of specific legislation that information and IT equipment are unequivocally included within the purview of any new legislation.

Section 7(1) of the suggested Computer Misuse Bill includes a specific provision permitting the State to seize “any computer system or take any samples or copies of applications or data”. Section 1 of the Bill defines “computer system” as

an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, one or more which is capable of containing data, or performing a logical, arithmetical, or any other function in relation to data.

One does not have to rely on an interpretation of the breadth of “anything” in section 20 of the Criminal Procedure Act to determine the powers of the non-existent cyber inspectors to search. Section 82(4) of the ECT Act, dealing with these inspectors’ right to inspect, search and seize, states as follows: “For purposes of this Act, any reference in the Criminal Procedure Act, 1977, to ‘premises’ and ‘article’ includes an information system as well as data messages”.

Applying the old Roman-law principle inclusio unius est exclusio alterius one could argue that, because the ECT Act had to legislate this point specifically in section 82(3), much doubt exists about the precise meaning of the term “anything” in section 20 of the Criminal Procedure Act. See in this regard Nieman’s thesis which makes precisely the point that the above-mentioned clause in the ECT Act militates against too wide an interpretation of “anything” in the Criminal Procedure Act.

The ECT Act does not try to define the tangible receptacle of data in the shape of a “computer system”, but focuses — correctly, it is submitted — on the more general concept of an “information system” which is defined as “a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the Internet”. The advantage of this more general definition is that it places the emphasis on data, where it belongs because of the importance of this commodity.

“Data” are defined in the Bill leading up to the ECT Act as “any representation of information, knowledge, facts or concepts capable of being processed in a computer system” and include a representation held in any removable storage medium which was in the computer system for the time being when the system was searched. It is interesting to compare this definition with the definition of “data” in section 1 of the ECT Act — “electronic representations of information in any form” — which relies on the undefined concept of “information”. Provided that “information” is given a wide definition, the latter definition of “data” is more economical in that one does not have to speculate upon the philosophical distinctions between “information” and “knowledge” or try to enumerate the various receptacles in which data may be stored!

With reference to the seizure and preservation of data in terms of the Criminal Procedure Act, it is usually better for investigators to make extracts or copies of relevant data and to conduct forensic investigations on the basis of those extracts rather than carry off a suspect’s computers and quarantine them for months, or even years, until the case is finished. For investigative purposes it usually suffices to make three copies of the relevant data:

Three copies are usually made — one to be sealed and . . . kept in a secure environment until the court date. Another is used by the prosecution to do tests on and to scour for relevant evidence. The third is returned to the […] so that he or she may prepare the defence case. This gives the prosecution a ‘time slice’ to work with. However, this procedure would also make it impossible to prove offences which have been happening over time, unless several ‘time slices’ are taken.

It is also important for the prosecution to indicate a “trail of evidence” to show the court that the article has not been interfered with between the time of the article's seizure and that of its presentation in court. In the case of data this is only possible if such data are encrypted immediately after being seized and only decrypted immediately before being used as evidence before court. Establishing the “trail” in respect of data involves expert evidence from a person skilled in cryptography to set the court's mind at rest on this score.

The encryption procedure involves the so-called cryptography “hash function” which converts the digital data into a fixed-length hash value. The MD5 or SHA-1 hash

195 “Search and Seizure, Production and Preservation of Electronic Evidence” (LLD thesis, North West University, 2006) 203 ff.
196 ee nS oprah: raids ter bekamping van kabermisdaad (deel 1)” 2008 TSAR 65.67.
197 “International accounting standards and electronic commerce” 178-179.
198 related Crime” Discussion Paper 99, Project 108, July 2001, 66-68.
199 Proposed by the South African Law Commission in the above-mentioned Discussion Paper 99-
wo SI of the Electronic: Communications and Transactions Act 25 of 2002.

Act 51 of 1977.
2 At the time of writing (August 2007). Also in s 1.
202 “Inclusion of the one amounts to the exclusion of the other.” Act 25 of 2002.
23 “Search and Seizure, Production and Preservation of Electronic Evidence” (LLD thesis, North- See Twine’s distinctions
in para. 4.1 abowe.
West University, 2006) 520- Van der Merwe “Law and electronic commerce” 112-115.
functions are often used; both are fairly secure because their key lengths are 128 bits and 160 bits respectively.

This was the procedure followed by the police and their expert witness testified on this point. Under cross-examination, however, the expert admitted that the MD5 hash function, in its present form, is not infallible. This is because, as Bert den Boer and Anton Bosselaers (1994) and Hans Dobbertin (1996) indicate, the MD5 algorithm under certain (admittedly exceptional) conditions can provide identical hashes for two different messages. This means that the algorithm cannot always guarantee authenticity of the document or message it relates to. In 2004 Xiaoyun Wang et al. provided an example of MD5 “collisions” under certain circumstances. This seems to indicate that cryptography experts should make use of both the MD5 and SHA-1 cryptography functions to prove the integrity of the data beyond reasonable doubt. Unfortunately, at the time of writing the Boeremag case had not yet been finalised, but readers are urged to look out for the court's findings on this point.

If the above standards are not adhered to, the prosecution might find itself falling foul of the provisions of the Criminal Procedure Act that require adequate safekeeping of exhibits until the case can be brought before the court and the safe transfer of the exhibits to the clerk of the court where the criminal proceedings are about to be instituted.

The new Bills proposed by the Department of Communications and the Department of Justice do present a more up-to-date approach to criminal procedure as far as IT-investigations are concerned. Despite some concerns with other parts of the Bills, the recommended changes in procedure cannot come soon enough.

4.5.2.3 Procedural provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act (as it relates to ICT crime)

As its title indicates, the most important procedural provisions of the RIC Act turn on the interception of communications (which are basically data in transit) and the obtaining of real-time or archived communication-related information (which is basically information on how well the data travelled while they were in transit). Part 1 of Chapter 2 of the Act deals mainly with the legal interception of communications. Part 2 of Chapter 2 deals with the prohibition of the provision of certain information. Chapters 3 and 4 of the Act deal with applications for and the issuing and execution of directions and entry warrants.

The basic (and also the best) way to intercept communications legally is to obtain an interception direction beforehand, after which such interception will be authorised. However, the parties to a communication may also intercept the communication. A party to a communication who is not a law-enforcement officer may intercept the communication — provided that the interception is not for the purpose of committing an offence. A law-enforcement officer who is party to a communication may intercept such communication — on the grounds described in section 16(5)(a).

Communications may also be intercepted with the consent of a party to the communication. Again, a distinction is made on the basis of whether the intercepting (third) party is a law-enforcement officer or not. If he or she is not, the same qualification as that in the previous paragraph applies, namely that the interception is not for the purpose of committing an offence. A law-enforcement officer may only intercept as a third party if one of the parties gave prior written consent to such interception, or, again, on the grounds described in section 16(5)(a), provided that certain other technical requirements are also met.

An interesting variation on the above is constituted by the interception of indirect communications in connection with the carrying on of a business. In this regard, the “system controller” has to exercise his or her discretion for record-keeping purposes. But first let us consider the terminology used by the legislature.

A “system controller” is defined fairly widely with reference to private bodies, national and provincial governments, municipalities and any other public bodies. The main purpose of the definition seems to be to indicate some person in authority who can take responsibility when anything goes wrong.

An “indirect communication” is defined as

the transfer of information, including a message or any part of a message, whether
(a) in the form of -
(i) speech, music or other sounds;
(ii) data;
(iii) text;
(iv) visual images, whether animated or not;
(v) signals; or
(vi) radio frequency spectrum; or
(b) in any other form or combination of forms,
that is transmitted in whole or in part by means of a postal service or telecommunications system.
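The MD5/SHA-1 integrity check and the “trail of evidence” discussed earlier under the Criminal Procedure Act heading can be illustrated as follows. This is an added example, not code from the book or from any investigation it mentions: each copy of a seized image is checked against digests recorded at seizure, and custody events are hash-chained so that a later edit to the trail is detectable. SHA-256, the function names, the timestamps and the sample image bytes are assumptions introduced here.

```python
import hashlib
import io
import json

# MD5 and SHA-1 are the functions named in the text; SHA-256 is an addition.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 64 * 1024


def digest_stream(stream, algorithms=ALGORITHMS):
    """Read the stream once and return (size, {algorithm: hex digest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def seal(label, stream, acquired_at):
    """Manifest recorded at seizure: one 'time slice' of the data."""
    size, digests = digest_stream(stream)
    return {"label": label, "acquired_at": acquired_at,
            "size": size, "digests": digests}


def verify_copy(manifest, stream):
    """Return the checks this copy fails; an empty list means bit-for-bit identical."""
    size, digests = digest_stream(stream, tuple(manifest["digests"]))
    failed = [] if size == manifest["size"] else ["size"]
    failed += [a for a, d in manifest["digests"].items() if digests[a] != d]
    return failed


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_custody(log, when, actor, action, manifest):
    """Append a custody event bound to the previous entry and to the evidence digests."""
    entry = {
        "when": when, "actor": actor, "action": action,
        "evidence": manifest["digests"],
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def first_broken_entry(log):
    """Index of the first entry whose hash or back-link is wrong, or None if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["entry_hash"] != _entry_hash(entry):
            return i
        prev = entry["entry_hash"]
    return None


def demo():
    # Constructed stand-in for a seized disk image.
    image = b"MBR" + bytes(range(256)) * 512
    manifest = seal("exhibit-A (constructed)", io.BytesIO(image),
                    "2007-08-01T09:00:00Z")

    # The three copies described in the text: sealed, prosecution, defence.
    copies = {"sealed": image, "prosecution": image, "defence": image}
    results = {name: verify_copy(manifest, io.BytesIO(data))
               for name, data in copies.items()}

    # A single flipped bit in a working copy fails every digest.
    tampered = bytearray(image)
    tampered[1000] ^= 0x01
    results["tampered"] = verify_copy(manifest, io.BytesIO(bytes(tampered)))

    log = []
    append_custody(log, "2007-08-01T09:05:00Z", "investigator",
                   "seized and imaged", manifest)
    append_custody(log, "2007-08-01T11:30:00Z", "exhibit clerk",
                   "sealed copy stored", manifest)
    append_custody(log, "2007-08-02T08:00:00Z", "analyst",
                   "working copy issued", manifest)
    intact = first_broken_entry(log)

    log[1]["actor"] = "someone else"  # retroactive edit of the trail
    broken = first_broken_entry(log)
    return manifest, results, intact, broken


if __name__ == "__main__":
    manifest, results, intact, broken = demo()
    print(json.dumps(manifest, indent=2))
    print(results, intact, broken)
```

A copy is accepted only if it matches the manifest under every recorded function, which is the practical form of using more than one hash. Offences that unfold over time need one manifest per acquisition, corresponding to the several “time slices” the text mentions.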

209 These key lengths make it much more difficult to decipher encrypted messages than the previous
standard of 64 bits — sec Thompson “MD5 collisions and the impact on computer forensics” www.
accessdata.com (accessed 31 May 2006)- 216 In terms of s 3 of Act 70 of 2002
210 Thompson “MDS collisions and the impact on P ics” www. com 27 without the knowtedge of the other party (s 4(1))-
31 May 2006). 218 S$ 4(2).
2 Thad. 219 ‘These grounds mostly he cd crime and
212 S$ 30(3) of Act 51 of 1977. 20 Sst).
213 $33 of Act 51 of 1977. 221 $6.
at See 4.3.2 abowe. 222 Inst.
For the definition of a “telecommunications system” the reader is referred to the Telecommunications Act, which was repealed by the Electronic Communications Act. In terms of a schedule to the latter Act, all references to the Telecommunications Act should be read as references to the Electronic Communications Act. Unfortunately, that Act contains no definition of a “telecommunications system”, which leaves an uncomfortable legislative gap between the three Acts involved.

The RIC Act expressly permits interception to prevent serious bodily harm or to determine the location of a party to a communication in the case of an emergency. Interception is also permissible if it is authorised by other Acts.

Finally, the Act makes provision for the monitoring of signals for maintenance purposes or for the purpose of monitoring the radio-frequency spectrum.

Part 2 of Chapter 2 of the RIC Act prohibits the provision of either real-time or archived communication-related information except in terms of a “real-time or archived communication-related direction”. “Direction” is defined as “any interception direction, real-time communication-related direction, archived communication-related direction or decryption direction issued under this Act”.

If the customer of a telecommunication service provider gives the latter written […] for the provision of communication-related information, no problem […]. It is also interesting that the availability of corresponding procedures in terms of other legislation for getting hold of the desired information does not invalidate the present provision, with the very important […] that any real-time or archived communication-related information obtained in terms of alternative legislation “may not be obtained on an ongoing basis”. This seems to suggest that obtaining information on such a basis presents no problem in terms of the RIC Act.

Chapter 3 of the RIC Act deals with directions, (entry) warrants and “oral directions” or “oral entry warrants”. An “interception direction” may be obtained […] offence is in the offing or that the gathering of information is likely to have consequences for the national economic interests or the national security or the international relations or obligations of the Republic.

The RIC Act also provides for the issuing of a “real-time communication-related direction”. To distinguish this from an “interception direction”, one needs to look at the statutory definitions of these two types of direction. A “real-time communication-related direction” is “a direction . . . which authorises the interception at any place in the Republic, of any communication in the course of its occurrence or transmission” whereas an “interception direction” is “a direction . . . in terms of which a telecommunications service provider is directed to provide real-time communication-related information in respect of a customer, on an ongoing basis, as it becomes available”.

In addition to the various types of direction, the Act also provides for the application for, and issuing of, an entry warrant, which application may also be made, and granted, orally. The Act also provides details for the execution of directions and entry warrants, but discussion of these purely procedural aspects falls outside the scope of the present work.

Slightly more controversial than warrants and directions is the obligation imposed on telecommunication service providers to provide “a telecommunication service which has the capability to be intercepted”. Probably most controversial is the additional obligation on providers to store “communication-related information” for lengthy periods. Such periods are laid down as not less than three years and not more than five years from the date of transmission, but deserving operators who are obliged to store such information for more than three years may apply to the “Cabinet member responsible for communications” to have such period reduced, provided that it is not reduced to less than three years.

Obligations relating to cellphones are very similar. Before entering into any contract to provide a “mobile cellular telecommunication service”, a service provider has to obtain personal and contact details of the prospective client, as well as a photocopy of her or his identification document, and verify the personal details of the client with reference to the identification document. At the request of any applicant who has had a communications-related direction issued, the service provider

242 S 16(5)(a) (i), but see also s 16(5)(a)(v) concerning the “gathering of information” in this regard.
243 S-16(5)
(a) (ii).
244 S 16(5)(a) (ai).
245 S 16(5)(a) (iv).
246 S17 of the Act
27 Si.
248 Si (emphasis added).
249 Ins 22.
20 S23.
251 In Chapter
4 of the Act.
S is{2). 252 S30(1)(a).
Ss 17-21. 253 S WO(2){a)
{ii
S22. 24 S208).
Issued by a judge after bearing an oral application in terms of s 2(7) of the Ac. 255 All of this happens in terms of s 39.
Or postal service provider, which is not really relevant to the present work
S$ 16(2)(a).
‘2560 In terms of s 17 of the Act.
~ 94” Information and Communications Technology Law
Chapter 4: Criminal law 93

must “immediately comply with that request if the person specified in the request is a customer of the telecommunication service provider concerned”. These obligations are extended to customers who use prepaid services. What is even more concerning is that such obligations are extended not only to proper cellphone dealers but also to “any person who sold, or in any manner provided, a cellular phone or SIM-card to any other person”. This means that anyone who sells an unwanted cellphone to, say, a colleague at work or gives it away to a family member has to keep a full database containing all such transactions. The Act also imposes the same obligation on that colleague or family member, and one wonders whether the final owner of the cellphone would have to submit a full post-mortem report on the death of the phone so that official records are not thrown into confusion!

Readers may be wondering at this stage what the above discussion has to do with a chapter on criminal law. The answer is simply that the Act comprehensively criminalises disobedience of many of the obligations discussed here.

4.6 Comparative law regarding computer crime

4.6.1 The United States

The United States has not only been at the forefront of the development of computer technology, but also (probably as an inescapable corollary of that pre-eminence) suffered most at the hands of computer crime. In reaction, state legislatures have rushed to the scene with legislative guns blazing, although the federal legislature has been more cautious.

As has been pointed out by another foreign observer of the American computer crime scene, Colin Tapper, the development of ways of dealing with such crime has occurred in two stages. The first stage consisted of criminalising the “theft” of trade secrets. However, instead of trying to complete this difficult exercise (the success of which turns on difficult questions such as the proprietary nature of trade secrets, information and intellectual property), state legislatures chose to move on to a second, more inclusive, type of computer legislation.

An example of early state legislation of the second type is the Colorado Computer Crime Act of 1973. This Act has the following, very wide, definition of “property” capable of being stolen: “financial instruments, information, including electronically produced data, and computer software and programs in either machine- or human readable form, and any other tangible or intangible item of value”. This definition may be criticised on several grounds. Not only is it much too widely framed (“any ... item of value”), which goes against the legality principle of nullum crimen sine lege, but it also seems to mix both and electronic forms of data and to confuse the field of intellectual property with that of criminal law. It is interesting to learn that this legislation was the direct result of a Colorado court's holding that information in hospital records was not a thing of value and could not therefore be stolen.

In the mid-1980s two important statutes were passed by the US Congress to combat computer-related crime in which federal interests are involved: the Counterfeit Access Device and Computer Fraud and Abuse Act (the CFA Act) and the Electronic Communications Privacy Act (the ECP Act).

The latter Act was enacted to include the digital transmission of electronic data to broaden the government's powers to tap into private communications. Its provisions were thoroughly tested in the series of cases in the matter of the United States v Councilman. The defendant was vice-president of a company called Interloc Inc. which made its business from the online listing of rare and out-of-print books. The legal problem arose from Councilman’s directing Interloc employees to intercept e-mail traffic directed to Amazon.com, the well-known Internet book finder and retailer. It was alleged by the prosecution that the purpose of these interceptions was to develop a list of the most wanted books, gain strategic commercial information about possible competitors and thus obtain a strategic advantage. Councilman replied that his firm’s actions did not fall within the prohibition on the interception of “electronic communications”, because the e-mail messages were, in fact, in “electronic storage”.

It took the American judges a while to make up their minds on the merits of the case. The district court decided that Councilman was right. The First Circuit Court of Appeals upheld the district court's decision, although the three-judge panel was divided. After the case was reopened by means of a special court application, it was only at the level of the full court that the a quo decisions were reversed by a five-to-two majority and the indictment found to be good after all. The full court motivated its decision as follows:

    Although the text of the statute does not specify whether the term “electronic communication” includes communications in electronic storage, the legislative history of the ECPA indicates that Congress intended the term to be defined broadly. Furthermore that history indicated that Congress did not intend, by including electronic storage within the definition of wire communications, to thereby exclude electronic storage from the definition of electronic communications.

In South Africa the ECT Act’s definition of “data message” would have solved this problem rather neatly in that “a stored record” is part of it. On the other hand American courts make a much more watertight division between data stored and data travelling. The Councilman case illustrates graphically the value of information and the lengths to which people will go to get hold of it.

Act 70 of 2002 s 39(4).
By s 40.
S 40(3).
In s 51.
Tapper Computer Law 4 ed 301.
Tit. 18, art. 5.5, Colorado Revised Statutes 1973.
“No crime without a (preceding) law,” referring to a law which has been properly formulated.
In that it mentions software and programs as property capable of being stolen.
Thus binding all States.
18 USC § 1030 (1984).
18 USC §§ 2510-2711 (1986).
18 USC § 2511(1)(a).
The latter term is dealt with in 18 USC § 2510(17).
245 F Supp. 2d 319 (D Mass 2003).
973 F 3d 197 (1st Cir 2004).
385 F 3d 793 (1st Cir 2005).
US v Councilman Court of Appeals No. 13-1083, (majority) decision delivered on 11 August 2005.
S 1 of Act 25 of 2002.

Turning to the CFA Act, this Act has had two incarnations, namely that of 1984 and the amended form of 1986. The only prosecution in terms of the 1984 version that the present author was able to find was that of the Los Angeles hacker Philip Gonzales Fadriquela, who used his home computer to break into the computers of the Department of Agriculture. A plea bargain reduced the original charges to a simple “misdemeanor”, which gave rise to a sentence of three years’ probation, a fine of $3 000, and 200 hours of community work. The 1986 Act added three new offences:

    (a) theft of property by the use of a computer as part of a scheme to defraud;
    (b) a “malicious damage” felony which dis es ill to a federal interest computer and altering or damaging or destroying information on it;
    (c) preventing the authorised use of a computer.

The crime specified in paragraph (b) would obviously encompass illegal “hacking” and the deleterious effects a virus program might have on federal information. The crime specified in paragraph (c) includes crimes similar to those created by section 86(5) of the South African ECT Act (denial-of-service attacks).

There have been a number of successful prosecutions in terms of the CFA Act. In United States v Czubinski the accused, an employee of the United States Internal Revenue Service, accessed the private files of some of his colleagues, apparently out of sheer curiosity. The circuit court of appeal reversed his conviction by the court of first instance on the basis that the prosecution had failed to show that he had obtained anything of value. In 1999 the CFA Act was used to prosecute Robert Morris, a Cornell graduate student, who had created a “worm” and released it on the Internet, with disastrous consequences. Although Morris claimed that he had merely been testing computer security and gathering data in this regard, his program caused damage of up to $53 000 in some individual cases. He was convicted in terms of the Act and sentenced to three years’ probation on the condition that he perform 400 hours of community service.

Glenn Barker gives an overview of another famous prosecution in terms of the ECP Act, namely that of Kevin Mitnick. It seems that Mitnick began his criminal career early: he was convicted in 1981 of stealing computer manuals from a Pacific Bell switching station at the tender age of 17. The court took into account his youth and placed him on parole. In 1982 he broke into the North American Air Defense Command computer, gained temporary control of three telephone-company offices in Manhattan and gained access to all the telephone-switching centres in California. He was back in the news in 1984 for posing as a technician and telephoning an authorised user to obtain the latter's password, using the excuse that he was issuing new and cancelling old passwords. The gullible user unfortunately gave up his password with dire consequences. In 1988, at 25 years of age, Mitnick surreptitiously monitored the e-mail of MCI and Digital Equipment security officials. When he was discovered, Digital Equipment charged him with causing damage amounting to $4 million to computer operations and with stealing software worth $1 million. Mitnick was convicted and received a one-year jail sentence at a low-security federal prison. In 1992 he was pursued by federal agents for parole violations but went to ground and “disappeared” for a while. On Christmas Day of 1994 he broke into Tsutomu Shimomura’s computer system at the San Diego Supercomputer Center. Egged on by racist slurs on his Japanese descent, Shimomura conducted an electronic bounty hunt for Mitnick, which hunt captured the public's imagination and even made the pages of the Reader's Digest. The hunt culminated in Mitnick’s arrest in January 1995 after Shimomura and federal agents traced the signal of a cellphone that Mitnick was using at the time.

Mitnick plea-bargained for a sentence of up to eight months’ imprisonment. However, the US Justice Department argued that the Mitnick case was multi-jurisdictional and that the plea bargain was only a partial disposition of the case. In 1996 he pleaded guilty to one federal charge of cellular-telephone fraud and admitted violating probation in respect of a prior computer-fraud conviction. In 1997 he was sentenced to nearly two years in prison for repeated parole violations and using stolen cellphone numbers to dial into computer databases. He was at that time still awaiting trial on 25 counts of computer and wire fraud, possessing unlawful access devices, damaging computers and intercepting electronic messages. Later that year a group of hackers broke into one of the main “portals” of the Internet and threatened widespread destruction if Mitnick were not freed. Mitnick was finally sentenced to 46 months in a federal prison after pleading guilty to “computer fraud and wire fraud for breaking into computers, intercepting communications and stealing proprietary software from several cellular telephone companies”. He has since been released on parole yet again, and found useful employment as an Internet security consultant, even visiting South Africa in 2006!

In the United States, of course, the terrorist attacks of 9 September 2001 changed the legislative landscape. The American legislature passed the Patriot Act to help take care of “homeland security”. The full title and main stated purpose of this Act are “To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes”. Also known as HR 3161, the USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools to Intercept and Obstruct Terrorism) incorporates the provisions of two earlier antiterrorism bills. It considerably extends the State’s investigative and

275 Which carries a lesser maximum penalty when compared to a “crime” or “offence”.
276 Act 25 of 2002.
277 106 F 3d 1069 (1st Cir 1997).
278 A self-propagating rogue program that gradually expands to “fill up” all the free memory space available on the computer system.
279 S 1030(5)(A).
Reader's Digest no. 877 (1995) 146.
A process in criminal procedure whereby the accused agrees to plead guilty to a lesser, competent charge (bearing a lighter sentence) provided that other charges are dropped or he or she is assured in some way of not receiving too harsh a sentence.
That is, fraud committed by means of telecommunication or “wire” technology.
A “portal” is a point of entry into the Internet — for instance an Internet service provider.
New York Times 27 March 1999.
On 23 October 2001, which shows the urgency with which the Americans treated the incident.
In South Africa “homeland” has a negative connotation because of its association with the apart

prosecutorial powers and has been used in many post-2001 prosecutions of suspected terrorists.

On 9 March 2006, President Bush signed the USA Patriot Improvement and Reauthorization Act of 2005. In a kind of progress report on five years of the Patriot Act, the president lauded the co-operation between law-enforcement and intelligence agencies that the Act has managed to achieve. Of special interest is his finding that the Patriot Act had also “adapted the law to modern technology”:

    The Patriot Act allows Internet service providers to disclose customer records voluntarily to the government in emergencies involving an immediate risk of death or serious physical injury and permits victims of hacking crimes to request law enforcement assistance in monitoring trespassers on their computers.

What is especially interesting in the above quotation is the element of voluntary co-operation apparent from the use of “voluntarily”. Unfortunately, in South Africa's history of security legislation such phrases are in short supply.

One of the most worrying forms of ICT crime in the United States is “identity theft”, in which confidence tricksters make it appear as if they are, for example, calling from a telephone with a number different from that of the telephone they are actually using. In this way they are able to pose as banks or as representatives of banks and other authorities and defraud customers of those institutions. This practice is limited to telephone calls using VOIP.

Identity theft seems to be on the increase in the United States. According to Visa International, credit-card fraudsters are increasingly using technology to “steal” existing credit-card numbers and personal identities. These comments came shortly after news that the US Secret Service had arrested 28 from seven countries in connection with identity theft, computer fraud, credit-card fraud and conspiracy. The suspects were alleged to have trafficked in at least 1,7 million stolen credit-card numbers, and financial institutions estimated the suspects to have caused losses of over $4,3 million. Neil Hawkey, a spokesperson for Visa, commented as follows:

    There is nothing new about phishing, it's merely an old fraud technique in a new guise. However, people can guard against Web- and email-based phishing attempts by bearing in mind that no bank will ever ask customers to divulge PIN numbers and other information.

As a result of increasing ICT crime in the United States, during November 2005 a group of software technology officers from major vendors in the United States appealed to President Bush for a “cybercrime commission” to be convened. The of the commission would be “to address cybercrime and identification theft”. It was argued that new legislation was needed and that the US needs more severe cybercrime penalties: “A criminal who steals one car can spend more time in jail than a hacker who causes millions of dollars in damage with a virus”. (As is pointed out above the South African ECT Act also suffers from a lack of sufficiently strong penalties for ICT crime.) Although at the time of writing the White House had not yet called such a commission into being, White House officials were reported as being “receptive to the idea”.

The most recent ICT crime statistics at the time of writing indicate that the United States hosted more than a third of all websites identified during 2006 as hosting malicious code and also relayed more spam than any other nation. An interesting table reveals the countries in which malware is most prevalent (the figures indicate the percentage of all malware circulating):

    1.  United States        34,2%
    2.  China                31%
    3.  Russian Federation   9,5%
    4.  Netherlands          4,7%
    5.  Ukraine              3,2%
    6.  France               1,8%
    7.  Taiwan               1,7%
    8.  Germany              1,5%
    9.  Hong Kong            1%
    10. Korea                0,9%
        Others               10,5%

According to the same report, threats by means of e-mail are slowly declining while malicious web content is growing. As usual, the target of these attacks is the most valuable asset of the twenty-first century: data. According to a recent report, databases are under heavy attack from hackers “trying to pilfer a rich trove of personal and financial data”. The result is that enterprises are having to look at all possible ways of securing their databases against hackers.

In 2004, the “Securely Protect Yourself against Cyber Trespass” Bill (the SPY ACT) was introduced to the US Congress to protect consumers who download software that has the ability to collect and transmit information. However, the end product

290 www.whitehouse.gov/infocus/patriotact (accessed 27 April 07).
Which is really fraud.
“Scammers snag money on Net phones” www.wired.com/news/privacy (accessed 20 March 2005).
Voice over Internet protocol.
“Technology aiding crime” www.itweb.co.za/sections (accessed 1 November 2004).
See para. 4.3.1 above on “phishing”.
See para. 4.4.2.3 above.
See also fn. 269 above.
“US worst for malware hosting and spam relaying” www.itweb.co.za (accessed 24 January 2007).
See para. 4.2.3 above in connection with spam.
An amalgamation of the “malicious” and “software” — hence, referring to software created for a malicious, often unlawful, purpose.
“US worst for malware hosting and spam relaying” www.itweb.co.za (accessed 24 January 2007).
“Hackers striking databases in record numbers” www.infoworld.com/products (accessed 27 July 2006).
“Congresswoman reintroduces spyware bill” www.idg-news (accessed 5 January 2005).
During April 2007 a subcommittee of the House Committee approved the Bill (HR 964) which means that the Bill could make further progress on its way to becoming legislation one day.

has been heavily criticised for not focusing on consumers but on software vendors. Another major criticism is that the federal Bill might pre-empt state provisions in this regard that would be more effective than the SPY ACT could ever be.

Such provisions have now appeared in the shape of a bill entitled the Identity Theft Enforcement and Restitution Act of 2007. This bill expands existing identity-theft and aggravated-identity-theft statutes to include recovery of the value of the time lost as a result of identity theft or even attempted identity theft. In addition, the bill seeks to increase penalties for identity thieves who use malicious spyware and keystroke loggers to commit their evil deeds.

4.6.2 The United Kingdom

In Oxford v Moss it was decided that confidential information in the shape of the of an examination paper did not constitute “property” for the purposes of the English Theft Act.

A problem with this Act is whether one can use the phrase “deception” in connection with a machine. It seems, therefore, that traditional definitions of English crimes are not easily adapted to modern versions of those crimes, particularly variations involving information technology. Hopes for natural adaptation and development of the understanding of which things are capable of being stolen were dashed in R v Lloyd. The court took a restrictive view of section 6 of the Theft Act and restricted the prohibited “taking” to outright takings and not to cases in which the outside action only caused a diminution in the value of the property.

An interesting, early reported case dealing with general information-technology crime in the United Kingdom is R v Schifreen and Gold. The case concerned two hackers who had gained unauthorised access to the UK's Prestel system. The legal question was whether they had committed fraud against Prestel by making use of a false password. They were charged in terms of the Forgery and Counterfeiting Act. The prosecution based its case on the fact that the “user segment” part of the program, which had acted as repository for the password files, was a “false instrument”, which would bring it within the purview of the Forgery Act. The court rejected this argument with the following words: “The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury, which we would not like to see repeated”.

In Cox v Riley the dispute concerned a power saw controlled by means of the insertion of a printed circuit containing a number of computer programs. Cox was the operator. He had deliberately sabotaged the saw by erasing a number of these programs, rendering the saw unusable until it was reprogrammed, which would have cost the owner time and effort of more than a minimal nature. By focusing on the hardware instead of the , the court managed to convict Cox of a contravention of section 1(1) of the Criminal Damage Act of 1971.

Perhaps as a result of such cases as these, the Scottish and English Law Commissions brought out reports in the second half of the 1980s, recommending the adoption of specific computer-crime legislation. This legislation followed, in the shape of the Computer Misuse Act of 1990. This Act created three important new statutory offences. The first is a “basic hacking offence” bearing the status of a “summary offence”, which means that the crime is justiciable in magistrate’s courts. The text of section 1 of the Act is as follows:

    (1) A person is guilty of an offence if—
        (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
        (b) the access he intends to secure is unauthorised; and
        (c) he knows at the time when he causes the computer to perform the functions that this is the case.
    (2) The intent a person has to have to commit an offence under this section need not be directed at —
        (a) any particular program or data;
        (b) a program or data of any particular kind; or
        (c) a program or data held in any particular computer.

Section 2 of the Act creates a second type of crime, a so-called “ulterior hacking offence”. It is ulterior in the sense that the hacker has to commit the offence described in subsection (1) with the ulterior intent to commit an offence described in subsection (2). The latter crimes are characterised by harsher sentencing provisions — for instance, a crime for which the sentence is fixed by law or for which a person of 21 years of age or older might be sentenced to five years’ imprisonment. This type of sentence would obviously only be imposed for more serious instances of hacking.

The third type of offence is aimed at the creators and distributors of virus programs. Section 3 of the Act provides that

    (1) A person is guilty of an offence if—
        (a) he does an act which causes an unauthorised modification of the contents of any computer; and
        (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

“Requisite intent” is, in turn, defined in section 3(2) as

    an intent to cause a modification of the contents of any computer and by so doing—
        (a) to impair the operation of any computer;

www.internetnews.com (accessed 20 July 2007).
(1978) 68 Cr App R 183.
Theft Act 1968 (12 Statutes 488).
[1985] QB 829 (CA).
[1988] AC 1063.
An early version of the Internet based on “videotext”. South Africa had the similar BELTEL service.
Forgery and Counterfeiting Act (UK) 1981.
R v Schifreen and Gold [1988] AC 1063 1071.
315 (1986) 83 Cr App R 26.

        (b) to prevent or hinder access to any program or data held in any computer, or
        (c) to impair the operation of any such program or the reliability of any such data.

The latter part of section 3 is comfortably wide enough to encompass any damage a virus program could cause. Although the substantive part of the Computer Misuse Act seems to be quite workable, the fact that the Act does not provide enough procedural and evidential aids to help prove these abstract offences may prove a weakness.

An interesting application of section 3 of the Computer Misuse Act of 1990 was the charging of an 18-year-old “spammer”, David Lennon, for impairing the operation of computers in that way. The original case was thrown out by a magistrate who ruled that the sending of e-mails did not violate the Computer Misuse Act, because e-mail servers were set up to receive e-mail. The Crown Prosecution Service appealed against this ruling and in May 2006 the case was sent back to the magistrates’ court. This time the court came to the opposite conclusion and Lennon was sentenced to a curfew forcing him to stay home every night for two consecutive months. The prosecution dropped a demand that Lennon repay costs amounting to £29 000 which arose when five million e-mails he was responsible for sending “crashed” the servers of the Domestic and General Insurance Group.

The UK has also been the site of a type of crime not yet dealt with, namely Internet plagiarism. In 2003 a final-year student in south-east England boasted that she had for three years been submitting essays bought and copied from the Internet and passing them off as her own. Universities have cited “laziness”, “lack of appropriate preparation for assessment” and “peer pressure” as some of the reasons for this practice. All commentators agree though, that universities need to take a tough stand against this “cut-and-paste” practice and that more students found guilty of it should be “sent down”.

A particularly innovative way of “phishing” has come to the fore, also in the UK. In contrast to established cross-scripting techniques whereby whole pages are hijacked by false websites, a new “cross-frame” scripting approach is able to inject false content onto the genuine web page, making the misrepresentation extremely difficult to detect. A user visiting the real website would then be confronted with, for example, a false “account update” form requesting her or his personal details.

The UK was also home to a hacker accused of carrying out the “biggest military hack of all time”. Gary McKinnon was arrested in 2002 by the UK’s National Hi-Tech Crime Unit for hacking into a series of remote computers used by the United States army, navy, air force and Department of Defense. In applying for McKinnon’s extradition to the US, the Department said that he had caused damage of more than $700 000 while exploring the various military institutions electronically. The extradition order was granted, underlining the importance of international co-operation in the battle against international ICT crime.

The UK is fortunate to have a powerful Data Protection Act, the ambit of which might be extended in future to include custodial sentences for offenders. On the other side of the coin, the UK’s new Fraud Act makes it an offence to fail to disclose information in the form of a proper data protection notice. Thus, on the one hand, information is protected and, on the other, information holders are forced to give it up under certain circumstances. Although serving different purposes, both Acts show the strategic value of information.

It has been suggested that Britons live in greater fear of crime on the Internet than of being burgled. The Get Safe Online campaign found that attacks on Windows PCs happened every 15 minutes and that fears of online crime ran so deep that people were put off using the Internet altogether; 18% of respondents said that they were afraid of shopping online. The same survey pointed out, however, that many people were not taking the basic steps to protect themselves from ICT crime in that 17% of respondents had no anti-virus software, 22% had no firewall and a further 23% said that they had opened e-mails received from unknown sources.

4.6.3 Other countries and groupings

4.6.3.1 Canada

Canadian ICT law has been characterised by high-level litigation on whether information is capable of being stolen. In the first case of R v Stewart the matter turned on the interpretation of section 283(1) of the Canadian Criminal Code, which holds that “anything whether animate or inanimate” is capable of being stolen. In a majority decision the court held that the statutory phrase was wide enough to encompass the theft of information, but recognised that its decision was out of step with the British decision in Oxford v Moss. A minority of the court felt that such a drastic interpretation of the phrase should rather have been left to Parliament to act upon.

On appeal, however, the court in the second R v Stewart case held that, whatever the legal classification of information might be for the purposes of civil law, information was not “property” for purposes of criminal law. Although Piragoff agrees with the decision of the appeal court, he feels that more could have been done to recognise some form of interest in the information, for instance the right to confidentiality and exclusive use. The present author, however, is not very impressed with the idea of having one concept of “property” for private law and another for the purposes of criminal law. It seems, then, that one’s success or failure in litigation may depend on one’s choice of forum for litigation.

318 See para. 4.4.2.3 above on spamming.
319 “U.K. spammer gets two-month curfew” www.news.com (accessed 24 August 2006).
320 “Students using the net to cheat” http://newsvote.bbc.co.uk (accessed 17 November 2003).
321 A British ism for “expelled”.
322 See para. 4.3.1 above on phishing.
“New srvic of phishing attack discovered” www.techworld.com (accessed 21 March 200
The DPA, 1988.
“United Kingdom: Getting tough on data crime” www.mondaq.com (accessed 17 February 2007).
Ibid. The Fraud Act came into force on 15 January 2007.
“Net crime ‘big fear’ for Britons” www.newsvote.bbc.co.uk (accessed 12 December 2006).
(1983) 5 CCC (3rd) 481.
(1978) 68 Cr App R 183. See para 4.6.2 above.
[1988] 1 SCR 963; 41 CCC (3d) 481; 63 CR 3d 305.
“Computer crimes and other crimes against information technology in Canada” in Sieber Compu
4.6.3.2 Germany

In his country report on Germany, Mohrenschlager uses the following working definition for dealing with (and classifying) computer crime: “Computer crime covers all sets of circumstances where electronic data processing forms the means for the commission and/or the object of an offence and represents the basis for the suspicion that an offence has been committed”.

Fortunately the German legislature has not been backward in legislating against information-technology crime. In 1986 the German Criminal Code was amended to provide for the different forms of this modern crime. For instance, section 184 criminalises the distribution of pornography, including allowing young people under the age of 18 years access to such computer data on the Internet through lack of proper precautions. Although this may appear to be the criminalising of negligence, intent is still an element of the offence and “allowing ... access” should rather be seen as part of the criminal act in the sense that the offender does not have to play an active role.

Section 202a criminalises data espionage. The term “data” is specifically confined to data which are stored electronically or magnetically and which are not directly visible or accessible.

Whereas section 263 of the German code criminalises fraud in general, section 263a targets computer fraud specifically. Section 269 criminalises the forgery of data which are necessary to prove something, and sections 303a and 303b data alteration and computer sabotage respectively.

According to Schwarzenegger the legal interest (Rechtsgut) protected against virus programs is the “unimpaired disposability of data by the right holder”. He also attempts a definition of “data” as follows: “The term has to be understood in a wide sense as a sequence of signs or signals that have informative value (information translated into code)”. This indicates that data and information should never be equated with each other.

Schwarzenegger sees the Rechtsgut in the case of hacking, or illegal access to data, as the “formal right to disposability”, which means that only the rights holder has the right to determine who should have access to the data concerned.

4.6.3.3 Russia

Three Russian hackers convicted of orchestrating denial-of-service attacks against UK bookmakers were each sentenced to eight years’ imprisonment and fined $3 700. According to the Russian prosecutors these three carried out 54 similar attacks in 30 countries in a period of six months. Apparently the modus operandi of the crimes involved planting spyware in the systems of targeted (usually online-gambling) firms. This was then followed by threats that, unless the gang was paid off, the websites concerned would be subjected to denial-of-service attacks. This crime is of a piece with the conventional common-law crime of extortion, save that computers (and the Internet) are used as instruments.

In one of the first examples of “cyber warfare”, Estonia was hit by a sustained denial-of-service attack from Russia. Apparently the attack was sparked by ethnic riots by Russians in Estonia set off by the removal of a Russian war memorial from the Tallinn city centre. Estonian websites were swamped by numerous service requests originating in Russia, which prevented the websites from carrying out their legitimate business. While the Estonian government has not blamed the Russian government directly, the foreign ministry has published a list of IP addresses from which the attacks were launched and it is alleged that some of these are addresses belonging to the Russian government and presidential administration.

This type of crime illustrates once more that information (and instruments that gather and distribute it) is probably the most important prize in any form of modern crime. According to a newspaper report on the incident the attack on Estonia was “merely the tip of the iceberg” and the previous year featured similar “distributed denial of service attacks” on government targets in the United States, Germany, India, New Zealand and Australia.

4.6.3.4 The United Arab Emirates (UAE)

The UAE Cyber-crimes Act was enacted in order to afford computer users “greater comfort and security by protecting and regulating lawful access to and use of the Internet and relevant computer systems”.

Actions prohibited by the Act include the unlawful accessing of websites or information systems, the unlawful delaying of such systems, and the erasure, deletion,
removal, damaging or amendment of software programs or data or of any infor-
mation contained in such programs or data.
385 “Computer crimes and other crimes against information wchnology in Germany” in Sieber Compu- It is clear then that the UAE regards the above-mentioned crimes as examples of
ferkriminaliial
und Strafrecht 198. ICT crime. However, there are also a number of ICT-related crimes created by the
336 Also known as the SeGB, for Strafgesizbuch. new Act. These include fraud, the selling of drugs, and moncy laundering by means
337 Schonke and Schrader Sinafgesetsbuck Kommentar 27 ed 1589 {. of computer systems. The Act also includes as an offence the performing of cenain
388 Thad. 1600.
actions that would constitute “an offence to public morals”. Doubtless this includes
339 Ibid 1611.
340 Pbid. 1716. such crimes as Internet pornography, a so-called “contentrelated ICT crime”.
S41 S$ 202a(2).
342 Schénke and Schroder Strafgeseizbuch
Kommentar 2179 ff.
S48 “Russian bookmaker hackers jailed for eight years” wewtheregister.co.uk (accessed 5 October 2006).
343° Ubad. 2242 ff
344 Ebi. 2388 ff.
349° “The cyber pirates hitting Estonia” hitp:/ /newswote.bbe.co.uk
(accessed 18 May 2007).
350 The capital
of Estonia.
345 Thick. 29003 fT.
RAG Thick Pre AT
4.6.3.5 The Council of Europe’s Convention on Cyber-crime

This piece of international “legislation” is a major step forward in the combating of international cyber-crime. One of the major problems with cyber-crime is precisely its international nature, which gives rise to problems of jurisdiction, incompatible procedural-law systems and so forth. Although originating in Europe, the Convention is flexible enough to be adopted by any country and South Africa has, in fact, taken the first steps to do so.

The first part of the Convention deals with substantive-law measures. Signatories are supposed to ensure that the following types of offences are prohibited nationally.

“Offences against the confidentiality, integrity and availability of computer data and systems”, which include the illegal interception of, or interference with, data; the illegal access to, or interference with, a computer system; and the misuse of devices, including the making available of a tool or password for the purpose of committing any of the above offences.

“Computer-related offences”, including computer-related forgery and computer-related fraud. “Content-related offences”, relating to online child pornography in its various formats. Finally, treaty countries have to criminalise copyright-related offences.

South Africa has complied with most of the substantive treaty obligations. Most of the offences referred to have been criminalised by sections 86 and 87 of the ECT Act, others by the Films and Publications Act and the South African Copyright Act.

The second part of the Convention deals with procedural-law matters. Certain conditions and safeguards have to be laid down for human rights to be protected adequately while the computer data necessary for possible prosecutions is obtained. These might include production orders for data controlled by any person or service provider within the territory concerned.

Chapter 3 of the Convention deals specifically with international co-operation in the investigation and prosecution of criminal offences. This might involve extradition for trial to a member country, and includes an international point of contact staffed by trained operators twenty-four hours a day, seven days a week.

As far as the second and third parts of the Convention are concerned, South Africa has definitely not yet passed (or amended) the legislation necessary to ensure the country’s compliance with its international obligations. Such steps might also have constitutional implications, but until something positive is done at the legislative level we may never find out.

4.7 Conclusion

It is clear that ICT crime is a growth industry internationally. Precisely because of its international nature, such crimes create many political and jurisdictional problems and problems arising from the incompatibility of criminal and criminal-procedure codes.

It is therefore of the greatest importance that countries, including South Africa, ratify international documents such as the Convention on Cyber-crime. Failing to do this will create “crime shelters” similar to the “tax shelters” created by the legislation (or lack of it) in certain States.

As regards legislation combating ICT crime, South Africa used to be a leader in Africa, having adopted a number of technology-related statutes. However, without the necessary political will and corresponding funding for the required administrative structures, this country will quickly become an easy target for international ICT crime. In addition, its legislation is by now again in need of an overhaul, especially in the fast-moving world of cybercrime. In this regard, the two Bills from the Departments of Justice and of Communications provide some hope.

354 The Electronic Communications and Transactions Act 25 of 2002.
355 Act 65 of 1996.
356 Act 98 of 1978. While on the subject of copyright offences, it is interesting to note that it was only as recently as 2004 that a piracy offender was sent to jail for the first time in South Africa. The Pretoria Commercial Crimes court sent Craig Marnoch to jail for the maximum term of three years in terms of the Copyright Act. He had tricked hundreds of South Africans into purchasing pirated
The Law of ICT Evidence
5.1 Introduction

5.1.1 Historical background

By contrast to, say, criminal law, South African law of evidence is based fairly heavily on the English law of evidence. As mentioned above, South African criminal procedure is also based on English law, but is more comprehensively codified than the law of evidence. The Roman-Dutch legal system has had little or no influence in this area. This is probably to be expected, given that it found its final form well before the computer age and in light of South Africa’s specific legal-historical development.

In the constitutionally important British case of Campbell v Hall it was decided that any local legal system of a British colony would remain in place until specifically repealed. After the second British occupation of the Cape of Good Hope in 1806, the formal part of the existing Cape law was repealed and re-enacted or codified on the basis of the English model. This change was probably much needed to enable the newly appointed (and English-speaking) judges and magistrates to adjudicate on matters coming before them. This applied especially to the law of evidence as part of the formal legal system, which is very court- and practice-oriented. By contrast, the greater part of South African substantive law is based more on general principle and still firmly based on Roman-Dutch law.

5.1.2 Technological background

In post-industrial society information and communications technology can be a vital asset provided it is placed in skilled hands and is used properly in terms of constitutionally fair legal principles. Unfortunately, like any potent object, such as a firearm, such technology can also be misused. Indeed, the twentieth and twenty-first centuries have been characterised by increasingly extensive use by governments and political groupings of information and communications technology to disseminate disinformation and propaganda. Regimes such as those of Hitler and Stalin simply foreshadowed the efforts of the opposing forces in the ongoing Iraq war where modern media really came into their own. Winning the propaganda war is as important as any military battle in this age of mass media.

1 See para. 4.5.1 in Chapter 4 above.
2 As is civil
3 (1774) 1 Cowper 204, 98 ER 1045.
4 Examples of formal law are the law of criminal procedure, the law of civil procedure and the law of evidence.
5 Examples of substantive law are criminal law and private law, the latter including many facets such as contract, delict, succession, husband and wife and so on.

Has the fact that increasingly sophisticated technology is available to ordinary citizens affected this bleak picture? One could surmise that citizens can now check the veracity of government information against a number of independent sources and find out for themselves what the true position is. Unfortunately many people still seem to be vacillating between the following two extremes:
(a) not trusting any information emanating from a computer, because it is the instrument of an evil government, of the anti-Christ, or both;
(b) trusting almost anything they read on a computer because it is “hi-tech” or because the name of an “author” is typed below the information.

The true problem of the information and communications era therefore seems to be to decide exactly how much value should be attached to a given piece of information, especially when that information is stored electronically and digitally. The only field of law which advertises itself as a specialist in the area of verifying facts is the law of evidence. Unfortunately, like all other fields of law, this field sometimes finds itself struggling to adapt to a new world in which paper is being phased out of general commercial transactions and to “decreasing contact between human beings and the information needed to conduct business”.

Sprowl argues that older forms of record-keeping contained “non-digitizable information” such as the specific shape of a signature, the condition of the paper and the spacing of letters and numbers that together used to guard the authenticity of a cheque. Most of these “guarantees of authenticity” vanish once the information they transcribe has been digitised as a computer record. This is well expressed by Khaled who remarks that when “we bring in the Internet factor we . . . have a certain amount of anonymity associated with the data”. As a result, courts now have to look at circumstantial evidence to establish the authorship and authenticity of computer records.

In practice, however, the admissibility and weight of such evidence are an open question once the original paper document has vanished. Determining such admissibility and weight is even more difficult if it is established that a digital document is, in fact, the original document and has been created as such.

This chapter endeavours to explore and find solutions to these problems. The background to and further development of “cyber-evidence” in South African law of evidence and in the legal systems of a number of other countries, the latter for comparative purposes, are also explored. Furthermore, a number of recent technological developments (such as modern cryptography) and data standards (such as XML and XBRL) are also dealt with because they help guarantee the integrity and authenticity of data for future forensic use. Applying existing and well-tried evidentiary principles to data emanating from ICT technology presents workable solutions that, in time, will lead to effective jurisprudence.

6 French “The admissibility of computer records in the SA law of evidence — a comparative survey” 1982-1983 Natal University Law Review 112.
7 Sprowl and Maggs Computer Applications in the Law 4.
8 Khaled “The evidential provisions of the ECT Act 25 of 2002: A comparative law perspective” (LLM

5.2 South African legislation on ICT evidence

5.2.1 The Civil Proceedings Evidence Act

After a particularly “hard case” involving documentary evidence, namely Vulcan Rubber Works (Pty) Ltd v SAR & H, the position was finally alleviated by Part VI of the Civil Proceedings Evidence Act. In the Vulcan Rubber Works case the respondent sought to lead evidence about the results of a search one of its officials had made of a government department’s records, but the evidence was excluded by the court as hearsay.

The Civil Proceedings Evidence Act brought about a substantial exception to the hearsay rule with regard to documentary evidence. Section 34(1)(a) provides that, if direct oral evidence of a fact in civil proceedings would have been admissible, any “statement made by a person in a document and tending to establish [a] fact” is admissible as evidence towards establishing such fact.

This exception is subject to one of two conditions. The first is that the person making the statement must have had personal knowledge of the matters dealt with in the statement. The second is that the document in question must be a continuous record and the person making the statement must have made such statement in the performance of a duty to record information supplied by a person who has, or might reasonably be supposed to have, personal knowledge of such matters.

Section 34(1)(b) requires, in addition, that the person who made the statement must be called as a witness “unless he [or she] is dead or unfit by reason of his [or her] bodily or mental condition to attend as a witness or is outside the Republic and it is not reasonably practical to secure his [or her] attendance or all efforts to find him [or her] have been made without success”.

Notwithstanding these extreme-sounding criteria, section 34(2) gives the presiding officer an overriding discretion to admit the statement, even if some of the conditions mentioned have not been met, if “he [or she] is satisfied that undue delay or expense would otherwise be caused”. The court then has a further discretion to decide exactly how much evidential weight should be attached to the statement concerned.

The Civil Proceedings Evidence Act is based broadly on the English Evidence Act of 1938, which means that it was fairly out of date to start with. It therefore suffers from the same defect as that blighting the English Act: namely that it was framed long before the Computer Age. It is also doubtful whether its definition of a document is wide enough to include computers and other recent manifestations of ICT technology. Section 33 of the Civil Proceedings Evidence Act defines “document” as including “any book, map, plan, drawing or photograph”. Section 34(5) empowers the court to draw reasonable inferences from the form or content of the document containing the evidence in question or from any other circumstances.

11 Act 25 of 1965.
12 From the expression “hard cases make bad law”.
13 1958 (3) SA 285 (A).
14 Act 25 of 1965.

These questions are addressed below in a discussion of South African case-law on this point. One recent case in particular — Trustees for the time being of the Delsheray Trust v ABSA Bank Ltd — in which many of the outstanding issues are thoroughly canvassed, is well worth studying in detail even though the case turned on an interpretation of the Uniform Rules of Court.

5.2.2 The Criminal Procedure Act

The Civil Proceedings Evidence Act is confined to civil matters. In criminal matters electronic evidence is (su; ly) governed by the Criminal Procedure Act, specifically by sections 221 and 222. Section 221 deals specifically with the admissibility of certain trade or business records provided that certain conditions are met. Section 222 makes certain provisions of the Civil Proceedings Evidence Act mutatis mutandis applicable to criminal proceedings.

The definition of “document” in the Criminal Procedure Act is much wider than its civil equivalent, namely: “any device by means of which information is recorded or stored”. Although the Criminal Procedure Act is also based on English law, it has managed to avoid many of the computer-related pitfalls that have laid low the South African Civil Proceedings Evidence Act. One such example is that the former Act acaply: speaks of “any statement contained in a document”, instead of the latter Act's “any statement made by a person in a document”. The “document” of the Criminal Procedure Act also does not have to be or form part of a “continuous record”, as is required by the Civil Proceedings Evidence Act.

Strategically one of the most important clauses for criminal procedure is probably section 38(1)(a) of the Civil Proceedings Evidence Act, one of the sections of the latter Act which have been made applicable also to criminal proceedings. This section states that nothing in Part VII of the Civil Proceedings Evidence Act shall prejudice the admissibility of any evidence that would, apart from the provisions of Part VII of the same Act, be admissible.

16 See para. 5.4 below.
17 [2014] 4 All SA 748 (WCC).
18 Rule 32(2) in particular. Readers who interested in the history and ited “Unshackling fame lot of the so-called the Shackl defe
21 Ss 33-38 of Act 25 of 1965. These sections deal with documentary evidence.
22 S 221(5) of Act 51 of 1977 (emphasis added).
23 S 220(1).
24 S 34(1) of Act 25 of 1965 (emphasis added). “A person” gave the court difficulties in Narlis v SA Bank of Athens 1976 (2) SA 573 (A), which led to the introduction of the Computer Evidence Act 57 of 1983. See paras 5.2.3 and 5.3 below.
25 S 34(1)(a) of Act 25 of 1965.

As far as criminal proceedings are concerned, S v Ndiki is very instructive in the interpretation of certain clauses of the Criminal Procedure Act. This case is analysed in greater depth below, together with other relevant case-law.

5.2.3 The Computer Evidence Act

The Computer Evidence Act was enacted to correct a perceived shortcoming of South African law of evidence as far as computer-stored evidence was concerned. The genesis of this Act lies in Narlis v SA Bank of Athens. In this case the bank sought to introduce evidence extracted from its computerised records to show that the respondent had an overdraft facility with the bank. The bank was unable to use section 28 of the Civil Proceedings Evidence Act, which makes specific provision for the admission into evidence of entries in banker's books, because of section 33 of the same Act. The latter section precludes the admission of such evidence if the bank is one of the parties to the litigation in which the evidence is sought to be used. The bank therefore tried to avail itself of section 34(1)(a) which contains the phrase “any statement made by a person in a document”. Holmes JA fastened onto this requirement and rejected the admissibility of the statement in question, remarking that “a computer, perhaps fortunately, is not a person”.

The outcome of the Narlis case caused great unhappiness and uncertainty in the banking community, to whose professional activities IT had become a mainstay. The South African Clearing Bankers’ Association therefore instructed Judge Didcott to prepare a report and a draft bill in this regard. Both documents were geateiel isto the South African Law Commission, which, in turn, presented a “Report on the admissibility in civil proceedings of evidence generated by computers” to the Minister of Justice. The draft bill became South Africa's first piece of IT legislation, in the shape of the Computer Evidence Act.

The Law Commission, and later the legislature, did not feel disposed to extend the applicability of the Act to criminal proceedings also. This was because, it was argued, unrepresented accused persons would not be able to give informed consent to, or oppose effectively, any computer evidence proffered against them. Also, the consequences of criminal proceedings are far more serious in that the liberty of individuals might be at stake. Given these considerations, it seems rather ironic not only that the ECT Act has extended the evidential provisions of the Computer Evidence Act to criminal proceedings but also that the later Act has been widely criticised for not containing more draconian penalties to inhibit seemingly ever-increasing cybercrime activity.

26 [2007] 2 All SA 185 (Ck).
27 See para. 5.3.1 below.
28 Act 57 of 1983.
29 The Act was subsequently repealed by s 92 of the ECT Act 25 of 2002.
30 1976 (2) SA 573 (A). For further discussion of this case see para. 5.3.1 below.
31 Act 25 of 1965.
32 Discussed under para. 5.2.1 above.
33 Emphasis added.
34 Narlis v SA Bank of Athens 1976 (2) SA 573 (A) 577.
35 The late Judge Didcott later retired as one of the first judges of South Africa's Constitutional

Reaction to the Computer Evidence Act was overwhelmingly negative. Staniland, French, Skeen, Steele, Delport, Ebden and Van der Merwe, among others, published comment critical of this legislation. In the twenty years of its existence, only one or two cases appear to have dealt with the Computer Evidence Act, and then only in passing or an obiter dictum. This leads one to the conclusion that most affected parties had “contracted out” of the provisions of the Act, probably because of the uncertainty of the exact nature of its application.

This lack of appreciation for one of its products caught the attention of the South African Law Commission. As a result the Commission entered upon a further project to find out exactly what the matter was with the Act. The new project was entitled “Investigation into the Computer Evidence Act” and led to a finding that the legislation had not accomplished its purpose, possibly “because the required authentication procedures proved to be too severe to parties who wished to rely on its provisions”.

However, it is submitted that the opposite was the case. Even though section 2(1) of the Computer Evidence Act required an “authenticating affidavit” describing the normal operation of the computer and identifying any printouts (or true copies thereof) as authentic, section 2(2) limited such an affidavit thus: “It shall suffice for the purposes of subsection (1) if the descriptions required by paragraph (c) and the certifications required by paragraphs (d) and (e) are given to the best of the knowledge and belief of the deponent to the authenticating affidavit”. It is likely that the evidential weight of such an “in-house” declaration would have been so low that banking (and similar) institutions would not have considered it worthwhile to take a chance on the affidavit’s effectively settling the status of a disputed computer document. Instead, these institutions simply inserted a clause in the fine print of the contracts with their customers in terms of which the customers undertook not to query the authenticity of any computer-based documents should any dispute arise in that regard.

41 Act 25 of 2002. See para. 5.2.5 below.
42 “The Computer Evidence Act: its admissibility in civil proceedings” 1983 Computer Law and Practice 24.
43 “The admissibility of computer records in the SA law of evidence — a comparative survey” 1982-1983 Natal University Law Review 123.
44 “Evidence and computers” 1984 SALJ 675.
45 “Computer-produced printout reliable as evidence” 1983 SALJ 510.
46 “Die Wet op Rekenaargetuienis” 1983 Obiter 140.
47 “Computer evidence in court” 1985 SALJ 687.
48 “Documentary evidence (with specific reference to hearsay)” 1994 Obiter 64 80 ff.
49 See Ansha Construction v Aruba Holdings 2008 (2) SA 15 (C) 166.
50 See Shresbree v Klerck 2000 (4) SA 457 (SE) 467.
51 Working Paper 60, Project 9% presented to the Minister of Justice in June 1982.
52 Meiring “Electronic transactions” 90.
53 Of s 2(1) of Act 57 of 1983.

which are contained in Chapter Ill of the Act, “Legal recognition of data messages”.
5.2.4.2 Implications of the Law of Evidence Amendment Act Pan | of Chapter HI, containing sections 11 to 20, deals specifically with “Legal
The main impact of the Law of Evidence Amendment Act was to provide new statu- requirements of data messages”. In other words, these sections are of vital import-
tory grounds making hearsay evidence admissible, at the discretion of the court” ance to the law of evidence because they set out the legal requirements for a data
One of the factors the count is obliged to consider in making its decision is “the message to be admitted as evidence before a court.
nature of the evidence.”
Section 11 repeats the title of the Chapter Hl and states chat information will not
This Act treats together the evidential admissibility and weight of hearsay evidence
be “without legal force and effect merely on the grounds that it is wholly or partly in
and of computergenerated evidence. But can computer-generated evidence (with-
the form ofa data message”™” or is simply referred to in such a message.” In the opin-
out human intervention) be scen as hearsay evidence? As Collier™ points out, no
ion of Rens” it is not clear what the legal position would be were the text thus refer-
computer printout occurs without human intervention. This is because the computer
red to in the public domain or in paper format. Sdll, he recommends making use of
is driven by a program written by a human author who has carefully anticipated
electronic hypertext™ references incorporating any further details of an agreement
various logical possibilitics and placed them in sequence.
when, for instance, the computer screen does not provide cnough space for such
As will be scen in 5.2.5. below, in S o Ndhloou™
it was held that the new statutory
details. Such a step is, of course, subject to the further provision that a reasonable
provisions relating w computer-based evidence in no way interfered with the statuto-
person would notice such incorporation and that the further detail is accessible,
ry provisions dealing with hearsay. Sce also Von Willing v S” for a successful applica-
cither electronically or by means of a computer printout.
tion of the rule.
However the matter was only fully deliberated over by the Constitutional Court in
It should also be noted that the ECT Act™ excludes transactions in terms of
Savot v National Director
of Public Prosecutions.” The court carricd out a very complete panicular legislation from the workings of the Act itself. Thus, electronic formatis é
and useful analysis of the hearsay rule that also included 4 comparative survey of this not suitable for transactions in. terms of the Wills Act,” the Alienation of Land Act”
and the Bills of Exchange Act In a similar fashion, the ECT Act excludes the validi-
legal phenomenon. It held that POCA “did away” with the prohibition on hearsay (as
well as with other exclusionary rules) as far as criminal charges in terms of subsec- ty of certain types of clectronic transactions. Hofman speculates on the reason for
tion 2(2) were concerned. Even though this matter turnedyyupon an interpretation of these exclusions” and concludes that more careful drafting of the Act would have
a scction of the Prevention of Organised Crime Act (POCA)” it has relevance for the made such a dramatic provision unnecessary.
future role of hearsay across the entire spectrum of criminal law.
Although the court dealt with the effect of POCA on hearsay, similar facts and
5.2.5.2 Writing
previous convictions, only the firsunentioned concept is dealt with under the present Section 12 of the ECT Act deals with the legal requirement that something has to be
heading. The coun found the rationale for the exclusion of hearsay evidence to be the “in writing”. It provides that this requirement is met if the document or information
general unreliability of such evidence (which of course, cannot be tested by cross- is
examination since the person probably made the statement out of coun and is not be (a) in the form of a data mesage; and
present to be cross-examined as to its accuracy). This was followed by a very interest- (6) accessible in « manner usable for subsequent reference.
ing analysis and comparison with the legislation dealing specifically with hearsay This emphasis on the truc value underlying the concept of written evidence, namely
evidence, namely Act 45 of 1988. The latter Act retained the exclusionary rule but per- that the document has to be accessible for future reference, has to be applauded. On
mitted statutory exceptions, some of which gave a fairly broad discretion to the court. the other hand, it is not clear what steps the custodians of the (electronically stored)
data messages will have to take in order to ensure future reference to such docu-
5.2.5 The Electronic Communications
and Transactions Act” ments. In this regard, regular “migration” of the electronic data concerned (from
the working database to later versions of hardware and software) might have to be
5.2.5.1 Introduction
The present ECT Act is an omnibus Act containing many different and disparate
Sih.
provisions.” The present chapter deals with the cvidential provisions of the Act, all of
SPeRSSez23aF

S112).
with caution”
2003 (june) De Rebus
23 24.
A piece of uxt electronically “cross-referencing”
another piece of text.
66 S3(1)(o of Act 45 of 1988. S113).
67 S3(1)(a (ii). S$ 4(3) read with Schedule 1 to the Act
BS

“Evidently not so simple: Producing computer print-outs in court” 2005 (1) JBL 6
69 [2006] JOL 17037 (W). Act 7 of 1953.
Act 68 of 1981.
70 [2015] JOL. 33085 (SCA).
Ti 2014 (5) BCLR 606 (CC) Act 34 of 1964.
72 Se 2(2) of Act 121 of 1998. S 4(4) read with Schedule 2 to the Act
“The meaning of the exclusions in section 4 of the Electronic Communications and Transactions
73 Act 25 of 2002 (the ECT Act)-
Act 25 of 2002" 2007 SALJ 262 fF.
__74 The provisions creating new statute ry forms
of computer crime are discussed
in Chapter
|
undertaken to ensure the future availability of those data, and such migration might be quite expensive. Of course, the ECT Act is not the only Act imposing archival requirements with regard to certain classes of document;[86] one might therefore kill several (statutory) birds with one stone if one's electronic data can be stored reliably for a long period of time.

On the topic of electronic “writing” one has to agree with Rens[87] that some uncertainty existed before the ECT Act whether a legal requirement that an agreement be “in writing” would be met by a document stored electronically. He supports Jansen's view[88] that agreements may now, after the promulgation of the ECT Act, be concluded by means of data messages and advanced electronic signatures. However, he criticises[89] Jansen's example of a contract for the alienation of land, because this type of transaction is specifically excluded by the two schedules to the ECT Act.

5.2.5.3 Signature
Section 13 of the ECT Act is simply entitled “Signature” and stipulates that, when the signature of a person is required “by law” and that law does not specify the type of signature, “that requirement in relation to a data message is met only if an advanced electronic signature is used”.[90] Section 1 of the Act provides the following definition of such a signature: “an electronic signature which results from a process which has been accredited by the Authority as provided for in section 37”.

Section 37 provides for an “Accreditation Authority”, defined[91] as the Director General (of the Department of Communications), although this official may also appoint other employees of the Department as “Deputy Accreditation Authorities”.[92] The end goal of these accreditation processes is “an authentication product or service”,[93] which term one may safely assume to be sufficiently wide to include an electronic signature.

The Act also prescribes the criteria for accreditation. But before accreditation can take place the Accreditation Authority has to be satisfied that the particular authentication product or service embodies all of the following characteristics:
(a) is uniquely linked to the user;
(b) is capable of identifying that user;
(c) is created using means that can be maintained under the sole control of the user; and
(d) will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable;
(e) is based on the face-to-face identification of the user.[94]

The first four requirements are based on the UK's Electronic Signatures Regulations.[95] From the use of the word “and” after requirement (c)[96] and the fact that requirement (e) does not form part of the UK regulations, one can deduce that the latter was a late addition by the South African parliament. This becomes even more probable given the fact that President Mbeki signed the ECT Act into law before television cameras, with the Postmaster General physically authenticating his signature. The final part of the jigsaw puzzle in terms of the requirements for accreditation is found in section 28(2) of the ECT Act where one learns that the South African Post Office Limited is a “preferred authentication service provider”.

Although the latter term is not defined in the ECT Act, it would appear that one has to distinguish between private commerce services and public e-government services. The former type of service may be dispensed by authentication service providers whose products have been accredited by the Accreditation Authority.[97] The latter type of service has to be performed by a “public body”;[98] section 28 of the Act introduces the concept of a “preferred authentication service provider” in this regard.

According to section 27, public bodies may accept electronic filing of documents, create or retain documents in electronic form, issue permits, licences or approvals in electronic form, and make or receive payment in electronic form. Section 28(1) allows a public body, by means of notice in the Government Gazette, to specify the format of data messages, the type and means of attachment of electronic signatures, and “the identity of or criteria that must be met by any authentication service provider used by the person filing the data message or that such service provider must be a preferred authentication service provider”.

Section 28(2) then declares the “South African Post Office Limited” a preferred authentication service provider and gives the Minister the power to designate any other preferred authentication service provider “based on such authentication service provider's obligations in respect of the provision of universal access”. “Universal access” is defined as “access by all citizens of the Republic to Internet connectivity and electronic transactions”.

Section 28 gives rise to a number of questions. It is obviously a great advantage for any provider of authentication products or services to attain the status of a “preferred authentication service provider”, but the criterion of universal access seems a bit

86 See, for example, the Companies Act 61 of 1973, the Income Tax Act 58 of 1962, the Customs and Excise Act 91 of 1964, the Insolvency Act 24 of 1996 and the Value-Added Tax Act 89 of 1991.
87 “Approach with caution” 2003 (June) De Rebus 23 24.
88 “A new era for ecommerce in South Africa” 2002 (October) De Rebus 16.
89 Correctly, it is submitted.
90 S 13(1).
91 In s 34(1).
92 In terms of s 34(2).
93 S 33.
94 S 38.
95 2002 No. 318 in terms of the European Communities Act (1972 c. 68). The regulations came into force in the UK on 8 March 2002.
96 Thus seemingly introducing para. (d) as the final sub-clause, whereas the actual final sub-clause (para. (e)) is not prefaced by an “and” in the final format of the legislation.
97 In terms of ss 37-41 of the Electronic Communications and [illegible] an absolute requirement in that s 35 allows [illegible] service provid[illegible] or services in terms of ss 23-30) of the Act.
98 Defined in s 1 of Act 25 of 2002 as national, provincial or [illegible] bodies of [illegible] or any [illegible] a provincial constitution or in terms of any legislation.
obscure. To qualify does such a provider have to make available free access to the Internet to every citizen or to special groups of citizens or perhaps to do so at a special price? Mention has already been made of the South African Postmaster General's authentication of President Mbeki's signature of the ECT Act, but it might be asked whether the Post Office has the infrastructure to serve all other government departments as a preferred authentication service provider. Should the State Information Technology Agency (SITA) not be the favoured service provider in this regard? Hardware and software may be bought if the budget is sufficiently generous, but SITA already has the necessary know-how to operate these. Whereas, were the Post Office the favoured provider, it would need to implement an extensive — and expensive — retraining programme.

While on the subject of the SITA, it is interesting to note that the State Information Technology Agency Act[102] (the SITA Act) was amended in several important respects by the State Information Technology Agency Amendment Act[103] shortly after the ECT Act came into force. Several of these amendments contain wording very similar to that of the corresponding sections of the ECT Act; the inescapable conclusion seems to be that the two Acts should be read together for one to see a complete picture of e-government in South Africa.

To mention but one instance of parallel wording, the definitions of “authentication products or services” and “electronic signature” in the (amended) SITA Act are taken directly from the corresponding provisions of the ECT Act.[104] The only difference is that as part in the definition of “electronic signature” the ECT Act speaks of “data” and the SITA Act of “electronic representation of information”.

Section 7(7) of the SITA Act also gives clarity to the concept of a “preferred authentication service provider”, thus:
If the Agency decides not to provide authentication products or services for a department or public body in terms of subsection (6)(c), the department or public body must procure through the Agency those products or services from a preferred authentication service provider referred to in section 28(2) of the Electronic Communications and Transactions Act, 2002.

In other words, if the SITA cannot, or will not, provide the authentication product or service, it seems that the government department concerned will have to approach the Post Office in this regard in terms of section 28(2) of the ECT Act. Failing that, the department will have to wait for the Minister of Communications to designate any other authentication service provider as “preferred” before being able to make use of that provider's services.

Returning to section 13 of the ECT Act, if a signature is required by law, only an advanced electronic signature will do, invoking the considerable legal and technical complications explored in the previous paragraphs. On the other hand, moving beyond the matter of advanced electronic signatures, an “ordinary” electronic signature is not without force and effect just because it is in electronic form. If the parties have not agreed on a specific type of electronic signature, the requirement of validity is met with regard to a data message if
(a) a method is used to identify the person and to indicate the person's approval of the information communicated; and
(b) having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated.[108]

Again the legislation should be commended for not only focusing on the identification aspect of authentication, but also incorporating the exercise of will of the person whose signature stands to be authenticated. It also allows the court to exercise its discretion according to the relevant circumstances obtaining at the critical moment of signature.

The use of an advanced electronic signature puts the onus of proof on a person attacking the validity or proper application of the signature.[109] Finally, when an electronic signature is not required by the parties to an electronic transaction, an expression of intent will not be without legal force and effect merely because it is in the form of a data message or is evidenced by means other than an electronic signature.[110]

Note that regulations regarding cryptography and authentication service providers were recently promulgated.[111] These regulations make the provisions of the ECT Act much more practical and bring them closer to ideal business practice.[112]

5.2.5.4 Original
Section 14 of the ECT Act was probably inserted to deal with the rule that copies of paper documents are not acceptable as evidence in court. This is because signs of any alterations, erasures and so on are more obvious on original documents and because “wet” signatures may be subjected to forensic analysis.

The ECT Act deals with this problem by requiring that the integrity of the information contained in the data message be assessed: has it remained complete and unaltered except for the addition of endorsements or changes which arise in the normal course of communication, storage or display?[113] The Act also requires that the information be capable of being displayed or produced to the person to whom it is to be presented.[114]

5.2.5.5 Admissibility and evidential weight of data messages
Section 15(1) prohibits “the rules of evidence” from excluding the admissibility of a data message merely on the grounds that the message is not an original “if it is the best evidence that the person adducing it could reasonably be expected to obtain”. This clause takes care of the “best evidence” rule which is part of our heritage from the English law of evidence. This rule stems from the practice of admitting the best

102 Act 88 of 1998.
103 Act 38 of 2002.
104 [illegible]
108 S 13(3).
109 S 13(4).
110 S 13(5).
111 See para. 5.4.2 below.
112 For instance, by providing examples of the appropriate forms to be used.
113 S 14(2) of Act 25 of 2002.
114 S 14(1)(b).
alternative to evidence which has been lost or destroyed as the “best evidence” under the circumstances.

Section 15(2) instructs the court to give “due evidential weight” to a data message once that message has been admitted in terms of subsection (1). Section 15(3) sets out some valuable guidelines to assessing such evidential weight. These consist of the court's having regard to
(a) the reliability of the manner in which the data message was generated, stored or communicated;
(b) the reliability of the manner in which the integrity of the data message was maintained;
(c) the manner in which its originator was identified;
(d) any other relevant factor.

Factors (a) and (b) deal with the “chain of evidence” and how well the witness can indicate that what the court is seeing is what the data message originally consisted of. In this regard witnesses should consider finding guarantees of reliability in encryption programs and programs that make “checksums” of all the bits and bytes on departure and on arrival of a data message at the computer of the witness. If any of these sums show discrepancies, the integrity of the data message has been lost and the message no longer constitutes reliable evidence.

Factor (c) deals with the very important factors of authorship and source which constitute the heart of authentication. Factor (d) is simply a catch-all clause in case the legislature has “forgotten” anything.

Finally, subsection 15(4) introduces the so-called “shopbook exception” that South Africa has inherited from English law. A data message made “in the ordinary course of business” is admissible upon its mere production in legal proceedings[115] and constitutes rebuttable proof of the facts it contains. The common sense behind this rule is probably that busy businesspeople do not have time to scrutinise every one of the thousands of transactions that pass “through” their IT equipment daily, hence, unless something is obviously wrong or an uncommon transaction is processed, one may assume everything to be normal.

Section 15(4) was interpreted in Ndlovu v Minister of Correctional Services and Another[116] as dealing with two types of document, namely data messages made in the ordinary course of business (the correctness of which does not require certification) and copies, printouts or extracts from a business record which are certified as correct. Collier points out, however, that subsection (4) could also be interpreted as requiring the certification of both types of document identified by the court.

After the Ndlovu case some confusion developed concerning the exact relationship between the statutory provisions dealing with hearsay evidence and those dealing with admissions and confessions, particularly when one of the latter implicates a co-accused. An authoritative overview of these decisions and a workable resolution of the issues may be found in the decision of Litake and Others v S.[119] Here it was held that our courts should be aware of the danger of confusing provisions dealing with criminal procedure with statutory (or common-law) provisions dealing with hearsay.

In general, section 15 as a whole may be seen as the heart of the evidential part of the ECT Act. It addresses most of the negative arguments concerning the admissibility of documents emerging from a computer.

5.2.5.6 Originality
An original paper document has always carried more evidential weight than photocopies or faxes of it because of the forensic tests it can be subjected to. For this reason, a number of statutes require the holders of important documents to retain the original documents for certain prescribed periods of time.[120]

Section 16(1) of the ECT Act now allows data messages to comply with such high evidential requirements, provided that three requirements are met:
(a) the information contained in the data message has to be accessible for subsequent reference;
(b) the data message has to be in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; and
(c) the origin and destination of that data message and the date and time it was sent or received can be determined.

Section 16(2) makes it clear that these requirements do not apply to “any information the sole purpose of which is to enable the message to be sent or received” — the so-called “traffic data” or “metadata”.

The main merit of section 16 is that it makes possible the long-term retention of records in electronic format.

5.2.5.7 Production of document or information
The term “production” is taken from the law of civil procedure. The Civil Proceedings Evidence Act[121] sets out certain conditions and requirements regarding the production of documents. The purpose of these conditions and requirements is to enable the opposing side to familiarise itself with the documents the “producing” side is likely to base its case on and to prepare accordingly so as not to waste the court's time with lengthy adjournments.

The use of data messages as “documents” is permitted,[122] provided that certain conditions are met: namely that “the method of generating the electronic form of that document provided a reliable means of assuring the maintenance of the integrity of the information contained in that document” and that it was reasonable to

115 The proceedings might be in terms of any law, the rules of any organisation, or the common law.
116 [2006] 4 All SA 165 (W).
119 [2014] 3 All SA 138 (SCA). See the case discussion by Lianchman in PER 2015 (18) 2. This decision culminated a trend already started earlier and described in cases such as S v Molimi 2008 (5) BCLR 451 (CC).
120 See 5.2.5.1 above.
121 Act 25 of 1965.
122 S 17(1) of Act 25 of 2002.
expect that the information contained in the data message “would be readily accessible so as to be usable for subsequent reference”.[124] The second of these requirements has to be established “at the time the data message was sent”, which is somewhat strange in that certain data messages do not travel but simply remain in long-term storage for the rest of their lives. This is according to the definition of a[125] “data message” as “data generated, sent, received or stored by electronic means”.[126] The same definition also explicitly includes “a stored record”.

Section 17(2) introduces the concept of metadata, but in a wider sense than that used with regard to retention.[127] Whereas section 16(1) does not extend the obligation to retain information “the sole purpose of which is to enable the message to be sent or received”, section 17(2) states that the integrity of a data message remains unblemished despite “the addition of any endorsement” or “any immaterial change, which arises in the normal course of communication, storage or display”. Given the sometimes static nature of data messages, this seems a more complete and sophisticated qualification than section 16(1) and seems also to make provision for electronic signatures (“endorsements”) that do not affect the body of the data being signed. In this regard, XML[128] allows certain parts of a document to be signed, leaving other parts untouched.[129]

5.2.5.8 Notarisation, acknowledgement and certification
Section 18 deals with notarisation, acknowledgement and certification, which are usually carried out by specialised professionals. Notaries are, of course, specialised attorneys who have passed the required practical examinations and can act as a type of “super witness” for [illegible] important documents together with the two “ordinary” witnesses. They also provide a venue for the safe keeping of such documents. Should any doubt later arise concerning the authenticity of a document, the notary may produce that document and testify that the signatures are genuine.

Subsections (2) and (3) of section 18 deal with the portability of data from a hard copy to an electronic version of the same document. These subsections enable a qualified person to certify that the two forms of the same document are equivalent. In the cases described above in which an electronic copy of the document comes into play, the certifier or notary has to vouch for the authenticity of such copy by making use of an advanced electronic signature.

5.2.5.9 Other requirements
Section 19 strives to make a data message the full legal equivalent of a traditional paper document, albeit in electronic format.

Thus section 19(1) provides that a “requirement in law for multiple copies of a document to be submitted . . . is satisfied by the submission of a single data message that is capable of being reproduced” by the addressee of the message.

Correspondingly section 19(2) determines that legal nouns and verbs such as “document”, “record”, “file”, “submit”, “lodge”, “deliver”, “issue”, “publish”, “write in”, “print” or similar expressions should be interpreted so as to admit into evidence the electronic equivalent embodied in a data message.

Section 19(3) does the same with regard to the sealing of a document and section 19(4) with regard to registered or certified post, in the sense that this process may be performed electronically. Sealing of an electronic data message must be done by means of the advanced electronic signature of the person by whom the message must be sealed. Such a message which is to be registered must be registered by the Post Office concerned and sent to an electronic address supplied by the customer. This is probably because the Post Office is defined as a “preferred authentication service provider” by the ECT Act.[132] Mention has already been made of the need for the Post Office to provide the required technological infrastructure to make certain sections of the ECT Act more than just dead letters.[133] It is doubtful whether this infrastructure has been put in place as yet, and the lack of this important link provides another example of the ECT Act's not (yet) working.

5.2.5.10 Automated transactions
Section 20 deals with “electronic agents” that perform actions required by law for the formation of a contract. It also has some consumer protection built into it in that the party making such use of an electronic agent is presumed to be bound by the terms of the agreement. On the other hand, the party interacting with such an electronic agent to form an agreement is not bound by the agreement unless its terms are capable of being reviewed by a natural person legally representing that party prior to the formation of the agreement.[134]

Further consumer protection is built into section 20(e). Thus, no agreement is formed if a person interacting with the electronic agent has made a material error, is not given an opportunity to correct it, has not notified the other contracting party of the error as soon as the error came to the notice of the first party, has not taken reasonable steps conforming with the other contracting party's instructions to return the objects of any performance received in terms of the abortive agreement, and has not used or received any material benefit from the performance delivered by the other person.

It is interesting to note that, as long as the actions of the electronic agent are capable of review by the person making use of such agent, it is not necessary for the purposes of the principal's contractual liability that he or she actually do so. Presumably this is so that liability for wilful neglect or “blindness” cannot be avoided by a

124 S 17(1)(b).
125 In s 1 of the Act 25 of 2002.
126 Emphasis added.
127 See para. 5.2.5.6 above with respect to the retention of documents.
128 Extended Mark-up Language.
129 See Van der Merwe “How standards (such as XML) accomplish electronic authentication in Web services” 2005 Obiter 660.
132 S 28(2).
133 See para. 5.2.5.3 above, especially the discussion of s 28(2) of the ECT Act 25 of 2002.
134 [illegible]
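The checksum comparison suggested under section 15(3), together with the tolerance for transport data and endorsements described under sections 16(2) and 17(2), can be sketched as follows. This is an added example, not code from the book or the ECT Act; the set of headers treated as transport-only, the custodian's HMAC key and the sample message are assumptions constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Assumption: headers added purely to route or deliver the message (cf. s 16(2)).
TRANSPORT_ONLY = {"received", "return-path", "x-queue-id"}


def canonical_digest(value) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace cannot change the sum."""
    data = json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def field_digests(message: dict) -> dict:
    """One checksum for the body and one per evidential header.

    Transport-only headers and endorsements are deliberately not covered, so a
    relay stamp or an archivist's note does not count as a loss of integrity.
    """
    digests = {"body": canonical_digest(message["body"])}
    for name, value in message["headers"].items():
        if name.lower() not in TRANSPORT_ONLY:
            digests["header:" + name.lower()] = canonical_digest(value)
    return digests


def seal(message: dict, key: bytes) -> dict:
    """Custody record made on departure: the checksums plus an HMAC over them."""
    fields = field_digests(message)
    tag = hmac.new(key, canonical_digest(fields).encode(), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


def verify(message: dict, record: dict, key: bytes) -> dict:
    """Re-compute the checksums on arrival (or retrieval) and report discrepancies."""
    expected = hmac.new(key, canonical_digest(record["fields"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        # The record itself was edited, so it proves nothing about the message.
        return {"status": "record-altered", "changed": []}
    current = field_digests(message)
    names = set(current) | set(record["fields"])
    changed = sorted(n for n in names if current.get(n) != record["fields"].get(n))
    return {"status": "content-altered" if changed else "intact", "changed": changed}


def demo() -> dict:
    """Run the comparison over a constructed message in four states."""
    key = b"constructed-demo-key"  # assumption: held by the records custodian
    sent = {
        "headers": {"From": "clerk@example.org", "To": "registrar@example.org",
                    "Date": "2024-03-01T09:15:00+02:00",
                    "Return-Path": "<bounce@example.org>"},
        "body": "Payment of R 12 500 is confirmed.",
        "endorsements": [],
    }
    record = seal(sent, key)

    # Arrival after normal handling: a relay header and an archive endorsement.
    arrived = copy.deepcopy(sent)
    arrived["headers"]["Received"] = "from mx1.example.org by mx2.example.org"
    arrived["endorsements"].append("Archived 2024-03-02 by records office")

    # The same message with one digit of the body changed.
    altered = copy.deepcopy(arrived)
    altered["body"] = "Payment of R 72 500 is confirmed."

    # The same message with the date of sending changed (origin data, s 16(1)(c)).
    redated = copy.deepcopy(arrived)
    redated["headers"]["Date"] = "2024-02-01T09:15:00+02:00"

    # A record whose checksums were rewritten to match the altered body.
    forged = {"fields": field_digests(altered), "tag": record["tag"]}

    return {
        "arrived": verify(arrived, record, key),
        "altered": verify(altered, record, key),
        "redated": verify(redated, record, key),
        "forged_record": verify(altered, forged, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The HMAC protects only the custody record; it does not identify the originator, which is factor (c) and the business of the signature provisions.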
party who does not actually wish to review the process, in order that the agreement be unilaterally sabotaged.

5.3 South African case-law and opinion on ICT evidence

5.3.1 South African case-law
As is pointed out in 5.2.3, the genesis of South African legislation in the area of computer evidence lies in Narlis v SA Bank of Athens. In that case the bank sought to enter into evidence extracts from its computerised records, in order to show that the respondent had had an overdraft with it.

Although the Civil Proceedings Evidence Act[138] makes provision for entries in banker's books to be admitted as evidence, these provisions did not avail the bank. This was because section 33 of that Act precludes this submission if the bank is one of the parties to the litigation in which the evidence is sought to be used. Accordingly, the bank tried to make use of section 34(1)(a)[139] which contains the phrase “any statement made by a person in a document”. Holmes JA emphasised this requirement and uttered the following famous words: “Well, a computer, perhaps fortunately, is not a person”.[140]

Although this effectively disposed of the merits of the case, Holmes then continued to show in his judgment some other dangers inherent in accepting the bank's electronic document into evidence. There may be, for instance, no evidence proving how the computer operated, who operated it and who fed information into it. The proposed witness for the bank had not had continuous surveillance of the computer concerned and was not able to testify about such details as the opening debits of the electronic accounts concerned, the rate of interest charged, the correctness of the final amount owing or of certain other disputed figures.

S v Harper[141] was heard before the promulgation of the Computer Evidence Act,[142] but the latter would not have been applicable anyway, being limited to civil cases. In the Harper case the prosecution tried to prove the contents of certain accounting documents which had been (partly) stored on a computer. Milne J considered the definition of “document” in section 221(5) of the Criminal Procedure Act[143] and found that this specialised definition (“any device by means of which information is stored or recorded”) could not accommodate a computer, because the latter also sorts and collates evidence. However, the judge was able to make use of the more general approach to information contained in a document provided for in section 221(1) of the Criminal Procedure Act. This section provides that if a document forms part of a trade or business record, or if the person who originally supplied the information contained in the document is no longer able to testify, that document may be admitted as evidence of the facts contained in it. The term “document” in this sense was held by the court to be wide enough to include a computer printout,[146] provided that the other requirements of section 221 are satisfied. This more general concept of a document includes the limited definition in section 221(5), cited above, but is not limited by its scope.

In Harper the accountant who had been dealing with the books and records concerned was overseas during the time of the trial and it would have been very difficult and expensive to get her to return to South Africa to testify. This difficulty satisfied the inability-to-testify criterion set by section 221 of the Criminal Procedure Act, and the court accordingly admitted the computer printout as evidence.

This finding on the admissibility of computer-sourced records was confirmed and expanded upon for Namibia in the case of S v De Villiers,[147] decided in terms of the South African Criminal Procedure Act[148] which applied to Namibia at the time. The Namibian judge (O'Linn J) found that a computer printout was close enough to a “duplicate original” to be acceptable as evidence.[149]

S v Howard[150] was one of the last cases turning on the admissibility of computer-sourced evidence before the ECT Act[151] dealt with the matter in a more systematic fashion. Howard, a disenchanted computer programmer, had managed to halt the entire commercial activity of two major chain stores on a Saturday morning because he was unhappy with his working conditions. The Johannesburg commercial regional magistrates' court accepted computer-based evidence and convicted Howard of the common-law crime of malicious injury to property and sentenced him to five years' imprisonment.

The Howard case was followed by S v Ndiki, the facts of which were also played out before the ECT Act had come into force, although the case was heard afterwards. Seeing, however, that Ndiki is the first reported case in which the interface between IT and evidence is thoroughly scrutinised, it is dealt with in some detail.

The accused were charged with a number of counts of fraud and theft in connection with the delivery of medical supplies to the Department of Health and Welfare, Eastern Cape. The problem was that part of the State's case depended on the admissibility of computer printouts which constituted evidence necessary to prove the fraudulent actions with which the accused were charged. Counsel for the accused raised an objection to the admissibility of such printouts on the grounds that the ECT Act had not yet come into operation at the time of the commission of the alleged offences with which the accused were charged.

One of the first legal matters Van Zyl J had to deal with was whether the ECT Act could have retrospective effect in the present matter. In the end it was found that

138 Act 25 of 1965.
139 Of the Civil Evidence Act 25 of 1965. See para. 5.2.1 above.
140 Narlis v SA Bank of Athens 1976 (2) SA 573 (A) 577.
141 1981 (1) SA 88 (D).
142 Act 57 of 1983. See the discussion of the Act in para 5.2.3 above.
143 Act 51 of 1977.
146 Even one in which the information has been sorted and collated.
147 1993 (1) SACR 574 (Nm).
148 Act 51 of 1977.
149 Although not formally defined, the term “duplicate original” occurs a number of times in the wording of the Criminal Procedure Act 51 of 1977.
150 Unreported case no. 41/298/02, Johannesburg regional magistrates' court (discussed by Watney 2005 TSAR 603). The case is sometimes referred to as the “Edgars hacker” case.
151 Act 25 of 2002.
126 Information and Communications Technology Law
Chapter 5: The Law of ICT Evidence 127

this question could be left open because the printouts could be accommodated by existing law, as will be shown.

The judge then had to decide what the exact relationship was between the ECT Act and the Law of Evidence Amendment Act, specifically with regard to hearsay evidence. As far as the former Act is concerned, he found relevant case-law in Ndlovu v Minister of Correctional Services and Another in which Gautschi AJ stated that “there is no reason to suppose that section 15 seeks to overrule the normal rules applying to hearsay”. In marrying documentary evidence with the requirements of the Law of Evidence Amendment Act, Van Zyl J found as follows:

The definition of hearsay quite clearly extends to documentary evidence. Whether or not the evidence contained in the document can be said to [...] on the credibility of a person, is a factual question that must in turn be determined from the facts and circumstances of each case. If a computer printout contains a statement of which a person has personal knowledge and which is stored in the computer's memory, its use in evidence [...] upon the credibility of an identifiable [...] and [...] therefore [...] hearsay. On the other hand, where the probative value of a statement in the printout is dependent upon the ‘credibility’ of the computer itself, section 3 will not apply.

As will rapidly become apparent, Van Zyl J followed a logical approach in this matter, as well as the other outstanding issues, by concentrating on exactly what the party concerned wished to prove with a specific document and also on the specific requirements of any relevant legislation concerned. In reviewing prior case-law, he found that the Narlis case had said no more than the following on the requirement that “a person” had to be involved: “where it is sought to make a document admissible under section 34, the requirements of the Act have to be satisfied and one of those requirements is that the maker of the statement must be a natural person”.

He also dealt with S v Harper and found that Milne J had simply meant to say in that case that a computer, the machine itself, could not be seen as part of the extended definition of “document” in section 221(5) of the Criminal Procedure Act, at least not when the computer's operations comprise more than the mere storage or recording of information. However, this did not mean that a computer printout could not constitute a document, both in the ordinary sense of the word and also in terms of the definition in section 221(5).

Applying the above exposition of the law to the facts of the case, Van Zyl J differentiated between two classes of document. Exhibits D1 to D4 bore the signatures of certain officials and it was clear to the judge that these documentary statements were dependent upon the credibility of the signatories. The computer was merely a tool used by witnesses making typed hearsay statements, and these statements had to be judged as hearsay evidence. In the end this type of statement was admitted into evidence:

[...] as the [...] therein [...] and are not admissible in terms of the statutory exceptions in sections 34 of the Civil Proceedings Evidence Act or section 221 of the Criminal Procedure Act, such evidence is provisionally admitted into evidence.

The judge found that exhibits D5 to D9 stood on a different legal footing because they had been created without human intervention or assistance. In the end he found that this type of evidence could most fittingly be categorised as real evidence:

To the extent that the computer through its operating system processed existing information (Exhibits D5 and D9), did calculations and “create” new information without human intervention, such as [...] the [...] of cheques (Exhibit D9) and the recording of the identity of the [...] who [...] the [...] at any time; such evidence in my view constitutes real evidence. As stated, the admissibility of this evidence is dependent upon the [...] and the reliability of the [...] operating system and its [...] as opposed to the credibility [...]

In Ndlovu v Minister of Correctional Services and Another the Minister of Correctional Services relied on a two-page computer printout from the Department’s computer system which printout indicated monitoring of Ndlovu as a parolee during a period highly relevant to the outcome of the case. It was argued on Ndlovu’s behalf that the printout was not admissible as evidence because it was not the original document. Although this argument was rejected on technical grounds the court did make obiter mention of the possible applicability of section 15(1)(b) of the ECT Act. The court held — correctly, it is submitted — that the ECT Act did not interfere with the provisions of the Law of Evidence Amendment Act 45 of 1988 on hearsay evidence and that the court could exercise its discretion in terms of the latter Act to admit such evidence.

Another case in which the evidential provisions of the ECT Act played an important role is at present still being tried in the High Court in Pretoria — the so-called Boeremag case. In this matter a great deal of potentially incriminating evidence has been found on computers and Geographical Positioning Systems (GPSs) of some of the accused. At the time of writing the State’s case had finally been closed, but it is not certain when the entire case will finally be completed.
154 Act 45 of 1988, which brought about a new statutory regime for hearsay evidence.
155 [2006] 4 All SA 165 (W) 175F.
156 S v Ndiki [2007] 2 All SA 185 (Ck) 194 para. [31].
157 Ibid. 191 para. [20].
158 Narlis v SA Bank of Athens 1976 (2) SA 573 (A).
159 S v Ndiki [2007] 2 All SA 185 (Ck) 190 para. [14].
160 1981 (1) SA 88 (D).
161 Act 51 of 1977.
162 S v Ndiki [2007] 2 All SA 185 (Ck) 190 para. [16].
163 Ibid. 191 para. [17].
164 Ibid. 196 para. [95].
165 Ibid. 200 para. [56]. Note that this statement applied to the entire series of documents (D1–D9).
166 Ibid. 196 para. [37].
167 [2006] 4 All SA 165 (W).
168 For a fuller discussion of this interesting case, see Collier “Evidently not so simple: Producing computer printouts in court” 2005 (1) JBL 7.
169 And therefore not the best evidence available.
170 The objection was raised only during argument at the end of the case and not during evidence-in-chief or cross-examination.
171 Act 25 of 2002.
172 At the time of writing the case had been going for more than four years and it was not clear when it was likely to be concluded.
As counsel for some of the accused in this case, D van der Merwe, one of the present authors, explained to the court, there are two possible (and widely diverging) ways of approaching ICT evidence: the “paper” and the “protocol” approaches. According to these authors, the paper approach tries to approximate a hard-copy document as closely as possible, whereas the protocol approach accepts that we are dealing with digital documents and strives to find alternative (digital) guarantees of authenticity. The former approach has to be self-defining as to semantics — in other words, each instance of a paper document lays down its own rules for how it is to be understood — whereas the semantics of the latter approach are defined by the agreed-upon protocol, or standard, which is to be followed.

As thorough as the approach of Van Zyl J was in the Ndiki case, it was still very much a paper-based approach based on existing legislation and common law. It seems obvious that a worldwide need exists for universal standards as far as e-commerce, e-documents and digital signatures are concerned, and South Africa would probably need new dedicated legislation in this regard. Nevertheless, the approach in the Ndiki case in classifying at least part of the computer-based evidence as real evidence would seem to indicate the beginning of a shift to the protocol approach. Whereas the protocol approach tends to classify the products of modern technology as real evidence, the older, paper-based approach tends to classify such products as documentary evidence.

In Pillay v S the court considered the admissibility of tape recordings that had been made surreptitiously. The court found that the admission of such evidence would bring the administration of justice into disrepute and refused to admit it.

Another recent case illustrates the interplay of relevant legislation as far as information is concerned. In Clutchco v Davis the court had to tease out partially overlapping pieces of legislation including the Constitution, the Companies Act and the Promotion of Access to Information Act (PAIA). The court managed to do so by following a common-sense approach and by not saddling the company with over-onerous reporting duties in this regard.

In the case of real evidence from a computer, no hearsay is involved. As Van Zyl J pointed out, correctly, we submit, without human intervention only the accuracy of the computer is involved and no humans need be cross-examined about such evidence. The only people likely to be cross-examined are computer experts explaining the required standards of accuracy and whether the particular computer conformed to them.

In the case of documentary evidence from a computer, on the other hand, one needs to apply the test laid down by the Law of Evidence Amendment Act, namely whether the document contains statements and whether the value of these statements depends on the credibility of anyone other than the person giving the evidence.

The two opposite approaches are fairly easy to resolve by means of this test. A witness’s statement typed on a word-processing program by the witness herself or himself and handed in as evidence of the truth of the contents of such statement is obviously hearsay evidence in an electronic form. The statement tells a story which needs to be tested by cross-examination of the author. On the other hand, when the executor of a will hands in a printout of the will, he or she is obviously not vouching for the “truth” of the contents of the actual word-processing document. The document is the expression of the testator’s will and is not telling a story which needs to be tested by means of cross-examination. Whether the will is authentic (in the sense of not being forged) is another matter entirely and has nothing to do with hearsay evidence. The question of authenticity is covered by guarantees such as electronic signatures.

Unfortunately, the above position has been clouded by arguments that the ECT Act uses such wide language that all hearsay emanating from a computer is now unconditionally admissible. These arguments are dealt with under the next heading.

As has been shown above, lawyers will find that it is not always the ECT Act that is applicable, as more and more other pieces of legislation also start catering for the computer age. In Le Roux v the Honourable Magistrate Viana the matter turned on section 69 of the Insolvency Act. The court decided that the Act included books and documents relating to the insolvent estate, wherever these may be. More germane to the present work is the fact that electronic books and documents were also held to be included.

5.3.2 South African academic opinion

South African academic opinion has been fairly unanimous in its condemnation of the old Computer Evidence Act. A synopsis of the various academic viewpoints is found in Computers and the Law. Criticism of the Act was not confined to legal academics but also included that of a computer scientist who commented as follows:

When your house is not in order, do you put it in order, or do you change the law so as to define it as being in order? It is remarkable that the draftsmen of the new legislation appear to have ignored an avalanche of evidence that the house of computing is not necessarily in order.

The Computer Evidence Act was repealed by the ECT Act. Academic opinion of the newer Act has been much more positive.

One of the most recent commentaries on the legal position in South Africa regarding ICT evidence is that of Hofman. After giving a background to the ECT Act and discussing some of its provisions, Hofman asks whether the Act should not perhaps be restricted to commercial matters and not be extended to, say, criminal matters. He deduces from the long title of the Act, however, that the ECT Act was obviously meant to have more general application. We agree with him wholeheartedly, especially given the fact that the Act itself actually contains a number of criminal provisions. We also agree with him that the ECT Act was not meant to replace the entire warp and woof of documentary evidence in South Africa, but that “except where the ECT Act changes it, the ordinary South African law on the admissibility of evidence applies to data messages”. An excellent practical illustration of this common-sense approach is S v Ndiki and other recent case-law discussed above.

Thus, the ordinary South African rules regarding the admissibility of hearsay evidence should also apply to electronic hearsay. Hofman criticises the viewpoint of another author who argues that, because the definition of a “data message” is wide enough, all data messages are admissible, whether they constitute hearsay evidence or not. Hofman points out that this argument confuses form with content. For example, were a statement alleged to be hearsay a contract, defamatory statement or an assignment of copyright, the mere fact that it is in the form of an electronic data message would not suddenly render it hearsay. If the content of the data message does amount to hearsay, the court needs to look at the general rules regarding the admissibility of hearsay evidence.

Hofman should be commended for also stressing the importance of standards in this regard. In interpreting the evidential weight of data messages in terms of section 15(3) of the ECT Act, the court needs to call expert witnesses and take note of such standards as the code of practice issued by the British Standards Institute.

5.4 Technical aspects: Cryptography and standards

5.4.1 Introduction

Although the ECT Act tries to keep its definitions of “electronic signature” and “advanced electronic signature” technology-neutral, it is clear that some form of technology has to be involved in either process. The former definition speaks of “data being incorporated in or logically associated with other data” and the latter requires a process accredited by an “Accreditation Authority” in terms of sections 37 and 38 of the ECT Act. Section 38 sets out a number of criteria in this regard, namely that the electronic signature has to be

(a) ... uniquely linked to the user;
(b) ... capable of identifying that user;
(c) ... created using means that can be maintained under the sole control of that user; and
(d) ... linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable;
(e) ... based on the face-to-face identification of the user.

General agreement seems to exist that the only field of science able to meet the above list of needs is that of cryptography. This is exemplified by, for instance, the fact that the definition of “digital signature” in Webster’s New World Dictionary of Computer Terms starts off by speaking of “an encrypted, tamper-proof attestation”.

5.4.2 Cryptography Regulation and New Concept Legislation

The most basic building block, or component, in the process of encrypting something is called a cryptosystem or an encryption algorithm. This is a tool which, by means of a process called encryption, can transform “plaintext” into “ciphertext”. The process is carried out by means of an encryption key. Anyone wishing to read encrypted ciphertext needs the corresponding decryption key. Further discussion in this chapter focuses on the so-called “asymmetric” or “public key” system.

The word “cryptography” is derived from two Greek words, namely kruptos and graphe, and therefore literally means “hidden writing”. While military cryptography has been regulated by a number of Acts emanating from the Department of Defence, it has been left to the ECT Act to regulate the use of cryptography in private commercial activities in South Africa. Chapter V of the Act deals with this topic and section 1 of the Act contains certain important definitions in this regard, namely those of a “cryptography product”, “cryptography service” and “cryptography provider”. The Department of Communications has also [...] Cryptography Regulations specifically to administer and regulate the activities of cryptography providers in South Africa.

These regulations mainly cover the procedure to be followed by any party applying for registration as a cryptography provider with the Department of Communications. They also specify the information that has to be supplied with each application. Full details have to be supplied by the applicant concerning any cryptography services which have been outsourced, as well as information about any trusted personnel providing supervisory or management services.

Following on the Cryptography Regulations, the Department has also promulgated regulations in terms of section 41, read with section 94, of the ECT Act to regulate the activities of authentication service providers. These regulations are worth studying in greater detail, as they introduce new standards to be followed.

A draft ECT Amendment Bill was circulated by the Department in 2012 but there has been no indication when, and if, this will come into operation. One of its more dramatic innovations is the much greater emphasis that is being placed on security (as opposed to law). In the definition section provision is made for a “national critical information infrastructure”, a “Justice, Crime Prevention and Security cluster” or “JCPS cluster” as well as a “National Cybersecurity Framework”. Lawyers are not trained in the security field and these requirements might bring about much greater dependency upon experts in the field as specialist witnesses (or even assessors).

Internationally the increased interest in cryptography has led to some brand-new legal issues. This technology is at the basis of crimes such as espionage, treason and sedition and this has led to severe export restrictions. Even where the use of cryptography is legal (as in digital signatures, for instance), the creator of an encrypted document might be legally compelled to disclose relevant encryption keys and other techniques in order for a legal investigation to take place. United States legislation such as the Digital Millennium Copyright Act (1998) also makes possible the use of Digital Rights Management (DRM) in order to enforce intellectual property rights.

Whereas the Department of Communications was responsible for the draft legislation discussed above, the Department of Justice has recently published its own draft Cybercrime and Security Bill. It is fascinating to compare these two pieces of concept legislation side-by-side and to speculate as to whether they would be able to co-exist peacefully. An absolute overlap exists in that both pieces of legislation contain criminal prohibitions supported by severely increased penal provisions. The Justice Bill devotes more attention to procedural and evidential matters whereas the Department of Communications has tried to keep to the wide-ranging character of the original ECT Act, thus constituting a more complete replacement. Both Acts are ad idem on one specific point, however, this being also one of the most radical departures from previous legislation. This innovation consists of a so-called “Cyber Security Hub”.

This innovation is introduced into the 2012-Bill by means of section 85A. The Hub is tasked, inter alia, with “creating awareness concerning cyber crime”. With one exception, this is the only subclause referring to cyber crime, all other clauses dealing with “cybersecurity”. Thus, the Cybersecurity Hub shall administer the National Cybersecurity Framework in its manifold activities. This is a worrying trend, given the different philosophies underlying the legal and security fields. Will courts, with their legal background and training, be able to deal expertly with security issues and values?

Chapter 6 of the 2015-Bill also introduces “Cybersecurity Structures” such as a “Cyber Security Centre” and a “Cyber Response Committee” forming part of a “Cyber Security Hub”. In addition, a “Government Security Incident Response Team” will, inter alia, establish a 24/7 point of contact (one of the requirements set by the Budapest Cybercrime Convention of 2001). In addition the cabinet member responsible for police matters shall establish a “National Cybercrime Centre” and the cabinet member responsible for defence matters shall establish a “Cyber Command” as part of the Intelligence Division of the South African Defence Force. Similarly the cabinet member responsible for Postal and Telecommunication Services shall establish a “Cyber Security Hub” and finally, certain sections of the Private Sector may also be required to provide Security Incident Response Teams.

While the innovation embodied in the latest Bill has to be applauded, it is not clear where exactly this leaves the ECT Act, in its present form or in its suggested amendments. A turf battle also seems to be brewing between the legal and security fields, each with a totally different background and view of man. Finally, one has to wonder whether present-day South Africa possesses sufficient skilled manpower to administer this ambitious type of legislation properly.

5.4.3 Standards

The objective criterion of a generally accepted standard has assumed a crucial role in South African ICT law, and nowhere more so than in the law of evidence. Courts are desperately on the lookout for objective criteria by which to evaluate new technologies that have become legally relevant and to lay down legal “standards” in the form of precedent. In the law of evidence this is best illustrated by the legal controversy generated by electronic signatures, an area in which XML and XBRL will play an increasingly important role.

174 Taken from Eastlake and Niles Secure XML: The New Syntax for Signatures and Encryption 472-473.
175 See para. 5.4.3 below for more detail on these approaches.
176 S v Ndiki [2007] 2 All SA 185 (Ck).
177 And to rely on expert evidence in this regard.
178 And to rely on the document itself as the only reliable evidence.
179 [2007] 1 All SA 11 (SCA).
180 [2005] 2 All SA 225 (SCA).
181 S 32 of the 1996 South African Constitution as well as item 23(2)(a) of Schedule 6 to the same Constitution, being the transitional arrangement in relation to the right to information. The latter has been judicially considered. In Shabalala v Attorney General, Transvaal and another; Gumede and others v Attorney General, Transvaal 1995 (1) SA 608 (T).
185 Act 45 of 1988.
186 S 3(4) of Act 45 of 1988.
187 On this score, cross-examination of the [...] would also [...] considerable difficulties!
188 Authenticity and electronic signatures are specifically dealt with by the Electronic Communications and Transactions Act 25 of 2002.
189 Act 25 of 2002.
190 [2008] 1 All SA 546 (SCA).
191 Act 94 of 196
194 Ebden “Computer evidence in court” 1985 SALJ 687 688.
195 Act 25 of 2002.
196 Hofman “Electronic evidence in South Africa”.
197 Ibid. para. 2.3.
198 Ss 86 and 87 of the ECT Act 25 of 2002 which inter alia criminalise hacking and the creation and distribution of computer virus programs.
199 Hofman “Electronic evidence in South Africa” para. 3.2.
200 [2007] 2 All SA 185 (Ck).
201 See para. 5.3.1 above.
202 [...]
203 See Collier “Criminal law and the Internet” 385.
204 As embodied in the Law of Evidence Amendment Act 45 of 1988.
206 In s 1 of Act 25 of 2002.
207 In the sense that a particular type of technology is not required or prescribed.
208 [...] technology to [...] sign [...] to read the handwriting on cheques [...] tech push” [...] (accessed 23 May 2007).
209 See para. 5.2.5.3 above for a fuller discussion of this last criterion and the proposed role of the Post Office in this regard.
210 Pfaffenberger (ed) 162.
211 Ford and Baum Secure Electronic Commerce 2 ed 101 ff.
212 [...]
213 Which is unintelligible until it is decrypted.
214 See para. 5.4.3 below.
215 Meaning “hidden”.
216 Meaning “writing”.
219 GN R216 in Government Gazette 2854 of 10 March 2006.
220 Defined in reg 1 as “any persons who have direct duties or responsibilities for the day-to-day operations, security or performance of those business activities relating to cryptography products or services or any part thereof”.
GNM4 in Government Gazette 29995 of 20 June 2007.
GN 888 in Government Gazette 35821 of 16 October 2012.
[...] Reporting Language.
See Van der Merwe “How standards (such as XML) accomplish electronic authentication in Web services” 2005 Obiter 665 and “XBRL and the Law: Legal implications of Markup Languages” 2011
An interesting new field of application for XML is bills of lading and other sea-transport documents. A system called BOLERO (Bills of Lading for Europe) was developed but ran into interoperability problems because of differing data standards. These were solved by a new version, married with XML, called BOLEROXML. The latter system describes the structure and form of the contents being exchanged between two trading partners and in so doing makes the mutual compatibility of data easier.

Van der Merwe’s first article (on XML) documents the shift away from paper documents, with their traditional “wet signatures”, to electronic data messages, with their electronic or digital signatures. One of the most important future standards in this regard is likely to be XML, particularly in the form of one of its derivatives, “secure assertion mark-up language” (SAML). SAML was developed by the OASIS and has attained the (important) status of OASIS Open Standard. SAML also enables trust assertions to be made regarding the authorisations, authentications and attributes of specific entities, using the XML language specifically. These digital trust assertions are taking the place of traditional guarantees of authenticity and trust by referring to the so-called “building blocks of security”: authentication, integrity, non-repudiation, privacy and availability.

As is pointed out by Van der Merwe, the United States has become an eager disciple of XML after the unfortunate events of 11 September 2001, and the US Department of Justice has been using this data standard extensively to provide quick, reliable data. Applying the data standard to the law of evidence will not always be easy, but guidance can be found in Secure XML in which the authors distinguish between an electronic version of “paper” documents and a more advanced virtual (or “protocol”) view of electronic documents. Eastlake and Niles describe the “paper” view as follows:

PAPER: The important objects are complete digital documents, analogous to pieces of paper, viewed in isolation by people.

A major concern is to be able to present such objects as directly as possible to a court or other third party. Because what is presented to the person is all that is important, anything that can affect it, such as a style sheet, must be considered an intrinsic part of the paper. Sometimes proponents of the paper orientation forget that the ‘paper’ originates in a computer, may travel over, be processed in, [...] viewed on a computer. such (sic) operations may [...]position of messages from pieces of other messages, or data reconstruction.

On the other hand, the “protocol” view is described as follows:

PROTOCOL: What is important are bits on the wire generated and consumed by computer protocol processes. The bits are marshaled into composite messages that can have rich multilevel structure. No person ever sees the full message as such; rather, it is viewed as a whole only by a “geek” when debugging — even then he or she sees some translated visible form. If you ever have to demonstrate something about such a message in a court or to a third party, there isn’t any way to avoid having experts interpret it. Sometimes proponents of the protocol orientation forget that pieces of such messages are actually included in or influence data displayed to a person.

According to the latter view, counsel no longer have to hand up a laptop computer so that the judge might determine the “originality” of the data being “produced” before the court. The judge and assessors may work from a neatly typed (paper!) transcript, which is a mere aid in evaluating the technical work that has been done by an expert witness, who may later be thoroughly cross-examined. Cross-examination should turn particularly on the standards the technical expert followed in carrying out her or his work. The expert has to explain why the contents of the transcript may be trusted despite its journey through the bellies of several computers and other electronic devices. One should therefore forget about such old-fashioned documentary-evidence terms as “original” and “best evidence” and start comprehending such terms as “protocol”, “standard”, “canonicalisation” and other modern data terminology.

The ECT Act has taken a firm step in the protocol direction, with its emphasis on data messages, as opposed to the more paper-based orientation of the repealed Computer Evidence Act. While such terms as “original” and “writing” are still used in the ECT Act, they no longer serve as impenetrable barriers to the admissibility of electronic data messages. Still, new and internationally harmonised legislation is probably necessary to eliminate any further complications. Obviously, in this regard, international standards will play a key role in any such legislation.

In the light of the above, it is perhaps a pity that the regulations in connection with accreditation service providers make no mention of either XML or XBRL as standards. They do, however, rest firmly on other acknowledged standards. These standards include SANS 21188, a South African National Standard regarding a public key infrastructure for financial services; ITU X509, the International Telecommunications Union's recommendation regarding public-key and attribute certificate frameworks; and SABS/ISO 17799 regarding information-security management.

On the whole, the publication of the regulations must be welcomed because it represents a great step forward with regard to increasing trust in electronic documents. The regulations also establish public key infrastructure (PKI) and X509 firmly as standards to help give expression to many of the evidential clauses contained in the ECT Act. Indeed, the X509 standard has been described as “perhaps the most fundamental of the electronic signature standards”.

Coetzee “Incoterms, electronic data interchange, and the Electronic Communications and Transactions Act” 2005 SA Merc LJ 1.
Ibid. 11 fn. 0.
That is, made with ink.
The Organisation for the Advancement of Structured Information Standards.
See O'Neill et al. Web Services Security 6.
“How standards (such as XML) accomplish electronic authentication in Web services” 2005 Obiter 665 675 ff.
Eastlake and Niles Secure XML: The New Syntax for Signatures and Encryption 468.
The so-called “paper approach”.
238 A “geek” is here to be understood as someone whose interests seem to lie almost exclusively in [...]
239 Ibid.
240 [...]
241 Act 25 of 2002.
242 Act 57 of 1983 and see para. 5.2.3 above.
243 See fn. 208 above.
244 Which are specifically cited and defined in reg 1.
245 Very briefly, the user of a network publishes his or her public key for co-operation with other users of the network. However, only by means of electronic cooperation between that public key and

One possible problem as far as documentary evidence is concerned is that a number of standards are currently competing for the same slot. This is well explained in an article by the United Nations Development Programme's Asia-Pacific Development Information Programme entitled “Standards for electronic documents”.

Yet another problem with proprietary standards for electronic documents is one of “electronic archaeology”: “documents created by end users 10 years ago or less cannot be opened with 100 percent fidelity in modern office software”. Truly open standards should help to cure this “archaeological” problem, but at the moment portable document format (PDF), open document format (ODF) and Office open XML (OOXML) are all staking a claim to being the universal electronic document format. PDF is probably best at the moment for archiving of electronic documents, but is not suitable at all for common office functionality. Users who need such functionality will have to see which way the fight goes between ODF, which is supported by the programs of most neutral software vendors, and OOXML, which is Microsoft's “flavour” of open documents.

Both of these standards make use of XML, which is a positive factor, but Microsoft seems to have its own “flavour” of XML (which is more compatible with other Microsoft programs than with those from neutral software vendors) and has taken out a number of patents in this regard. This led South Africa to vote against the draft standard ISO/IEC DIS 29500, “Information technology — Office open XML file formats”, which gesture played its part in the draft standard’s not garnering the required number of votes for approval. In an effort to make OOXML more palatable

Digital identity management is becoming an ever-increasing priority for the private and public sectors in an anonymous electronic world in which one interacts and transacts with faceless partners over the Internet. The United States is considering “federal identity management” using such standards as PKI, SAML, WSDL and OpenID.

A further development upon the same theme has been XBRL. The fact that the acronym already mentions “Business” is an indication of the commercial potential of this data format. Recommended reading in this regard is constituted by an article entitled “XBRL and the Law: Legal Implications of Markup Languages”. Here examples of both XML and XBRL coding are given and the hope is expressed that XBRL will prove to be a greater commercial success than XML “because there is money in it”! The following definition of XBRL is given:

“a language for the electronic communication of business and financial data which [...] it provides major benefits in the [...] of business information. It offers cost savings, [...] improved accuracy and reliability to all those involved in supplying or using financial data.”

5.5 Comparative law regarding ICT evidence

5.5.1 Introduction

In any comparative survey involving the rules of evidence, one has to keep in mind the deep divide between inquisitorial systems (as found in most European countries and their former colonies) and accusatorial systems (as found in the United Kingdom and its own former colonies, including the United States of America). South
wo open-standards advocates, Microsoft has made it available under its “Open Specifi- Africa falls squarely within the latter category, even though jury trials were abol-
cation Promise” (OSP). This is a mechanism through which Microsoft offers some of ished in the 1950s. The origin of many South African rules of evidence can only be
its technology specifications for use by the open-source community while promising understood against the background of a jury composed of lay people who should not
Not Lo assert any patent claims against firms which implement such specifications in be influenced by prejudicial items of evidence.
their own software. In addition, Microsoft's “Identity Selector Interoperability Pro- Examples of the later are items which involve the competence, compellability or
file”, an aspect of the OOXML. program dealing specifically with identity manage- privilege of witnesses. Section 206 of the Criminal Procedure Act™ provides that the
ment, has also been mate available under the OSP- “law as to the competency, compellability or privilege of witnesses which was in force
in respect of criminal proceedings on the on the thirticth day of May, 1961, shall
the private key on the user's own machine can any mexsages get through to that machine. The apply in any case not expressly provided for in this Act or in any other law”. In terms
whole infrastructure keeping this system effective is known as the PKI and serves as a valuable of section 252 of the Act, the identical terms apply to the admissibility of evidence:
means of electronic au “The law as to the admissibility of evidence which was in force in respect of criminal
246 Brazell Electronic Signatures Law and Regulation 261.
247 UNDP-APDIP.
248 — “APDIP ¢-Note 18/2007" www.apdip.net
(accessed 31 July 2007)_ 256 The US Department of Defense, for instance, has been certifying an increasing number of XMI.
249 products for PRI use (see www gencom /egi-bin/udt (accessed 22 March 2002))-
250 Peeibap mags coarse 257 Derived from XML.
251) Under the protection of the Organisation for the Advancement of Structured Information Standards. 2598 Web Services Description Language.
252. Under protection of the international standards body ECMA. Although the acronym used to stand 259 Se wew.gor.com/cgi-bin/udt (accesed 22 March
for “European Computer Manufacturers’ Association”, the body has widened its scope beyond that
continent. 260 oat "Trina ase.
253 See Chapter 3 above for more detail om this controversy. 261 As defined by “XBRL International Inc. * (X11) who owns and freely licenses the XBRL. speafica-
254 Sayer “ISO votes to reject Microsoft's OOXML as standard” hitp://open.itworld.com (accessed tion.
5 September 2007). 262 Typical of the accusatorial
system.
25% “Microsoft opens up its identity les” www. rid.com(, i 24 May 263 Act 51 of 1977.
2007).
proceedings on the thirtieth day of May, 1961, shall apply in any case not expressly provided for by this Act or any other law”.

Because these provisions refer specifically to the evidential statutes applicable in South Africa before the declaration of independence from Great Britain — namely, those in force in England, they specifically import English law on those points into the South African law of evidence. This type of legal clause is known as a residuary clause.

Except in so far as the South African legislature has made specific changes therefore, those pre-1961 rules of English law still form part of the law of evidence in South Africa. For example, the UK case of Hollington v Hewthorn introduced a rule concerning opinion evidence into South Africa, namely that the evaluation of witnesses by a magistrate in a criminal case was only an opinion and could not serve any purpose in the ensuing civil trial. Since 30 May 1961 the UK courts have abrogated this rule, but it is deep-frozen into the South African law of evidence as a residuary clause.

5.5.2 The United States of America

In the USA, the so-called Federal Rules of Evidence (FRE) are discussed in an informed article by Paula N Singer. Of interest to the present chapter are the evidential rules regarding “data compilations”, which Singer discusses under the headings “Authentication”, “Hearsay” and “Best evidence”. She believes that foundation testimony plays an important role in authentication and criticises the American trend of shifting the burden of persuasion to the opponent of the evidence to try and show that such evidence is inaccurate or untrustworthy. This shift dispenses with the need for foundation testimony.

She also does not like the idea that FRE 902 dispenses with the need for the authentication of public documents. The accuracy of such documents still depends on the accuracy of the process by which the documents are created. Presumably computers used by the government function in a way no different from that of computers in the private sector. Similarly, civil servants cannot be trusted to be any more accurate than people whose very income depends on their own accuracy and productivity. In the end, Singer sums up by pointing out that too much attention has been focused on the form of the evidence presented and too little attention paid to the safeguards taken to ensure the accuracy of that information. In this regard the role of standards should not be underestimated.

Hearsay is defined in FRE 801(c) as “a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted”.

“Statement” is defined in turn as “(1) an oral or written assertion or (2) the nonverbal conduct of a person, if it is intended by the person as an assertion”. Obviously the “oral” part of the definition has caused few, if any, problems in connection with computer evidence, but as soon as the term “written” becomes relevant computers are usually involved. Very few people today resort to ballpoint pens and pads of paper when trying to express themselves “in writing”.

Because of the clear mention of a “person” and “assertion” it seems clear that purely computer-generated records should not be affected by the hearsay rule. Even though this exclusion is often cast under the “business records” exception, it is clear that such records would not qualify as hearsay in the first place.

As in many other countries, international standards are also important in the United States. Thus, recommendations from international bodies such as UNCITRAL play an important role in shaping American legislation in respect of electronic evidence. Comparing this situation with that in South Africa, Meiring opines that the UNCITRAL Model Law “forms the basis of the provisions in Chapter 3 of the ECT Act”. In fact, the South African provisions have been influenced by a much wider spectrum of international law, especially that of Europe, as shown in paragraph 5.5.3.

Openness to international legislative influences is also the true situation in the United States. The American Federal Electronic Signatures in Global and National Commerce Act (the E-Sign Act) lays down a fairly open-ended approach for the United States. One of its first stated principles is that a signature, contract or any other record relating to such an electronic transaction should not be denied legal effect, validity, or enforceability simply because it is in electronic form. Furthermore, a contract relating to such a transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

It is worth noting that, to prevent conflicting state-level approaches to IT evidence, the E-Sign Act forbids any state statute or regulation that would limit, modify or supersede any of the Act’s prescriptions in a manner that would discriminate in favour of or against a particular technology. This is an encouraging step in the direction of technological neutrality. However, it is accepted that each state may enact laws that offer an approach slightly different from that of the E-Sign Act, provided that variance is consistent with the overall terms of the Act.

Title III of the Act requires the US Secretary of Commerce to “promote the acceptance and use, on an international basis, of electronic signatures in accordance with [certain specified principles] and in a manner consistent with section 101 of [the Federal E-Sign Act]”. Underlying these lofty goals are the removal of paper-based obstacles to e-commerce, the ability to allow transacting parties to determine the appropriate authentication technologies and implementation models for their

See, for instance, United States v Vela 1982 673 F 2d (5th Cir 86).
See FRE 803(6) and cases such as United States v Moore 1991 923 F 2d (1st Cir 910).
As argued by Khaled “The evidential provisions of the ECT Act 25 of 2002: A comparative law perspective” (LLM dissertation, Unisa, 2008) 15.
The United Nations Commission on International Trade Law, which has also produced a Model Law on Electronic Commerce.
“Electronic transactions” 83.
Public Law 106-229 of 30 June 2000.
S 101(a).
transactions, the ability to allow transacting parties to prove that their authentication approaches and the transactions themselves are valid, and the principle that jurisdictions should follow a non-discriminatory approach to electronic signatures and authentication methods from other jurisdictions.

While the E-Sign Act works on the federal level, states are encouraged to adopt individually a uniform Act proposed by the National Conference of Commissioners on Uniform State Laws dealing with the validity of electronic records and electronic signatures. This Uniform Electronic Transactions Act was promulgated by the National Conference in 1999 and has since been adopted in one form or another by 41 of the federal states and by the District of Columbia.

In the end, a statement to the effect that US policy on electronic signatures is based on a minimalist approach of the UNCITRAL model is at least partially justified. However, this is still a long way from adoption of the latter model in its entirety, as has been done by countries such as Australia, France, Ireland and the Philippines. Readers should also be alive to the possibilities of an alternative model in the shape of the EU's Electronic Signatures Directive, which is dealt with in paragraph 5.5.3 below.

Of great interest is the signing into effect of the US Digital Accountability and Transparency Act (DATA) by President Obama on the 9th of May 2014. It is hoped that this law will move United States federal spending from a document into a data environment where the XBRL standard is also likely to play a major role.

The above international standards do not prevent the various federal states from articulating different standards for their day-to-day practice regarding the admissibility of computer records. These standards may relate to such factors as whether standard equipment was used, whether routine procedures were adhered to and whether the required foundation testimony indicated trustworthiness.

5.5.3 The United Kingdom

In the UK Colin Tapper was one of the first commentators on the (then) new area of “computer law”. His comments on the struggles of this new area of human endeavour with some of the ancient rules of evidence still have some relevance, even well into the twenty-first century: “Much of the history of the law of evidence, and particularly of the hearsay rule, over the last 100 years, has been one of painful and ponderous adaptation to the reception of documentary evidence.”

He mentions three ways in which the law of evidence may respond to the challenge:
(a) by expanding the common law rules;
(b) by extending to the exceptions to the rules applicable to hearsay or best evidence, originally crafted to deal with ordinary documentary evidence; or
(c) by creating a statutory solution drafted specifically with computers in mind.

The last-mentioned course seems to have been the British way of doing things as far as the form of documentary evidence is concerned. The most important pieces of UK legislation in this area have been the Evidence Act of 1938, the Criminal Evidence Act of 1965, the Civil Evidence Act of 1968, the Police and Criminal Evidence Act of 1984, the Criminal Justice Act of 1988 and the Civil Evidence Act of 1995.

British courts have struggled to adapt the provisions of some of these Acts to computer evidence, especially in cases complicated by hearsay implications. R v Spiby presents an excellent synopsis of the previous treatment by UK judges of this problem, and presents a sound common-sense model for dealing with this type of legal problem.

In Spiby the tills in a shop were connected to a computer. After processing by the latter, the results of the day’s transactions were printed out on till rolls. The witness called to explain the system had no specialised computer training, but was an experienced clerk with a sound general knowledge of the financial system of the shop. The judge found that the matter did not need to be solved by the maxim omnia praesumuntur rite esse acta, nor was it necessary to go into the whole question of hearsay evidence, because the piece of machinery had produced its printouts without any human intervention. Still, irrespective of whether the evidence is hearsay, some type of additional evidence may have to be presented by the Crown that the “automatic” computer systems functioned reliably. Even though reliability can often simply be deduced from the presumption of regularity, in the present case the trial court was assisted by a witness explaining the working of the system. The judge found that the witness had sufficient knowledge and experience to assist the court. Even though the main body of the Act provided no specific rules in this regard, the court found the duty concerned in Part II of Schedule 3 of the Police and Criminal Evidence Act.

All this work from the previous century has now been almost completely superseded by European Union legislation which has found application in the United Kingdom. The basis for most of these EU-based legal developments may be found in an EU directive which has been adopted as authoritative in the UK by means of the Electronic Communications Act. Section 7 of this Act addresses the admissibility and evidential weight of electronic signatures as follows:

7 (1) In any legal proceedings
(a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and

Brazell Electronic Signatures Law and Regulation 149.
See www.ibls.com /docsfornLasp (accessed 4 July 2007).
See par. 5.4.3 supra.
See, for example, Capital Marine Supply v M/V Roland Thomas II 1983 719 F 2d (5th Cir 104-106) and Khaled “The evidential provisions of the ECT Act 25 of 2002: A comparative law perspective” (LLM dissertation, Unisa, 2008) 19 ff, 81.
Tapper Computer Law 149 ff.
1990 91 Cr App 186.
“Everything is presumed to have been done in the proper fashion.”
Hearsay was a separate issue of admissibility and not relevant in the present case. Had it been, the Crown would have had to comply with s 68 of the Police and Criminal Evidence Act, 1984 or its successor, s 24 of the Criminal Justice Act, 1988. It is unwise therefore to cite Spiby as authority for the admission of hearsay evidence.
And the criteria to discharge this duty.
1984 Chapter 60.
1999/98/EC.
2000 Chapter 7.
(b) the certification by any person of such a signature,
shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.
(2) For the purposes of this section an electronic signature is so much of anything in electronic form as —
(a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and
(b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.
(3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that—
(a) the signature,
(b) a means of producing, communicating or verifying the signature, or
(c) a procedure applied to the signature,
is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

This takes care of two difficult questions that might arise, namely the authenticity of certain communications or data and the integrity of such communications or data. The details surrounding possible implementation of a technical solution to such problems were spelled out by the subsequent Electronic Signature Regulations, passed into law in the UK during 2002. These regulations deserve a closer look, especially since they seem to have been the inspiration behind an important part of the South African ECT Act. The latter’s definition of an “advanced electronic signature” is, in fact, taken almost verbatim from the UK regulations. Unfortunately the South African parliament then grafted onto this definition a special role for the South African Post Office, which role it has been unable to fulfil.

Also interesting for comparative purposes is the UK regulations’ definition of an (ordinary) “electronic signature”: “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”. This definition is quite close to that in the South African ECT Act except for the fact that the latter adds “incorporated in” to the list of associating verbs and uses “intended by the user to serve as a signature” instead of “serve as a method of authentication”. Whatever the detail, there is an apparent common source of inspiration.

5.5.4 Australia

Special mention should also be made of Australia because of its legislative efforts in the field of ICT evidence. Its legislative history is typical of that of many other countries and provides an instructive example.

The state of South Australia was one of the first legislatures to come up with a definition of “computer” distinguishing it from other machines: “a device that is by electronic, electro-mechanical, or other means of recording and processing data according to mathematical and logical rules and of reproducing that [sic] data or mathematical or logical consequences thereof”.

According to Tapper the South Australian Evidence Act is an excellent early example to any legislature wanting to enact similar legislation. Sections 59a and 59b were added in 1972 specifically to provide for computer output, which includes computer-generated documents. It has been remarked that “these appear to be derived from section 5 of the English Civil Evidence Act 1968 but are somewhat different in substance and drafting”.

It is also interesting to note that the state of Victoria took another tack entirely with its Evidence (Documents) Act of 1971, which amended Victoria’s Evidence Act of 1958. The main conditions required for the admissibility of a document were that business should have been “as usual”, the document had to have been produced in a period during which the computer was regularly used to store and process information for the purpose of any activities regularly carried on during that period, whether for profit or not; during that same period and in the ordinary course of those activities, the computer must have been regularly supplied with information of the kind contained in the statement or of the kind from which the information so contained was derived; and, finally, that information contained in the statement had to reproduce or be derived from information supplied to the computer in the ordinary course of those activities.

It is quite clear that “regularity” and “ordinarily” played quite an important role in the fate of Victoria's electronic documents. These terms are vague in themselves and one wonders what the situation would have been in the event of everyday occurrences such as the end-of-the-financial-year rush or thieving employees. Would that have led to a temporary moratorium on the admissibility of any electronic documents? That said, South Africa also makes use of the “in the ordinary course of business” test in section 15(4) of the ECT Act dealing with the admissibility and weight of electronic records.

Victoria’s conditions for admissibility also played an important role regarding a certificate purporting to be signed by a person holding a responsible position in relation to the computer or to the management of the relevant activities. The court could in its discretion reject any statement if for any reason it appeared to that court to be inexpedient in the interests of justice that the statement be admitted. The Law Reform Commission of New South Wales criticised these provisions:

287 Act 25 of 2002.
288 That of initial face-to-face authentication, by a Postmaster, to launch the entire chain of authentication: President Mbeki signed the Electronic Communications and Transactions Bill into law, by means of an electronic signature in the physical presence of the [...]
289 S 1 of Act 25 of 2002.
290 S 59a of the Evidence Act of South Australia 1929-1972.
The first criticism is that, although there is a discretion to reject, there is no condition of admissibility which requires the information supplied to the computer to have any particular standard of reliability as is the case with statements in business records not produced by a computer which are admissible under section 55. There is no practical reason for not specifying a standard of reliability for the source material whether or not the record in question was produced by a computer. We think that, in failing to specify such a standard, section 55B goes further than is either necessary or desirable to meet the [...] for the admission of [...] produced by computers.

The second criticism of section 55B is that the provisions for proof by certificate of the conditions of admissibility have been [...] too far. A party against whom such a certificate was tendered might often find it difficult to claim effectively that oral evidence of the matters in the certificate should have been called because he would ordinarily have no knowledge or means of knowledge of the record-keeping process in question. We think that an opportunity for cross-examination should be given by requiring oral or affidavit evidence of such matters.

The third criticism of section 55B involves a comparison with section 55. It depends upon the fact that any system of records may be kept or produced either by the use of [...] by sections 55 and 55B produce anomalous results. Take for example hospital records. These are now kept by use of computers in some hospitals in circumstances which would satisfy all the requirements of admissibility [...] by 55B. A statement in a printout of such a record would be admissible as evidence of the facts asserted. If the records were kept in the usual written form, and the same statement appeared in them, the statement would not be admissible under 55 unless there was evidence that the person who made the entry or supplied the information from which it was made had knowledge and was not available as a witness, or pursuant to an exercise of the court's discretion. Another example is provided by credit bureau operations. A printout from the records of a credit bureau if kept by use of a computer would be admissible under section 55B as evidence of the facts asserted. But if the records were kept in a written form, a statement in the records would not be admissible under section 55 without proof of knowledge and unavailability of the person who supplied the information, or in the discretion of the court as mentioned above.

The import of these remarks is obvious. In adapting to new forms of digital evidence, courts should not throw overboard all of the traditional safeguards for and guarantees of the integrity and authenticity of documents, whether these be in hard copy or electronic form. One of these safeguards is the right to cross-examine properly an expert witness, which right should not be substituted by a “certificate” from some anonymous civil servant. On the other hand, to try to drag ICT-stored data back to the traditional paper test of “proof of knowledge” by an “available person” who makes entries and supplies information seems overly conservative. It is a fact of modern life, with its increasing technological complexity, that humans no longer have an overview of everything that happens within the “belly of the beast”— in this case, inside the processor and memory of a computer. A much better way to guarantee the quality of ICT data is to ensure that the human role-players who have anything to do with the electronic data concerned adhere to certain standards.

In the end, Australia passed a federal Act in this regard in the shape of the Electronic Transactions Act of 1999, based on the UNCITRAL Model Law on Electronic Commerce of 1996. The Electronic Transactions Act addresses many of the concerns raised above and is also fairly technology-neutral so as not to be overtaken by fast-moving technological developments. For example, in terms of the Act electronic signatures are acceptable in evidence, provided that the method used to create such signature was “as reliable as was appropriate for the purposes for which the information was communicated”. The Act also provides a solution for such ticklish issues as the production, recording and retention of electronic documents.

Following the promulgation of the federal Electronic Transactions Act, each of the Australian States repealed its older legislation and enacted slightly differing local versions of the federal Act.

5.5.5 Germany

Having dealt with three countries from the common-law spectrum, the present overview would not be complete without reference to at least one civil-law country. Germany is an excellent example of such a jurisdiction.

German legislation addresses three main areas of application:
(a) imitation-proof digital signatures;
(b) building the required country-wide security infrastructure; and
(c) guaranteeing the rights of participants to electronic and legal activities.

Bieser is optimistic about the legal success of digital documents with digital signatures and argues that such documents should have at least the same evidential value as traditional (paper) documents.

In Bieser’s view the required legal and security infrastructure ought to be built up by means of free competition. The role of the State should be confined to licensing and controlling the role-players with regard to digital signatures. This is analogous to the position in South Africa where the Department of Communications fulfils a similar licensing and regulatory function with regard to such role-players as authentication and cryptography service providers.

The first piece of legislation to address specifically the topic of electronic signatures in Germany was a 1997 “Law for Electronic Signatures”, which, according to Brazell, was so “highly prescriptive” that it formed one of the reasons for the European Commission’s introduction of the Electronic Signatures Directive. In the end, the “Law Governing Framework Conditions for Electronic Signatures”, amending the 1997 Act, was passed in Germany, specifically regulating the activities of certification service providers. Once accredited by the Regulierungsbehörde, such a service provider may provide “qualified electronic signatures with provider accreditation”, a kind of “seal of approval”.

S 10.
Similar to that of Victoria's Evidence Act of 1958 and Evidence (Documents) Act of 1971 and South Australia’s Evidence Act (see fn. 270 above).
Brazell Electronic Signatures Law and Regulation 117.
[...] Teil I S 876 of 21 May 2001.
By means of a special certificate,
[...] of the Law for Electronic Signatures.
146 information and (heumenicaiions Technology Law
Chapter5: The Law of ICT Evidence 147

The stated purpose of the “Law Governing Framework Conditions for Electronic Signatures” is to “create framework conditions for electronic signatures”. Especially interesting are the varying definitions of the different levels of sophistication for electronic signatures. Thus “electronic signatures” are defined as “data in electronic form that are attached to other electronic data or logically linked to them and used for authentication”.

The next step up is that of “advanced electronic signatures”, which are defined as “electronic signatures” with additional characteristics. For instance, they
(a) are exclusively assigned to the owner of the signature code;
(b) enable the owner of the signature code to be identified;
(c) are produced with means which the owner of the signature code can keep under his sole control; and
(d) are so linked to the data to which they refer that any subsequent alteration of such data may be detected.

le readers will immediately recognise the strong resemblance to the South African definition of “advanced electronic signature”, the criteria for which are set out in section 38 of the ECT Act. This resemblance is not surprising, because both concepts stem from the same EU framework, namely the Directive. However, the Germans go one step further by also defining “qualified electronic signatures”. These are advanced electronic signatures that
(a) are based on a qualified certificate valid at the time of their creation; and
(b) have been produced with a secure signature-creation device.

A criticism that might be brought against the formulation just quoted is that it is perhaps not sufficiently technology-neutral, focusing specifically on the PKI infrastructure. In this respect the second part of the definition is more satisfactory, simply speaking of a “signature-creation device” which is more neutral in terms of the technology used.

Because of the nature of the inquisitorial criminal justice system, most European countries do not have the problems with the admissibility of evidence that countries in the common-law tradition have. The fact that most of the latter still have jury trials means that an extra procedural step has to be built into their criminal procedure — namely, the determination whether a given piece of evidence is admissible or not. Only evidence admitted in this way by an accusatorial judge is subject to the second test, the gauging of the weight of such evidence. The latter test is the only task of inquisitorial judges.

5.6 Conclusion
South Africa can be considered a leader in the area of electronic evidence in Africa, primarily because of the recent adoption of a number of technology-related statutes. It is, however, of the greatest importance that Africa realises the strategic importance of acting (and legislating) as a continent to achieve the same economies of scale and harmonisation of legislation that other continents are starting to achieve.

In this regard, Africa could do worse than follow the example of its former colonial masters. If the French, Portuguese, German, Dutch, Belgian and British legislatures can co-operate, as they are doing in respect of Europe-wide legislation, surely their former colonies can similarly work more closely together in this very important area of human endeavour regarding the admissibility and weight of ICT-based evidence. Unfortunately their colonial heritage seems to be delaying the adoption by the African Union of a true pan-African approach. The Francophone countries seem bent upon following an inquisitorial system of evidence and procedure while the Anglophone countries base their system on the accusatorial British approach.

In the area of ICT evidence, as in most other areas of ICT law, standards are of vital importance. It seems that the system of public and private keys, with their accompanying certificates, is likely to become a worldwide technical standard in the area of electronic documents. The South African legislature has a difficult balance to maintain between using technologically neutral words and making it clear that international standards must be adhered to. In this regard, standards-setting bodies such as the South African Bureau of Standards have a major role to play.

ElectronicSignatureAct.pdf (accessed 9 July 2007).
S 2(1).
S 2(2).
Act 25 of 2002.
S 2(3) of the German Electronic Signature Act www.signaturbuendnis.de/englisch/legalrequirements/ElectronicSignatureAct.pdf (accessed 9 July 2007).
A noble exception being South Africa.
Even though South Africa abolished the jury system halfway during the previous century, a look at our stringent rules governing the admissibility of evidence shows that our law of evidence still operates as if a jury is present.

9 Data Privacy Law

9.1 Introduction
The collection of information on individuals is not a new phenomenon. In fact, record keeping on individuals is as old as civilisation itself. However, the development of information technology has influenced the collection and exploitation of personal information. Computers are able to store vast amounts of information (in the form of raw data) relatively effortlessly, economically and for long periods of time. Furthermore, they are able to process and disseminate that information at incredible speeds. The end result of such processing is often the creation, by humans or — frequently — the computer itself, of new information that forms the basis of decision-making.

The development and growth of telecommunications technology, connecting computers in networks (principally the Internet) and enabling the transmission of information between computer systems, has further lent impetus to the processing of personal information. Networks enable more users to gain access to a wider range of personal information. Various organisations keep financial, medical, education and employment records of individuals for a variety of purposes. Networks make it possible for this information to be shared by different computer users. The global economy is dependent on the transfer of information, including personal information, via global information networks.

The risks inherent in the processing, be it manual or automatic, of personal data or information are that the data or information may be inaccurate, incomplete or irrelevant, accessed or disclosed without authorisation, used for a purpose other than that for which they were collected, and that they may be unlawfully destroyed. When data are processed automatically, added risks arise because of the very nature of automatic processing. It is very difficult to check the contents of storage systems, because information is stored in a form which is not immediately intelligible. Also, the volume, range and nature of the data stored may be enormous. Automatic processing increases the possibilities of intercepting, storing, matching, sharing, mining, selecting and accessing personal data.

The collection of personal data or information has become ubiquitous in everyday life. Sometimes people give out the information voluntarily (on social service networks, or to businesses who offer loyalty cards in exchange for personal information, to name but a few), but sometimes the information is collected surreptitiously by means of technological inventions that the data subject is not even aware of. Examples include the use of cookies, radio frequency identification tags (“RFID tags”) on

1 The Roman Empire, for [...] who were identified through census taking. Similarly, [...] decreed that a variety of information was to be collected on his subjects and in 1086 his scribes began to keep records in the Domesday Book. See Roos “The law of data (privacy) protection: A comparative and theoretical study” (LLD thesis, Unisa, 2003). Also see Madsen Handbook of Personal Data Protection 6-7; Bennett Regulating Privacy: Data Protection and Public Policy in Europe and the United States 18 points out that historical research has traced the notion of a system of personal records to most of the ancient civilisations of the Far and Near East, Central and South America and the Mediterranean.
2 [...] storage, [...] retrieval, [...] 1996 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data [...] 281/31).
3 See Roos “Data protection: Explaining the international backdrop and evaluating the current South African position” [...] 6.
4 See Roos “Data protection” 2007 SALJ 401 and “The law of data (privacy) protection” 6.
5 Neisingh and De Houwer Transborder Flow of Personal Data: A Survey of Some Legal Restrictions on the Free Flow of Data Across National Borders 16.
6 [...] Law of Privacy in South Africa 195-196; Faul “Grondslae van die beskerming van die bankgeheim” (LLD thesis, RAU, 1991) 524.
7 Data matching entails comparing the records of different agencies or institutions by using a common denominator, [...] one file, in order to [...] benefits under a government programme. [...] and abuse from government programmes, although a side effect could be that the government builds up dossiers about individuals.
8 An example of a shared database is that of the South African Insurance Association, who maintains a claims database for all its members. The purpose of such a shared database is to combat fraud. E-governance, where the government has one database for all [...] example of data sharing.
9 With so-called “knowledge discovery in databases” or [...] new information is [...] or “mined” by means of new [...] A [...] concept is data warehousing. This is a process in which an organisation collects information from disparate sources and loads these data into a central integrated database for subsequent analysis and (re-)use. See Bygrave Data Protection Law 306.
10 [...] 46-847 we are in the “Era of Revelation”, in a time period signified by the “Great Privacy Give-Away” — people give out more and more personal information for various reasons.
11 A cookie is a small text file, usually a sequence of numbers, which is stored by a website on the computer of a user when visiting the particular website. The computer can be identified by means of the cookie and when the user browses the Internet, the browsing habits of the user can be traced [...] knowing about it. Cookies can also be used by select web applications to store data which can later be retrieved by the application (for example, an internet user's online shopping basket items or e-mail address) and that the web application may need in order to fulfil its function. There are also more sophisticated and dangerous cookies that are not text files, which are difficult to detect and which can collect much more detailed information about the user. See Hoofnagle, Soltani, Good, Wambach and Ayenson “Behavioral advertising: The offer you cannot refuse” 2012 Harv L & Pol'y Rev [...]

consumer items or the use of scanners with which information on a mobile device of which the Bluetooth or Wi-Fi has been activated, can be collected. It is not an exaggeration to say that the world is experiencing a “data deluge”.

Processing of data for e-commerce purposes poses further privacy risks, such as those related to the use of profiling, traffic data, cookies, web bugs, spyware and spam. Online contact with a consumer makes it possible for the data controller to follow the electronic “footprints” left by the consumer (in the form of cookies or traffic data), thus enabling the collection of information on the consumer, such as spending habits, websites visited, credit-card details, and so on. This in turn enables, for example, the creation of a customer profile that can be sold to marketers and/or used for the sending of unsolicited commercial e-mail.

Providers of search engines also have the capability to draw up detailed profiles of the interests of their users by combining traffic data with other data stored by them. At a Data Protection and Privacy Commissioners’ conference, the following was said about search engines:

“[S]earch histories stored by [...] of search engines now in many cases may constitute personally identifiable data. Specifically, in cases where operators of search engines are also offering other services leading to the identification of an individual (e.g. e-mail), traffic and content data from searches could be combined with other personally identifiable information derived from those other services during a single session (e.g. based on comparing IP-addresses). The percentage of search history data that can be linked to individuals is likely to further rise in the future due to the uptake of the use of fixed IP numbers in high-speed DSL or other broadband connections where users’ computers are always online.”

Internet e-mail containing personal information may be intercepted during transmission or at any point where the e-mail is stored. This raises privacy and security concerns, which again brings data privacy rules into play.

New wireless technology also introduces new privacy concerns. Mobile-communications networks make it possible to determine the geographical location of a user's mobile equipment. This feature can be very useful in the area of safety or security. For example, in an emergency situation a person’s whereabouts can be determined by tracing the location of his or her mobile phone. However, other uses of this technology, such as location-based advertising, can be very intrusive, raising privacy concerns.

Cloud computing and Big Data, two of the more recent developments in IT, have a huge impact on data processing. Cloud computing, in brief, is a way of providing IT services over the Internet. A cloud computing services provider can offer various services such as data storage space as well as software applications to multiple customers on demand. In other words, instead of storing data and software on a user's hard drive, it is now stored on various servers which could be located anywhere in the world and accessed, when needed, via the Internet. As a result, stored information can no longer

12 Information about the shopper's [...] (where the shopper is shopping and what he, she or it is buying) is collected and can be used in targeted advertisement.
13 De Zwart, Humphreys and Van Dissel “Surveillance, Big Data and democracy: Lessons for Australia from the US and UK” 2014 UNSWLJ 713 715-716.
14 A variety of [...] can be [...] in this [...] such as the [...] of the person's acquaintances, friends or family members, or GPS information which indicates where the person has been. UN Global Pulse Big Data for Development: Challenges & Opportunities (2012) 8.
15 Bygrave “Minding the machine: Article 15 of the EC Data Protection Directive and automated profiling” 2001 Computer Law and Security Rep 17 defines profiling as “the process of inferring a set of characteristics (typically behavioural) about an individual or collective entity and then treating that person/entity (or other persons/entities) in the light of these characteristics”. The speedy, cheap and [...] access to large [...] of personal data gathered in various places and at various moments enables the composition of a profile on an individual that may influence decisions concerning, inter alia, the individual's qualifications, credit eligibility, health, insurance, consumption patterns, social security and employment.
16 Traffic data are data that are processed in order to transmit an electronic message or to send a bill for the service rendered. Such data include data indicating the origin, route and destination of a message, as well as the time, size and duration of the message. According to para. (15) of the preamble to the EU's Directive on Privacy and Electronic Communications 2002/58/EC, traffic data may, inter alia, consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, the location of the terminal equipment of the sender or recipient, the network from which the communication originates or at which it terminates, or to the beginning, end or duration of a connection. Traffic data may also consist of the format in which the communication is conveyed by the network.
17 See fn 11 above. Also see EU Data Protection Working Party Working Document 02/2013 providing Guidance on obtaining Consent for Cookies WP 208 (2013).
18 Web bugs are special links in a web page. They are very small (often the size of a pixel) and usually disguised. Web bugs can be embedded in an HTML document and can also be included in an e-mail. By using web bugs, websites can gather information such as when website users read their e-mail and to whom they forward their messages. See further Gratton Internet and Wireless Privacy 9.
19 Spyware or “ET software” is an [...] type of software. Cohen “How to protect your privacy: Who's watching you?” Time Magazine 31 July 2000, 56-43 discusses this new kind of software, referring to it as “software that commandeers your computer to spy on you” (at 38). According to Cohen, when one downloads free software designed, for example, to help with online shopping, this software not only does useful things like giving recommendations about products while one is shopping online but also does other unpleasant things: “This software plants itself in the depths of your hard drive and, from that convenient vantage point, starts digging up information. Often it's watching what you do on the Internet. Sometimes it’s keeping track of whether you click on ads in software, even when you are not hooked up to the Internet ... These programs are known as E.T. applications because after they have lodged in your computer and learned what they want to know, they do what Steven Spielberg's extraterrestrial did: phone home. That may be the most paranoia-inducing part. E.T. applications use your Internet connection to deliver espionage briefings on you, often without you realizing it is happening” (at 38).
20 Spam is unsolicited electronic mail (electronic junk mail, in other words).
21 Spam is used by direct-marketing organisations interested in advertising their products to the broadest possible circle of potential buyers in the [...]
22 28th International Data Protection and Privacy Commissioners’ Conference “Resolution on privacy protection and search engines” 2.
23 Some wireless networks determine location on the basis of the cellular tower nearest the handset. Others use the handset itself — handsets equipped with a GPS chip can be located with GPS (Global Positioning System) technology. See also Gratton Internet and Wireless Privacy: A Legal Guide to Global Business Practices 29-32.
24 For example, Vodacom, a leading cellular company in South Africa, offers a service called Look4me which enables Vodacom subscribers to locate other Vodacom cellphone users provided such users have consented to that.
25 See EU Data Protection Working Party Opinion 05/2012 on Cloud Computing WP 196 (2012); Lanois “Caught in the clouds: The Web 2.0, cloud computing, and privacy?” 2010 Nw J Tech & Intell Prop 29; Carpenter “Walking from cloud to cloud: the portability issue in cloud computing” 2010 Wash J L Tech & Arts 1 2; Oppenheim “Legal issues for information professionals X: Legal issues associated with cloud computing” 2011 Bus Inf Rev 25.
be linked to a physical place. Cloud computing provides many benefits, but also creates several challenges for data privacy law. A cloud service client loses the exclusive control over the personal data in the cloud and does not always have enough information about the manner in which the data are processed, where the processing takes place and by whom it is done. If the client is not in control of the data, it may also not have full knowledge of all the possible security risks and it may therefore not be possible for the client to ensure that the required security measures are in place.

“Big Data” is a term used to describe the creation and analysis of massive data sets. Data collected in one area can be linked to data collected in other areas and the data can then be analysed to produce new inferences. By making connections between pieces of data, patterns can be established and predictions be made about persons or groups of persons. According to Anita Allen “Big Data” is a nickname for enterprises that collect, analyse, package, and sell data, even uninteresting-looking data, to reveal tastes, habits, personality, and market behavior. This data is collected from various sources, such as call logs, mobile-banking transactions, online user-generated content from blogs or Tweets, online searches, satellite images, digital photos and videos uploaded online, transaction information of online purchases, and from GPS signals, to name but a few. “Big Data” challenges several data privacy principles. Evidently data collected for one purpose, are being used for another purpose. When discussing the data privacy principles, it will be explained that an important principle of data privacy law is that data may only be collected for a legitimate purpose that is made known to the data subject before the collection takes place, and furthermore, that the data may not be used afterwards for a different purpose, unless the data subject has consented to this. It is also a basic principle that [...] data should be collected, only data relevant for the purpose it is collected [...]

Yet another new challenge posed by technology, is the so-called “Internet of things”. This refers to “the connection of everyday objects (for example, TVs, appliances, and exercise equipment) to the Internet. It enables the real-time [...] and vast collection of data about property, people, plants, and animals.” The risks posed by these devices arise out of their security vulnerability. They are often used outside an IT structure and do not have enough security built into them. Risks involve data losses, infection by malware, unauthorised access to personal data, intrusive use of wearable devices, and unlawful surveillance.

9.2 Defining the field of law and certain key terms
Data privacy law is that area of the law that regulates all the stages of the processing of personal data (or information). Only personal data, that is data that relate to a person or permit identification of a person, is affected. Such data or information need not be private or sensitive.

The terminology used to describe this area of law differs from one jurisdiction to another and has shown development over time. In the USA, the term “information privacy” is preferred whereas in Europe, until recently, the term “data protection” was used widely. More recently the term “data privacy” has emerged in Europe as the preferred way of describing this area of the law. Since data privacy law is a better description of the field of study than either information privacy or data protection, this term will be used in this chapter.

26 [...] How to Restore Trust 4.
27 Data Protection Working Party Opinion 05/2012 on Cloud Computing WP 196 (2012) [...]
[...] problem of “personal data” in cloud computing: what information is regulated? — the cloud of unknowing” 2011 IDPL 211; “Who is responsible for ‘personal data’ in cloud computing? — The cloud of unknowing, Part 2” 2012 IDPL 3.
29 UN Global Pulse Big Data for Development: Challenges & Opportunities [...] Big Data [...] “a popular phrase used to describe a massive volume of both structured and unstructured data that is so large that it's difficult to process with traditional database and software techniques. The characteristics which broadly [...] Big Data are sometimes called the “3 V's”: more volume, more variety and higher rates of velocity. This data comes from everywhere ... This data is known as “Big Data” because, as the term suggests, it is huge in both scope and power.”
30 Allen “Privacy law: positive theory and normative practice” 2013 Harv L Rev Forum 241 246.
31 UN Global Pulse Big Data for Development: Challenges & Opportunities 15.
32 For a discussion of the challenges posed by Big Data to data privacy, see Rubinstein “Big Data: The End of Privacy or a New Beginning?” 2013 IDPL 74. Also see EU Data Protection Working Party Statement of the WP29 on the impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU WP 221 (2014).
33 See Maras “Internet of Things: security and privacy implications” 2015 IDPL 99. Also see EU Data Protection Working Party Opinion 8/2014 on the recent developments on the internet of things WP 223 (2014).
34 See EU Data Protection Working Party Opinion 8/2014 on the recent developments on the internet of things WP 223 (2014).
35 “Information” and “data” are used interchangeably in this chapter. A distinction can be drawn between these concepts: data are unstructured facts or raw material that needs to be processed and organised to produce information, whereas information is data that are organised, structured and meaningful to the recipient. In practice it is difficult to maintain a distinction between these two concepts and in most legal contexts it is also unnecessarily pedantic to do so (Bygrave Data Privacy Law: An International Perspective 20). The South African legislature has chosen to use the term “information” rather than “data” in South Africa's first omnibus data privacy law, the Protection of Personal Information Act 4 of 2013.
36 The term originates from the German term Datenschutz. See further Schwartz “Data processing and government administration: The failure of the American legal response to the computer” 1992 Hastings LJ 1321. Most European laws are therefore called data privacy laws (eg the UK's law is the Data privacy Act 1988).
37 See eg the titles of two recently published books on this topic: Bygrave Data Privacy Law: An International Perspective (2014); Kuner Christopher Transborder Data Flows and Data Privacy Law (2013) as well as the title of the journal International Data Privacy Law (IDPL).
38 In many jurisdictions, privacy refers not only to the protection of personal information, but includes aspects such as child-rearing, sexual preference and autonomy. In that sense, privacy is wider than data privacy, since this concept only refers to a set of rules that regulate the processing of personal information. But, in another sense, data privacy is wider than privacy, since it protects a broader range of interests than privacy. Data privacy protects identifiable information, irrespective of whether this information is private or not. See European Data Protection Supervisor (EDPS) Public access to documents and data privacy (EC 2005) 15 21; Bygrave Data Privacy Law 26; Kokott and Sobotta “The distinction between privacy and data protection in the jurisprudence of the CJEU and
continued

Data privacy law can thus be defined as a set of measures aimed at safeguarding data subjects from harm resulting from the computerised or manual processing of their personal information by data controllers. These measures usually include a group of principles on the processing of personal information (known as data privacy principles).

In this definition, there are certain key terms that need to be explained:

Personal information or data (in the USA referred to as identifiable information or PI) can be defined as any information relating to an identified or identifiable person. An identifiable person is someone who can be identified directly or indirectly by reference to an identification number or to one or more other features specific to that person's physical, physiological, mental, economic, cultural or social identity.

Processing is a wide concept and includes almost any action that can be performed on data, such as the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, dissemination by means of transmission, distribution or making available in any form, merging, linking, restriction, degradation, erasure or destruction of data.

The data subject is the identified or identifiable person whose personal data are processed — in other words, the person to whom the data relate.

A data controller (sometimes also referred to as the responsible party) is the natural or juristic person, public authority, agency or other body determining the purposes for and the means by which the data are processed.

A data controller could use a data processor (sometimes referred to as the operator) to do the processing on its behalf. The data processor is the person who carries out the processing in terms of a contract without being under the direct authority of the controller.

The data user (or recipient) is a person who receives data and applies them for various purposes.

Sometimes a third party is also distinguished. The third party is any party other than the data subject, data controller, data processor or any person under the direct authority of the controller or the processor.

Almost all data privacy laws contain a set of basic data privacy principles. These principles may be formulated differently in the various laws, but in essence the following principles are always contained in data privacy laws: The principles of fair and lawful processing, purpose specification; minimality, quality; openness or transparency; data subject participation; sensitivity; security and confidentiality; and accountability. These principles will be discussed in more detail below.

The development of [...] laws can be seen as a legal response to the threat posed to data subjects by the processing of their personal information/data.

9.3 Data privacy laws

9.3.1 The origin of data privacy laws
The first data privacy legislation was adopted in 1970 in the German state of Hesse, and in 1973 Sweden enacted the first national data privacy law, followed by the United States in 1974. Since then numerous other countries have adopted data privacy legislation or are considering such legislation. In fact, many countries have already revised their first data privacy laws or have adopted completely new, second-generation laws.

By the end of 2011, there were an estimated 89 countries with data privacy laws. This number was expected to rise exponentially and it could probably be assumed that the number is more than 100 at the time of writing.

9.3.2 The aims of data privacy laws and instruments
It is generally accepted that the processing of personal information poses a threat to a person's privacy. Another interest that may be threatened is identity, which is infringed when incorrect or misleading information relating to a person is processed.

It has often been said that privacy is difficult to define because it means different things to different people. Traditionally, privacy is defined “as the right to be let alone”, a definition made famous in 1890 by two American lawyers, Samuel Warren and Louis Brandeis. With the emergence of information technology the need arose for this definition to be adapted. A later definition describes privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how and to

the ECtHR” 2013 IDPL 222; Van der Sloot “Do data privacy rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation” 2014 IDPL 307. In Europe, the right to privacy and the right to data privacy are [...] separately as fundamental rights in the Charter of Fundamental Rights of the European Union (2010) OJ C 83/389. Respect for private and family life is protected in art 7 and protection of personal data in art 8.
39 Data privacy has the added benefit of including [...] used both in the USA (privacy) and in Europe (data protection), providing “a bridge for synthesizing European and non-European legal discourses”. See Bygrave Data [...] Law 2.
40 Bygrave Data Protection Law: Approaching its Rationale, Logic and Limits 21-22.
41 See EU Data Protection Working Party “Opinion 4/2007 on the concept of personal data” 4.
42 See the definition of “processing” in s 1 of the Protection of Personal Information Act 4 of 2013.
43 For example, the Netherlands adopted its second-generation data-protection law in 2000 (the Wet Bescherming Persoonsgegevens 2000) and the United Kingdom adopted its in 1998 (the Data Protection Act of 1998). On “generations” in data-protection laws, see Bygrave Data Protection Law 87-88.
[...] London, School of Law Legal Studies Research Paper No. 98/2012.
45 For example, in the USA, in enacting the Privacy Act of 1974, Congress found (s 2(a)(1) Pub L 93-579) that “the privacy of an individual is directly affected by the collection, maintenance, use and dissemination of personal information” and, in the UK, the Lindop Committee on Data Protection declared that “privacy is the starting point of our enquiry” (see “Report of the Committee on Data Protection” 28). According to the EU Data Protection Working Party's report “Data protection law and the media” 4, “[d]ata protection comes within the scope of the protection of private life guaranteed under this article [article 8 of the European Convention for the Protection of Human Rights]”.
46 [...] Neethling’s Law of Personality 36 define identity as “a person's uniqueness or individuality which identifies or individualises him as a particular person and thus distinguishes him from others”.
47 See Miller The Assault on Privacy: Computers, Data Banks and Dossiers 25; Bernstein v Bester NO 1996 (2) SA 751 (CC) 787-788. Young Privacy 2 observes that “[p]rivacy, like an elephant, is more readily recognised than described”.
48 Warren and Brandeis “The right to privacy” 1990 Harvard LR 195.
what extent information about them is communicated to others”. This claim to self-determination or control over one’s personal information is the essence of a person’s interest in privacy, and forms the core of data privacy. Through data privacy measures, a data subject regains control over the use made of his or her personal information by other parties.
The international character of data privacy necessitated the drafting of documents on data privacy by various international organisations. These international data privacy instruments have an added purpose, namely to harmonise data privacy laws in the signatory countries. International organisations such as the Organisation for Economic Co-operation and Development (the OECD), the Council of Europe and the European Community have realised the necessity of harmonising data privacy laws to prevent the creation of data havens while at the same time enabling the free flow of data across national boundaries. Therefore, all international data privacy documents issued since the 1980s, such as the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines) and the Council of Europe Convention on Data Protection (the Convention on Data Protection), have two primary goals: to lay down standards for the protection of personal data at national level while, at the same time, allowing the free flow of information across national boundaries. In order to realise these two goals, international data privacy instruments are intended to bring about harmony between national rules on data privacy, the idea being that, if different countries provide the same level of data privacy, information can be transferred between those countries without limitations, since there would be no increase in the threat posed to the interests of the persons whose personal information is involved in the data transfer. Although the various organisations have approached data privacy from different perspectives, reflecting their different purposes, they all recognise as a basic issue the conflict between the ideal of data privacy and the idea of the free flow of information between countries. What is more, despite differences in language, legal traditions and cultural and social values, there has been a broad measure of agreement on the basic content and core rules that should be embodied in data privacy legislation. Examples of these core rules can be found in the OECD Guidelines and the Convention on Data Protection, each of which contains a set of principles concerning data privacy.
The 1995 EU Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (the General Data Protection Directive) evolved from the earlier OECD Guidelines and the Convention on Data Protection. All member countries of the European Union had to adopt data privacy laws that complied with this Directive. It also served as a prime example for countries outside Europe, such as South Africa, in the drafting of their own data privacy law.
Although the laws adopted by the different European Union countries all complied with the 1995 Directive, the laws were nevertheless not identical and resulted in diverging national interpretations of the provisions as well as different local enforcement of the provisions. Coupled with this, new technological developments and globalisation since 1995 brought significant changes in the way personal data was collected and processed. All this resulted in the European legislators considering changes in the current European Union data protection framework, which will be discussed below.
49 Westin Privacy and Freedom 7.
50 Neethling et al. 32 define privacy as “an individual condition of life characterised by seclusion from the public and publicity. This condition embraces all those personal facts which the person concerned has himself determined to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private”. See also National Media Ltd v Jooste 1996 (3) SA 262 (A) 271-272.
51 Blume “Privacy as theoretical and practical concept” 1997 Intl Rev of Law, Computers and Tech 195. Seen ESS ek renee eee University of NSW Lf 279-281 .
52 Data havens are countries with no dar-pr i U data are eotsconcaini¢s take te chciesioeesie sauead tenet aaa yen amar ate: See EPIC Privacy and Human Rights: An International Survey of Privacy Laws and Developments (2002) 14.
53 Paris (23 September 1980).
54 Convention No. 108/1981, Strasbourg (28 January 1981).
55 See Blume “The inherent contradictions in data protection law” 2012 IDPL 26 27.
56 For example, para. (8) of the preamble to Directive 95/46/EC provides that, “in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all member states”.
57 The Council of Europe has traditionally been a human-rights organisation. (The European Convention of Human Rights was adopted under the auspices of the Council of Europe in 1950.) The Convention on Data Protection therefore focuses on the human-rights aspect of data privacy. The OECD Guidelines, on the other hand, focus on the impact of data privacy on international trade and economic development (see Bing “The Council of Europe Convention and the OECD Guidelines on Data Pri " 272; Hondius “A decade of international data protection” 106).
58 Bennett Regulating Privacy 9%; Flaherty Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States 379.
59 Data-protection laws are universally built round a common core of data-protection principles formulated in various ways. See, for example, the OECD Guidelines paras 7-14; Convention No. 108/1981 arts 4-8; UK Data Protection Act of 1998 sch. 1 part 1; Bygrave Data Protection Law 57-69; Bennett Regulating Privacy 9; Flaherty Protecting Privacy in Surveillance Societies 379; Roos “The law of data (privacy) protection” (LLD thesis, Unisa, 2003) 480-522.
60 Directives are a form of legislation within the European Union, used in the harmonisation of public policy throughout the Union. They are published in the Official Journal.
61 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31.
62 As is explained later in para. 9.4.2.6, below, the South African Law Reform Commission has used the Directive for guidance in drafting South Africa's first proposed data-protection law, namely the draft Bill on the Protection of Personal Information.
63 See para. 9.3.47 below.

9.4 International data privacy instruments
9.4.1 Introduction
It has been pointed out that data privacy has always been an international issue. The Internet operates on the principle that information should be able to flow unimpeded over national borders. To allow this, standards for the protection of personal information should be equivalent in all countries connected to the Internet. If standards differ, countries with high standards of data protection may decide to

impose legal barriers to the transfer of personal information on their citizens to other jurisdictions. This will impede not only the flow of information, but also international trade.
Some of the most important international data privacy instruments are discussed below.
9.4.2 The OECD Guidelines on data protection
9.4.2.1 Introduction
The OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data were adopted in 1980. The Guidelines were the first international statement on data privacy. They advocate the adoption of good data privacy practices to prevent unnecessary restrictions on transborder data flows. They are formulated in general terms and member countries are expected to work out the details in their own national laws. The Guidelines are not legally binding but merely recommendations made by the OECD to its member countries. The Guidelines do not require legislation for their implementation and may even be adopted by private companies instead of the particular State in which they are located — the United States has, for example, opted for this method of adoption in the private sector. The minimum standards of the Guidelines may be supplemented by additional measures.
The OECD Guidelines do not distinguish between the processing of data in the private and public sectors, or between manual and automatic processing, since the processing of personal data in either of these sectors poses a danger to privacy and individual liberties.
The Guidelines permit member countries to limit the scope of the measures they introduce. For example, they are permitted to apply the Guidelines only to the automatic processing of data, to exclude personal data which obviously do not contain any risk to privacy and individual liberties, or to apply different protective measures to different categories of personal data. Exceptions may also be made for national sovereignty, national security or public policy. The OECD Guidelines recommend that two general criteria ought to guide national policies when limits are imposed on the scope of data privacy measures: (a) these limitations should be as few as possible and (b) they should be made known to the public.
Changes in personal data usage and new approaches to privacy protection since 1989 have moved the OECD to revise the Guidelines for the first time in 2013. According to the OECD website, “Two themes run through the updated Guidelines, namely a focus on the practical implementation of privacy protection through an approach grounded in risk management, and the need to address the global dimension of privacy through improved interoperability.”
9.4.2.2 Data privacy principles
The OECD Guidelines are based on eight data privacy principles.
• Collection limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Data which, because of the manner in which they are to be processed, their nature, the context in which they are to be used, or because of other circumstances, are regarded as especially sensitive should be treated with extra care.
• Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, be accurate, complete and kept up to date.
• Purpose specification: The purpose for which personal data are being collected should be specified not later than at the time of their collection. The subsequent use of such data should be limited to the fulfilment of that purpose, or of another purpose that is compatible with it. Any change in purpose should be made known. Although this principle allows for changes to the purpose, such changes should not be introduced arbitrarily. The principle also requires that, when data no longer serve the purpose for which they were originally collected, they be erased or given in anonymous form.

64 The Organisation for Economic Co-operation and Development is an international Sk hctneeenie Pooks ie cere ot Ba af the Leting teat Se teas eae oe all European Union member States, Australia, Chile, Japan, Korea, Mexico, New Zealand, Norway, Turkey and the United States of America) ing the: py of di acy, market and respect for human rights (see the OECD website at www.oecd.org (accessed 6 August 2007). See also Kuner European Data Privacy Law and Online Business 36. According to Gereda “The Electronic Communications and Transactions Act” 26% the OECD involves non-member countries in its work. These non-member countries subscribe to OECD agr: and The OECD's affiliation with 70 non-member countries, of which South Africa is one, gives it global reach.
65 Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Paris (23 September 1980).
66 For an overview of the history, achievement and future of the OECD Guidelines, see Kirby “The history, achievement and future of the 1980 OECD guidelines on privacy” 2011 IDPL 6.
67 See Waklen and data protection” 499 466; Roos “The law of data (privacy) protection” (LLD thesis, Unisa, 2003) 156-157, 178, 196-197.
68 Para 2 of the OECD Guidelines.
69 Para. 3(a)-(c).
70 Para 4.
71 Para. 4(a)-(b).
72 At the beginning of 2007 almost all OECD countries had enacted data-privacy laws with authorities to oversee the enforcement of those laws. It was realised “that the changes in the character and vol- series oft cxcome icarniee:clnta: Acqum, have: Shesatest peteacy, craks Soy. acheebscale ancl tehligpitest the mere for beter co r tg the d with pi jon”. The OECD Council therefore adopted a Recommendation in 2007, setting forth a framework for co-operation by member States to enforce their privacy laws. See OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy at www.oecd.org (accessed 6 August 2007). These provisions are now included in paras 20-23 of the revised Guidelines.
73 See the “OECD Privacy Framework” (2015) at www.oecd.org (accessed on 29 January 2016).
74 Para 7.
75 Para 8.
76 OECD Guidelines “Explanatory memorandum” 30.

• Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose-specification principle, except with the consent of the data subject or by the

authority of law. The use-limitation principle deals with uses of data that deviate from the original purpose, and thus regulates the dissemination of the data. The general rule is that subsequent use made of data should be compatible with the original stated purpose. However, this principle envisages that, with the consent of a data subject or by the authority of law, exceptions can be made to this rule.
• Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss of or unauthorised access to, and destruction, use, modification or disclosure of data. This principle imposes an obligation on the data controller to ensure that reasonable security measures are in place to protect the privacy of the personal data. Such security measures may be physical, organisational or informational. “Loss” of data includes accidental erasure and destruction of data due to the damage to or theft of the storage media. “Modification” includes unauthorised input of data, and “use” includes unauthorised copying.
• Openness: This principle is considered as a prerequisite for the next principle, namely the individual participation principle, since in order for the last mentioned principle to be effective, it must be possible in practice to acquire information about the processing of personal data. There should therefore be a general policy of openness about developments, practices and policies in respect of personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes for which they are used, and the identity and usual residence of the data controller.
• Individual participation: According to the Guidelines, the right of individuals to access and challenge personal data is generally regarded as the most important privacy protection safeguard. Data subjects have the right to participate in the processing of their data. Therefore, they have a right to access their personal data, and to be given reasons for any denial of such access, and a right to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.
• Accountability: Since processing activities are carried out for the benefit of the data controllers, the controllers should be accountable under domestic law for complying with privacy-protection rules. They should not be relieved of this accountability merely because service bureaux (data processors) carry out the data-processing activities on their behalf. Their accountability should be complemented by legal sanctions.
Under the 2013 revisions, it is now required that a data controller should have a privacy management programme. Essential elements of such a programme include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment. The revisions also introduced mandatory data security breach notification. The data controller should notify the privacy enforcement authority where there is a significant security breach affecting personal data. Individuals should also be notified where such a breach is likely to adversely affect individuals.
9.4.2.3 The transfer of data to third countries
The revised Guidelines emphasise that a data controller remains accountable for personal data under its control without regard to the location of the data. A member country should refrain from restricting transborder flows of personal data between itself and another country where (a) the other country substantially observes these Guidelines; or (b) sufficient safeguards exist, including effective enforcement mechanisms and measures put in place by the data controller, to ensure a continuing level of protection consistent with the Guidelines. Any restrictions to transborder flows of personal data should be proportionate to the risks presented, taking into account the sensitivity of the data, and the purpose and context of the processing.
9.4.2.4 National implementation
The revised Guidelines instruct member countries to develop national privacy strategies; adopt laws protecting privacy; establish and maintain privacy enforcement authorities; encourage and support self-regulation, for example in the form of codes of conduct; provide for reasonable means for individuals to exercise their rights; provide for adequate sanctions and remedies in case of failures to comply with privacy laws; consider the adoption of complementary measures, such as education and awareness raising, skills development, and the promotion of technical measures which help to protect privacy; consider the role of actors other than data controllers, in a manner appropriate to their individual role; and ensure that there is no unfair discrimination against data subjects.

77 Para. 10 of the OECD Guidelines.
78 Para. 11.
79 Physical measures include the use of locked doors and identification cards; organisational measures include giving only certain persons the use of access codes; and informational measures include enciphering or monitoring of unusual activities (OECD Guidelines “Explanatory memorandum” 31).
80 OECD Guidelines “Explanatory memorandum” 31.
81 Para. 12 of the OECD Guidelines.
82 Para. 13.
83 Para. 14.
84 OECD Guidelines “Explanatory memorandum” 32.
85 Para 15.
86 Para 16.
87 Para. 17.
88 Para 18.
89 Para 19.
90 See fn. §2 above.

9.4.2.5 Conclusion
The members of the OECD include the most important countries in the information-communications arena, among which are the United States, most European countries, Canada, Japan, Australia and New Zealand. Furthermore, through its affiliation with 70 non-member countries, of which South Africa is one, the OECD has a global reach. Consequently, the OECD Guidelines were very important at the time of their adoption. However, because the Guidelines were not — and are not — legally binding,

and because they allowed for considerable variation in their implementation by member States, they were not adequate to ensure the functioning of the global market. Nevertheless, the revised OECD Guidelines remain an influential statement of the foundations of privacy protection.
9.4.3 The Council of Europe Convention on Data Protection
9.4.3.1 Introduction
The Council of Europe Convention on Data Protection is a multilateral treaty dealing with data privacy. It was “the first legally binding international instrument with worldwide significance on data protection”. It was adopted in 1981 and has been ratified by almost all of its member countries.
Thirty years after its adoption, it was felt that the Convention needed to be modernised to deal with emerging privacy challenges resulting from the increasing use of new information and communication technologies, the globalisation of processing and the ever greater flows of personal data. A modernisation process was started in 2010 and in 2012 a proposal for a revised instrument was released by the Consultative Committee of the Convention with the aim of modernising the Convention.
After a lengthy process of consultation an ad hoc Committee on data protection (CAHDATA) of the Council of Europe approved in December 2014 the modernisation proposals. A draft amending Protocol was prepared on the basis of the proposals.
The Convention is based on a number of basic principles of data privacy on the basis of which each member country is expected to draft appropriate legislation. A country has to adopt data privacy legislation giving effect to the principles in the Convention before that country can become a party to the Convention. These principles guarantee data subjects in all countries a minimum level of protection with regard to the automatic processing of their personal data and should result in harmonisation of the laws of the parties to the Convention, thus ensuring that the principle of the free flow of information will not be jeopardised. Member States may grant data subjects a wider measure of protection than that stipulated in the Convention.
The Convention applies to the automatic processing of personal data in both the private and public sectors. However, member States may extend the provisions to non-automatic processing of data. Although personal data are defined as information relating to an identified or identifiable individual, parties may extend the scope of the Convention to include information relating to groups of persons, associations, foundations, companies, and so on, whether or not they possess legal personality.

91 For example, SLE SS Bak each eapeatvons Ay Se Betense iace, bo epicseces fe OPC Cee lines, bur aged the pi sector to their pr
92 Blume “An EEC policy for data protection” 1992 Computer/Law Journal 4.
93 See Bygrave Data Law 50.
94 Founded in 1949, the Council of Europe (to be distinguished from the Council of the European Community) is an intergovernmental institution with headquarters in Strasbourg. It consists of the heads of State of 47 European countries, 28 of which are members of the EU. There are also observer countries, including the USA, Canada and Japan. It is a human rights organisation. All Council of Europe member states have signed up to the European Convention on Human Rights (ECHR) (CETS No 005, 1950). The right to protection of personal data forms part of the rights protected under Art 8 of the ECHR, which guarantees the right to respect for private and family life, home and correspondence and lays down the conditions under which restrictions of this right are permitted. The European Court of Human Rights (ECtHR) oversees the implementation of the Convention in the member states. Individuals can bring complaints of human rights violations to the Strasbourg Court once all possibilities of appeal have been exhausted in the member state concerned. (See www.coe.int).
95 Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108/1981, Strasbourg (28 January 1981). It is also referred to as Convention 108, referring to its number.
96 Bygrave Data Privacy Law 147.
97 See www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection, tion can be found at http://conventions.coe.int/Treaty/en/Treaties/Html/108i.
98 Russia has signed it but has not ratified it. San Marino and Turkey were the latest countries to ratify the Convention during 2015. See ee ree pee ea Raa eae NT-LOBRCL-ENG. All EU Member States have ratified Convention 108. Non-European countries may accede to the Convention. The first to do so was Uruguay which acceded in 2013. Also see Greenleaf “The influence of European data privacy standards outside Europe: implications for globalization of Convention 108” 2012 IDPL 68 who argues that there are potentially considerable advantages to both non-European and European states if Convention 108 (plus the Additional Protocol) were to become a global privacy agreement. See ene
99 The G jh d by the C to may make proposals with a view to or hianpeernictioerney mercer oraentAepabmocaruespe irda ater convertion in accordance. See Chap V of the Convention 108/1981.
100 Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD) Propositions of Modernisation T-PD_2012_04_rev4_E (Dec 2012).
101 See CAHDATA CM2014 40) Appendix 2. At the time of writing the amending Protocol has not yet
102 Art. 4(1) of Convention 108/1981.
103 In 1999 the Convention was amended to allow the European Community (as an organisation) to accede to it.
104 Paras 20 and 21 of the Convention 108/1981 “Explanatory report”.
105 See art. 11 of Convention 108/1981.
106 Art. 3(2)(b).
107 Art. 5.
108 In the draft Amending Protocol, the heading of Art. 5 is amended to read “Legitimacy of data processing and quality of data” which is a better reflection of the content of the Article.

9.4.3.2 Data privacy principles
The Convention lists a number of basic principles for data privacy.
• Quality of data: Personal data undergoing automatic processing should be
— obtained and processed fairly and lawfully;
— stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
— adequate, relevant and not excessive in relation to the purposes for which they are stored;
— accurate and, when necessary, kept up to date; and


(b) be able to obtain at reasonable intervals, and without excessive delay or ex-
pense, confirmation of whether personal data relating to him or her are stored
— preserved in a form which permits identification of the data subjects for no in the automated data file, and to have such data communicated to him or her
longer than is required for the purpose for which those data are stored.| Special of in an intelligible form; 8
categories of data or sensilise data Personal data revealing racial origin, political
opinions, religious or other beliefs, as well as personal data concerning health {c) be able to have rectified or erased personal data that have been processed in a
or sexual life or relating to criminal convictions, may not be processed auto- manner contrary to the basic principles of the Convention; and
matically, unless domestic faw provides appropriate safeguards.” The list is (d) have a remedy if a request for confirmation, communication, rectification or
not meant to be exhaustive and a aancina aState may include other catego- erasure is not complied with.”
ries of data in its domestic law." The draft amending Protocol supplements these rights with a right not to be subject
‘The draft amending Protocol add further categories, namely genetic data, bio- to automated decision making, a right to object to data Processing and a right to
metric data uniquely identifying 4 person and personal data revealing wade un- obtain knowledge of the reasoning underlying data processing the results of which
ion membership. It also claborates on the safeguards | that must be taken, stating are applied to the data subject. It also imposcs additional obligations on a data
that it must protect against the risk of discrimination." controller, such as the obligation to conduct an impact assessment of the intended
data processing on the nights of data subjects prior to the commencement of the
OO Data security. Appropriate security measures should be taken for the protection of
processing and an obligation to design the data processing in such a manner as to
personal data stored in automated data files against accidental or unauthorised
prevent or minimise the risk of interference with those rights.”
destruction or accidental loss and against unauthorised access, alteration or dis-
semination. This implies that there should be specific security measures for every file, taking into account its degree of vulnerability, the need to restrict access within the organisation to the information contained in the file, requirements concerning long-term storage of the file, and so on. The security measures should reflect the current state of the art of data security techniques and methods in the field of data processing.

The draft amending Protocol adds a duty to notify at least the data protection authority of data breaches which may "seriously interfere with the rights and fundamental freedoms of data subjects". It also inserts provisions on the "Transparency of processing", requiring that the data controller should inform data subjects of the controller's identity and habitual residence or establishment; the legal basis and the purposes of the intended processing; the categories of personal data processed; the recipients or categories of recipients of the personal data; the means of exercising data subject rights and any additional information necessary to ensure fair and transparent processing of the personal data.

9.4.3.3 The rights of data subjects

The Convention requires that any person should
(a) be able to establish whether an automated personal data file exists, what its main purposes are and the identity and habitual residence or principal place of business of the controller of the file;

9.4.3.4 Exceptions

A contracting State may derogate from all the provisions except those relating to security, if this derogation constitutes a necessary measure in a democratic society to protect State security, public safety, or the monetary interests of the State, or to suppress criminal activity, or protect data subjects or the rights and freedoms of others. The draft amending Protocol mentions freedom of expression as a freedom that should be protected.

9.4.3.5 Remedies and sanctions

The Convention requires contracting States to provide for sanctions and remedies for violations of the Convention.

9.4.3.6 The transfer of data across borders

With regard to the transfer of data to other contracting countries, the general rule is that a contracting State may not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation the transfer of personal data to the territory of another contracting State if the recipient country provides an equivalent level of protection. A country may restrict the transfer of personal data to another contracting State when the data will be re-exported from there to a third (that is, a

109 Art 6.
110 Para. 48 of Convention 108/1981 "Explanatory report".
111 Art. 6(2) of the draft Amending Protocol.
112 Art 7 of Convention 108/1981.
113 Para. 49 of Convention 108/1981 "Explanatory report".
114 Art. 7(2) of the draft Amending Protocol.
115 Art 7bis(1) of the draft Amending Protocol. The duty to inform the data subject does not apply if the data subject already has the information or if the processing is expressly prescribed by law, or if notification proves to be impossible or involves disproportionate efforts — Art. 7bis(2).
116 Art. 8(a) of Convention 108/1981.
117 Art. 8(b).
118 Art. 8(c).
119 Art. 8(d).
120 Art. # as amended by the draft Amending Protocol.
121 Art. 8bis of the draft Amending Protocol.
122 Art. 9(2).
123 Amperated Art 901)
124
125 Aue 120:

non-contracting) State. This is to prevent such transfers' circumventing the first country's legislation.

The Convention does not explicitly deal with direct transfers of personal data to non-contracting States; this issue is addressed in an Additional Protocol adopted in 2001. In terms of this Protocol, personal data may be transferred to a non-contracting State only when an adequate level of protection for the transferred data is ensured by the receiving State, or if domestic law provides for it because of specific interests of the data subject, or legitimate prevailing interests, especially important public interests, or if safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law. The draft amending Protocol adds the consent of the data subject as a ground on which data may be transferred to a country without an adequate level of protection.

9.4.3.7 Supervisory authorities

The Convention is silent on whether a supervisory authority should be appointed in a contracting State; the 2001 Additional Protocol to the Convention addresses this issue. In terms of the Additional Protocol each party to the Convention must provide for an independent supervisory authority to be responsible for compliance with the provisions of the Convention in its domestic law. It also prescribes that such authorities must have powers of investigation and intervention, as well as the power to engage in legal proceedings.

9.4.3.8 Recommendation regarding privacy on the Internet

The Committee of Ministers of the Council of Europe may make Recommendations to member states on matters for which the Committee has agreed on a common policy. These Recommendations are not binding.

Several Recommendations dealing with the protection of privacy in specific sectors have been issued over the years, including a Recommendation for guidelines on the protection of privacy on the Internet in 1999.

These guidelines give practical information on what one ought to be aware of when using the Internet. They also encourage users to take action to ensure that their Internet Service Providers comply with privacy principles.

Internet Service Providers (ISPs) are advised by the guidelines to inform users, before they subscribe to the service, of the privacy risks presented by the use of the Internet. ISPs are encouraged to tell users about the possibility of accessing the Internet anonymously. Also, ISPs must post privacy policies on their websites. The statement should be clearly visible on the introductory page and be hyperlinked to a page on which a detailed policy can be found. With regard to transferring personal data to third countries, the guidelines suggest that ISPs seek advice from, for example, the data privacy authorities about the permissibility of such a transmission.

9.4.3.9 Conclusion

A major weakness of the Convention is unenforceability against countries that fail to comply with the basic principles — the Convention did not create any enforcement machinery. Nevertheless, the Convention has been an important stimulus for data privacy legislation in member countries of the Council of Europe. Before member countries could ratify the Convention, they had to adopt their own domestic data privacy legislation — the United Kingdom and the Netherlands, for example, adopted data privacy legislation for this very reason. It has been said that "[t]he force of the Council of Europe Convention, more than that of the OECD Guidelines, has continued to draw new countries into the data privacy community".

Before the European Union issued a Directive on Data Protection, the Convention formed the basis of data privacy laws in many European States. When the European Union drafted the 1995 Directive on Data Protection, the starting point was the provisions of the Council of Europe Convention. The Convention's importance for European countries is also reflected in the fact that the European Community became a party to the Convention in 1999. Accession to the Convention "reflects the European Union's wish to develop co-operation with the Council of Europe and help create a stronger international forum on data privacy, particularly vis-à-vis third countries".
126 Art. 12(3)(b).
127 Council of Europe Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows, Strasbourg (8 November 2001). The Protocol entered into force on 1 July 2004 after the required number of parties ratified it.
128 Art 2 of the Additional Protocol.
129 Art. 12(4)(a) of the draft Amending Protocol. The consent must be informed, free and explicit.
130 Art. 1.
131 Ani?
132 Council of Europe Recommendation No. R (99) 5 Guidelines for the Protection of Individuals with regard to the Collection and Processing of Personal Data on Information Highways, 23 February 1999. Other subjects on which Recommendations have been adopted are: medical data banks (1981); scientific and other statistical research (1985); direct marketing (1985); social security (1986); police records (1987); employment data (1989); financial payments and related transactions (1999); communication of data to third persons by public institutions (1991); protection of personal data in the field of telecommunications, particularly in telephone services (1995); the protection of medical and genetic data (1997); and the protection of personal data collected and processed for statistical purposes (1997).
133 Bennett Regulating Privacy 248.
134 Ausems "Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" 539.
135 Directive 95/46/EC, 24 October 1995.
136 Ibid. para. (11) of the
137 See wew.coe-int/T/E/Legalaffairs/L deal soca Te prnees sen Sarees 8 haart 2007)
138 The European Union (EU) & an countries based on the rule of bar anc BO ts tea aiaiadien en eee Chediak a

9.4.4 European Union directives on data protection

9.4.4.1

The European Union is very active in the area of data privacy. Its Charter of Fundamental Rights not only guarantees the respect for private and family life in

Article 7, but also establishes the right to data protection as a fundamental right in Article 8.

The first data protection directive adopted by the EU was the Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data adopted in 1995 (referred to as the General Data Protection Directive or the 1995 Data Protection Directive). Subsequently directives were adopted to apply the general principles of the 1995 Directive to specific areas, such as electronic communications.

In 2012 the European Commission proposed a reform package stating that the current rules on data protection needed to be modernised in light of rapid technological developments and globalisation. The reform package consists of a proposal for a General Data Protection Regulation meant to replace the 1995 Data Protection Directive. At the time of writing, the proposals have not been finalised and the 1995 Data Protection Directive remains the principal legal instrument on data protection in the EU.

9.4.4.2 The Data Protection Directive of 1995

A Introduction

Member countries of the EC were expected to sign and ratify the Convention on Data Protection. Although the Convention had been signed by all the EC member States by 1990, it had been ratified by only six.

The Commission of the EC became concerned about the effect discrepancies between member States' laws and regulations might have on inter-community trade; therefore in 1990 it made proposals for a Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data. After a protracted legislative process, the Directive was finally adopted on 24 October 1995. Member States may implement the Directive by adopting either a general data privacy law or data privacy laws for different sectors.

Council of European Communities, the European Parliament and the European Court of Justice. The Court of Justice upholds the rule of law. The Council of the European Union (also referred to as the Council of Ministers) is the Community legislator. (This Council should not be confused with the Council of Europe referred to previously.)
139 Official Journal C 326, 26.10.2012. The Charter protects EU citizens' and residents' political, social and economic rights. The EU's institutions must uphold the Charter of Fundamental Rights. National authorities must also uphold the Charter when they are implementing EU law.
140 Art 8 provides:
"Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority."
For a discussion of how data protection has come to be recognised as a fundamental human right in the EU, see González Fuster The Emergence of Personal Data Protection as a Fundamental Right of the EU (2014). Also see Tzanou "Data protection as a fundamental right next to privacy? 'Reconstructing' a not so new right" 2013 IDPL 88.
141 Four types of legislation exist in the EU:
(a) Directives are the most important and least common type of rules. Directives are used in the Ree eae ae ee eae rie ten ene Pee binding, but member states are gr d some: | ng the actual form of implementation and the detailed of the legislation Dosiseally ak ne prcucntlony ectrsomesots in the EU were passed as Directives.
(b) Regulations have general application and pass into law without further action. The 2012 reform will be passed as a regulation and as a consequence all the member countries will have the same data protection legislation in effect in their countries after its adoption.
(c) Decisions are binding upon whom they are addressed to and are aimed at individual governments,
(d) Recommendations and opinions have no binding force but cane wed to caf views o
142 Directive 95/46/EC, 24 October 1995.
143 In 1997 the EU adopted a Directive on the Protection of Privacy and the Processing of Personal Data in the Telecommunications Sector (Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 Concerning the Processing of Personal Data and the Protection of Private Life in the Telecommunications Sector, 1997 Official Journal L 24/1). This Directive translated the general principles of the 1995 Directive into more specific principles for the public telecommunications networks and services sector. However, the 1997 Directive had to be updated to take of technological d and to that the same level of privacy protection would be gi i for all over pablic tks, regardless of the technology used. The result was a new Directive, in 2002, on Privacy and Electronic Communications (also re- Pia par ch es Aandi hace papier dese er Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector Official Journal L 201/37). The 2002 Directive was subsequently amended by the 2006 Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of publicly available Electronic Communications Services or of Public Communications Networks and Directive 2002/58/EC Official Journal L 105/55) and a 2009 Directive (Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on Universal Service and Users' Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation between National Authorities Responsible for the Enforcement of Consumer Protection Laws). In 2014 the Data Retention Directive was declared unconstitutional by the Court of Justice of the European Union (CJEU) Cases 293/12 (Digital Rights Ireland) and 293/12 (Seitlinger)).
144 European Commission "Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data" COM(2012) 11 final, Brussels, 25 January 2012.
145 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31.
146 The Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108/1981, Strasbourg (28 January 1981).
147 Denmark, France, Germany, Luxembourg, Spain and the United Kingdom. See Lloyd Information Technology Law (2014) 37. In 1999 the Convention on Data Protection (108/1981) was amended to allow the European Community as an organisation to become a party to it. Before these amendments were made, only countries could accede to the Convention.
148 1990 Official Journal C 277/03.
149 As Directive 95/46/EC. Member States had to implement the Directive within three years from that date years were al owed for 5 I filing, s> — before 24 October 1998 (art. 32 of Directive 95/46/EC).
150 See para. (23) of the preamble to Directive 95/46/EC.
B Scope

The Directive applies to the processing of personal data of a data subject by automatic or non-automatic means. In the case of manual processing, data have to be contained (or should be intended to be contained) in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question. The Directive makes no distinction between processing in the private and public sectors, or between the different stages of processing. The Directive also applies to sound and image data (for example video surveillance data) relating to natural persons, provided the processing of such data is automated or the data are contained (or are intended to be contained) in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question.

The privacy rights of juristic persons are not protected by the Directive, because a data subject is by definition "an identifiable natural person". Furthermore, the Directive does not apply to the processing of personal data by a natural person for purely personal or domestic activities.

C General rules on the lawfulness of processing personal data

The Directive lays down general rules determining under what circumstances personal data may lawfully be processed. It distinguishes between the processing of non-sensitive and sensitive personal data. Stricter criteria apply when sensitive data are processed or when data are processed for sensitive purposes.

(a) Processing of non-sensitive data

(i) Data privacy principles

In general, personal data must be processed fairly and lawfully. Specifically, the processing of personal data must comply with the purpose-specification and limitation principle. In other words, data must be collected for "specified, explicit and legitimate" purposes and not undergo further processing in a way incompatible with those purposes. The purpose for which data are collected must be determined and made known to the data subject at the time of their collection. This purpose must be a legitimate one. Further processing of data that is incompatible with this purpose is not allowed. Processing for historical, statistical and scientific purposes will not be considered incompatible, provided that the member States lay down appropriate safeguards.

The data-quality principle is reflected in the requirement that personal data must be "adequate, relevant and not excessive", be "accurate", complete and "kept up to date", and not be stored in a form which permits identification of data subjects for longer than is necessary. Member States must lay down appropriate safeguards for personal data stored for extended periods for historical, statistical or scientific use. The adequacy, relevance, accuracy and currency of the data are determined with reference to the purpose for which they have been collected or further processed. "Every reasonable step" must be taken to rectify or erase inaccurate, incomplete or outdated data.

The data controller is responsible for ensuring that data are processed fairly and lawfully and that the data-quality principles are complied with. The scope of the rights and obligations provided for by the data-quality principle may be restricted when restriction is necessary to safeguard certain public interests or protect the data subject or the interests of others.

(ii) Criteria for making data processing legitimate

The Directive spells out the only six conditions under which personal data may lawfully be processed. In other words, for any data processing to be lawful, it must comply with the data privacy principles set out in paragraph (i) above and meet at least one of six criteria. The six conditions under which non-sensitive data may be processed can be summarised under the following three overarching principles:
□ When the data subject has unambiguously consented.
151 Para. (15) of the preamble.
152 It was realised that it is not possible to separate the private and public sectors. Simitis "From the market to the polis: The EU Directive on the Protection of Personal Data" 1995 Iowa LR 452 explains: "Patients in a private clinic are, as far as the use of their data is concerned, in the same situation as those treated in a hospital belonging to the state. Employees are confronted by the same problems with respect to their data whether they are employed by a computer firm or by a tax authority. The:i of pr if for do not charge bi a bank is, as in many Member States, owned by the state and organized in a form typical of state activities".
153 Dir 95/46/EC recitals par (15). Also see Art 29 EU Data Protection Working Party Working Document on the personal data by means of video surveillance WP 67 (2002).
154 See also para. (24) of the preamble to Directive 95/46/EC.
155 Art. 2(a) defines an "identifiable person" as "one who can be identified, directly or indirectly, in eee ee Eee ical, p mi tural or social identi
156 Art (2).
157 Korff Data Protection Laws in the European Union 44.
158 ser ard gren rkoisteienirrr asakey dria "Principles relating to data quality", art. 6 contains general dara F iples, and not only p F wg to the quality of the data.
159 Art 6(1)(a) of Directive 95/46/EC.
160 Art. 6(1)(b).
161 Para. (28) of the preamble to Directive 95/46/EC.
162 Art. 6(1)(c) of Directive 95/46/EC.
163 Art. 6(1)(d).
164 Art 6(1)(e).
165 Art. 6(1)(d).
166 Art. 6(1)(a) and 6(2).
167 Namely national security, defence, public of ethics for regulated professions, and iaap Seate or of the F. Union.
168 Art. 13(1) of Directive 95/46/EC.
169 Art. 7.
170 Korff Data Protection Laws in the European Union 38.
171 Art. 7(a). "The data subject's consent" is defined in art. 2(h) as meaning "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal do selsting to ees bn Fe d°. In this ii the must be biguous. This bene i recaps oh mci oees te aciee seepeieee eagle: seomens ae tien eoeae fe When it comes to ative data, the Directi See also Korff Data Protection Laws in the European Union 38-40.

□ When processing of the data is "necessary" in a contractual setting or for some overriding (mostly public) interest.
□ When, in a "balancing" of the interests of the data subject, on the one hand, and those of the data controller or third party, on the other hand, the interests of the controller or third party outweigh the interests of the data subject.

When processing is based on an overriding public interest or interest of the controller or third party, data subjects have a right to object to the processing of data relating to them. Processing may not take place if these interests are overridden by the data subject's interests in his or her fundamental rights and freedoms which are protected by the Directive.

(b) Special categories of processing

Certain additional rules, over and above the general rules discussed above, are laid down for the processing of certain categories of personal data (sensitive data) or for the processing of personal data for certain specific processing activities (sensitive processing).

(i) Sensitive data

Processing of personal data that are considered of a "sensitive" nature is prohibited. The categories of sensitive data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life.

However, the prohibition on the processing of sensitive data is subject to a list of exceptions. It is not compulsory to insert all or any of these exemptions into national laws. A member State may have stricter rules than those prescribed by the Directive, but may not stop the free flow of data for this reason.

In essence, sensitive personal data may only be processed if
□ the data subject has explicitly consented;
□ the processing relates to data which are manifestly made public by the data subject;
□ the processing is carried out by a non-profit-seeking body for political, philosophical, religious or trade-union purposes; or
□ it is "necessary" for data controllers in order for them to
— carry out their obligations in the field of employment law;
— protect the vital interests of the data subject or those of another person; or
— establish or exercise legal claims or defend themselves against such claims.

(ii) Sensitive processing

Data on criminal offences

Processing of data that pertain to criminal offences, convictions and security measures may only be carried out under the control of an official authority. Member States may provide for exceptions, provided that a "suitable specific safeguard" is also provided in each case. For example, prospective employers and grantors of credit and insurance may be allowed to keep information about criminal convictions of data subjects but must put in place safeguards suited to this type of processing. However, a complete register of criminal convictions may only be kept by an official authority. Member States may extend the scope of the prohibition by providing that data relating to administrative sanctions or civil judgments must also be processed under the control of an official authority.

National identification number or identifier of general application

The use of a national identification number or identifiers of general application is not prohibited, but it is left to member States to determine the conditions under which such a number may be processed.

Fully automated decisions

In terms of article 15 of the Directive member States must grant every person the right not to be subjected to a decision which produces legal effects concerning or significantly affecting that person and which is based solely on the automated processing of data intended to evaluate certain related personal aspects, such as
172 Art 7(b). See also Korff Data Protection Laws in the European Union 40-42.
173 Art. 7(d, (4. In European law the "necessity" requirement usually means that the activity (processing) should serve a "pressing social need" or a "legitimate aim" (see Korff Data Protection Laws in the European Union 38).
174 Art. 7(f). See also Korff Data Protection Laws in the European Union 42-43.
175 Art. 14(a).
176 In other words, personal data which are by their nature capable of infringing fundamental freedoms or privacy (see para. (33) of the preamble to Directive 95/46/EC).
177 The prohibition does not apply when the processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health-care services, and, when those data are processed by a health professional subject, under national law or rules established by competent national bodies, under the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy (art 8(3) of Directive 95/46/EC).
178 Art 8(1).
179 Simitis "From the market to the polis" 1995 Iowa LR 460-461 does not think that all the exceptions are justified.
180 However, the member State may also provide that the prohibition may not be lifted by the data subject's consent (art. 8(2)(a) of Directive 95/46/EC).
181 Art 8(2)(e) of Directive 95/46/EC. The intention of the data subject to publicise the specific personal data must be manifestly evident from his or her actions. An example of such publication is when a person running for public office during an election publicly expresses allegiance to a specific political party.
182 Art 8(2)(d). The processing by such a body must be conducted in the course of its legitimate activities, with appropriate guarantees and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subject.
183 Art 8(2)(b). A member State must provide "adequate safeguards" in such a case.
184 Art. 8(2)(c).
185 Art. 8(2)(e).
186 See House of Lords Select Committee "Report on protection of personal data" para. 139.
187 Art. 8(5) of Directive 95/46/EC.
188 Art. 8(5).
189 Art. 8(7).

performance at work, creditworthiness, reliability and conduct. Although the provision is formulated as a data-subject right, it amounts to "an in principle prohibition on the taking of fully automated decisions" based on a personality profile of the data subject. This prohibition does not apply to decisions based on verifiable factual data (such as the amount of money in an account).

Exceptions may be provided for when the decision is taken in the context of a contract or is authorised by law, provided that the subject's legitimate interests are safeguarded.

Article 15 is an unusual data privacy provision in that its focus is not on data processing but on a type of decision-making, namely "automated profiling". Examples of this type of decision-making are the listing of applicants for a job in order of preference solely on the basis of a personality test, and the use of scoring techniques for the purpose of assessing creditworthiness. Article 15 is designed to protect individuals against the perceived growth of automation of organisational decisions about individuals.

Processing operations likely to present specific risks to the rights and freedoms of data subjects

Processing operations that might pose specific risks to the rights and freedoms of data subjects are subject to prior checking by either the supervisory authority or the data privacy official in co-operation with that authority.

The risks posed by the processing of the data concerned can be due to the nature of the data (as with sensitive data), their scope (for example, data of the whole population) or their purpose (for example, to exclude individuals from a right, benefit or contract), or by the use of new technologies. Risks may be specified in legislation, but "one can say that the authorities regard with concern very large scale processing of personal data, any linking or matching of databases, as well as any processing that may result in the exclusion of individuals from contracts, and, of course, especially a combination of these, in particular (but not only) if the data include 'sensitive data'".

D The data controller's duties

As has already been mentioned, it is the responsibility of the data controller to ensure that data are processed fairly and lawfully and that the data-quality principles are complied with. In order to fulfil this responsibility, the data controller must carry out certain duties.

(a) The data controller's duty to notify the data privacy authority of processing

A data controller or its representative must notify the supervisory authority before carrying out any automatic (or partly automatic) processing operation. The notification procedure is discussed in more detail below.

(b) The data controller's duty to inform the data subject

Apart from informing the supervisory authority, data controllers must also provide data subjects with certain information in order to ensure fair processing. Data subjects must, at least, be informed of the identity of the controllers and of their representatives, and of the purposes of the processing for which the data are intended. Further information, such as the categories of data concerned, the recipients of the data, whether replies to the questions are obligatory, the possible consequences of failure to reply, and the existence of the data subjects' right to access data and the right to rectify such data if they are incorrect, must be supplied "in so far as it is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing".

When the data are collected from the data subjects, the latter must be given the above-mentioned details unless they are already familiar with the details. When the data have not been obtained from the data subjects, the details must be given to them at the time of the data's recording or, at the latest, when the data are disclosed to third parties for the first time, again unless the data subjects are already familiar with the details.

When the data have not been collected from the data subjects, the requirement that information be given to the data subjects does not apply in certain instances, in particular when processing is for statistical purposes or for historical or scientific research. The information need not be given when the provision of such information proves impossible or would involve a disproportionate effort, or if recording or
199 Korff Data Protection Laws in the European Union 49.
Ig Art. 15(2){a) and (5) of Directive 95/46/EC.
192 Bygrave “Minding the machine” 2001 Computer Law and Security Rep 17.
193 House of Lords Select Committee “Report on protection of personal data”
194 Bygrave “Minding the machine” 2001 Computer Law and Security Rep 20
normatively important in terms of the principle it establishes and embodies. This principle is that fully automated assessments of a person's character should not form the sole basis of decisions that significantly impinge upon the person's interests. The principle provides a signal to profilers about where the limits of automated profiling should roughly be drawn”.
195 Art. 20(2) of Directive 95/46/EC.
196 Para. (53) of the preamble to Directive 95/46/EC; Korff Data Protection Laws in the European Union 54.
197 Korff Data Protection Laws in the European Union %4 (italics in original text).
In para. 9.3.4.2C(a)(i) above.
199 For a definition of “data controller”, see fn. 3 above.

Art. 6(1)(a) and 6(2) of Directive 95/46/EC.
Art. 18(1).
In para. 9.3.4.2F(c).
Arts 10 and 11(1) of Directive 95/46/EC. Processing of data cannot be fair unless the data subject is informed of the existence of such a processing operation (para. (38) of the preamble to Directive 95/46/EC).
When the data have not been collected from the data subject personally (art. 11(1)).
When the data are collected from the data subject personally (art. 10).
See para. 9.3.4.2 (a) below.
Art. 10 of Directive 95/46/EC.
Art. 11(1).
For example, because the address of the data subject is not known.
Factors that can be taken into consideration in this regard are the number of data subjects, the age of the data and any compensatory measure adopted (para. (40) of the preamble to Directive 95/46/EC).
disclosure is expressly required by law. Once more, the data controller must provide appropriate safeguards.
The rights and obligations, as regards the duty to inform the data subjects, may be restricted when such a restriction constitutes a necessary measure to safeguard certain public interests or to protect the data subjects or the interests of others.
Data subjects must also be informed of the existence of their right to object to the processing of data for direct-marketing purposes.

(c) The data controller's duty to ensure confidentiality and security of processing
The controller has a duty to implement appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, particularly when processing involves the transmission of data over a network, and from all other unlawful forms of processing. The measures must ensure a level of security that is appropriate to the risks presented.
No person may process personal data, unless he, she or it has been instructed to do so by the controller or is required to do so by law. Even if the controller chooses a processor to do the processing on its behalf, the controller remains responsible for security and is required inter alia to choose a processor that provides sufficient guarantees in respect of the technical and organisational security measures. The controller must enter into a written contract with the processor, which contract stipulates that the processor will act only on the controller’s instruction and that the security provisions are also incumbent on the processor.

E The data subject's rights
An important aspect of any data privacy regime is that data subjects are granted specific rights regarding their personal information. This enables subjects to regain control over the use of their personal information.

(a) The data subject’s right to participate
Article 12 of the Directive requires that every data subject be given the following three rights:
• The right to access “without constraint”, “at reasonable intervals” and “without excessive delay or expense” data relating to the data subject personally.
• The right to have data which are incomplete or inaccurate, or the processing of which otherwise does not comply with the provisions of the Directive, rectified, erased or blocked.
• The right to have third parties to which the data have been disclosed notified of any subsequent rectification, erasure or blocking, unless such notification proves impossible or involves a disproportionate effort.
The first right can be broken down into three separate rights: (i) data subjects’ right to be given confirmation of whether data relating to them are being processed, as well as information on at least the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; (ii) data subjects’ right to be given, in an intelligible form, the data undergoing processing and any available information as to their source; and (iii) data subjects’ right to be informed of the logic involved in any automatic processing of data concerning them (at least in the case of the automated decisions).
The scope of the rights and obligations in article 12 may be restricted by member States, provided such restriction constitutes a “necessary measure” to safeguard certain public interests or to protect the data subject or the interests of others. Member States may also restrict the rights provided by article 12 when data are processed solely for the purposes of scientific research or kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics. Two provisos are added to the last exception: member States must provide “adequate legal safeguards”, in particular to ensure “that the data are not used for taking measures or decisions regarding any particular individual”; there must be no risk of a breach of the privacy of the data subject.
The restrictions on the right of access are not mandatory. Member States must determine for themselves, against the background of the Directive, whether it is necessary to impose any restrictions.

211 Art 11(2) of Directive 95/46/EC. For criticism of the “appropriate safeguards” provision, see Simitis “From the market to the polis” 1995 Iowa LR 458 and fn. 260 below.
212 Namely national security, defence, public security, criminal investigations, investigations of breaches of ethics for regulated professions and important economic or financial interests of a member State or of the European Union.
213 Art 13(1) of Directive 95/46/EC.
214 Art 14(5).
215 These measures must be implemented both at the design stage of the processing system and at the time of processing itself (para. (46) of the preamble to Directive 95/46/EC).
216 Factors relevant to determining the appropriateness of the measures are the state of the art, the cost of implementation, and the nature of the data to be processed (art. 17(1) of Directive 95/46/EC).
217 Art. 16 of Directive 95/46/EC.
218 Art 17(2)-(4).

219 Art. 12(a). This is an essential provision because it is only through individual access that the accuracy of the data and the lawfulness of the processing can be established (para (41) of the preamble to Directive 95/46/EC; House of Lords Select Committee “Report on protection of personal data” 131).
220 Art. 12(b).
221 Art. 12(c).
222 Art. 15(1). This provision should not be interpreted so as to affect trade secrets or intellectual property rights, such as copyright protecting software (see para. (41) of the preamble).
State or of the European Union. In earlier drafts of the Directive the Commission proposed that it should be required that the member State's interest must be “a duly established paramount interest”. This was watered down in the final form of the Directive (see Simitis “From the market to the polis” 1995 Iowa LR 459).
224 Art 13(1) of Directive 95/46/EC. It would be permissible, for example, to specify that access to medical data may be obtained only through a health professional (para. (42) of the preamble to the Directive).
Art. 13(2).
Simitis “From the market to the polis” 1995 Iowa LR 460 is of the view that the Commission and the Council chose the wrong approach in this regard, and that they should have laid down rules
continued

(b) The data subject’s right to object to processing for direct-marketing purposes
Two instances where data subjects have the right to object to the processing of their personal information are pointed out above. Data subjects also have a right to object to the processing of personal data for direct-marketing purposes. Subjects should be able to exercise this right at no cost and without having to give reasons. Data subjects should be made aware of the existence of their right to object to the processing of data for direct-marketing purposes.
Although the Directive makes it clear that data subjects must have the right to object to the processing of their personal data for direct-marketing purposes, the system — that is, whether an “opt-in” or “opt-out” system should be used — is not prescribed. In an “opt-in” system, the data subjects must specifically be asked whether they want to be included in a direct-marketing list before their data may be processed lawfully. In an “opt-out” system, the data subjects are required to object should they want their names removed from a direct-marketing list.

(c) The data subject's right not to be subjected to automated individual decisions
In terms of article 15 of the Directive a data subject has the right not to be subjected to an automated decision that significantly influences him or her and that is based solely on a personality profile.

F Supervision, notification and enforcement

(a) Introduction
The Directive does not prescribe in any detail the regulatory scheme to be followed, for example whether licensing, registration and the like are required. However, it is clear that the Directive requires both a data privacy authority with the necessary powers to supervise compliance with the basic data privacy principles, and individual rights of enforcement independent of that authority.

(b) Supervision
Each member State must establish at least one independent public authority to monitor the application of the data privacy provisions adopted pursuant to the Directive. These supervisory authorities must be consulted when administrative measures or regulations relating to data privacy are drawn up. The authorities must be endowed with powers to investigate, to intervene, and to engage in legal proceedings when the national data privacy legislation is violated. The local data privacy Act must give the data subject a right to appeal to the courts against a decision by the supervisory body.
The functions of a supervisory body must include hearing claims about the infringement of persons’ rights and freedoms in the processing of personal data, and particularly claims for checks on the lawfulness of data processing and informing the person that such a check has taken place. A further task of the supervisory authority is to draw up a report on its activities at regular intervals. The report must be made public.
The members and staff of the supervisory authority are subject to a duty of professional secrecy, even after their employment has ended, regarding the confidential information to which they have access.
The supervisory authority is competent to exercise the powers conferred on it within the member State’s territory, even though national law of a different State may apply. The authority of one member State may approach that of another with a request that the other State's authority should apply that other State’s powers. The supervisory bodies are instructed to co-operate generally with one another, to the extent necessary for the performance of their duties, in particular by exchanging “all useful information”.

(c) Notification and publication in register
A data controller or its representative must notify the supervisory authority before carrying out any automatic (or partly automatic) processing operation intended to serve a single purpose or several related purposes. In other words, separate notification of processing of personal data is required for each different, unrelated purpose.
The notice must contain the following information: the name and address of the controller and of its representative; the purpose or purposes of the processing; a description of the category or categories of data subject and of the data or categories of data relating to those subjects; the recipients or categories of recipient to whom

clearly stating that the data subject's right to access can never be totally excluded but can, at most, be partially restricted or temporarily suspended in a series of unequivocally defined and specifically listed cases.
See para. 9.3.4.2C(a)(ii) above (text to fn. 199).
Art. 14(5) of Directive 95/46/EC.
See Bennett “The European Union data protection Directive: Lessons for the protection of privacy in Canada” 5.
See para. 9.3.4.2C(b)(i) above.
See Greenleaf “The 1995 EU Directive on data protection: An overview” 1995 (2) Intl Privacy Bulletin 14.
Art. 28(1) of Directive 95/46/EC.

Art. 28(2).
For example, the power to access data and to collect all the information necessary for the performance of their supervisory duties.
For example, the power to deliver an opinion after a prior check has taken place, to order the blocking, erasure or destruction of data, to impose a ban on processing, to warn or admonish the controller, or to refer the matter to parliament or another political institution.
Art 28(3) of Directive 95/46/EC.
Art. 28(4).
Art. 28(5).
Art. 28(7).
See para. 9.3.4.2C, below, on jurisdiction.
Art 28(6) of Directive 95/46/EC.
Art 18(1). A member State must also specify the procedures for notifying the supervisory authority of any changes in the information conveyed to it (art. 19(2)).
243 “Recipient” is defined in art. 2(g) of Directive 95/46/EC as “a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; how-
continued

the data may be disclosed; proposed transfers of data to third countries; and a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing.
The notification process may be simplified, or controllers exempted from it, by individual member States in a few instances, for example when categories of processing operation are unlikely to affect adversely the rights and freedoms of data subjects, or when the controller appoints a personal-data privacy official. The official will then be responsible for ensuring the internal application of the national provisions and for keeping the register of processing operations carried out by the controller.
The notification procedure may also be simplified, or the controllers exempted from it, in the case of non-automatic processing operations for processing activities the purpose of which is to produce a public register, or in the case of processing activities by non-profit-seeking bodies on condition that the processing relates to the members of the body and that the data are not disclosed to a third party without the consent of the data subjects.
The notification process enables the supervisory authority to carry out prior checks on processing operations likely to present specific risks to the rights and freedoms of data subjects. The authority must publish the information supplied in the notice in a register of processing operations. The register must be open for inspection to any person.
The notification procedure is designed to ensure disclosure of the purposes and main features of any processing operation so that it can be verified whether the operation is in accordance with the national data privacy legislation. When processing is not subject to notification, the controller or another body appointed by the member State must make the relevant information available to a data subject upon such subject’s request.

(d) Judicial remedies, liability and sanctions
Apart from an administrative remedy, individuals are also entitled to a judicial remedy for an infringement of their rights guaranteed by the data privacy law. They are entitled to receive compensation from the controller for damage suffered as a result of an unlawful processing operation. Controllers may be exempted from this liability if they prove that they are not responsible for the event that caused the damage. National data privacy legislation must also lay down the sanctions to be imposed in the event of any infringement of its provisions.

(e) Codes of conduct
Member States are to encourage the drawing up of codes of conduct for the various sectors that process data, with a view to contributing to the proper implementation of the national data privacy provisions. The supervisory authority of the member State must have the authority to inspect draft codes drawn up by trade associations or other representative bodies and to determine whether the codes are in accordance with national legislation.

G Jurisdiction: Extraterritorial reach of national laws
Bygrave points out that it is difficult to make jurisdiction and choice-of-law rules when data privacy is involved, because of the nature of the law and information systems involved. Data privacy law straddles the boundaries between public and private law, criminal and civil law. It is accordingly difficult to place data privacy law within any one of the legal categories traditionally employed by the doctrines of private international law. Also, the doctrines of private international law tend to rely on a link to a geographical location. However, many information systems are increasingly difficult to link to any fixed geographical location. The doctrines further tend to presume that persons and organisations are able to identify the full parameters of the informational transactions surrounding or affecting them, but this ability is being challenged by the increasing complexity of informational transactions.

ever, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients”. A recipient may thus include a third party, but is not only a third party. The data subject, controller or processor all qualify as recipients. A “third party” is defined in art. 2(f) as “any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data”.
244 Art 19 of Directive 95/46/EC.
245 Art. 18(2). Certain minimum information must still, however, be supplied. This includes the purpose of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed, and the length of time the data are to be stored.
246 Art 18(2).
247 Art. 18(5). Data controllers released from the notification requirement must still comply with all the other requirements of their national legislation (para. (51) of the preamble to Directive 95/46/EC).
248 Art. 18(3).
249 Art. 18(4).
250 Art 20(1). See also para. 9.3.4.2C(b)(ii) above.
251 Except for the “general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing” (art. 21(2)).
252 Art 21(2).
253 Para. (48) of the preamble to Directive 95/46/EC.

254 Art. 21(3) provides that “Member States may provide that this provision does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can provide proof of a legitimate interest”.
255 For example, recourse to the supervisory authority.
256 Art 22 of Directive 95/46/EC.
257 Art 23(1).
258 Art 23(2). Examples of situations where the controller may be exempted, are where the data subject was at fault, or in the case of force majeure (para. (55) of the preamble to Directive 95/46/EC).
259 Art 24. The sanctions can be governed by either public or private law (para. (55) of the preamble to Directive 95/46/EC).
260 Art. 27(1). The Directive also envisages the drawing up of codes of conduct at community level (art. 27(3)).
261 Art 27(2).
262 Bygrave “Determining applicable law pursuant to European data protection legislation” 2000 Computer Law and Security Rep

Addressing the issue of jurisdiction the Directive provides that a member State's national law is applicable to the processing of data when the processing is done by a controller established on the territory of the member State, or when the controller is established in a place where the member State's national law applies because of international public law, or because the controller uses equipment situated on the territory of the member State (provided the equipment is not used merely for the transit of the personal data through the territory of the Community). In other words, a company that carries on activities in a European Union member State but processes personal data relating to that activity in a non-member State is subject to the member State's data privacy law. Likewise, a company that, while based in a non-member State, uses processing facilities in a member State is also subject to the member State's data privacy law.
In terms of article 4 of the Directive, the principal criterion for determining applicable law regarding data privacy issues is the data controller's place of establishment, largely irrespective of where the data processing occurs. This criterion is the norm for all countries governed by the Directive.

H Transborder data transfers: The implications of the Directive for third countries
Once the national laws of the member States have been “approximated” with regard to data privacy, these States may no longer prohibit the transfer of personal data between themselves. However, article 25 of the Directive imposes a prohibition on the transfer of personal data to non-member countries that do not ensure an adequate level of protection:
The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
The European Commission may determine whether a particular country provides adequate protection or not. Member States are obliged to comply with the Commission’s decision. Once a decision is made that a country provides adequate protection, personal data can flow from EU member countries (as well as the three European Economic Area member countries, Norway, Liechtenstein and Iceland) to that country without any further safeguards’ being necessary. A finding that a country provides “inadequate” protection, however, obliges EU member countries to cut off the flow of personal information to that country and therefore has potentially grave consequences for countries outside the European Union. No country has yet been blacklisted — in other words, no formal finding has been made that a particular country does not provide adequate protection.
Apart from a formal finding of adequacy, adequacy may also be determined on an ad hoc basis concerning a particular transfer. All the circumstances surrounding the data transfer must be taken into account when the adequacy of the level of protection afforded by a third country is assessed. Factors that must be given particular consideration are the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
The European Commission is instructed to enter into negotiations with third countries that fall short of the adequacy provision to remedy the situation. An example of an agreement reached between the Commission and a third country is the “Safe Harbor” agreement that was concluded with the American Department of Commerce.
In article 26 the Directive provides for derogations from the prohibition of the transfer of data to third countries without adequate protection of privacy. These exemptions concern cases in which the risks to the data subject are relatively small or other interests (whether public interests or those of the data subject) override the data subject's right to privacy. The exemptions are effective when
• The data subject has unambiguously consented to the proposed transfer.
• The transfer is necessary to protect the vital interests of the data subject.

263 “Established on the territory” of a member State implies “the effective and real exercise of activity through stable arrangements” (see para. (19) of the preamble to Directive 95/46/EC). According to this paragraph, the legal form of the establishment — whether it is simply a branch or a subsidiary with legal personality — is not the determining factor.
Art 4(1)(a) of Directive 95/46/EC. When the same controller is established on the territory of several member States, it must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the applicable national law (see para. (19) of the preamble to the Directive).
265 Art. 4(1)(b).
266 Art. 4(1)(c). In these circumstances, the controller must designate a representative established in the territory of that member State, without prejudice to legal actions which could be initiated against the controller itself.
267 See Greenleaf “The 1995 EU Directive on data protection” 1995 (2) Intl Privacy Bulletin 14.
268 Bygrave “European data protection” 2000 Computer Law and Security Rep 252.
269 Para. (9) of the preamble to Directive 95/46/EC.
270 The executive arm of the European Union.
271 Art 25(4) and (6) of Directive 95/46/EC.

272 The Commission has found that Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay provide adequate protection. As far as the USA is concerned, the US Department of Commerce's “Safe Harbor” privacy principles, and the transfer of Passenger Name Record (PNR) data to the United States’ Department of Homeland Security (the Bureau of Customs and Border Protection, US ee ee et ee nee nega have been accepted as providing adequate protection. See Commission decisions on the adequacy of the protection of personal data in third countries, http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm (accessed 13 July 2015). However, in October 2015 the Court of Justice of the European Union (CJEU) declared the Safe Harbor agreement invalid. See par 9.3.5 below.
See Schwartz “European data protection law and restrictions on international data flows” 1995 Iowa LR 487.
Kuner Data Privacy Law and Online Business 135.
Art. 25(2) of Directive 95/46/EC.
Art. 25(5).
See para. 9.3.5.2 below.
EU Data Protection Working Party “Transfers of personal data to third countries” 24.
Art. 26(1)(a) of Directive 95/46/EC.
preys csi rhental chars ber bape ar Hee a beed or ales cary Reiter country from a member country in which the data subject has previously been treated, data subject has become seriously ill while visiting the third country. “Vital interest” seas
continued

OO The transfer is necessary for the conclusion or performance of a contract be- reconcile the right to privacy with the rules governing freedom of expression.™ This
tween the controller and provision is necessary in order for the Directive to give cffect to article 10 of the
* the data subject, in response to the subject's request;™ European Convention on Human Rights, which declares that “everyone has the right
© athird party, concluded in the interests of the data subject.” to freedom of expression”, including the right to “receive and impart information”
O The transfer is necessary (or legally required) on important public-interest The data controller may not be exempted from its obligation to put proper security
grounds,” or for the establishment, exercise or defence of legal claims.” measures in place.
The transfer has been made from a public register.”
J Conclusion
O The controller provides adequate safeguards for the protection of the¢ privacy of
The Directive on the Protection of Individuals with regard to the Processing of Per-
individuals, by means of appropriate contractual clauses, for example.
sonal Data and on the Free Movement of such Data has been responsible for some
1 The processing of data and freedom of expression real innovations in the area of data privacy: it abandoned artificial and outdated
When personal data are processed solcly for journalistic purposes or artistic or lit- distinctions such as those between the public and private sectors, “automated” and
erary expression, exemptions or derogations from the provisions relating to the law- “manual” files, and the different stages of processing (collecting, processing and dis-
fulness of processing, the rules relating
to the transfer of data to third countries, and the provisions relating to the supervisory authority must be made if they are necessary to

interpreted narrowly, basen and must not include financial, property or family interests. See EU Data Protection Working Party “Transfers of personal data to third countries” 25.
281 Art. 26(1)(b) of Directive 95/46/EC.
282 Art. 26(1)(c). Examples of transfers to which the exemptions in art. 26(1)(b) and (c) apply are transfers made to reserve an airline ticket for a passenger or to effect an international credit-card payment. An example of a contract for the benefit of the data subject is one in terms of which the data subject is the beneficiary of a pay made by her p te the les. A “necessity test” must be applied in these cases: all of the data transferred must be necessary for the performance of the contract. If additional non-essential data are transferred, or if the purpose of the transfer is not the performance of a contract but some other purpose (such as follow-up marketing), the exemption will be lost. See EU Data Protection Working Party “Transfers of personal data to third countries” 24. Also see Swire and Litan None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive 34-30.
For example, the transfer of data may be necessary between tax or customs administrations or between social-security services (para. (58) of the preamble to Directive 95/46/EC).
parle Sade presi chy boy mar lclrercr sale car ran arn ler rear of legal proceedings (EU Data Protection Working Party “Transfers of personal data to third countries” 2%).
285 Art. 26(1)(f) of Directive 95/46/EC. In such a case the transfer must not involve the entirety of the data or entire categories of the data contained in the register. When the register is intended for persons with a legitimate interest, the transfer must only be made at the request of those persons or if they are to be recipients of the data (para. (58) of the preamble). The:i of this tion is to ensure that, when a register in a member State is available for consultation by the public or specific persons demonstrating a legitimate interest, the fact that the person who has the right to consult the register is situated in a third country, and that the act of consultation would therefore involve a transfer of data, does not prevent the information from being transmitted to such a person. See EU Data Protection Working Party “Transfers of personal data to third countries” 25.
286 Art. 26(4) of Directive 95/46/EC. The European Commission has issued model contracts for the transfer of personal data to third countries, and also recognises Binding Corporate Rules (BCR) as a legal basis to export personal data. BCR are “legally-binding data processing rules adopted by a company or group of companies and which grant rights to data subjects”. (Kuner Transborder Data Flows and Data Law 43.) See http://ec.europa.eu/justice/ /document/ intern: index_en.htm (Accessed on 13 July 2015). Also see Proust and Bartoli “Binding Corporate Rules: a global solution for international data transfers” 2012 International Da pen ee
287 : from the provisi Acai x to the Working Party established by the eee oe

seminating). It introduced new data privacy principles, such as the right of data subjects not to be subject to automated decisions based on personality profiles and the right of data subjects to object to certain processing activities, such as direct marketing.

The Directive is a modern example of a data privacy instrument and a valuable model for countries which are considering adopting data privacy law. The Directive also represents a dramatic increase in the reach and importance of data privacy laws, in that, in the words of Swire and Litan, “it provides a unified and comprehensive data privacy regime to all fifteen countries and 370 million people in the European Union”.

K Proposals for Reform

The current framework for data protection in the EU is considered to be sound as far as its objectives and principles are concerned, but it has been implemented in an inconsistent way in the different countries. This fragmented approach, together with a widespread public perception that there are risks associated with online activity, has made the reform of the framework necessary. There is a need for a “stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.”

288 Art 9 of Directive 95/46/EC. The provisions of art. 9 naturally also apply to the processing of sound and image data carried out for journalistic purposes or for literary or artistic expression (para. (17) of the preamble to the Directive). The UK was opposed in principle to such a provision. Its view was that the right of free information and expression is not a special prerogative of the media but is available to everyone, and, hence, the media must not be given special exemptions at either Community or national level. In the UK no special privilege was given to the media granting them freedom of expression. It was also the UK's view that the media are capable of doing the gravest damage if they infringe the right to privacy (House of Lords Select Committee “Report on protection of personal data” para. 142).
289 None of Your Business 24.
290 European Parliament and the Council for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final. Also see Kotschy “The proposal for a new General Data Protection Regulation — problems solved?” 2014 IDPL 274.
The proposed Regulation is more detailed and stricter than the Directive. It enhances some of the current rights and introduces new ones. A particularly controversial right is the so-called right to be forgotten, which is actually a strengthening of the right of data subjects to request the erasure of data on them. It also introduced a new right of “data portability”, new restrictions on the processing of data of children under the age of 13 years, a new obligation on data controllers to carry out a data protection impact assessment where processing operations present specific risks to the rights and freedoms of data subjects, a new obligation to notify data protection authorities and data subjects of a personal data breach, and stronger sanctions. The Regulation does away with the requirement that data controllers should notify the data protection authority of any processing activity before it takes place, but replaces it with new obligations to document data processing activities and to appoint internal data protection officers. The current Article 29 Working Party is replaced by a European Data Protection Board with a broader mandate. The provisions regarding the transfer of personal data across borders have been widened to include not only third countries, but also international organisations, territories and processing sectors within the third country.

According to Bygrave, “these reform proposals ... are extremely ambitious. They involve far more than a cosmetic makeover of the current framework ...” He concludes that “It will take considerable time before the dust settles around the legislative reform. The process is complex and cumbersome ...”.

291 For an evaluation of the efficacy of using a Regulation and not a Directive to regulate data protection in the EU, see Blume “Will it be a better world? The proposed EU Data Protection Regulation” 2012 IDPL 130. For a discussion of the Regulation also see: Blume “The myths pertaining to ee reopen ere Dee teen ee 2014 IDPL 269. Also see Mantelero “Competitive value of data pr impact of data pre reg on behaviour” 2013 SUPE ER. Manca demote 9 as ey acme es cote oe Mating Fhe Renta aoe protection framework for the twenty-first century” 2012 IDPL 119.
292 Art 17 of the Proposed Regulation. The right to be forgotten has already been implemented in EU law with the decision of the Court of Justice of the European Union in Google Spain and Inc v Agencia Española de Protección iis Deaton ee fee Come Sas Ue The Court held that Google Spain had to remove links to information about the complainant which was outdated and See Seley one ee ae Prone ce rege Ce Be at apace see Sartor “The right to be forgotten in the Draft Data Protection Regulation” 2015 IDPL 64; Fazlioglu “Forget me not: the clash of the right to be forgotten and freedom of expression on the Internet” 2013 IDPL 149.
The right of data subjects to transfer data about themselves from one information system to another — Art 18 of the Proposed Regulation. See also Zanfir “The right to Data portability in the context of the EU data protection reform” 2012 IDPL 149.
Their data may only be d with the of a dian — Art 8 of the Proposed Regulation. See further Jasmontaite and De Hert “The EU, children under 13 years, and parental consent: a human rights analysis of a new, age-based bright-line for the protection of children on the Internet” 2015 IDPL 20.
Art 33 of the Proposed Regulation.
Art 31 and 32 of the Proposed Regulation.
Art. 79 of the Proposed Regulation.
adequacy decisions: the proposed new possibilities” 2015 IDPL 34.
Brees Hem frvey tee 7k:

9.4.4.3 The Directive on Privacy and Electronic Communications

The Directive on Privacy and Electronic Communications (also known as the E-Privacy Directive) was adopted in 2002 and amended in 2009. It replaced the 1997 Directive on the Protection of Privacy and the Processing of Personal Data in the Telecommunications Sector with effect from 31 October 2003. It was not certain whether the 1997 Directive applied to Internet-based communications. The 2002 E-Directive clearly covers Internet-based communications and electronic messaging services.

The aim of the E-Directive is to provide “for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community”. It complements the 1995 Data Protection Directive, but also extends protection to juristic persons, something the 1995 Directive does not do.

In terms of the Directive on Privacy and Electronic Communications the provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard the security of its service.

3S Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector Official Journal L 201/37. Directive 2002/58/EC forms part of the Telecoms Package, the legislative framework governing the electronic communications sector. The Telecoms Package includes four other Directives on the general framework (Directive 2002/21/EC), access and interconnection (Directive 2002/19/EC), authorisation and licensing (Directive 2002/20/EC) and the universal service (Directive 2002/22/EC). The Telecoms Package was amended in 2009 by two Directives (Directive 2009/140/EC and Directive 2009/136/EC) as well as by the regulation establishing a body of European regulators for electronic communications (BEREC) (Regulation (EC) No 1211/2009).
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal Tee ee er ee eee No. 2006/2004 on peration ities Ps ible for the enfk consumer protection laws.
Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 Concerning the Processing of Personal Data and the Protection of Private Life in the Telecommunications Sector Official Journal L 24/1.
Art. 1(1) of Directive 2002/58/EC (as amended by 2009 Directive).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31.
Art. 2 of Directive 2002/58/EC.
Art. 3. These measures must ensure a level of security appropriate to the risk presented, having regard to the state of the art and the cost of their implementation. The provider is also obliged to Ee eee ne ne eee eee, Amendment Directive, the idered on: The must at a minimum:
* ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,
continued
The provider must also ensure the confidentiality of communications and related traffic data by prohibiting their interception without the consent of the users concerned, unless the provider is legally authorised to intercept the communication and related data. Article 15 of the Directive permits restrictions on the rights and obligations of this provision for law-enforcement and national-security reasons.

If there was a personal data breach, the service provider must inform the national authority within 24 hours, where feasible. If this infringement is likely to harm the personal data or privacy of a subscriber or an individual, the service provider must also inform the subscriber or individual in question. Notification to a subscriber need not take place if the service provider has put in place technological protection measures that make the data incomprehensible to any person without authorised access.

Traffic data must be erased or made anonymous when it is no longer needed for the transmission of a communication. Traffic data that are necessary for subscriber billing and interconnection payments may be processed, but only up to the end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data can be used for the purpose of marketing electronic communications services or for the provision of value-added services, if the subscriber or user to whom the data relate has given his or her consent. Users or subscribers must be allowed to withdraw their consent to the processing of traffic data at any time. In other words, subscribers must “opt in” before their data can be used for direct-marketing purposes in this context. Location data may only be processed when they are made anonymous, or with the consent of the users or subscribers.

* protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
* ensure the implementation of a security policy with respect to the processing of personal data.
310 Art 5.
311 Art 2(1) of Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
312 Art. 3(1) of Regulation (EU) No 611/2013.
313 Art 4(1) of Regulation (EU) No 611/2013.
314 In terms of para. (15) of the preamble to Directive 2002/58/EC traffic data may consist of, inter alia, data referring to the routing, duration, time or volume of a communication, to the protocol used, the location of the terminal equipment of the sender or recipient, the network in which the communication originates or terminates, or to the beginning, end or duration of a connection. They may also consist of the format in which the communication is conveyed by the network.
315 Art 6(1) of Directive 2002/58/EC.
316 Art. 6(2).
317 Art 6(3).
318 Art 2(c) of Directive 2002/58/EC as amended provides that “Location data means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”. Location data may refer to the latitude, longitude and altitude of the user's I excyusi to the direction of the jon's travel, the level of accuracy of the location information, the identification of the network cell in which the terminal equipment is located at a certain point in time, and to the time the location information was recorded. See para. (14) of the preamble to Directive 2002/58/EC and art. 2(c).
319 Art 9(1) of Directive 2002/58/EC. Once more, the subscriber must “opt in”.

The Directive also deals with the use of cookies. It requires websites to obtain informed consent from visitors before they store information on a computer or any web connected device. It is mostly by using cookies that information is stored by a website on the hard drive of a user’s computer. Cookies are used for tracking visitors to a site. For cookies that are deemed to be ‘strictly necessary for the delivery of a service requested by the user’ the consent of the user is not needed. An example of a ‘strictly necessary’ cookie is one that is used to complete a transaction when a user has placed an order (‘add to basket’ or ‘continue to checkout’) when shopping online. The browser uses the information in the cookie to complete a successful transaction.

In terms of this Directive subscribers have certain rights, including the right to receive non-itemised bills. Also, when calling line identification (so-called caller ID) is offered, the calling user must be given the capability to prevent the presentation of the calling line identification on a per-call basis, and the calling subscriber must be given this possibility on a per-line basis. Exceptions are allowed, for example for the tracing of nuisance calls or for emergency services. A subscriber must be able to stop automatic call forwarding by a third party to the subscriber's terminal. Furthermore, before they are included in a printed or electronic public directory of subscribers, subscribers must be informed of their inclusion free of charge. They must be given the opportunity to determine whether their personal data are included in a public directory, and, if so, which data. They must also be given the opportunity to verify, correct or withdraw such data free of charge.

The Directive also addresses unsolicited communications (“spam”). The use of automated calling systems without human intervention (automatic calling machines), facsimile machines or e-mail for direct marketing may only be allowed in respect of

320 See fn 11 for a description of the term “cookie”.
321 Art 5(3) (as amended by Directive 2009/136/EC) provides:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
(Directive 2009/136/EC is sometimes referred to as the Cookie directive.) The EU Data Protection renin acty lean leases peicescaces nes sla ocala nt coement Bex, Bae mae of connsen see Working Document 02/2013 providing guidance on obtaining consent for cookies WP 208 (2015).
Art. 5(3).
Art 7(1).
In terms of art. 2, a user is a 1 using a publicly available electronic communications service without necessarily having subscribed to the service.
Art. 8(1) and (2).
Art 10.
Art. 11.
Art 12.
subscribers who have given their prior consent. In other words, a subscriber has to “opt in” before his or her e-mail address may be used for direct marketing. However, when there is an existing customer relationship, the use of electronic contact details for the offering of similar products or services is allowed by the company that initially obtained those contact details, unless the subscriber refuses (“opt out”).

When electronic contact details are collected, the collecting party must inform the customer explicitly about their further use for direct marketing and the customer must be given the opportunity of refusing to permit such usage. This opportunity must be offered free of charge with each subsequent direct-marketing message to him or her. The Directive prohibits the sending of direct marketing electronic mail that disguises or conceals the identity of the sender on whose behalf the communication is made or that does not include a valid address to which the recipient may send a request for such communications to cease.

The Directive allows for restrictions on the rights and duties created by it, provided such restrictions are necessary, appropriate and proportionate for public order within a democratic society. Such restrictions may be necessary to safeguard national or public security and in the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of electronic communications systems.

9.4.4.4 The Directive on Mandatory Retention of Traffic Data

Several EU member States (such as the United Kingdom, Denmark and Italy) adopted legislation providing for the retention of traffic data by service providers for the prevention, investigation, detection and prosecution of criminal offences and to combat terrorism. These national provisions varied considerably. On 13 July 2005, in its declaration condemning the terrorist attacks on London, the Council of Europe reaffirmed the urgent need to adopt common measures on the retention of telecommunications data. The European Union consequently decided that it was necessary to adopt a Directive that will harmonise laws adopted by the member countries and aimed at ensuring that retained data are made available to law-enforcement authorities. Thus, the Directive on Mandatory Retention of Traffic

329 Art. 13(1) provides:
“The use of automated calling and communication systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent.”
Art. 13(2) provides:
“Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case the customer has not initially refused such use.”
Art 13(2) and para. (41) of the preamble.
Art. 13(4).
Art 15.
Para. (5) of the preamble to Directive 2002/58/EC.
Para. (10) of the preamble.

Data was adopted. It relates only to data generated or processed as a consequence of a communication or a communication service. It covers fixed and mobile telephony, Internet access, Internet e-mail and Internet telephony and imposes an obligation on communication service providers to retain certain types of traffic or location data, including data necessary to trace and identify the source, destination, date, time, duration, type and location of a communication.

On 8 April 2014, the Court of Justice of the European Union declared the Directive 2006/24/EC invalid. It held that the Directive entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data; that it fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting ‘serious crime’, thereby leaving it too open for member States to decide on the scope of data retention and fails to define the guarantees surrounding data retention, that is, objective criteria to determine the retention periods, appropriate technical and organisational security measures and conditions for the access and use of the data by competent national authorities.

Member States will have to re-evaluate their data retention laws. The Data Protection Working Party is of the opinion that:

“in particular, national data retention laws and practices should ensure that there is no bulk retention of all kinds of data and that, instead, data are subject to appropriate differentiation, limitation or exception. Also, access and use by national competent authorities should be limited to what is strictly necessary in terms of categories of data and persons concerned, and subject to substantive and procedural conditions. Moreover, national laws should provide for effective protection against the risk of unlawful access and any other abuse, including the requirement that the storage of the data is subject to the control of an independent authority ensuring compliance with EU data protection law”

9.4.4.5 Conclusion

The European Union has the most comprehensive data privacy regime in place. The influence of its directives stretches much further than the European Union member States; every economic transaction involving the transfer of personal data across European borders between a person or enterprise in a European Union member country and a third party necessarily means that the influence of the Directives reaches into that third country.

336 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC Official Journal L 106/55.
337 EU Data Protection Working Party “Statement on the ruling of the Court of Justice of the European Union (CJEU) which invalidates the Data Retention Directive” WP 220 (2014) 2.
338 W244.
9.4.5 The United States and the “Safe Harbor” agreement

9.4.5.1 Introduction

The approach of the United States to data privacy (or information privacy, as American lawyers prefer to call it) is very different from that in Europe. This difference can, to some extent, be explained by the experience of European countries during World War II with the threat posed by the large-scale collection of personal information. Data privacy in Europe has therefore always been considered a human-rights issue as well as an economic one. The United States has not had a similar experience, and tends to believe that the information industry should be left to regulate itself.

American policy-makers prefer to deal with data-privacy issues as and when such issues become a problem; a specific event usually “triggers” the legislation process. The result is that legislation protecting data privacy in the United States is sectoral and haphazard. At federal level, the United States does not have a general data privacy law; instead, different pieces of legislation are involved. This means that different types of personal information are given different levels of protection. Protection of personal information in the private sector especially is limited. The United States is a member of the Organisation for Economic Co-operation and Development (the OECD) and several hundred American companies have adopted the OECD Guidelines on data protection. In the private sector one finds therefore that fair information practices have been created through industry self-regulation. However, the application of these principles is voluntary and they are not legally binding on the companies. As such they may be changed at any time by the companies involved. The lack of an independent data privacy authority is also seen by privacy commentators as a serious drawback.

339 Madsen Handbook of Personal Data Protection 23.
340 Roos “Data protection” 2007 SALJ 414.
341 For example, the Driver's Privacy Protection Act of 1994 was adopted after the death of an actress, Rebecca Schaeffer, who was killed by an obsessed fan who obtained her address from her California Department of Motor Vehicle record; and the Video Privacy Protection Act of 1988 was adopted in response to congressional outrage over the disclosure of the list of videos rented by Judge
342 For example, in the public sector: the Privacy Act of 1974, the Family Educational Rights and Privacy Act of 1974, the Right to Financial Privacy Act of 1978, the Privacy Protection Act of 1980, the Computer Matching and Privacy Protection Act of 1988, the Driver's Privacy Protection Act of 1994, the Health Insurance Portability and Accountability Act of 1996; and in the private sector: the Fair Credit Reporting Act of 1970; the Cable Communications Policy Act of 1984, the Electronic Communications Privacy Act of 1986, the Video Privacy Protection Act of 1988, the Telecommunications Act of 1996, the Children’s Online Privacy Protection Act of 1998 and the Gramm-Leach-Bliley Act of 1999; Fair and Accurate Credit Transactions Act of 2005.
343 See Schwartz and Reidenberg Data Privacy Law: A Study of United States Data Protection 11. See also Global Internet Liberty Campaign Privacy and Human Rights: An International Survey of Privacy Laws and Practice 23-24.
344 See Flaherty Protecting Privacy in Surveillance Societies 967. The Federal Trade Commission (FTC) has oversight and enforcement powers for the laws protecting children's online privacy, consumer credit information, and fair trading practices. Under the Privacy Act, the Office of Management and Budget (OMB) is involved in setting policy for federal agencies. It has been a requirement since 2008 that every federal agency appoint its own privacy officer in terms of the Consolidated Appropriations Act of 2005.

9.4.5.2 The “Safe Harbor” agreement

After the adoption in the European Union of the General Data Protection Directive in 1995, the question necessarily arose whether the United States would be deemed to have “adequate” data privacy in the sense in which the term is used in article 25 of the Directive. In 1999 it was found that “the current patchwork of narrowly-focussed sectoral laws and voluntary self-regulation cannot... be relied upon to provide adequate protection in all cases for personal data transfers from the European Union”. Since article 25 prohibits the transfer of personal data from EU countries to third countries that do not provide adequate data privacy, commentators in the United States have raised the concern that the free flow of data between the United States and Europe would be hampered.

In 1998 the United States and the European Union began negotiating a “Safe Harbor” agreement in order to ensure the free flow of personal information to the United States. The agreement consists of a set of privacy principles agreed upon by the American Department of Commerce and the Internal Market Directorate of the European Commission. Organisations in the United States may decide to participate by complying with the “Safe Harbor” requirements and by declaring publicly that they do so. Their names are added to a list maintained by the American Department of Commerce. Organisations in the EU can consult this list to determine whether particular companies in the United States are participating. Participation in the U.S.-EU Safe Harbor Framework and self-certification to the list are voluntary, but once an entity elects to participate in the program, it is legally required to comply with the Safe Harbor Privacy Principles.

At present, enforcement of the principles by the American government is through the Federal Trade Commission (the FTC) and the Department of Transport (the DoT) (with respect to air carriers and ticket agents), under laws that prohibit “unfair and deceptive acts”. At the time of writing, more than 5330 American organisations had become signatories.

From its inception the Safe Harbor agreement was criticised by many privacy advocates. It was criticised as being a self-regulatory system with little enforcement or

345 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data 1995 Official Journal L 281/31.
346 EU Data Protection Working Party “Opinion 1/99 concerning the level of data protection in the United States” 2.
347 See Gellman “Can privacy be regulated effectively on a national level: Thoughts on the possible need for international privacy rules” 1996 Villanova LR 129; Berkvens “Will the data protection Directive pr a global infor 27 1995 Comp ‘Law and Practice38; Schwartz “European data protection law and restrictions on international data flows” 1995 Iowa LR 471; Trubow “The European hi of data pr ion Laws th: US particiy in transborder data flow” 1992 Northwestern J of Intl Law and Bus 149.
EPIC Privacy and Human Rights (2002) 17.
See the website of Department of Commerce, on the “Safe Harbor” agreement, at www.export.gov/safeharbor (accessed 9 August 2007).
See, for eg, the Federal Trade Commission Act of 1914 (15 USC §§ 41-08). MySpace, Facebook and Google have all been the subject of FTC enforcement actions.
https://safeharbor.export.gov/list.aspx (accessed 14 July 2015).

systematic review of compliance; there was no individual right of appeal against invasions of privacy and no individual right to compensation for infringements of privacy, and the agreement only applied to companies overseen by the FTC and DoT, which means that the financial and telecommunications sectors were excluded.

The Snowden revelations concerning the scope of US surveillance programmes in 2013 raised further concerns. According to a report by the European Commission in 2013 on the functioning of Safe Harbor, “all companies involved in the PRISM programme, and which grant access to US authorities to data stored and processed in the US, appear to be Safe Harbour certified. This has made the Safe Harbour scheme one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the EU.” Negotiations were started in 2014 on renegotiating the Safe Harbor agreement.

These negotiations were overtaken by a decision of the EUCJ. In October 2015 the EUCJ was asked to evaluate the validity of the Safe Harbor agreement by the Irish data protection authority. Schrems, an Austrian national, approached the Irish data protection authority requesting it to prohibit Facebook, which had its European headquarters in Ireland, from transferring his personal data to the servers of Facebook in the USA. This transfer of personal data was done in terms of Commission decision 2000/520 which created the Safe Harbor agreement. The court held that Decision 2000/520 was invalid, inter alia because US public authorities are not themselves subject to it and national security, public interest and law enforcement requirements of the US prevail over the safe harbour scheme — the scheme therefore enables interference, by US public authorities, with the fundamental rights of persons. Another issue was the fact that it is not possible for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure of personal data.

This decision has created legal uncertainty for the thousands of enterprises that make daily use of the Safe Harbor agreement. Given the importance of the transfer of personal data between EU and US enterprises, the uncertainty created by this decision will have to be addressed as soon as possible, probably by the adoption of a new agreement that more fully protects individuals’ fundamental right to data protection. In the meantime the EU Data Protection Working Party advises that Standard Contractual Clauses and Binding Corporate Rules can still be used.

9.4.6 Other international data protection codes

The instruments discussed above are not the only international instruments on data protection, but have been the most influential in the development of regulatory policy on data protection. A brief overview will be given of some other instruments. Most of them, apart from the United Nations document, are of more recent origin and their influence is not as widespread as the documents discussed above.

9.4.6.1 United Nations

The United Nations’ Guidelines Concerning Computerised Personal Data Files were adopted in 1990 by the United Nations General Assembly. The Guidelines have two parts: Part A contains principles concerning the minimum guarantees that should be provided in national laws and Part B concerns the application of the guidelines to personal data files kept by governmental international organisations.

Part A gives member States “orientations” to follow when implementing regulations concerning computerised personal data files. It sets out ten principles concerning the minimum guarantees that should be provided in national legislation. The principles relate to Lawfulness and Fairness; Accuracy; Purpose Specification; Interested Person Access; Non-discrimination (dealing with sensitive information); Power to make Exceptions; Security; Supervision and Sanctions; Transborder Data Flows; and Field of Application.

The practical utility of the UN guidelines is hampered by an absence of definitions of terms central to the Guidelines.

Nevertheless, its adoption in 1990 “underlined at that time that data privacy had ceased to be exclusively a ‘first world’, Western concern.”

9.4.6.2 APEC (Asia-Pacific Economic Cooperation)

APEC adopted a Privacy Framework in 2005. It is modelled on the OECD Guidelines. It has a set of nine Information Privacy Principles, namely Preventing Harm; Notice; Collection Limitations; Uses of Personal Information; Choice; Integrity of Personal Information; Security Safeguards; Access and Correction; and Accountability. The standards set by the principles are generally lower than that of the European data privacy documents.

APEC also has addressed the issue of cross-border flow of personal data by adopting a Cross-Border Privacy Enforcement Arrangement in 2010 and endorsing a Cross-Border Privacy Rules system in 2011.

Criticisms of the APEC Framework relate to the fact that economic concerns are clearly predominant over concern for privacy and that it is “indeterminate and
352 EPIC Privacy and Human Rights (20[…]) […].
353 European Commission “Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU” COM(2013) 847 at 16.
354 Maximilian Schrems v Data Protection Commissioner EUCJ Case C-362/13, 6 October 2015.
355 See Par. 9.3.4.2 H above.
356 See DP Working Party “Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case” 16 October 2015.
357 UN General Assembly Resolution 45/95 of 14 December 1990.
358 Bygrave Data Privacy Law 51.
359 APEC was founded in 1989 in Canberra, Australia. It consists of “member economies” from the Asia Pacific region, namely Australia, Brunei Darussalam, […] Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, […] Papua New Guinea, Peru, The Philippines, Russia, Singapore, Chinese Taipei, Thailand, The United States, and Vietnam. It is an economic forum and it focuses on regional […] integration. Its mission is to support sustainable economic growth and prosperity in the Asia-Pacific region (see www.
360 Bygrave Data Privacy Law 76. It has been referred to as “OECD lite”, Greenleaf “Australia’s APEC Privacy Initiative: The pros and cons of ‘OECD Lite’” 2003 Privacy Law and Policy Reporter 1.
361 For more information, see the APEC website (http://www.apec.org/).
362 Bygrave Data Privacy Law 75.

non-prescriptive, probably out of political necessity since APEC ‘has no treaty obligations required of its participants ... and [its] commitments are undertaken on a voluntary basis’.”

So far its influence on national data privacy laws adopted in the region was insubstantial when compared to the influence of the OECD or the EU Directive.

9.4.6.3 ASEAN (Association of Southeast Asian Nations)

ASEAN countries are concerned about data privacy because it recognised that the absence of harmonised data privacy legislation may create trade barriers. ASEAN therefore committed itself to the development of a harmonised legal infrastructure for e-commerce. In its e-ASEAN Framework Agreement adopted in 2002, it is stated in Article 15, that:

“Member States shall adopt electronic commerce regulatory and […] frameworks that create trust and confidence for […] and facilitate […] towards the development […]. To this end, Member States shall: ... (e) take measures to promote personal data protection […] privacy ...”.

It is the aim of the ASEAN countries to transform ASEAN into an Economic Community by 2015 and to establish harmonised data privacy regimes based on “best practices/guidelines”.

The time frame set seems to have been overly ambitious and so far little information is available on the envisioned legal framework for data privacy.

9.4.6.4 African initiatives

A Introduction

Africa is a latecomer in the data privacy arena, but recently has become a “growth area” in the adoption of data privacy laws. The following countries have enacted laws: Cape Verde (Cabo Verde, 2001, amended 2013), Seychelles (2003), Burkina Faso (2004), Mauritius (2004), Tunisia (2004), Senegal (2008), Benin (2009), Morocco (2009), Angola (2011), Gabon (2011), Ghana (2012), Lesotho (2012), Ivory Coast (Cote d'Ivoire, 2013), Mali (2013), and South Africa (2013).

There are also initiatives in sub-regions of Africa and Africa as a whole to harmonise data privacy laws. Furthermore, the African Internet Rights Campaign promotes the adoption of an African Declaration on Internet Rights and Freedoms.

B African Union Convention

On 27 June 2014, the African Union at the African Union’s Summit in Malabo, Equatorial Guinea, adopted a Convention on Cyber Security and Personal Data Protection. The Convention covers a very wide range of online activities, including electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cyber security. The Convention will only come into force once 15 of the 54 member States have ratified it. Data privacy is addressed in Chapter II: Personal Data Protection.

Objectives

The objective of the Convention with respect to personal data is that party States should commit themselves to establishing legal frameworks aimed at strengthening

363 Hargreaves “Inadequate: The APEC Privacy Framework & Article 25 of the European Data Protection Directive” 2010 Canadian Journal of Law and Technology 1.
364 Greenleaf “The Influence of European Data Privacy Standards outside Europe: Implications for Globalization of Convention 108” (2012) IDPL 68, 80. Two-thirds of the “member economies” have adopted data privacy laws (see Greenleaf “Global Data Privacy Laws: 89 Countries, and Accelerating” 2012 Privacy Laws & Business International Report (Special Supplement Feb 2012) 1.
365 ASEAN is a political and economic organisation of ten Southeast Asian countries. It was established in 1967 in Thailand by the founding member states of Indonesia, Malaysia, Philippines, Singapore and Thailand. Its aims are inter alia to accelerate the economic growth, social progress and […] social, cultural, […].
366 ASEAN Economic Community Blueprint (2008) available at www.asean.org/archive/5187-10.pdf at 5, 53 [accessed 15 July 2015].
367 Bygrave Data Privacy Law 79.
368 According to Greenleaf and Georges (“The African Union's data privacy Convention: A major step toward global consistency?” (2014) Privacy Laws & Business International Report 18), Europe was a growth area in 1980s, Latin America in 1990s, Eastern Europe in 2000s and Asia in 2010-2013.
369 Greenleaf and Georges “The African Union's data privacy Convention: A major step toward global consistency?” (2014) Privacy Laws & Business International Report 18; Makulilo “Privacy and data protection in Africa: a State of the Art” 2012 IDPL 163.
370 The declaration was drafted in 2014 and launched in 2015. See African Internet Rights Campaign Resolution of Meeting held in Accra, Ghana, on March 12 and 13, 2015. For a copy of the declaration, see http://africaninternetrights.org [accessed 17 July 2015].
371 The African Union was established in 2002, replacing the Organisation of African Unity (OAU). […] for the people of Africa; defend states’ sovereignty, territorial integrity and independence; eradicate all forms of colonialism from Africa; […] giving due regard to the Charter of the United Nations and the Universal Declaration of Human Rights; coordinate and […], diplomatic, health, welfare, scientific, technical and defence policies. All the African states, apart from Morocco, are members of the AU. (See www.au.int.) The AU has adopted the African Charter on Human and People's Rights (ACHPR) in 1981 (it came into force in 1986) and the African Charter on the Rights and Welfare of the Child (ACRWC) in 1990 (it came into force in 1999). The ACHPR does not provide for a right to privacy, but the ACRWC does. It provides in Art 10: “Protection of Privacy. No child shall be subject to arbitrary or unlawful interference with his privacy, family home or correspondence, or to the attacks upon his honour or reputation, provided that parents or legal guardians shall have the right to exercise reasonable supervision over the conduct of their children. The child has the right to the protection of the law against such interference or attacks.” The African Union's Declaration of Principles on Freedom of Expression in Africa (2002) refers to privacy when it states in Art XII 2: “Privacy laws shall not inhibit the dissemination of information of public interest.”
372 EX.CL/846(XXV). The text of the Convention is available at https://ccdcoe.org/sites/default/files/.../AU-270614-CSConvention.pdf.
373 Personal data is defined as “any information relating to an identified or identifiable natural person by which this person can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity” (Art 1 of the Convention).

fundamental rights and public freedoms, particularly the protection of physical data. Violation of privacy should be punished without prejudice to the principle of free flow of personal data. States should establish mechanisms that shall ensure that any form of data processing respects the fundamental freedoms and rights of natural persons while recognising the prerogatives of the State, the rights of local communities and the purposes for which the businesses were established.

Scope

The Convention regulates both the private and public sectors and includes automated and non-automated processing. It also covers processing relating to public security, defence, criminal prosecution or State security, but allows exceptions. It exempts from its scope processing for an individual's personal or household activities, unless it is “for systematic communication to third parties or for dissemination”. Any processing for journalistic or research purposes is exempt, if conducted within the ambit of professional codes of conduct. Processing for artistic or literary expression is also exempt.

Data privacy principles

The Convention has six basic principles governing the processing of data, namely the principles of Consent and Legitimacy; Lawfulness and Fairness; […], Relevance and Storage; Accuracy; Transparency, Confidentiality and Security. Sensitive personal data (namely data revealing racial, ethnic and regional origin, parental filiation, political opinions, religious or philosophical beliefs, trade union membership, sex life and genetic information or, more generally, data on the state of health of the data subject) may not be processed, unless certain specific exemptions are applicable.

Data subject rights

In terms of the Convention, a data subject has a right to information; right of access; right to object; and a right of rectification or erasure.

Data controller obligations

A data controller has obligations relating to confidentiality, security, storage, and sustainability.

Automated decision making

The Convention prohibits profiling or automated decision making. A person may not be subject to a decision which produces legal effects concerning him/her or significantly affects him/her to a substantial degree, and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him/her.

Data matching

Data matching (referred to as “interconnection of files”) may only take place after authorisation by the data protection authority. Data matching should help to achieve the legal or statutory objectives which are of legitimate interest to data controllers. This should not lead to discrimination or limit data subjects’ rights, freedoms and guarantees, should be subject to appropriate security measures, and should take into account the principle of relevance of the data which are to be interconnected.

Direct marketing

Direct marketing is addressed in the Electronic Transactions chapter (outside the Data Protection chapter). Direct marketing through any kind of indirect communication is prohibited unless an individual has given prior consent to such direct marketing. Direct marketing by means of email is allowed if the particulars of the addressee have been obtained directly from him/her; the recipient has given consent to be contacted by the marketing partners; and the direct marketing concerns similar products or services provided by the same individual or corporate body.

Data protection authority (DPA)

Each member state is required to have a national data protection authority that must be an independent administrator with certain powers and duties. Most data processing activities may only take place after a declaration has been made before the DPA. For certain sensitive processing activities, the DPA must give prior authorisation. Certain processing activities may only take place in terms of legislation or a regulatory act, and in such a situation a DPA must give “informed advice” before the Act or Regulation is enacted.

374 The Convention does not define “physical data”. It is not clear why the term “personal data” is not used in this instance.
375 Art 8.
376 Art. 9(1).
377 Art. 9(2).
378 Art 14(3).
379 Art. 13.
380 […]
381 Art. […]
382 Art. 20-28. The sustainability obligation is a novel one, and it states that: “Art. 23 Sustainability (a) The data controller shall take all appropriate measures to ensure that processed personal data can be utilised regardless of the technical device employed in the process. (b) The processing official shall, in particular, ensure that technological changes do not constitute an obstacle to the said utilisation.”
383 Art 14(5).
384 Art 10(4). In terms of this section, data processing involving a national identification number or any other identifier of the same type is also subject to prior authorisation.
385 Art 15.
386 Art. 4(3).
387 Art. 4(4).
388 Art 11 and 12.
389 Art 10(2).
390 Art 10(4). Processing involving sensitive information or ID numbers, data matching or […] for a public interest.
391 […] (c) […] data directly or indirectly re[…] philosophical or religious beliefs or trade union membership of persons, or data concerning health or sex life.

Cross border transfers

Personal data may not be transferred to a non-member State, unless those States “ensures an adequate level of protection of the privacy, freedoms and fundamental rights” of the data subjects. The Convention does not provide criteria to determine adequacy. The prohibition is not applicable where, before any personal data is transferred to the third country, the data controller requests authorisation for such transfer from the national protection authority.

The Convention’s section on “Personal Data Protection” was clearly influenced by the European Union Directive. It is still too early to determine whether it will have an influence on the adoption of data privacy laws in Africa. At the time of writing, a year after its adoption, no member State has ratified the convention.

C Regional initiatives

Africa’s 54 countries are divided into eight Regional Economic Communities. In a few of these regions, data privacy has been considered. SADC, the economic community of which South Africa is part, has issued a Model Law on Data Protection. The aim of the Model Law is to ensure that all member States provide the same level of protection for data subjects when their personal information is processed. This will allow the free flow of information between the SADC member States. It is not legally binding, but only serves as an example. Its provisions are consistent with the AU Convention.

An earlier and stronger development took place in ECOWAS. ECOWAS is the first and only sub-regional body in Africa to develop a concrete data privacy law. In 2010, it adopted the Supplementary Act on Personal Data Protection. The Act sets out the content required to be in a data privacy law, should a member State enact a law. This Act is annexed to the ECOWAS Treaty which means it forms an integral part of it. It is therefore legally binding on the member States. Thus, once the framework is completed, a violation of the Supplementary Act by a member state can be enforced before the ECOWAS Court of Justice. The Supplementary Act was strongly influenced by the Data Protection Directive.

9.5 South Africa

9.5.1 Legal protection of privacy

The processing of personal information primarily threatens the privacy of the data subject. Since 1994, privacy has been protected as a fundamental right in the South African Constitution. At common law, privacy is recognised as a personality interest and protected by the law of delict.

9.5.1.1 Privacy in constitutional law

The right to privacy is protected in the Constitution, because, per O’Regan J:

“although as human beings we live in a community and are in a real sense both constituted by and constitutive of that community, we are nevertheless entitled to a personal sphere from which we may and do exclude that community. In that personal sphere, we establish and foster intimate relationships and live our daily lives. This sphere in […] is important to what makes human life meaningful.”

Section 14 of the Constitution provides as follows:

Everyone has the right to privacy, which includes the right not to have —
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized;
(d) the privacy of their communications infringed.

This section guarantees a general right to privacy, with specific protection against searches and seizures and of the privacy of communications. However, this list is not exhaustive: the protection given by this right extends to any other method of obtaining information or making unauthorised disclosures.

392 Art 14.
393 Greenleaf and Georges “The African Union's data privacy Convention: A major step toward global consistency?” (2014) Privacy Laws & Business International Report 18.
394 CENSAD (Community of Sahel-Saharan States), COMESA (Common Market of Eastern and Southern Africa), EAC (East African Community), ECCAS (Economic Community of Central African States), ECOWAS (Economic Community of West African States), IGAD (Intergovernmental Authority on Development) and SADC (Southern African Development Community) and UMA (Arab Maghreb Union). See http://[…]/pages/african-union-au-regional-economic-communities-recs-africa [accessed 17 July 2015].
395 See further Greenleaf and Georges “African regional privacy instruments: Their effects on harmonization” 2014 Privacy Laws and Business International Report 19-21 for a discussion of all the initiatives taking place in Africa.
396 See http://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Pages/default.aspx [Accessed 17 July 2015]. It was adopted by the SADC Ministers responsible for Telecommunications, Postal and ICT in 2012. It was developed as part of the EU/HIPSSA (Harmonisation of ICT Policies in Sub-Saharan Africa) Project of the ITU (the United Nations specialised agency for information and communication technologies — ICTs). See further Greenleaf and Georges “African regional privacy instruments: Their effects on harmonization” 2014 Privacy Laws and Business International Report 19-21.
397 A/SA.1/01/10.
398 It was developed with the assistance of the EU/ITU. See further Greenleaf and Georges “African regional privacy instruments: Their effects on harmonization” 2014 Privacy Laws and Business International Report 19-21.
399 The right to identity is also infringed when false or misleading information on a person is processed. See Neethling et al. Law of Personality 270-271 and Gomes de Andrade “The right to privacy and the right to identity in the age of ubiquitous computing: friends or foes? A proposal towards a legal articulation” 19-43 in Akrivopoulou, C and Psygkas, A (eds) Personal Data Privacy and Protection in a Surveillance Era: Technologies and Practices (2010). Identity was recognised as an […] personality right for the first time in Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 (4) SA 376 (T) 386 and more recently by the Supreme Court of Appeal in Grütter v Lombard 2007 (4) SA 89 (SCA). The SCA held that a person's name as a feature of his or her right to identity constitutes an […]. A person's interest in preserving his or her identity against […] by the […] dignitas, which incorporates both identity and privacy. Infringements […] are […] iniuriae in South African law and, as such, covered in terms of both liability and remedies by the law of delict.
400 A serious infringement of the right to privacy is also actionable under criminal law as crimen iniuria (Snyman Criminal Law 403 457-458).
401 NM v Smith 2007 (5) SA 200 (CC) 130.
402 […] right to identity is not explicitly protected in the Constitution, it is protected under the right to dignity (s 10); Currie & de Waal The Bill of Rights

The instances of privacy enumerated in section 14 relate to the “informational” aspects of the right to privacy. The informational right to privacy has been interpreted by the Constitutional Court as coming into play whenever a person has the ability to decide what he, she or it wishes to disclose to the public. It extends to those aspects of a person’s life regarding which he, she or it has a legitimate expectation of privacy. A person has a strong expectation of privacy in relation to his or her home and family life and intimate relationships, but in communal relationships and activities such as business and social interaction his or her expectation of privacy lessens and becomes more attenuated. In Mistry v Interim Medical and Dental Council of South Africa, personal information was communicated by one medicines control inspector to another for the purposes of planning and implementing a search of premises to carry out a regulatory inspection. It was argued that this was an invasion of privacy as protected by section 13 of the interim Constitution. In finding that the applicant’s constitutional right to informational privacy had not been breached, the Constitutional Court held a number of factors important in considering whether a violation of the informational aspect of the right to privacy has taken place. These were
• the manner in which the information was obtained (the information had not been obtained in an intrusive manner);
• the nature of the information (the information in question was not about intimate aspects of the person’s life);
• the purpose for which the information was initially collected (the information involved was not initially provided for a purpose other than the one for which it was subsequently used); and
• the manner and nature of the dissemination of the information (the information was not communicated to the press or the general public or to persons from whom the applicant could reasonably expect that such private information would be withheld, but only to a person who had statutory responsibilities for carrying out regulatory inspections for the purpose of protecting public health and who was himself subject to the requirements of confidentiality).

Neethling points out that the importance of the recognition of the right to privacy as a fundamental (human) right lies in the fact that the legislature and the executive of the State may not pass any law or take any action which infringes or unreasonably limits the right. Fundamental rights may only be limited by means of a law of general application, provided that the limitation is reasonable and justifiable in an open and democratic society. Furthermore, the entrenchment of the right to privacy in section 14 places an obligation on the legislature to legislate in order to protect the privacy of personal information.

The right to privacy, like the other rights in the Bill of Rights, applies against both the State and individuals (in other words, it applies both vertically and horizontally).

9.5.1.2 Privacy in the common law

A […]

Privacy was recognised for the first time in South African case-law in O'Keeffe v Argus Printing and Publishing Co Ltd. In Financial Mail (Pty) Ltd v Sage Holdings Ltd the right to privacy was also extended to juristic persons. The courts have accepted Neethling’s definition of privacy as:

“an individual condition of life characterised by seclusion from the public and publicity. This condition embraces all these personal facts which the person concerned has himself determined to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private.”

B Infringement

Since privacy relates to personal facts which a person has determined should be excluded from the knowledge of outsiders, it follows that privacy can only be infringed when someone learns of true private facts about that person against his or her determination and will. Such knowledge can be acquired in one of two ways: when an

403 The courts have, however, also extended the constitutional right to privacy to “substantive” privacy […] SA 406 (CC); Bernstein v Bester NO 1996 (2) SA 751 (CC).
404 See Investigating Directorate: Serious Economic Offences and Others v Hyundai Motor Distributors (Pty) Ltd and Others: In re Hyundai Motor Distributors (Pty) Ltd and Others v Smit NO and Others 2001 (1) SA 545 (CC) 5957. The court added that the expectation that such a decision will be respected must be reasonable.
405 Bernstein v Bester NO 1996 (2) SA 751 (CC) 792; Protea Technology Ltd v Wainer 1997 (9) BCLR 1225 (W) 1241, [1997] 3 All SA 594 (W) 608.
406 According to the Constitutional Court, the protection of privacy lies along a continuum (Bernstein v Bester NO 1996 (2) SA 751 (CC) 788) or can be described as existing in concentric circles (Magajane v The Chairperson, North West Gambling Board 2006 (10) BCLR 1133 (CC)). The inner circle or “intimate core” (home, family, body) is entitled to more protection than the outer circle (where, for example, a person acts as part of a public enterprise regulated by government). See also Investigating Directorate: Serious Economic Offences and Others v Hyundai Motor Distributors (Pty) Ltd and Others: In re Hyundai Motor Distributors (Pty) Ltd and Others v Smit NO and Others 2001 (1) SA 545 (CC); Gaertner v Minister of Finance 2014 (1) SA 442 (CC).
407 1998 (4) SA 1127 (CC) 1145.
408 Mistry v Interim Medical and Dental Council of South Africa 1998 (4) SA 1127 (CC) 1145, 1155-1156.
409 Neethling et al. Neethling's Law of Personality 17.
410 S 36 of the Constitution of the Republic of South Africa, 1996. Examples of laws of general application that limit the right to privacy are the Promotion of Access to Information Act 2 of 2000 and the Regulation of Interception of Communications and Provision of Communication-Related Information Act 25 of 2002, discussed below in para. 9.4.2.2 and para. 9.4.2.6 respectively.
411 Neethling et al. Neethling’s Law of Personality 271-272.
412 S 8 of the Constitution of the Republic of South Africa, 1996.
413 1954 (3) SA 244 (C). A photograph of an unmarried woman was published without her consent as part of an advertisement for rifles, pistols and ammunition. Other cases followed in which the right to be free from the public disclosure of private facts (Mhlongo v Bailey 1958 (1) SA 370 (C)) and the right to be free from unreasonable intrusions into the private sphere (Gosschalk v Rossouw 1966 (2) SA 476 (C)) were recognised. More recent cases include Jansen van Vuuren v Kruger 1993 (4) SA 842 (A); National Media Ltd v Jooste 1996 (3) SA 262 (A); Financial Mail (Pty) Ltd v Sage Holdings Ltd […] (A); Janit v Motor Industry Fund Administrators (Pty) Ltd 1995 (4) SA 293 (A); MEC for Health, Mpumalanga v M-Net 2002 (6) SA 714 (T).
414 1995 (2) SA 451 (A).
415 See National Media Ltd v Jooste 1996 (3) SA 262 (A) 271-272.
416 Neethling et al. Neethling’s Law of Personality 32.
417 Ibid. 32-33. In contrast, infringement of identity involves the publication of untrue or false information (ibid. 37).
418 […] (2) SA 751 (CC) 789. Compare Financial Mail (Pty) Ltd v Sage Holdings Ltd 1995 (2) SA 451 (A) 462-463. See also McQuoid-Mason The Law of Privacy in South Africa 134.

outsider himself or herself learns of the facts — such interference with privacy is referred to as intrusion or acquaintance, and when an outsider acquaints third parties with personal facts which, although known to the outsider, nonetheless remain private — such interference with privacy is referred to as disclosure or publicity. Applying this distinction to the processing of personal data, it is evident that the compiling of personal information and obtaining knowledge of that information constitute acts of intrusion into another's privacy. An act of disclosure, on the other hand, is involved when the recorded information or data are subsequently distributed and thus disclosed.

In South African law, privacy is protected by the common-law principles of the law of delict. In terms of these principles, a right to privacy exists when a person's subjective determination of the extent of his or her privacy is recognised by the boni mores as reasonable. One can say that, like the constitutional right to privacy, the right to privacy in the common law extends to those aspects of a person's life in regard to which he, she or it has a legitimate expectation of privacy.

It is submitted that a person has such an expectation in respect of personal information and that limits should therefore be imposed on the collection and use of that information. While individual pieces of personal information on their own may not be private, were they collected and put together a profile of a person would be created which could be considered private. Collecting information on a person is therefore in principle unreasonable or wrongful.

However, the right to privacy is not absolute and always has to be balanced with the rights of others and the public interest. If the processing of personal information is necessary to protect the data subject or the interests of others, or to safeguard certain public interests, such processing will not be unreasonable, but will be justified. Public interests that justify the processing of data are, for example, national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions. Other public interests include important economic or financial interests of the State (such as monetary, budgetary or taxation matters), as well as monitoring, inspection or regulatory functions relating to the exercise of official authority.

Processing of information can also be justified by the data subject's consent. When a person who is legally capable of expressing his or her will freely and lawfully consents to specific conduct, the harm that ensues from such conduct is justified and therefore lawful. This idea is expressed in the maxim volenti non fit iniuria. It is evident from the discussion of the international data privacy instruments that the consent of the data subject is an important ground that justifies the processing of personal data.

Consent to injury is a unilateral act and therefore need not necessarily be made known to the defendant. However, when it comes to processing personal information, it is generally required that consent be indicated in some way. Furthermore, when sensitive data are processed, express consent is required. Moreover, consent may be unilaterally revoked by the consenting party at any time before the defendant's conduct. Irrevocable consent to invasion of privacy is considered contra bonos mores and as such invalid. It follows that it is not acceptable to give consent to unlimited processing of personal information. Consent is a legal act which restricts the data subject's rights. However, to qualify as a legal act it must be apparent or manifest — it must be unambiguous. Consent can be given expressly or tacitly (by, for example, one's conduct). However, mere acquiescence does not necessarily amount to consent. Data controllers should not therefore be allowed to infer consent from a data subject's failure to respond to a communication, for example from a customer's failure to return or respond to a leaflet.

419 For example, by unlawfully intruding on someone's property, searching and seizing that person's
documents, or secretly watching or using surveillance equipment to gather information on him or
her (see
S$ oA 1971 (2) SA 298 (1).
420 An example of acquaintance through disclosure is when a doctor tells his friends about a patient's
Art. 13(1) of Directive 95/46/EC_ Roos “Core principles of dara protection law” 2006 CILSA 128-
HIV status
(see fansen vam Viewren & Kroger 1993 (4) SA 842 (A)).

421 See Dean “South Africa” 385. 129.
Art. 13(1) of Directive 95/46/EC.
Neeshling et al. Neethiing’s Lase of Perematity 274; Necthling “Databeskerming: Motivering en righyne
Boberg The Law of Delict 724; Necthling et al. Law of Delict 108; Van der Walt and Midgley Principles
‘ir wetgewing in Suid-Afrika” 105 112; Du Plessis “Die reg op inligting en die openbare belang™
of Deficit 112-113
para. 89.
(LLD thesis, Potchefstroom University, 1986) 992. Boberg Vhe Law of Delict 724; Necthling et al. Law of Delict 109; Van der Walt and Midgley Principles
Bernsizin © Bester NO1996 (2) SA 751 (CC) 792; Proea Technology Lid 0 Wainer 1997 (9) BCLR 1225 of Dect 113 para. 89.
(W) 1241, [1997] 3 All SA 594 (W) 608. Also see NM e& Smith 2007 (5) SA 2) (CC). See, for example, art. 7(a) of Directive 95/46/EC. Also see NM o Smith 2007 (5) SA 250 (CC) 136
In NM o Smith 2007 (5) SA 2%) (CC) 182 where O'Regan J opines: where O'Regan J said:
“An implicit part of... privacy is the right to choose what personal information of ours is re- “There can be no doubt that private medical information, of whatever nature, but particular-
leased inte the: public space. The more intimase that information, the more important it is in ly where it concerts a life-threatening disease, is personal information, which is protected by
es BOSE dignity and amonomy that an indwideal makes the primary decision the righht to privacy. Morcover, it i information which the person concerned has the right to
infor ‘That d should not be made by others. This aspect inde whether to disclose. If thep does decide to disclose it, he or she is entitled to de~
Sc cg ts peep me er aga ap oc ce, ack ily ee ™ termine in what circumstances and to whom. ‘These choices are personal choices and must be
Roos “The law of data (privacy) protection” (LLD thesis, Unisa, 2003) 578. The expectation of respected not only by the state but by others. Of course, doctors and other medical personnel
y must be ble: in the cir —ap may not, for example, refuse
to pro-
vide proof of identification to a potice official when so requested (De Waal et al. Bill of Rights Hand-
book 20). Similarly, when an individual is under police investigation the police may hwfully com- 431. Necthling
et al. as of Delict 108-109; Van der Walt and Midgley Principles of Dedict 115 para. 89.
pile a dossier or file on that individual.‘The scope of the right to privacy also has to be demarcated 432 foosie » National Media Lid 194 (2) SA 634 (C) 647_ See also Schulze “The LOA life register: A snap
with reference to the nights of others and the interests of the community (Bemsian o Hester NO survey
of possible legal pitfalls” 1994 THRIIRS0.
1996 (2) SA 751 (CC); Mistry o Interim Medical and Dental Council of South Africa 1998 (4) SA 1127 433 Neethling
et al. Law of Delict 110.
(cc). 434 Thad.

Consent must be given before the prejudicial conduct (the data processing) and, as a rule, the affected person must consent himself or herself. Whether consent has been given in a specific case is a question of fact which has to be proved.

Consent is only valid if it is given voluntarily and does not amount to submission. It can be argued, for example, that consent to the processing of personal information is invalid if it is set as a condition of employment, or the continuance of a contract of employment, by an employer. The person consenting (the data subject) must furthermore have full knowledge of the nature and extent of the possible harm. A data subject cannot therefore validly consent to the processing of personal information if he, she or it is not given all the necessary information explaining why his or her personal information has to be processed, what it will be used for, who will have access to it, and so on. This information must be given to the data subject before the collection of personal information takes place. The subject must also subjectively consent to the harm. Finally, consent must be permitted by the legal order — in other words, it should not be contra bonos mores — and the potential impairment or harm must fall within the limits of the consent.

As the law stands, in principle for data subjects to succeed with the actio iniuriarum for solatium they have to prove that the infringement of their rights to privacy was intentional. Negligence on the part of the defendant is sufficient for the actio legis Aquiliae with which patrimonial loss resulting from the infringement of personality can be recovered.

Another remedy available to data subjects is an interdict to prevent a person from wrongfully processing or continuing to process personal data. An interdict may be final or temporary (interim or interlocutory). The requirements for a final interdict are (i) a clear right (that is, a right to privacy); (ii) an infringement on such right has taken place or is reasonably apprehended to take place (by the data processing) and (iii) the interdict should be the only appropriate remedy. Fault is not required. The interdict can be a very useful remedy for a data subject who wishes to put a stop to wrongful data processing, or to prevent such processing from taking place at all. The last requirement, namely that there should be no alternative remedy, needs to be developed in the light of the usefulness of this remedy in the online environment. Why should one sue for damages for an infringement of your privacy if you can stop the infringement before it takes place?

C Conclusion

Unfortunately, traditional delictual principles provide only limited protection for an individual's personal information, in that they do not give the individual active control over personal information that is being processed. The traditional principles are useful in determining whether processing of personal information has taken place lawfully or not. However, they cannot ensure, for example, that the data subject knows that his or her personal information has been collected, or ensure that he, she or it has access to that information or is able to correct incorrect information. The introduction of a data privacy regime by means of legislation is therefore imperative.

9.5.2 Data privacy legislation in South Africa

9.5.2.1 Introduction

South Africa adopted an omnibus data privacy law in 2013. There are a few other statutes that contain some (limited) data privacy provisions, namely the Promotion of Access to Information Act, the Electronic Communications and Transactions Act, the National Credit Act and the Consumer Protection Act. The relevant provisions of these laws will be briefly discussed.

The Regulation of Interception of Communications and Provision of Communication-Related Information Act is also noteworthy. It deals with aspects that are dealt with in the European Union's Directive on Privacy and Electronic Communications.

9.5.2.2 The Promotion of Access to Information Act

The Promotion of Access to Information Act (the “PAI Act” or “PAIA”) is essentially a “Freedom of Information Act” and not primarily concerned with data privacy. As

«5 Thad. 111; Van der Walt and Midgley Principles of Defict 113 para. 89- 444 In We H 2015 (2) SA 530 (CS) 39 Willis | issued an interdic ordering the plainsff to remove a
456 Burchell Principles of Dect 68; Van des Walt and Midgley Principles of Delict 115 para. 39. defamatory pasting from a Facebook page. "The court was of the opinion that an interdict was a suim-
437 Seng ta Neethling's Law of Personality 274- ble remedy in the circumstances since “it would resolve: the issue without the needless expense, dra-
as ‘This 7. to the dara-pr inciple of or ma, trauma and delay that are likely to accompany an action for damages in a case such as this”.
a9 ‘The courts* formubion of consent, if consent j to be a: valed igrotaad of justificatiens, that dhe 445 See Neethling et al. 's Law of Persomatity 273.
injured party must have “knowledge, appreciation [of] and consent” to the injury (see Waring& 446 Mace “Thaen phism 2007 $409 228.
Cillowe Lid 0 Sherborne1904 TS 340 344). 447 ‘The mast important force behind legal reform is the legislature, not the judiciary (see Carmichele 0
440 Neethiing et al. Law of Delict 113-114; Van der Walt and Midgley Principles of Delict 115 para. 89. Mila sf Safi sel Seca (Cant fr Apa Lape Shale Tetewpming) 7001 (4) SA.938 (CC).
441 Butsee C o Minister of Correctional Seroices 1996 (4) SA 292 (T) 304-308 in which the State was held 448 Cerain parts of this paragraph
were previously published in Roos “Data protection” 424-433.
strictly liable for infringing the privacy of prisoners. Several South African authors argue that in a 449 Act 2 of 2000.
modem community it dees not make sense to persist with the intention requirement of the classi- 450 Act 25 of 2002.
al actio iniunarum amd that personality protection should be extended to include the negligent in- 451) Act 34 of 2005.
fringement of personality interests. See Neethling et al. Neethling’s Law of Personality 72 Knobel 452 Act 68 of 2008.
“Nalatige persoonlikheidskrenking™” 2002 THRUR 24 25; Visser “Nalatige krenking van die reg op 453 Act 70 of 2002. ‘This Act is discussed below in para. 9.4.2.6
ie fama 1962 TIIRIHR 168-174. See also Marais ¢ Crenewald 2001 (1) SA 634 (1) 646; Heyns & a4 Discussed above in para. 9.3.4.3.
Vender 2004 (3) SA 200 (TF). 45 Act 2 of 2000.
“2 Neethting et al_ Lan of Delict 269- 456 privacy and access to information is recognised in s 9(6) of the Act,
“3 In Setlogede w Setlogeio 1914 AD 221. For a temporary interdict, a further requirement must be met, Sea puliaes tan: Sarh Mesiccdan i a coomammatanal right by abs oba- Wr onsoenseds postion
namely that the balance of convenience must favour the granting of the interim interdict. See tion of peivacy” (Gurne and Klaaren The Promotion of Access to Information Act Cowementary 18 para. 2.5).
Knox D'Arcy Lid « Jamieson 1995 2 SA 579 (W) 293.


an Act promoting freedom of information, PAIA is unusual in two respects: it applies not only to information in the public sector, as such Acts usually do, but also to information in the private sector. It is also unusual in that it is underlined by a constitutional right of access to information.

PAIA promotes the data privacy principle of access to personal information, by permitting individuals access to both manual and computer records containing personal information about them. The concept that determines the scope of the Act's application is not “information”, as one would expect, but “record”. The definition of record revolves round the concept of “recorded information”, which includes any information recorded in any form by employees of a public or private body in the course of their duties. This definition thus includes electronic mail messages, audio or video tapes, computer files, rough notes, notes on notepads and documents in any form. The precise manner of access is regulated by the Act.

The Act also gives effect to data privacy principles by prohibiting the granting of access to third-party information if such access would lead to unreasonable infringement of the privacy of the third party. Furthermore, public and private bodies must take reasonable steps to establish adequate and appropriate internal measures providing for the correction of personal information.

PAIA imposes duties on the information officers of public bodies to assist requesters. Furthermore, the Act requires that the information officer of a public body or the head of a private body must publish a manual containing inter alia his or her postal and street address, telephone and fax number and electronic mail address; a description of the guide compiled by the Human Rights Commission on how to use the Act, and how to obtain access to the guide; a description of the records of the body which are available in terms of other legislation; sufficient detail to facilitate a request for access to a record held by the body, a description of the subjects on which the body holds records and the categories of record held on each subject.

PAIA makes it an offence to destroy, damage, alter, conceal or falsify a record with the intent to deny a right of access in terms of the Act. It also makes provision for internal appeals and judicial review, for the resolution of disputes and the reconsideration of decisions to grant or refuse access to information. The powers and duties conferred by PAIA are entrusted to the information officer of a public body, while the heads of private bodies are responsible for giving effect to the Act.

Although the Human Rights Commission is entrusted with oversight and the implementation of the Act, it has no real authority or power over private or public bodies to enforce the provisions of the Act. Its functions are mainly to advise, assist, consult, make recommendations, submit reports, train persons, develop educational programmes, encourage participation, or monitor compliance with the Act. Once the Protection of Personal Information Act becomes operative, oversight of PAIA will move to a newly established Information Regulator.

From a data privacy perspective, it can be said that PAIA provides for a right of access to personal information and attempts to provide for rectification of incorrect information. It furthermore provides a measure of transparency by requiring that an index of records be kept. It also addresses the idea that information be kept secure, by making it an offence to destroy, damage, alter, conceal or falsify a record.

PAIA provides for redress by giving a requester the right in certain circumstances to approach a court for a remedy and by appointing the information officer or head
of a private body as the person ultimately responsible for complying with the provisions of the Act. In the end, however, PAIA was never intended to provide for the protection of personal information and cannot be considered a data privacy Act.

9.5.2.3 The Electronic Communications and Transactions Act

A Introduction

The Electronic Communications and Transactions Act (the ECT Act) has been in force since August 2002. The main purpose of the Act is to facilitate e-commerce by creating legal certainty and promoting trust and confidence in electronic transactions. The ECT Act contains various provisions that might have an impact on the

457 See EPIC and Privacy International Privacy and Human Rights (200%) 632.
458 S 32(1) of the Constitution provides individuals with a right of access to information held by the State or by another person. If the information is held by a person other than the State, applicants must prove that the information is required for the exercise or protection of any of their rights. The fact that a person has access to his or her p. the right to privacy and sectiva 5: According to Currie and Klaaren The Promotion of Access to Information Act Commentary 18 para. 2.5, section 32 “gives legal recognition to the claim that the collec- restricted”.
Ss 3-8 of Act 2 of 2000.
In both private and public sectors — ss 11 and 50, read with the definition of “personal requester” in s 1. Access to personal information in terms of the Protection of Personal Information Act 4 of 2013 will also take place in terms of the provisions of PAIA (see POPI Act s 25). The definition of
personal information in PAIA, is amended by the POPE Act in order to align it with the definition
of personal information in POPI.
See Currie and Kiaaren The Promotion of Access te Information Act Commentary 4) para. 4.1. #68 Ss l4 and 51. These sections are amended by the POPI Act 4 of 2013 to reflect that the Human
Thad.

Rights Commission will no longer be ‘ible for oversight of the Act, but is replaced by an In-
Ss 17-32 and 53-61 - formation Regulator (see POPE Act 4 of 2013 Schedule of Laws amended by the Act.) These
Ss 34 and 63. changes will only take effect once POPI becomes operative. For a discussion
of the role that infor-
S88. It is not specified how this provision could be enforced. mation manuals play in implementing the vision of PAIA, see Wood Leslic-Ann “More than just
S19. details: buttressing the right of access to information with information manuals” 2011 SAMIR S58.
‘The Director-General of the national department responsible for government communication and 8 $90.
470 Ss 74 and 78
ATL See s 83(2).
‘There is no similar provision for privat bodies in the Act. 472 POPI Acts 39(¢)-
473 Act 25 of 2002.
474 See Chapier 6, above, on e-commerce.

privacy of consumers and provides for the limitation of service providers' liability as far as the content of a communication is concerned. Although these provisions are discussed in relation to defamation, they are also applicable when the content of an electronic communication infringes someone's right to privacy.

The provisions relating to unsolicited goods, services or communications, as well as the provisions relating to the protection of personal information discussed below, will be repealed when the Protection of Personal Information Act becomes operative.

B Unsolicited goods, services or communications

The ECT Act contains provisions regarding the sending of unsolicited commercial communications (“spam”). Any person who sends spam to consumers must give them the option of cancelling their subscription to that person's mailing list (in other words, of opting out). The person must, at request of the consumer, also give the consumer the identifying particulars of the source from which the consumer's personal information was obtained. Failure to comply with these provisions renders the person guilty of an offence. In addition, any person who sends unsolicited commercial communications to another person who has advised the sender that such communications are unwelcome is also guilty of an offence. Furthermore, no agreement is concluded when a consumer fails to respond to an unsolicited communication.

C Unauthorised access to, interception of or interference with data

The ECT Act makes it a crime to access data without authorisation and to intercept or interfere with data, including, of course, personal data.

D Providing information about security and privacy policy

A supplier “offering goods or services for sale, for hire or for exchange by way of an electronic transaction” must make certain information available to consumers on the website on which such goods or services are offered. This information includes inter alia the supplier's name and legal status, physical address, telephone number, website address and e-mail address, membership of any self-regulatory or accreditation bodies and their contact details, any code of conduct to which the supplier subscribes and how that code may be accessed electronically by the consumer, and, importantly for our purposes, the supplier's security procedures and privacy policy in respect of payment, payment information and personal information.

E Protection of personal information

Websites that collect personal information may voluntarily subscribe to certain principles in Chapter VII of the ECT Act which are intended to protect a person's privacy. Chapter VII of the Act aims to address the privacy concerns of consumers by enumerating principles that must be adhered to when a data controller electronically collects personal information. However, the Act does not impose legally binding obligations on data controllers, but provides that “a data controller may voluntarily subscribe to the principles ... by recording such fact in any agreement with a data subject”. The data subject and the data controller must therefore first reach an agreement in terms of which the data controller will adhere to these principles, before the principles become applicable to the transaction. The rights and obligations of the parties in respect of a breach of the principles are governed by the terms of the agreement between them. Should the data controller conclude an agreement with the data subject making the Chapter VII principles applicable to the transaction, all the principles must be subscribed to and not only parts thereof.

Section 51 of the ECT Act lists nine principles data controllers should adhere to when processing personal information.

- The first principle requires the express written consent of the data subject before the data controller may collect, collate, process or disclose personal information on that subject, unless the data controller is permitted or required by law to process data. The aim of this principle is to ensure that data are processed lawfully.
- The second principle provides that the data requested, collected, collated, processed or stored by a data controller must be necessary for the lawful purpose(s) for which they are required. This principle emphasises that the data controller must have a lawful purpose for the processing of personal information and that the data processing must be necessary for that purpose. Processing data for an unlawful purpose, or unnecessarily, is unreasonable and therefore unlawful. Data processing can have a lawful purpose only if the object of such processing is to further or protect a legitimate interest. An example of a legitimate interest in the e-commerce environment is a data controller's (such as a supplier of products) need for the name and address of the data subject (for example, a buyer of goods) in order to deliver the products and invoice the buyer. This is a legitimate commercial interest.
- The third principle states that the data controller must disclose in writing to the data subject the specific purpose(s) for which any personal information is being requested, collected, collated, processed or stored. Without such knowledge it

475 See Chapter 10, below, on defamation. SI defines a consumer as “any natural person who enters or intends entering into an electronic

476 See the Sch to the Protectionof P. I dit the Lawes ded by the Act. transaction with a supplier as the end user of the goods or services offered by that supplier”.
Mcaedaae Bests 4 we hl CoA ES ON oe coat Soi.
BE

477 8 45(1) of Act 25 of 2002. SI defines a data controller as “any person who electronically requests, collects, collates, processes
478 $8 45(3). Of stores personal information from or in respect of a data subject”.
479 $ 45(4). S0(2).
S0(4).

480 S$ 45(2).
Bt SB6(1) and (2). See Chapter 3 above for more detail. SA(3).
#82 S$43(1). S$osi{1).
A data subject's consent will make an otherwise unlosful processing of personal information lawful.

very difficult for the data subject to judge whether a legitimate interest is being protected and whether the data processed are necessary for this purpose.
- The fourth principle provides that a data controller may not use the personal information for any purpose other than the one disclosed, without the express written permission of the data subject, unless the controller is permitted or required to do so by law. Presumably, the aim of this provision is to regulate the further use (secondary use) of the information.
- The fifth principle requires the data controller to keep a record of the personal information, and the specific purpose for which the personal information was collected, for as long as the personal information is used and for a period of at least one year after it was last used.
- According to the sixth principle, a data controller may not disclose to a third party any of the personal information it holds, unless required or permitted by law or specifically authorised to do so in writing by the data subject.
- If personal information is disclosed to a third party, the seventh principle requires that the data controller keep, for as long as the personal information is used and for a period of at least one year thereafter, a record of any third party to whom the information was disclosed and of the date on which and the purpose for which it was disclosed. The purpose of this type of provision is usually to enable the correction of data passed on to third parties and later shown to be inaccurate. However, the ECT Act contains no provisions regarding such correction or deletion — PAIA deals with the correction of personal information.
- The eighth principle requires the data controller to delete or destroy all personal information that has become obsolete. Data are usually considered obsolete if they are no longer necessary for the purpose for which they were collected.
- The ninth principle permits the data controller to use the personal information to compile profiles for statistical purposes and to trade freely with such profiles and statistical data, as long as a third party cannot link the profiles or statistical data to any specific data subjects. It is a generally accepted principle that data processing may take place for statistical purposes, provided that the anonymity of data subjects is ensured. In such cases no one's privacy is at stake.

Evaluation: Should a data controller decide to bind itself to the nine principles mentioned in the ECT Act, at least some data privacy principles will be complied with. For example, a lawful purpose for processing will be present; the data subject will be provided with information regarding the processing of his or her personal information; the further use of personal information will be limited; and the data-quality principle will be somewhat addressed by the requirement that the data controller must delete or destroy all personal information that has become obsolete.

However, the following requirements, rights or duties are missing from the principles:
- a requirement that data must be accurate, kept up to date, adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed;
- a requirement that other relevant information, insofar as it is necessary to ensure fairness in processing, be provided;
- an obligation on data controllers to provide appropriate security measures for personal information;
- provisions regarding access to or correction of personal information;
- the right of the data subject to object to certain data-processing activities; and
- restrictions on onward transfers.

Furthermore, the ECT Act does not treat sensitive personal data differently from the way it treats non-sensitive personal data and has no provision regarding automated individual decisions.

A major deficiency of the ECT Act is the fact that it does not impose legally binding obligations on data controllers. Subscription to the principles enumerated in section 51 is voluntary. Should the controller decide to subscribe to the principles, a breach of them will only amount to breach of contract with the data subject. There is no external supervisory body or criminal sanctions to enforce the principles. In addition, the Act does not have a mechanism allowing the individual to enforce his or her rights rapidly and effectively. Data subjects can only enforce their rights under the contract in a court of law. The Act does not provide for an institutional mechanism allowing independent investigation of complaints regarding breach of the data-privacy principles.

Should the data controller choose not to subscribe to the data privacy principles, the data subject has no redress apart from delictual remedies. Should the data controller subscribe to the principles, breach of the contract can be independently adjudicated in a court of law and compensation awarded. However, this is an expensive process and an administrative remedy would be preferable.

However, as has already been pointed out, the provisions relating to unsolicited goods, services or communications, as well as the provisions relating to the protection of personal information discussed below, will be repealed when the Protection of Personal Information Act becomes operative.

491 tis unclear why the information should be kept for one year. Usually personal data processed for 493 S 86 of Act 25 of 2002 makes i coer, horised access
to or interfe with dara an
any purpose may not be kept for longer than is necessary for such purpose (see the UK's Data Pro- offence
tection Act of 1998 sch. | part | principle 5). 4 In this regard, the Promotion of Access to Information Act 2 of 2000 is applicable. This Act is dis-
492 A third party is defined in 5 1 of Act 25 of 2002 as “in relation 10 a service provider - . . a subscriber cussed in para. 9.4.2.2 above.
to the service provider's services or any other user of the service provider's services or a user of in- a5 4 may plain to the G Affairs C ites: in respect of non-compliancewith
formation systems”.
the provisions of
s 43 ( ion to be provided on the website) and s 4% (direct marketing).
486 _Sce the Sch to the Protection ofPersonal Information Act indicating the laws amended by the Act.

9.5.2.4 The National Credit Act

The National Credit Act, which was assented to in March 2006, was introduced “to promote a fair and non-discriminatory marketplace for access to consumer credit and for that purpose to provide for the general regulation of consumer credit”, to promote “improved standards of consumer information” and “to regulate credit information”. Any protection of personal information provided by the Act, therefore, only applies to personal information in the credit industry.

It should be kept in mind that the provisions of the Protection of Personal Information Act will supplement the provisions of the National Credit Act. POPI applies to the exclusion of any provisions of any other legislation that regulates the processing of personal information that is materially inconsistent with an object or specific provision of POPI. However, if any other legislation provides for conditions for the lawful processing of personal information that are more extensive than that of POPI, the extensive conditions prevail.

The National Credit Act sometimes deals with “persons” and sometimes with “consumers” (or prospective consumers). A consumer is a person (including both natural and juristic persons) in respect of whom a credit agreement applies.

The Act provides that a person who receives, compiles, retains or reports confidential information pertaining to a consumer or prospective consumer must protect the confidentiality of that information. In order to protect such confidentiality, the Act provides that the person must in particular do two things: (a) use the information only for a purpose permitted or required by the Act or other legislation, and (b) report or release the information only to the consumer himself or herself. The information may be released to a third party only if that third party is permitted by legislation to receive it, the consumer has instructed the release, or the Court or the Tribunal established in terms of the National Credit Act orders the release. Failure to comply with a compliance notice issued to enforce these provisions amounts to an offence.

497 Act 34 of 2005.
498 Preamble to Act 34 of 2005.
499 Not all the sections of this Act came into operation at the same time. Some of the sections came into operation in June 2006, others in September 2006 and the rest in June 2007. The provisions dealing with the confidentiality of […] and credit […] (ss 67-73) all became effective on 1 September 2006.
500 Act 4 of 2013.
501 S 3(2)(a) of Act 4 of 2013.
502 S 3(2)(b) of Act 4 of 2013.
503 S 1 of Act 34 of 2005.
504 S 1 defines confidential information as “personal information that belongs to a person and is not generally available to or known by others”. It is not clear from this definition whether the person to […]
505 S 68(1). This will be subject to the compliance procedures set out in Ch 10 and 11 of the Protection of Personal Information Act 4 of 2013, once POPI becomes operative (see the Sch to the Protection of Personal Information Act indicating the laws amended by the Act).
506 S 68(1)(a) and (b).
507 […]

Whenever a credit provider enters into a credit agreement with a consumer, the credit provider must supply certain information to either a credit bureau or a national register to be established by the National Credit Regulator in terms of the Act. This includes information about the credit provider, information about the consumer, such as the name, address, identifying number (be it an identity number, passport number or, in the case of a juristic person, a registration number), as well as information about the credit provided, such as the credit limit, the principal debt involved and date on which the agreement will come to an end.

Apart from “confidential information”, the National Credit Act also contains provisions relating to “consumer credit information”. This is information concerning a person’s credit, financial, employment, education, professional, business, or career history and relating to his or her identity (name, date of birth, identity number, marital status, past and current addresses, contact details, and so on).

Credit bureaux have certain duties in respect of consumer credit information. They must inter alia take reasonable steps to verify the accuracy of such information reported to them, retain the information for prescribed periods, maintain consumer credit records in accordance with prescribed standards and expunge information that is not permitted to be stored. They must also issue a report to any person who requires it for a prescribed purpose or a purpose contemplated in the National Credit Act and not knowingly or negligently provide a report containing inaccurate information.

The Act extends rights to access and challenge credit records and credit information to all persons, not only to consumers. Every person has the right to be advised of the fact that a credit provider is going to report adverse information on him or her to a credit bureau and to be given a copy of that information upon his or her request. A person also has the right to inspect once a year and without charge any credit-bureau file or information concerning him or her. If someone successfully challenges the accuracy of a bureau's information he, she or it may conduct a follow-up inspection — free of charge — of that information to check whether it is correct (or has been corrected). A person may also access such records upon payment of an access fee.

Furthermore, a person may challenge the accuracy of any information concerning him or her in a proposed report or in the records of a credit bureau or national credit register. Once a challenge has been made, the credit provider, credit bureau or national credit register must take reasonable steps to seek evidence in support of the challenged information. If credible evidence is not found, the information and all record of it must be removed from its files. If such evidence is found and the

508 S […](3).
509 S 68(2).
510 S 70(1). This section will be subject to the compliance procedures set out in Ch 10 and 11 of the Protection of Personal Information Act 4 of 2013, once POPI becomes operative (see the Sch to the Protection of Personal Information Act indicating the laws amended by the Act).
511 S 70(2).
512 S 72(1)(a). This will be subject to the compliance procedures set out in Ch 10 and 11 of the Protection of Personal Information Act 4 of 2013, once POPI becomes operative (see the Sch to the Protection of Personal Information Act indicating the laws amended by the Act).
513 S 72[…].
514 S 72(3).

challenge does not succeed, the person to whom the information relates may apply to the National Credit Regulator to investigate the disputed information. Challenged information may not be reported until the challenge has been resolved.

The Act prohibits forced access, in that a credit provider may not require a prospective consumer to request a report from a credit bureau in connection with an application by the consumer for credit.

A credit provider who refuses credit to a consumer must advise the consumer of the dominant reason for such refusal. When such a decision is based on an adverse credit record received from a credit bureau, the credit provider must give the consumer the name and contact details of the credit bureau. This provision enables a consumer to request access to the records of the particular credit bureau and to challenge inaccurate information in its records.

Evaluation. When measuring the provisions of the National Credit Act against internationally accepted data privacy principles, it is evident that the Act attempts to address the purpose-limitation principle by limiting the use of confidential information to a purpose permitted or required by the Act or other legislation and by releasing the information to only the consumer, or to a third party with the consent of the consumer, or by reason of a court order or when it is permitted by legislation. The Act does not specifically require that the purpose for which the information is collected be spelled out before collection takes place. However, from the scope of the Act it is apparent that consumer credit information can only be used for consumer credit purposes.

The Act also addresses the data-quality principle by imposing on credit bureaux the obligation to take reasonable steps to verify the accuracy of information reported to them, to retain such information for prescribed periods only (preventing the storing of outdated information) and expunge information that is not permitted to be stored. However, this provision relates to the accuracy of the data only. The Act does not specifically provide that the data should also be relevant and not excessive in relation to the purposes for which they are stored.

The Act goes some way to addressing the transparency principle by giving every person the right to be advised of the fact that a credit provider is going to report adverse information about him or her to a credit bureau and by providing that a consumer be informed whether refusal to grant him or her credit is based on an adverse credit record. The proposed national register of credit bureaux will also help implement the transparency principle.

The Act purports to deal with the security and confidentiality principle by instructing persons who receive, compile, retain or report confidential information to protect the confidentiality of that information. At this stage, however, the technical and organisational security measures that a credit bureau has to follow are not spelled out in the Act and it would seem the Act does not comply sufficiently with the security principle.

515 S 72(4).
516 S 72(5).
517 […]
518 S 62(2).
519 […]

The Act gives persons a right of access to their information and a right to request rectification of incorrect information. However, it does not give them the right to object to certain processing operations, nor does it impose restrictions on the onward transfer of confidential or consumer credit information to countries without adequate data privacy. In addition, the Act contains no special provisions regarding sensitive information or automated individual decisions. On the positive side, it does contain provisions requiring that an opt-out option should exist for consumers subjected to direct credit marketing.

Credit bureaux and credit providers must register with the National Credit Regulator. They are thus subject to the oversight of the National Credit Regulator and National Credit Tribunal which have certain enforcement mechanisms to ensure compliance. The Act also creates offences and introduces penalties for non-compliance with its provisions.

It is suggested that in those instances where the National Credit Act falls short of providing adequate protection to the privacy of consumers, they will be able to make use of the more extensive provisions of POPI, since POPI applies to the exclusion of any provision of any other legislation that regulates the processing of personal information that is materially inconsistent with an object or specific provision of POPI.

9.5.2.5 The Consumer Protection Act

The Consumer Protection Act (“CPA”) 68 of 2008 was adopted inter alia to “promote a fair, accessible and sustainable marketplace for consumer products and services and for that purpose to establish national norms and standards relating to consumer protection”. The Act recognises certain fundamental consumer rights, one of which is the right to privacy. Section 11 of the Act protects the right of consumers to restrict unwanted direct marketing.

The provisions of the CPA are applied concurrently with other legislation which may provide protection to consumers, but if the other legislation extends greater protection to the consumer, such as the Protection of Personal Information (POPI) Act 4 of 2013, that legislation will prevail. Unsolicited electronic marketing (spam) will be regulated by the POPI Act once that Act becomes operative, since its provisions

520 S 74.
521 Ss 12-25.
522 Ss 26-34.
523 Ss 54-09.
524 Ss 156-162.
525 S 161.
526 S 3(2)(a) of Act 4 of 2013.
527 […] marketplace; the […] right to choose; the […] right to […]; […] right to fair and honest dealing; the right to fair, just and reasonable terms and conditions; and the right to value, good quality and safety.
528 Unwanted direct marketing infringes on the privacy of a person, because personal information about the person is collected, most often without the knowledge of the person, and then used to approach the person with an offer for a product or service.
529 S 2(9) of the CPA. The POPI Act has a similar provision (s 3(2)(b)).
regarding this type of direct marketing are stricter than that of the CPA. As far as direct marketing that does not involve electronic communications is concerned, POPI provides that the person who is approached may object to the processing of his or her information for the purpose of direct marketing, in which case the processing must end. However, the CPA has more detailed provisions regarding non-electronic direct marketing and its provisions will therefore remain relevant for non-electronic direct marketing.

In terms of the CPA, a person has the right to refuse to accept an approach or communication for direct marketing purpose, the right to require of a direct marketer to discontinue any direct marketing directed at him or her, and the right to pre-emptively block any direct marketing, other than an approach in person. This will, for example, include direct marketing by means of telephone calls or messages, or by means of e-mail, mail, or text messages on a cell phone. A person who has been approached for direct marketing purposes may also demand that the direct marketer desist from any further communications.

The CPA provides for the possibility that the Consumer Protection Commission may establish or recognise a registry in which a person may register a pre-emptive block against direct marketing communications. This may be a block in general, or only for specific purposes. Regulations further provide for the functioning of the registry.

The CPA imposes obligations on direct marketers. They must implement procedures in order to receive demands requiring them not to approach a consumer anymore and to ensure that such demands are met. They should also have procedures in place to ensure that persons who have registered a pre-emptive block are not contacted any more. All this should take place at no cost to the consumer.

530 See the discussion of s 69 of the POPI Act below.
531 POPI Act s 11(3)(a).
532 CPA s 11(1).
533 S 11(2). The Regulation issued in terms of the CPA (GN 293 in Government Gazette 34180 of 1 April 2011) explains the mechanisms that may be used to block direct marketing:
“4(1) For purposes of section 11(1) and 11(2) of the Act, if a consumer has—
(a) informed the direct […] or
(b) placed any communication or sign on a postal box, post office box or other con[…] related to direct marketing, then the direct marketer—
(i) may not place or attach any material primarily aimed at direct marketing, in whichever physical format, in or on or near the postal box, post office box, container, or in, on or near the fence, gate or any other part of the premises of the consumer; and
(ii) must provide the consumer with written confirmation of the receipt by the direct marketer of the notice referred in paragraph (a) above.
(2) Display of the phrase “no adverts” or the image or a similar reproduction thereof in Annexure A is sufficient to meet the requirements of paragraph (b) of sub-regulation (1).”
S 11(2).
S 11(6). See Regulation 4 of the CPA Regulations, 2011, GN 293 in Government Gazette 34180 of 1 April 2011. For a discussion of s 11 of the CPA and the regulations issued in terms thereof, see Van Zyl and De Stadler “Section 11” in Naudé & Eiselen (eds) Commentary on the Consumer Protection Act (Original Service 2014).
S 11(4).
S 11[…].
S 11[…].

The CPA also provides that a supplier may not contact a consumer at home for direct marketing during a time that is prohibited in terms of the Regulations issued under the Act, unless the consumer has expressly or implicitly requested or agreed otherwise. The Act specifically mentions that the regulation of the time when consumers may be contacted is in order to protect the privacy of consumers.

Evaluation: The CPA protects the privacy of consumers with regard to direct marketing. It is not meant to be an omnibus data privacy act and it is therefore to be expected that its impact on data privacy is limited.

9.5.2.6 The Protection of Personal Information Act

A Introduction

The Protection of Personal Information Act 4 of 2013 (referred to subsequently as “the Act” or the “PoPI Act”) is the result of a process that started in 2000 when the South African Law Reform Commission (SALRC) approved the inclusion in its programme of an investigation on “Privacy and data protection”. In October 2005, the SALRC published a Discussion Paper on privacy and data protection, containing a draft Bill on the Protection of Personal Information. This resulted in a Bill on the Protection of Personal Information in 2009. After going through nine working drafts, the Bill was adopted by Parliament and signed into law in November 2013.

At the time of writing, only a few of the sections of the Act have come into operation. It is expected that as soon as regulations for the Act have been drafted and a Regulator appointed, the rest of the Act will come into effect. All processing activities involving personal information must comply with the Act within one year of its commencement.

B Objects

The principal object of the PoPI Act is for the State to fulfil its constitutional obligation to give effect to the right to privacy provided for in section 14 of the Constitution. The Act aims to do so while bearing in mind that the constitutional values of democracy and openness and the need for economic and social progress, within the framework of the information society, requires the removal of obstacles in the free flow of information, including personal information. The Act therefore aims to

538 S 12(1). In terms of the Notice attached to the CPA Regulations, 2011, GN 293 in Government Gazette 34180, the prohibited dates and times are Sundays or public holidays, Saturdays before 09h00 and after 13h00 and all other days between the hours of 20h00 and 08h00 the following day.
539 S 12(2).
540 South African Law Reform Commission “Privacy and data protection” Discussion Paper 109, Project 124 at 1.
541 South African Law Reform Commission “Privacy and data protection” Discussion Paper 109, Project 124.
542 Bill 9 of 2009.
543 Protection of Personal Information Act 4 of 2013.
544 On 11 April 2014, s 1 (dealing with the definitions); Part A of Ch 5 (establishment of the Information Regulator); […] and s 115 (establishing the […]) came into operation (Government Gazette 37544 of 11 April 2014).


regulate the processing of personal information by public and private bodies in a manner that will be in harmony with international standards.

C Scope

(a) General application

The PoPI Act applies, in general, to any processing activity involving personal information either by a South African data controller (responsible party) or by a non-South African data controller using equipment in South Africa. The operation of other Acts that regulate the processing of personal information in specific sectors is excluded by the PoPI Act to the extent that they are materially inconsistent with an object, or a specific provision, of the PoPI Act. If the other legislation provides for stricter conditions for the processing of personal information than the PoPI Act does, then the more extensive conditions must be given effect to.

More specifically, the Act applies to the “processing” of “personal information” entered into a “record” where the “responsible party” is domiciled in South Africa or makes use of automated or non-automated means in South Africa, unless those means are only used to forward information through South Africa. The person whose information is processed is referred to as the “data subject”. The processing may also be done by an “operator” on behalf of the responsible party (who can be in the private or public sector).

Next, the key terms referred to above will be analysed.

• Processing: “Processing” is defined widely as meaning any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.

This definition is so wide that one can say that “processing” could be any action performed on personal information. It is important to note that all the stages of processing, from the collection of personal information to the distribution thereof, are included in the concept of “processing”.

Processing can be done fully or partly automatically or non-automatically. It is evident that the processing of personal information on the Internet will fall within the definition of fully automated processing. In the case of non-automated processing (that is, manual processing), the recorded personal information must form part of a filing system or be intended to form part thereof. If the information

See the Preamble to Act 4 of 2013.
S 3(2)(a).
S 3(2)(b).
S 3(1).
S 1 of the Act.
S 3(1)(a).

does not form part of a filing system, processing it by non-automatic means will not come within the scope of the Act. A “filing system” is defined as “any structured set of personal information, whether centralised or decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria”. The UK Data Protection Act, 1988 has a similar provision and it has been held that the reason for the requirement that the information must form part of a filing system is to ensure that specific information regarding a particular person is readily accessible.

• Personal information: The Act defines personal information as “information relating to an identifiable, living, natural person and, where it is applicable, an identifiable, existing juristic person”. The Act goes on to list eight different types of information which are included in this definition. The list is not intended to limit the definition. The list includes sensitive information, such as information relating to a person’s race, gender, sex, sexual orientation, religion, and medical history, but also mundane, yet nevertheless personal, information such as the person’s address.

Several aspects of the definition need to be elaborated on. First, personal information about a natural person who is deceased or a juristic person that no longer exists is excluded from the list of personal information.

Secondly, the personal information of both natural and juristic persons is protected. This corresponds to the view of the South African common law and Constitution, both of which, as has been discussed above, recognise that juristic persons may have a right to privacy in particular circumstances.

552 See s 1.
553 In Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746 par […] it was held that “a relevant filing system” for the purpose of the Act, is limited to a system:
“(1) in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it ... is held within the system and, if so, in which file or files it is held; and
(2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file […]
554 The Act amends the definition of personal information in the Promotion of Access to Information Act 2 of 2000 so that the definition is the same as the one in Act 4 of 2013 (s 110).
555 S 1 defines “personal information” as
“(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.


Personal information can be made anonymous by removing identifiable aspects,
such as the name of the person to whom the information relates. This is often
Thirdly, the information must “relate” to a person; in other words it must be
done in the context of research and statistics. Information that has been “de-
about that person (has a certain content that relate to the person), must be used
in relation to that person (has a specific purpose that relate to the person) or identified™™” to such an extent that it cannot be related again to a particular per
have an effect on that person (has a cemain result relating to the person)”
son is not protected
by the Ac.™
A “record” is any recorded information, regardless of the form or medium in
Fourthly, the person to whom the information relates must be “identifiable”. A
which it is stored. It must be in the possession or under the control of a respon-
person is identifiable if he or she can be distinguished from other persons by, for sible party, but it does not maticr whether it was created by the responsible party.
example, reference to his, her or its name, telephone number, carregistration It also does not matter when the record came into existence. A record can for
number, or identification number. example be writing on a picce of paper, adrawing ora phen Braph A list of ex-
The EU Data Protection Working Party is of the opinion that “the possibility of a aahofa record is included in the definition of “reco:
identifying an individual no longer necessarily means the ability to find out his or her name.” They explain:

“it should be noted that, while identification through the name is the most common occurrence in practice, a name may itself not be necessary in all cases to identify an individual. This may happen when other ‘identifiers’ are used to single someone out. Indeed, computerised files registering personal data usually assign a unique identifier to the in order to avoid confusion between two persons in the file. Also on the Web, web traffic surveillance tools make it easy to identify the behaviour of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together in order to attribute certain decisions to him or her. Without even enquiring about the name and address of the individual it is possible to categorise this person on the basis of socio-economic, psychological, philosophical or other criteria and attribute certain decisions to him or her since the individual’s point (a ) no longer necessarily requires the disclosure of his or her identity in the narrow sense.”

A data subject is the person to whom the personal information

It is important to note that the Act does not provide protection only to South African citizens or to people domiciled in South Africa. The connecting factor before the Act will apply is either the fact that the responsible party is domiciled in South Africa, or that the responsible party uses equipment situated in South Africa. A data subject may therefore live outside the borders of South Africa.

Responsible party. The “responsible party” refers to “the public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.” It is evident that “responsible party” is synonymous with “data controller”.

The responsible party is ultimately responsible for protecting the personal information of the data subject in accordance with the provisions of the Act. If the responsible party delegates the processing of the information to an operator (processor), the responsible party still remains responsible for the processing.
556 The EU Data Protection Working Party in its opinion on the concept of “personal information” explains that in order for information to relate to a person, one of three elements should be present, namely a “content”, “purpose” or “result” element. The content element corresponds to the most obvious understanding of the word “relate” — the information is “about” a person, irrespective of the purpose of the information or the result the information will have on the person, for eg, the information in a person’s medical file is about that person and therefore relates to that person. The purpose element can, for eg, “relate” information to a person, when the information is used or is likely to be used with the purpose to evaluate, or treat in a certain way or influence the status or behaviour of a person. Information used in this manner relates to that person. Lastly, the result element can also “relate” information to a person, such as when the use of the information is likely to have an impact on a certain person’s rights and interests; in other words the information results in the person being treated differently from other persons as a result of the processing of such information. See EU Data Protection Working Party “Opinion 4/2007 on the concept of personal data” WP 136 (2007) 10-11.
557 In the 1995 EU Data Protection Directive and in the UK Data Protection Act, 1988 reference is made to “an identified or identifiable” person. The difference between these two concepts has given rise to many a discussion. The EU DP Working Party stated that a person is identified when, within a group of persons, he, she or it is distinguished from others in that group. A person is identifiable when it is possible to distinguish him or her. The Working Party further distinguished between when a person is directly identifiable or indirectly identifiable — a person is for eg, directly identifiable by means of his or her name, and indirectly by means of a telephone number. The extent to which certain identifiers (such as a common family name) are able to distinguish one person from another will depend on the context in which it is used. See EU Data Protection Working Party “Opinion 4/2007 on the concept of personal data” WP 136 (2007) 12-13.
558 EU Data Protection Working Party “Opinion 4/2007 on the concept of personal data” WP 136 (2007) 14.
559 The PoPI Act defines “de-identify” in s 1 as meaning, in relation to personal information of a data subject, to delete information that identifies the data subject, or that can be used or manipulated by a reasonably foreseeable method to identify the data subject, or that can be linked by a reasonably foreseeable method to other information that identifies the data subject.
560 S 6(6).
561 S 1. The complete list is:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any
(iii) Label, marking, or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
(iv)
(v) embodied so as to be capable, with or without the aid of some other equipment, of being reproduced”.
562 S 1.
563 S 1.
564 The Dutch Wet Bescherming Persoonsgegevens (Personal Data Protection Act) of 2000 also uses the term verantwoordelijke (responsible party). See Roos “The law of data (privacy) protection” (LLD thesis, Unisa, 2003) 408.

The extent to which a person has control over the purpose of and means for processing will determine whether the person is an operator (processor) or a responsible party (controller). It is not always clear cut whether a person is a controller or processor. The distinction is an important one, since the domicile of the controller is a factor which determines whether the Act is applicable or not. It is also important for data subjects to know against whom they should exercise their rights and for a supervisory authority to know who to hold responsible for compliance with the Act.

A few examples may illustrate the complexity of the distinction. In the case of an internet service provider (ISP) which provides a mailing service, the service provider is the responsible party in respect of the information it processes, such as the traffic data and billing data. However, in regard to the content of the email, the person from whom the message originates is the responsible party. In the case of an ISP which provides a hosting service, the customers who publish information online on the website are the controllers and the ISP is a processor. However, if the ISP further processes the data on the websites for its own purposes, then the ISP is the controller in regard to that processing. It is therefore possible to have more than one data controller in regard to certain personal data.

(b) Exclusions from scope

• It has already been pointed out that processing of “de-identified” data does not fall within the scope of the Act.

• The processing of personal information in the course of a purely personal or household activity is also excluded. Anyone who keeps a directory of telephone numbers and addresses of friends and acquaintances for personal use processes data for a purely personal or household activity. Clearly this type of activity ought not to be regulated by legislation, since the risk posed to the privacy of third parties is minimal.

In some instances it may be difficult to draw the line between processing for purely personal or household purposes and processing that goes wider than that. Someone who uploads personal information (including that of other persons) on an online social network service (SNS), such as Facebook, would in most instances qualify for exemption from the obligations imposed on data controllers in terms of the “purely personal or household activity” exemption. However, SNS users can in certain instances go beyond the scope of the exemption and will then be considered as data controllers, for example when the SNS is used as a collaboration platform for an association or a company, or when “access to profile information extends beyond self-selected contacts, such as when access to a profile is provided to all members within the SNS or the data is indexable by search engines”, or if “a user takes an informed decision to extend access beyond self-selected ‘friends’”.

• The Act also does not apply to processing by or on behalf of a public body if the processing involves national security (including activities that are aimed at identifying financing of terrorist activities), defence or public safety; or if the purpose of the processing is the prevention and detection of unlawful activities, combatting money laundering activities, investigating offences, prosecution of offenders or the execution of sentences or security measures.

• Furthermore, the Cabinet and its committees and the Executive Council of a province are excluded from the scope of the Act; so too, a court when exercising its judicial functions.

• Last, but not least, is the exclusion of processing of personal information if the processing is done solely for journalistic, literary or artistic expression. The exclusion is only valid to the extent that such exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. This means that if a journalist, writer or artist includes personal information in an article, book or piece of art, a balancing of the two rights must take place. Only if the person’s right to privacy is outweighed by the interest of the public in learning of the private information, will this exclusion be available.

If the processing of personal information for solely journalistic purposes is done by a person who is subject to a code of ethics, because of the office, employment or profession the person is in, then the provisions of the Act are excluded and the processing must be adjudicated in terms of the code of ethics, provided such code provides adequate safeguards for the protection of personal information. Should there be a dispute about the adequacy of the safeguards provided for by the code of ethics, the Act lists certain aspects that should be considered, namely (a) the special importance of the public interest in freedom of expression; (b) domestic and international standards balancing the public’s interest in the free flow of information through the media and the public interest in safeguarding the protection of personal information of data subjects; (c) the need to secure the integrity of personal information; (d) domestic and international standards of professional integrity for journalists and (e) the nature and ambit of self-regulatory forms of supervision provided by the profession.
565 The examples are taken from the EU Data Protection Working Party “Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’
566 The Act provides for
The South African Law Reform Commission “Privacy and data protection”
difference between them. Exceptions are made to privacy principles. The exceptions limit the nature of the principle itself. Exemptions, on the other hand involve lifting a burdensome from a responsible party while the burden continues to apply to others. With exclusions certain classes of responsible parties are excluded completely from the coverage of the law.
567 S 6(6).
568 S 6(a).
569 See EU Data Protection Working Party “Opinion 5/2008 on online social networking” WP 163 (2009) 6.
570 S 7.
571 The “adequate safeguards” which must be in the code, will of course be something less than the
from the provisions of the Act, would be defeated

(c) Exemptions

Section 37(1) of the Act provides that the Regulator to be established by the Act may, in two specific situations, grant an exemption to a responsible party to process personal information, even though the processing would otherwise be in breach of a condition for the processing of such information. Exemptions must be published in the Government Gazette.

Firstly, processing activities may be exempted if the Regulator is satisfied that, in the circumstances of the case, they are in the public interest. The public interest in the processing must outweigh, to a substantial degree, any interference with the privacy of a data subject that could result from such processing. “Public interest” includes the interests of national security, the prevention, detection and prosecution of offences, important economic and financial interests of a public body, historical, statistical or research activity, or the special importance of the interest in freedom of expression.

Secondly, processing activities may be exempted if the Regulator is satisfied that, in the circumstances of the case, the processing is in the interest of either the data subject or a third party. The Regulator may only grant the exemption if the interest of either the data subject or a third party outweighs to a substantial degree, the interference with privacy that could result from the authorised processing. An example of a situation in which the interests of a data subject are protected by infringing his or her privacy is when medical information needs to be made known to medical personnel who have to treat the data subject who is unconscious after an accident and cannot himself or herself supply the medical information.

The Regulator may impose reasonable conditions in respect of the exemption granted.

Section 38(1) provides that processing of personal information for the purpose of discharging a “relevant function” is exempted from certain provisions of the Act to the extent that the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function. The specific provisions from which exemption may be granted are sections 11(3) and (4) (granting the data subject the right to object on reasonable grounds to the processing and thus stopping the processing), section 12 (requiring that personal information must be collected directly from the data subject), section 15 (requiring that the further processing of personal information must be compatible with the purpose of the initial collection) and section 18 (requiring that the data subject must be notified when his or her personal information is collected).

The “relevant function” in respect of which an exemption is granted, is any function of a public body, or a function conferred on any person in terms of the law which is performed to protect members of the public against dishonesty, malpractice, seriously improper conduct, unfitness or incompetence, and maladministration by persons in the financial sector (such as banking, insurance and investment) or by the management of bodies corporate; or financial loss due to the above.

D Conditions for processing personal information

The processing of personal information can only be done lawfully if the responsible party complies with eight information-protection principles listed in the Act. The processing of special (that is, sensitive) personal information and the personal information of a child, is generally prohibited, unless specific exemptions are applicable. In other words, special information and the personal information of children are subject to heightened protection.

(a) Processing in general

The eight conditions for lawful processing of personal information in the Act are similar to, but not exactly the same as, the data privacy principles found in the OECD Guidelines and the 1995 Data Protection Directive.

(i) Condition 1: Accountability

The first condition the PoPI Act lists for the processing of personal information is the condition of accountability. In general terms the accountability principle aims to ensure that the obligations imposed by a particular data privacy law are given teeth and are effective. This principle includes provisions that ultimately make the data controller responsible for complying with the law, even if a data processor is appointed to process the data. It also includes provisions that give judicial remedies to a data subject whose rights in terms of the law have been infringed and provisions which impose sanctions on data controllers for non-compliance with the law.

The accountability condition of the PoPI Act requires that the responsible party must ensure compliance with the conditions in the Act set for the processing of personal information, as well as with the measures giving effect to these conditions. The Act stipulates that the responsible party must ensure compliance at the initial stage when the purpose and means of the processing is determined, as well as during the processing. Since the responsible party refers to the body or person who, alone or in conjunction with others, determines the purpose of and means for processing personal information, it is clearly the senior person or body in an organisation who will ultimately be held responsible for a breach of the principles.

The Act makes provision for the appointment of information officers to work with the Regulator. In terms of the Act, the head of a public body or a private body is designated as the information officer of that body. The Act also provides that deputy information officers may be appointed and the powers and duties of the

572 See s 37(1)(a).
573 S 37(2).
574 S 37(3).
575 See s 38(2).
576 See s 4(1) and Ch 3.
577 See s 4(3) and s 26.
578 See s 4(4) and s 34.
579 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.
580 Directive 95/46/EC, 24 October 1995.
581 Roos “Core principles of data protection law” 2006 CILSA 127.
582 SR.
583 $2.
584 S 1. “Information officer” is defined with reference to the definition of information officers in the Promotion of Access to Information (PAI) Act. The same person who in terms of the PAI Act is acting as the information officer of an entity will also be the information officer in terms of the PoPI Act.


information officer may be delegated to these deputy information officers. Although they will perform the day-to-day work relating to the protection of personal information in an organisation, it is important to note that the “responsible party”, and not the deputy information officer, ultimately is the person accountable in terms of the Act.

The PoPI Act provides the data subject with remedies and also imposes sanctions on data controllers for noncompliance with the Act, but these provisions are not formally included under the accountability condition and will be dealt with below.

(ii) Condition 2: Processing limitation

This principle deals with four aspects: namely lawfulness of processing, minimality of information; consent, justification and objection; and collection directly from data subjects. All four aspects emphasise limits to the processing of personal information in order to ensure that the processing is done lawfully. In other words, there should be limits to why personal information is collected, the type of information that is collected and whom it is collected from. Apart from the fact that there should be a ground of justification for the processing (such as consent) in order to ensure that the processing takes place lawfully, limits are also imposed by the requirement of the minimality of information and the requirement that personal information be collected directly from the data subject.

• Lawfulness of processing: In terms of the Act, processing should always be done lawfully — that is, in accordance with the law and in a reasonable manner that does not infringe the privacy of the data subject.

• Minimality. The Act provides that personal information may only be processed when, given the purpose(s) for which it is collected or subsequently processed, it is adequate, relevant and not excessive. In terms of the requirement of minimality, the amount of personal information collected should be limited to what is necessary to achieve the purpose(s) for which the information is processed. The minimality requirement aims to ensure that the personal information held for a particular purpose is not more than adequate or sufficient for that purpose. In other words, it must be recognised that the processing of unnecessary information could render data processing wrongful. This requirement indicates that even when processing takes place for a lawful purpose, such processing should be done within certain limits for it to be reasonable and thus lawful.

• Consent, justification and objection: For information to be processed lawfully, a valid ground of justification is needed. As mentioned earlier, consent is a ground of justification that is often present when information is processed. Processing may also be justified by other conditions, such as the fact that processing of information is necessary to protect the public interest or the interests of the data subject or of a third party. In terms of section 11 of the Act, personal information may only be processed if at least one of six grounds of justification is present.

11 (1) Personal information may only be processed if —
(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject; or
(e) processing is necessary for the proper performance of a public law duty by a public body;
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

In other words, processing of personal information may take place only if one of the following grounds of justification is present:

— The data subject, or in the case of a child the competent person, has consented. The Act defines consent as “any voluntary specific and informed expression of will in terms of which permission is given for the processing of personal information”. The 1995 Data Protection Directive requires “unambiguous consent”. Although the word “unambiguous” is not used in it, the Act arguably requires the same type of consent. It is important to note that the Act places the burden to prove that consent was given, on the responsible party. It is suggested that a responsible party will not be able to prove that the data subject has consented in a situation where the data subject has stayed silent. In other words, if the responsible party has sent a notice to the data subject stating that “consent will be assumed unless you respond in the negative”, the fact that the data subject has not responded (has stayed silent) will not be sufficient to prove that the data subject has consented. The Act also specifically provides that the consent may be withdrawn at any time. The lawfulness of processing of information that took place before the consent was withdrawn will not be affected.

— It is “necessary” in a contractual setting (either to conclude the contract or to perform in terms thereof)
585 SH.
586 S 9-12. The pr i dition of the Act hines the OECD Guideline’s principl of ds qaley snd leo of mn eocce: Siece rocendng bet only sheet ic ase of infor it is that the di as i in the Act is a better formulation than that of the OECD.
587 S 9.
588 S 10.
589 Roos “Core principles of data protection law” 2006 CILSA 128.
590 These conditions are very similar to those of the EU’s General Data Protection Directive 95/46/EC.
591 S 11(1)(a) of the Act.
592 S 1.
593 Art 7(a) of Directive 95/46/EC.
594 See also the discussion of the requirements for valid consent above in para. 9.4.1.21.
595 S 11(2)(a).
596 S 11(2)(b).
597 S 11(1)(b) of the Act.


— It complies with a legal obligation imposed on the responsible party,
— It protects a legitimate interest of the data subject.
— It is “necessary” for the proper performance of a public law duty,
— It is “necessary” to uphold a legitimate interest of the responsible party or of a third-party recipient of information.

The term “necessary” is used in several of these grounds of justification. When will processing be “necessary” in terms of the Act? It could be interpreted in two ways. It could be interpreted narrowly to mean that the processing is necessary when there is no other way in which the particular interest could be protected or the particular object be reached. On the other hand a more flexible interpretation could be that the processing is necessary when there is a social pressing need to do so and the interference in the data subject’s rights is proportionate and fair.

The Act provides the data subject with the right to object to the processing of personal information if the processing takes place pursuant to one of the last three grounds, namely to protect a legitimate interest of the data subject, to comply with a public law duty or to uphold a legitimate interest of the responsible party or of a third-party. The objection must be on reasonable grounds relating to the data subject’s particular situation. Processing may not be objected to if it takes place in terms of legislation.

The data subject may also object to the processing of personal information for purposes of direct marketing. This does not include direct marketing by means of unsolicited electronic communications (spam). The sending of spam is in general prohibited, unless certain specific conditions are present. This form of direct marketing is regulated in detail in section 69 of the Act and will be discussed below.

The Act provides that if the data subject has objected to the processing of personal information on the grounds provided for, then the responsible party may no longer process the personal information. One assumes that an objection to the processing of personal information for direct marketing purposes is absolute in the sense that processing should be stopped as soon as an objection is made. However, when the processing is based on the grounds of protecting the legitimate interest of the responsible party or a third party, or to comply with a public law duty, then the objection cannot be absolute. The Act states that the objection must be based on reasonable grounds relating to the data subject’s particular situation. It would seem as if the rights of the interested parties should be balanced by the responsible party to determine whether the objection is justified or not. In this regard reference can be made to the 1995 Data Protection Directive, which provides that the processing may no longer involve the data objected to, if the objection was justified.

• Collection directly from data subject: The Act also requires that personal information be collected directly from the data subject. This requirement is not laid down in the 1995 Data Protection Directive and at first glance may seem unnecessarily strict. However, in terms of the Directive, processing of personal information will only be fair if the data subject knows about the processing. One way a data subject can learn about this is to be approached directly for the information.

Furthermore, the Act contains a long list of exceptions which dilutes the effect of this seemingly strict requirement. The information need not be collected directly from the data subject if:
— the information is contained in or derived from a public record;
— the information has deliberately been made public by the data subject;
— the data subject, or a competent person if the data subject is a child, has consented to the collection of the information from another source;
— non-compliance would not prejudice the legitimate interest of the data subject;
— compliance would prejudice a lawful purpose of the collection;
— compliance is not reasonably practicable in the circumstances of the particular case;
— collection from another source is necessary:
    — for certain public interests, namely to prevent prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution, and punishment of offences;
    — to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
    — for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or reasonably contemplated);
    — in the interests of national security; or
    — for upholding the lawful interests of the responsible party or of a third party to whom the information is supplied.

(iii) Condition 3: Purpose specification

The purpose-specification principle entails three aspects: specifying a purpose; informing the data subject of this purpose; and retaining data for not longer than they are needed for the purpose.

• Specifying a purpose. Personal information should be collected for a purpose that is specific, explicitly defined and lawful. It must also relate to a function or activity of the responsible party. The purpose for which personal information is collected must be established before any information is collected and may not be vague, uncertain or unlawful. This purpose determines every aspect of the processing of the data, such as the nature of the data that may be collected, the

598 S 11(1)(c).
599 S 11(1)(d).
600 S 11(1)(e).
601 S 11(1)(f).
602 See Jay Data Protection Law and Practice 407-208.
603 S 11(3)(a).
604 S 11(3)(b).
605 S 11(4).
606 Dir 95/46/EC art 14(a).
607 S 12(1) of the Act.
608 Para. (38) of the preamble to Directive 95/46/EC.
609 S 12(2) of the Act.
610 S 13.
length of time the data may be kept, whether and what further processing may be done, and the disclosure of information to third parties, and so on.

• Informing the data subject: Subject to exceptions, a data subject must be informed of the purpose of the collection of the information. The steps that must be taken to inform the data subject are further elaborated on under condition 6 (Openness).

• Retention and restriction of records. Subject to certain exceptions, records of personal information may not be kept for any longer than is necessary for achieving the original purpose for which the information was collected or subsequently processed. After it is no longer permitted to keep the record, the responsible party must destroy, delete or “de-identify” it as soon as reasonably practicable. The deletion must be done in such a manner that it cannot be reconstructed in an intelligible form.

Again, the Act provides for exceptions to the limitation on the retention of records. For example, records may be retained for longer periods if it is retained for historical, statistical or scientific purposes. Appropriate safeguards must, however, be taken to ensure that the records are not used for any other purposes. Records may also be kept for longer periods if it is required or authorised by law to do so, or if the responsible party reasonably requires the record for purposes related to its operation, or the record is retained in terms of a contract between the parties, or the data subject, or a competent person where the data subject is a child, authorises such retention.

In certain circumstances, the Act provides that, instead of destroying or deleting the information, the processing of specific personal information must be restricted. This would, first of all, be the case if the accuracy of the personal information is contested by the data subject. Processing of the personal information must then be restricted for as long as the responsible party needs to verify the accuracy of the information. Processing must also be restricted if the responsible party no longer needs the information, but must retain it for purposes of proof. Another situation where processing should be restricted is if the data subject opposes the destruction or deletion of the information that is unlawfully processed. Instead of destroying the information, its processing must then be restricted. Lastly, where a data subject requests that his, her or its personal information should be transmitted to another automated processing system, the personal information should not be deleted or destroyed, but the processing thereof should be restricted.

(iv) Condition 4: Further-processing limitation

Usually the further processing of information is dealt with as part of the purpose-limitation principle. However, it may be wise to make it a principle on its own in order to emphasise its importance. In terms of the Act, personal information must not be further processed in a way incompatible with a purpose for which it was collected.

The responsible party must determine the compatibility of the further processing with the original purpose by looking at the following aspects:
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
(b) the nature of the information concerned;
(c) the consequences of the intended further processing for the data subject;
(d) the manner in which the information has been collected, and
(e) any contractual rights and obligations between the parties.

Exceptions. As expected, the Act makes exceptions to this principle, too. Further processing is not regarded as incompatible with the original purpose of the collecting of data if

• such further processing is authorised by the data subject, or a competent person if the data subject is a child;

• the information is publicly available, either because its source is a publicly available record, or because the data subject himself or herself has deliberately made the information public;

• the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to public health or public safety or the life or health of the data subject or another individual;

• the information is used for historical, statistical or research purposes, in which case the responsible party has to ensure that the further processing is carried out solely for such purposes and will not be published in an identifiable form;

• the further processing is necessary to protect certain public interests, such as the maintenance of the law, collection of revenue and judicial proceedings;

• the further processing is in accordance with an exemption granted under section 37 of the Act.

(v) Condition 5: Information quality

The fourth condition simply states that the responsible party must take reasonably practicable steps, given the purpose for which personal information is collected or

619 Sisal).
ot Roos “Core principles of data protection law” 2006 CILSA 117. 20 S$ 152).
612 $132). 20 S 15(3) (a).
613 S140). 622 S 19(3)(6).
6l4 S144). 23 S si3)(@).
615 S14(5). 24 S13).
616 $14). 625 S$ 15G)(0.
617 SM()(a)-(d. 626 S133).
618 S$ 14(6)(a)-(d.
Chapter9: Data Privacy Law 449 4) Information and Communications Technology Law

subsequently processed, to ensure that the personal information is complete, up to date, accurate and not misleading. The Act admits of no exceptions to this principle.

A few general remarks can be made with regard to this principle. It should be kept in mind that information can be factually accurate but still be misleading. For example, if the responsible party records the fact that the data subject refused to pay for a product or service, but does not record that the subject refused to pay because he, she or it was dissatisfied with the service or product, the information is incomplete and therefore misleading. In other words, the impression created by the information should not be misleading and should give a complete picture of the data subject's situation.

The obligation of the responsible party to ensure accuracy is not, however, absolute; the responsible party is not required to guarantee the correctness of the data. The responsible party need only take “reasonably practical steps” to ensure accuracy, taking into account the purpose for which information is collected or subsequently processed. For example, it could reasonably be expected of a responsible party to accept information only from reliable sources and to take such steps as are practicable to verify the information before subjecting it to processing.

The necessity for updating information is determined by the purpose for which the information is held. For example, updating is unnecessary if the information is part of a historical record, but is necessary if it is used for a purpose such as credit rating.

(vi) Condition 6: Openness

The openness principle is a very important element in data processing. According to Bygrave, “[t]he primary principle of data privacy law is that personal data shall be processed ‘fairly and lawfully’ and processing cannot be done fairly and lawfully if the processing of personal data is not transparent for the data subjects.” This means that the processing of personal information should not be done in secret. This principle requires that data subjects should be made aware of the fact that their personal data are being processed, the purpose(s) for which this is done, the identity of recipients of their personal data, as well as the identity and usual residence of the data controller. According to the OECD Guidelines, the openness principle can be complied with in any one of several ways, examples of which are: regular information from data controllers to data subjects; publication in official registers of descriptions of activities concerned with the processing of personal data; and registration by data controllers with public bodies.

The PoPI Act requires in its openness condition that the data controller maintain documentation of its processing operations and supply the data subject with certain information when his, her or its personal information is collected. The first drafts of the PoPI Bill required of the data controller to notify the Regulator of the processing activities before the particular data processing commenced and the Regulator was supposed to keep a register of the processing activities. These requirements are no longer part of the Act. Although the requirement that data controllers must register with or give notification of processing activities to a supervisory authority is a requirement that is present in many data protection laws, registration or notification has come to be considered bureaucratically burdensome for both the data controllers and the supervisory authorities. The newest proposals for a Regulation for data processing by the EU do not contain notification as a requirement for processing activities. It is therefore to be welcomed that the South African legislature has taken heed of this new development in data privacy law and has not included the notification requirement in the PoPI Act.

Information manuals: Instead of registering with a data protection supervisor, the responsible party must maintain the manuals required by the PAI Act. In terms of the PAI Act, the manuals must contain “in sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject”.

Informing the data subject: Subject to exceptions, before personal information is collected, or, if that is not reasonably practicable, as soon as reasonably practicable after the information has been collected, the responsible party must take reasonably practicable steps to make the data subject aware of certain information. The data subject must be made aware of the information that is collected and the source from which it is collected (if it is not collected directly from the data subject), as well as the purpose of its collection. The data subject must be given the name and address of the responsible party and told whether the supply of information is voluntary or mandatory. The consequences of his, her or its failure to reply must also be explained by the collecting party. When the collection of information is authorised in terms of any law, the data subject must be told under which particular law the information is collected. If the responsible party intends to transfer the information to a third country or international organisation, the data subject must be made aware of that fact and must be informed about the level of protection afforded to the information by that third country or international organisation. Any other relevant information which is “necessary” for the data subject to know in order to make the processing in respect of that particular data subject in his, her or its specific circumstances reasonable, should also be made known to the data subject. Such information may include who the recipients of the information will be and the nature of the information. It may also be relevant to inform the data subject of his, her or its rights in terms of the Act, such as the right of access to information; the right to rectify mistakes in the information collected; the right to object to the processing of personal information in specific instances; and the right to lodge a complaint to the Information Regulator — the contact details of the Information Regulator should then also be provided.

If the responsible party previously gave the necessary information to the subject about the collection of the same kind of information for the same purpose from him or her, the responsible party need not do so again with a subsequent collection.

Exceptions are made to the duty to inform the data subject if one of the following situations prevail: the data subject (or in the case of a child, a competent person) consents to non-compliance; the legitimate interests of the data subject would not be prejudiced by non-compliance; a lawful purpose of the collection would be prejudiced by compliance; or compliance is not reasonably practicable in the particular circumstances. The data subject also need not be informed if information is used for historical, statistical or research purposes or if the data subject is not identifiable from the information. Similarly, the data subject need not be informed if it is necessary to withhold the information to protect certain public interest, namely to prevent prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution, and punishment of offences; to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably contemplated); or in the interests of national security.

Bygrave Data Privacy Law 147.
See also Bennett Regulating Privacy 103: “The very existence of record-keeping systems, registers or data banks should be publicly known”.
Roos “Core principles of data protection law” 2006 CILSA 117.
685 See eg the UK Data Protection Act 1988 s 17(1); Dir 95/46/EC art 21.
686 Bygrave Data Privacy Law 186.
687 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data COM (2012) 11 final 2013/0011 (COD).
S 17. This must be done as referred to in PAIA ss 14 and 51.

(vii) Condition 7: Security safeguards

The security-safeguards condition requires the responsible party to implement reasonable, appropriate technical and organisational measures to secure the integrity and confidentiality of personal information by safeguarding against the risk of damage to or loss or destruction of personal information and against unauthorised or unlawful access to or processing of personal information.

The Act identifies the following specific measures that should be taken by the responsible party to comply with this principle:
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In general it can be said that “appropriate” security measures mean that the measures should guarantee a level of security that is appropriate to the risks presented by the processing and the nature of the information to be processed. The Act directs that in deciding what are “appropriate” security measures the responsible party must have due regard to generally accepted information-security practices and procedures that may apply to it generally or are required in terms of specific industry or professional rules and regulations. The Act requires that technical as well as organisational measures must be taken. Organisational measures will for example be the use of access codes. Technical measures will be measures imbedded in the technology used to process the information.

To prevent unauthorised processing, the Act stipulates that a person who processes information under authority of the responsible party or operator (processor) must do so only with the knowledge or authorisation of the responsible party, except where otherwise required by law or in the proper performance of their duties. Persons processing information are also under a duty of confidentiality in respect of the personal information that comes to their knowledge, except when the communication of such information is required by law or in the proper performance of their duties.

Should responsible parties choose an operator to do the processing on their behalf, the responsible parties remain responsible for security and must ensure that the prescribed measures are complied with. The processing activities of the operator must be governed by a written contract between the responsible party and the operator, which agreement must include an obligation on the part of the operator to establish and maintain security safeguards.

The Act also imposes an obligation on the operator to notify the responsible party of a security compromise resulting in unauthorised access to personal information.

The Act imposes an obligation on the responsible party to notify the data subject (unless the data subject cannot be identified) and the Regulator if there was a security compromise resulting in unauthorised access of personal information. The notification must be made as soon as reasonably possible after the security breach. The reasonableness of the time taken to make the notification is determined by referring to the legitimate needs of law enforcement and the time necessary to determine the scope of the compromise and to restore the integrity of the information system. Notification may be delayed if the Regulator or the law enforcement body investigating the compromise determines that notification will impede the criminal investigation. The notification of the security compromise must be in writing, either sent by mail or email to the last known address or email address of the data subject, or by placing a prominent notice on the responsible party’s website, or by announcing it in the news media, or by any method determined by the Regulator. The notification must provide sufficient information so that the data subject can take protective measures against any possible negative consequences. This information must include a description of the possible consequences of the security
compromise, the measures that is being taken to address the security breach, the
steps that are recommended for the data subject to take, as well as the identity 0of the destruction or deletion of a record that the responsible party is no longer au-
unauthorised person who may have accessed or acquired the information. The thorised to retain because the information is no longer needed for the purpose it
Regulator may instruct the responsible party to publicise the fact that the security was collected for.”
breach has taken place, if the Regulator believes, on reasonable grounds, that such
Afier receiving the particular request, the responsible party must do one of four
action will protect the data subject involved.
things: correct the information, destroy or delete the information, provide the
(viii) Condition 8: Data subject participation data subject with credible evidence that support the information, or if the re-
sponsible party is unwilling to make the correction, attach a statement to the in-
The individual-participation principic as found in data privacy documents worldwide formation explaining that a correction was sought but refused.*
usually entails the data subject having a right of access to his, her or its personal
information, a right of correction of inaccurate information and a right to object to The responsible party must inform the data subject of any correction made or
the processing of personal information in certain situations, for example in direct whether a statement has been attached. Third parties to whom the incorrect or
marketing. The data subject participation condition in the PoP! Act only deals with misleading information has becn disclosed prior to its correction must also be in-
the data subject's right of access to his, her or its information and the night to request formed of the steps taken, provided that it is reasonably practicable for the re-
correction of information. The right to object to certain processing activitics is provid- sponsible person to do so.”
ed for in PoP!, but form part of the processing limitation principle, discussed above. (b) The processing of special personal information
OO Right of access The right of access to personal information in the Act gives the
Particular categories of personal information is treated as “sensitive” (or in the case
data subject three entitlements, provided he, she or it can provide adequate
of PoPI as “special”) information because it is assumed that misuse of these types of
proofof identity to the responsible party. The data subject is entitled to:
information could have more severe consequences for a data subject's fundamental
(a) obtain (free of charge) confirmation of whether or not the responsible rights, such as the right to privacy and non-liscrimination, than misuse of other non-
party holds personal information about him or her, sensitive personal information. “Misuse of sensitive data, such as health data or
(b) have the record, or a description of the personal information, communicat- sexual orientation (for example, if publicly revealed), may be irreversible and have
ed to him or her by the responsible party, including information on the long-term consequences for the individual as well as his social environment.”
identity of all persons who have had access to the personal record, and” The Act lists as “special personal information” any personal information con-
(c) be told that he, she or it may request the correction of information.” cerning a person's religion or philosophical beliefs, race or ethnic origin, tade-
The manner of access is regulated by the PAI Act." The information must be union membership, political persuasion, health or sex life or biometric information,
given within a reasonable time and in a reasonable manner. It must be in a form or criminal behaviour to the extent that such information relates to the alleged
that is generally understandable. The responsible party may require of the data commission of an offence or proceedings in respect of that offence. The Act does
subject to pay a prescribed fee.™ not define any of these concepts, apart from explaining what biometrics is: “A tech-
nique of personal identification that is based on physical, physiological or behav-
The responsible party may or must refuse to disclose the information on the
same nds that access to information may or must be refused in terms of ioural characterisation inching blood typing, fingerprinting, DNA analysis, retinal
PAIA.” The provisions in PAIA regarding access to health records are made ap- scanning and voice recognition_
plicable to PoPI.™ If only part of the information must not be disclosed, the rest Apart from the reference to criminal offences, this list of “special information” is
of the information should still be disclosed.” similar to the list of sensitive information in anicle 8 in the European Union's 1995
Right to request correction. The Act gives the data subject the night to request a
o

correction or deletion of incorrect information, as well as a right to request the


$ 24(1).
8828

S 24(2).
S$ 24(4).
S 22(5). S 24(3).
RESELL REE

S$ 22(6).
EU Art 29 EU Data Protection Working Party Adetce paper on special calegories of data (“sensitive dain”)
S 23(1) (a) and (6). Ref. Ares (2011) 444105 — 20/04/2011 4.
S 23{2).
$ 26. An example of the last ground would be if a person who has a disability, actively campaigns in
S$ 25. See PAIAs 18 and 55.
the public eye for support for people with this disability. The fact that the person has this disability
S$ 25(1)(6).
is “special” information, secing as it concerns the person's health. Since the person has deliberate-
PoPI Act s 23(4)(a). See PAIA Ch 4 of Part 2 and Ch 4 of Part 3.
PoP! Act s 23(4) (6). See PALA ss 50 and 61- ly made this information known, however, its processing would only have to comply with the provi-
PoPl Act s 23(5)_ sions set out for processing of personal information in general and not with the heightened
protection for special information.
PoP Acts 1.
496 Information and Communications Technology Law
Chapter9: Data Privacy Law 456
(d) this
is done for historical, statistical or research purposes (to the extent
that the
Data Protection Directive.” Guidance given on when personal information will be purpose serves a public purpose and the processing is necessary for the purposc
considered “sensitive information” in terms of the Directive or European laws may concemed; or it appears to be impossible to ask for consent or would involve a
therefore be helpful for interpreting the meaning of special information in PoP!. disproportionate effort to ask for consent);
For example, a UK Court has held that a belief in climate change is capable of (c) the information has deliberately been made public by the data subject;
amounting to a philosophical belief." It is also pointed out that images of persons (one of the specific grounds for processing special information ispresent.”
captured on surveillance cameras, may reveal a person’s cthnic ¢ origin or health
The responsible party may also apply to the Regulator to be allowed to process
status and should then be considered as “special” information.” Health data in- special information in the public interest The Regulator may then authorise the
cludes information concerning the physical or mental health of an individual, in- responsible party, by means of a publication in the Government Gazelle, to do the
cluding information relating to alcohol abuse or the taking of drugs™ The
processing. The Regulator may impose reasonable conditions under which the
European Court of Justice has held that reference on a website to the fact that an
processing must take place.™
individual has injured her foot and is on halftime on medical grounds constivutes
personal data concerning health within the meaning of Article 8(1) of Directive The draft Bill proposed by the Law Commission required “express consent” for
95/46." the processing of sensitive information, meaning that implicd or tacit consent was
insufficient. This proposal was in agreement with the provisions of the EU 1995 Data
Special personal information is subject to heightened protection in that the pro-
Protection Directive, which requires “unambiguous” consent for the processing of
cessing of such information is generally prohibited, unless an exemption is applica-
regular personal information, but “explicit” consent for the processing of sensitive
bie.™ In this regard, there are general exemptions that apply to all types of sensitive
personal information. However, the PoP1 Act requires merely “consent”. It means
information and specific exemptions that are only applicable to certain types of
that in terms of PoP! there is no difference between the consent needed for pro-
sensitive information. cessing regular personal information, and that needed for special personal infor-
(i) General exemptions mation. The Act’s definition of consent (which was referred w earlicr) is “any
voluntary specific and informed expression of will in terms of which permission is
Special personal information may gencrally be processed when
given for the processing of personal information” It was pointed out that the
(a) this is carried out with the consent of the data subject; consent required by the Act can be regarded as similar to the “unambiguous” con-
(b) this is necessary for the establishment, exercise or defence of a right or obliga- sent of the Directive. It was also pointed out that when regular personal information
tion in law; is processed on the basis that the data subject has consented to it, the Act places the
(c) this
pence
is to comply with an obligation of international public law; or burden of proof that consent was given on the responsible party. ™ Although the Act
does not repeat this provision when stating that consent can be a ground for allow-
ing processing of special personal information, it is submitted that the same position
670 Directive 95/46/EC,
24 October 1995. The reason why the Directive dors not refer to information should apply. The processing of special personal information should be subject to
of criminal behaviour, is that criminal law falls outside the scope of Community law and the Di-
rective can therefore not make provision for it (see para. (13) of the preamble to the Directive). heightened scrutiny, and it therefore follows that the burden of proof should not
671) Grainger Pie & Others 0 Mr Nichole (a decisi of the Fs ploy Appeal Tr }). The court shift to the data subject in this instance.
belief (in this case specifically for the As stated, one of the general exemptions when special information may be pro-
2003): cessed is when the data subject has “deliberately made public” the special infor-
.

© Tt must be a belief and not an opinion of view based on information currently available. mation. “Deliberatcly made public” means that the data subject must have chosen to
. I ceons es a Remotes us 2 eangpeymticomemle mapent ot hescaes iie ns kemeraoee reveal that specific aspect about himself or herself For example, when a person
. hh must attain a certain level of cogency, seriousness, cohesion and importance. openly aligns himself or herself with a political party, he, she or it has manifestly
© Tt nwust be worthy of respect in a dh iety, not be i patible with bh dignity made public his, her or its political persuasion.
and not conflict with the fundamental rights of others.
In Farrell © South Yorkshire Police Authority an Employment Tribunal had to decide whether 2 belief in As stated above, a general exemption applics to the processing of sensitive person-
a conspiracy theory surrounding a “New World Order’ and the terrorist attacks in 2001 and 2005 al information for the purpose of historical or scientific rescarch or statistics, i
constituted a philosophical belief. The Tribunal held that the belief did meet most of the require ed certain conditions are met. The research must cither serve a public interest for
ments set out in the Crsinger case, Ee at re eens
sion as required and therefore did not aph F
672 EU Art. 29 EU Data Protection Working Party Adoice paper om special categories of data (“sensitive 677 S27(1).
dala”) Ref. Ares (2011444105 - SA 678 S$ 27(2)and (3).
673 Convention 108/198! Expkanatory Report 679 Art R(1).
674 Bodil Lindgvist 0 pa yc Case COL/O1- 680 SI.
675 $26. 6BL S11(2)a)- For the earlier discussion, see 444 supra-
676 The meaning
of “necessary” was considered
above in par (a) (ii).
458 Information and Communications Technology Law
Chapter9: Data Privacy Law 457

which the processing must be necessary, or asking for consent must appear to be (c) The processing of personal information of children
impossible or involve a disproportionate effort, and sufficient guarantecs must be The information of children (meaning a natural person under the age of cightecn)
provided to ensure that processing does not adversely affect the individual privacy of is given heightened protection in the Act. The rational for this is that children need
the data subject to a disproportionate exten more protection because they have not yet reached physical and psychological ma-
turity. In terms of the South African Constiuntion, a child's best interests are of
(ii) Specific exemptions paramount importance in every matter concerning the child. This means that
The Act also contains excm: specific to every type of special information.” For when the personal information of a child is processed, the child's best interest
cxample, personal information concerning a person's: should always be considered.
O religious or philosophical belicfs may be processed by the church or other organ- In terms of the PoP! Act, the processing of the personal information of children is
isation to whom the data subject belongs — the information of the member's fam- prohibited, unless the processing is authorised in the Ac™ The grounds on which
ily may also be processed if the organisation has lar contact with the family processing of the personal information ofa child is allowed, is the same as the gen-
members and they do not object to the processing; eral exemptions for special information already discussed above,” apart from the
O race or ethnic origin may be processed to identify data subjects when processing fact that a competent person acts on behalf of the child.
information on the race of a persons is essential to identify the person, or to The first ground on which processing is allowed, is the prior consent of a compe-
comply with laws or measures designed to protect persons disadvantaged by un- tent person.” The Act explains that a competent person is a person who is legally
fair discrimination;™ competent to consent to any action or decision being taken in respectal anyt matter
O trade-union membership may be processed by a trade union to which the data concerning a child. In terms of the Children’s Act, a person who acts as
subject belongs if it is necessary to achieve the aims of the trade union; ofa child, must give or refuse any consent required by law in respect of the child.
UO political persuasion may be processed by a political pany to which the data sub- A competent person is therefore the guardian of the child.
ject belongs if the processing is necessary for forming apolitical party, participat- As said, the other grounds has already becn discussed above, and can be briefly
ing in the activities of the party, or campaigningfor the party; summarised as processing being necessary for establishing, exercising or defending
O) health or sex life may be processed by 4 number of persons or institutions, such legal rights or obligations or to comply with an international public law obligation;
as medical professionals and health care facilities, insurance companies, medical or processing is done for historical, statistical or research purposes (subject to the
schemes, schools, institutions managing the care of children, pension funds, provisos explained); oor the information processed has dcliberatcly been made public
prison authorities and many more. In cach case the processing must be neces- by the data subject”
sary for the instiuutions to provide care to the data subject, or properly adminis-
As is the case when processing special information, the Regulator may authorise
trate the particular instiuntion, or perform their lawful dutics and obligations.
processing of personal information of a child if it is in the public interest.” Once
The persons processing the information must be subject to an obligation. of con-
fidentiality, or must in any case treat the information as confidential. If it is more, the Regulator may impose reasonable conditions in respect of this authorisa-
necessary for the proper treatment or care of the data subject, any type of special tion, but in this instance the Act provides a more detailed explanation of the condi-
information (race, gender, ctc) may be processed; ™”
tions. The Regulator may impose conditions with regard to how the responsible pany
must allow the competent Person to review the personal information and to refuse
criminal behaviour or biometric information may be processed by bodies
to permit further processing.” The conditions may also require that the responsible
o

charged with applying criminal law and by responsible partics who have obtained
party must give notice about the nature of the information, how the information is
this information in accordance with the law.™
In every case in which processing is allowed, the Act contains detailed provisions
regulating the circumstances in which the exemption applies.”



personal information about himself or herself than is reasonably necessary given the purpose for which it is intended. Lastly, the conditions may provide that the responsible party should have reasonable procedures protecting the integrity and confidentiality of the personal information.

(d) Special . soe

Certain processing activities are considered particularly troublesome because they carry a high risk for the individual rights and freedoms of the data subject. These activities include, for example, using a unique identifier to link information of a data subject from various sources and create a profile of a data subject, using personal information for direct marketing by means of unsolicited electronic communications and making automated decisions about someone. The Act contains special provisions for these types of processing.

(i) Processing requiring prior authorisation

The Act requires that a responsible party must get prior authorisation from the Regulator for specific types of planned processing activities. Prior authorisation must be applied for when the responsible party plans to:
- link personal information on the data subject from different sources by means of a unique identifier for another purpose than the one the identifier was collected for;
- process information on the data subject's criminal behaviour, unlawful or objectionable conduct on behalf of third parties;
- process information for the purpose of credit reporting; or
- transfer special personal information or personal information of children to third countries without adequate levels of protection for the processing of personal information.

(The Act defines a unique identifier in s 1 as “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.”)

The responsible party must notify the Regulator about the planned processing that requires prior authorisation and may not carry out such processing activities until the Regulator has completed its investigation or has informed the responsible party that a detailed investigation will not be conducted.

The requirement of prior authorisation may be rendered applicable to other types of information processing, by means of an Act or by regulations, when such processing carries a particular risk for the individual rights and freedoms of the data subject. The responsible party need only apply once for prior authorisation as long as the processing does not depart from that for which authorisation has originally been received. Prior authorisation is not required if the specific sector of which the responsible party is part has adopted a code of conduct as provided for in the PoPI Act. (Codes of conduct are dealt with in Ch 7 of the Act.)

If the responsible party fails to notify the Regulator of processing that is subject to prior notification, he, she or it is guilty of an offence and is liable to a fine or to imprisonment for up to a year, or both a fine and imprisonment.

(ii) Direct marketing by means of unsolicited electronic communications

We have seen that the Act gives the data subject the right to object to the processing of personal information for purposes of direct marketing, in which case the responsible party may no longer process the personal information. Note that this right to object is provided for direct marketing in general. When the direct marketing is done by means of unsolicited electronic communications (sometimes referred to as “spam”), even stricter rules apply. (Direct marketing by means of unsolicited electronic communications is also regulated by the Electronic Communications and Transactions Act 25 of 2002 (s 45(1)); the National Credit Act 34 of 2005 (s 74(6)) and the Consumer Protection Act 68 of 2008 (s 11).)

Direct marketing is defined in the Act as “to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason.”

In terms of PoPI, direct marketing by means of unsolicited electronic communications, such as automatic calling machines, facsimile machines, SMSs or e-mail, is prohibited, unless a data subject has consented to the processing, or if the data subject is a customer of the responsible party, in which case further conditions are applicable. (These provisions are similar to those of the E-Directive; see par 9.3.4.3.)

In the case of data subjects who are not customers of the responsible party, the Act follows an “opt in” approach — the data subject must first consent before his, her or its personal information may be processed and only after such consent has been given may the data subject send direct marketing material. The responsible party may approach the data subject only once in order to ask for consent. This is to prevent the data subject from being harassed by direct marketers for consent. The consent must be, per the definition in the Act, a “voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. This means that there should not have been any duress on the data subject to give the consent, that the consent must not be general or vague, but must be for a specific purpose of which the data subject must have been informed.

In the case of data subjects who are customers of the responsible party, the Act follows an “opt out” approach in that the customer must be given the opportunity to object to the processing of his, her or its personal electronic details. The personal information of a customer may only be processed for direct marketing purposes if three stipulations are met: the responsible party should have obtained the contact details of the customer (the data subject) in the context of the sale of a product or service; for the purpose of direct marketing of the responsible party's own products or services of a similar nature; and, importantly, if the data subject has been given a reasonable opportunity to object to the use of the data subject's electronic details. The opportunity to object should exist both at the time when the information is collected and, if the data subject has not objected at the time of collection, then again each time a communication is sent to the data subject for marketing purposes.

The Act further prescribes that any direct marketing communication sent to a data subject must contain the identity of the sender or the person on whose behalf the communication has been sent and an address or other contact details to which the recipient may send a request that such communications end.

(iii) Directories

The Act contains special provisions for publicly available directories, be it in printed or electronic form. (A telephone directory as contained in a “telephone book” is an example of a publicly available directory.) It gives the subscriber (ie the data subject) to such a directory a right to be informed about the inclusion of the subscriber's personal information in the directory, as well as the right to be informed about the purpose of the directory and the further uses that the directory may possibly be put to. (S 70(5) defines a subscriber for purposes of this section as meaning “any person who is party to a contract with the provider of publicly available electronic communications services for the supply of such services.”) The subscriber must also have a reasonable opportunity to object to the use of his, her or its information, or to request verification, confirmation or withdrawal of the information if the subscriber has not initially refused such use.

These provisions are not applicable to the existing editions of printed directories or offline electronic directories produced before the commencement of the Act. These provisions also do not apply to the personal information of subscribers to fixed or mobile public telephony services, if the personal information has been included in the public directory prior to the commencement of the Act. The information may remain in such a directory, but the subscriber must be informed about the inclusion of his, her or its personal information in the directory, as well as about the purpose of the directory and the further uses that the directory may possibly be put to.

(iv) Fully automated decision making

Automated decision-making is also referred to as “profiling”. In profiling, personal information of the data subject from various sources is combined, resulting in a profile of the data subject who is then treated in the light of this profile. The creation of a profile entails processing information in search of patterns, sequences and relationships, whereas the application of the profile involves making a decision about a person based on the profile. As Bygrave explains, “profiles are essentially assumptions based on probability equations” (Data Protection Law 309). The quality of a profile is obviously dependent on the quality of the data (in terms of correctness, relevance and so on) put into the profile. A real danger with profiling is that unfair or unwarranted assessments can be made about data subjects.

According to the Act, a data subject may not be subjected to a decision to which legal consequences are attached, or which substantially affects the data subject, where this decision has been taken solely on the basis of the automated processing of personal information intended to provide a profile of certain aspects of the data subject’s personality or personal habits. This profile may, for example, be on the data subject’s performance at work, creditworthiness, reliability, location, health, personal preferences or conduct.

In other words, a data subject may not be subjected to an automated decision based on a personality profile of that data subject.

Exceptions are provided for in the Act. First of all, automated decision making is allowed for purposes of concluding a contract, provided the request of the data subject in terms of the contract has been met, or “appropriate measures have been taken to protect the data subject’s lawful interests.” These measures must allow the data subject to make representations about the decision and must oblige the responsible party to give sufficient information about the underlying logic of the automated processing to enable the data subject to make the necessary representations.

Automated decision making is also allowed if the decision is governed by a code of conduct in which appropriate measures are laid down for protecting the lawful interests of data subjects.

E Duties of the responsible party

The responsible party is ultimately responsible for protecting the personal information of the data subject in accordance with the information-protection principles. This requires the responsible party to carry out certain duties. What follows is a summary of some of the duties of a responsible party, most of which are discussed in detail elsewhere in this chapter.


- Duty to ensure conditions for lawful processing: The accountability condition discussed above requires of the responsible party to ensure that all the measures that give effect to the conditions for processing are complied with throughout the processing.
- Duty to collect information directly from the data subject: The responsible party must collect personal information directly from the data subject, unless certain exceptions are applicable.
- Duty to inform the data subject and/or Regulator: The purpose-specification condition and the openness condition impose obligations on the responsible party to inform the data subject of the purpose for which the subject's information is being collected and of the intended recipients of the information, and to notify the data subject of the planned processing of personal information, the name and address of the responsible party and whether the supply of information is voluntary or mandatory, and so on. The responsible party must inform a data subject about the underlying logic of any automated processing of information relating to him or her. The responsible party must also inform the data subject and the Regulator of security compromises.
- Duty to give the data subject access to his, her or its information: Should the data subject request access to his, her or its information kept by the responsible party, the responsible party is under an obligation to confirm whether he, she or it holds personal information on the data subject and to give the data subject access to the information.
- Duty to keep personal information up to date: A responsible party must take reasonable steps to ensure that the personal information is complete, accurate, up to date etcetera.
- Duty to correct information: The responsible party must correct or destroy information if the data subject requests the responsible party to do so, when the information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- Duty to delete records: The responsible party must not retain records containing personal information longer than is necessary to achieve the purpose for which the information was collected, or longer than is allowed by law. Should the responsible party no longer have the right to retain the records, they must be destroyed or deleted.
- Duty to maintain documentation: The responsible party must maintain the documentation of all processing activities he, she or it is responsible for.
- Duty to obtain prior authorisation: The responsible party must inform the Regulator if certain sensitive processing activities are planned (such as using a unique identifier to link personal information, processing information on criminal behaviour on behalf of a third party, processing information for credit reporting purposes, transferring special personal information or the personal information of children to a third country without adequate data protection measures) and must first obtain authorisation from the Regulator before such processing takes place.
- Duty to ensure confidentiality and security of processing: The principle of security and confidentiality places a duty on the responsible party to take appropriate measures to ensure the security of the processing activity and the confidentiality of the information.
- Duty to get prior consent for direct marketing by means of unsolicited communications: The responsible party must get the prior consent of the data subject if the data subject is not an existing customer of the responsible party, before sending unsolicited electronic communications for direct marketing purposes.
- Duty to comply with Information notice and Enforcement notice: A responsible party must furnish the Regulator with information if requested to do so by the Regulator in terms of an Information notice. The responsible party must also comply with an Enforcement notice served by the Regulator.

F Rights of the data subject

The overarching right of the data subject is to have his, her or its personal information processed in a lawful and reasonable manner. Flowing from this general right certain specific rights can be identified. The following specific rights, which are discussed in detail elsewhere in this chapter, can be identified:
- Right to be informed: The data subject has a right to be notified that the information about him, her or it is being collected, as well as about the fact that an unauthorised person has gained access to his, her or its personal information. A data subject must also be informed about a security breach.
- Right to participate: The data subject participation condition gives the data subject a right of access to his, her or its personal information and a right to request correction of inaccurate information. The data subject also has the right to object to the processing of personal information in certain instances, for example when personal information is processed for direct marketing purposes.


- Right not to be subjected to fully automated decision making.
- Right not to have his, her or its information processed for direct marketing purposes by means of unsolicited electronic communications.
- Right to submit a complaint to the Regulator: The data subject may submit a complaint to the Regulator if there was an interference with the protection of personal information of any data subject. The data subject may also lodge a complaint with the Regulator if the data subject does not agree with the determination made by an adjudicator.
- Right to institute civil proceedings: A data subject may institute a civil action for damages against a responsible party for breach of a provision of the Act.

G Supervision

Oversight of the implementation of the Act is through an independent oversight body established by the Act, namely the Information Regulator, assisted by information officers to be appointed by every responsible party.

(a) Information Regulator

The Regulator is tasked with oversight of both the PoPI Act and the PAI Act (the Promotion of Access to Information Act 2 of 2000). The Act stipulates that the Regulator is independent in the performance of its functions. The Regulator is accountable to the national assembly.

(i) Members and staff

The members of the Regulator are recommended by the National Assembly and appointed by the President. It is composed of a chairperson and four ordinary members. One of the members must have experience as a practising attorney, advocate or professor of law, whereas the others must have qualifications, expertise or experience that relates to the functions of the Regulator. The chairperson and two ordinary members must be appointed fulltime. One of the permanent members must perform the duties confirmed in terms of the PAI Act, and the other the duties in terms of the PoPI Act. They are appointed for 5 years and may be reappointed. Members must be citizens of South Africa. They may not be public servants; members of parliament, provincial legislatures or municipal councils; office-bearers or employees of a political party; unrehabilitated insolvents; declared mentally ill or unfit; or have been convicted of any offence involving dishonesty. Members may resign from office and may also be suspended or removed from office by the President upon a resolution by the national assembly on the ground of a member's misconduct, incapacity or incompetence. The Act prescribes how vacancies must be filled, how conflict of interests must be handled, and what the remuneration of members should be.

The Regulator must establish its own administration to assist in the performance of the functions of the Regulator. A chief executive officer and other members of staff should be appointed in terms of the Act. The chief executive officer is the head of the administration as well as the accounting officer and is responsible for the management of the affairs of the Regulator. The Regulator may establish committees to perform specific functions. A specific committee which must be established by the Regulator is the Enforcement Committee. At least one of the members of the Regulator must be on this committee. The other persons on this committee may be appointed by the Regulator. The function of this committee is to hear complaints referred to it by the Regulator. The chairperson of the Enforcement Committee must be a judge or magistrate with at least ten years’ experience.

The Regulator is funded by parliament and fees collected in terms of the Act.

A person acting on behalf of the Regulator is protected from criminal and civil liability for anything done in good faith in the exercise of a power, duty or function in terms of PoPI or PAIA.

A person acting on behalf or under the direction of the Regulator is subject to a duty of confidentiality during or after his or her term of office or employment, as regards the personal information which comes to his or her knowledge in the course of the performance of his or her official duties, except if the communication of such information is required by law or in the proper performance of his or her duties.

(ii) Powers, duties and functions of Regulator

The Act contains extensive provisions on the powers, duties and functions of the Regulator.
- The Regulator must provide education by promoting an understanding and acceptance of the conditions for the lawful processing of the Act and of the objects of these conditions. This must be done by undertaking educational programmes, making public statements and giving advice to data subjects, Ministers, private and public bodies.
- The Regulator must also monitor and enforce compliance by public and private bodies with the provisions of the Act, by undertaking research into and monitoring developments in information-processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information are minimised, and reporting the results of the research and monitoring to the Minister; by examining proposed legislation and government policy that may affect the protection of personal information of data subjects and reporting the results to the Minister; by reporting to parliament on policy matters affecting the protection of information privacy; by submitting a report to Parliament about its activities; by assessing the compliance of a public or private body with the Act by conducting an assessment of the body; by monitoring the use of unique identifiers of data subjects and reporting on that to parliament; by maintaining the registers prescribed in the Act; and by examining proposed legislation that provides for information matching and reporting to Parliament about that. (The Act lists certain matters that the Regulator must pay attention to when evaluating information matching programmes; see s 44(2) discussed below.)
- The Regulator must consult with interested parties by receiving representations from the public on any matter affecting the protection of personal information; by co-operating with national and international bodies concerned with the protection of personal information; and by mediating between opposing parties on matters that concern the need for action by a responsible party for the protection of the personal information of a data subject.
- The Regulator must also handle complaints by receiving and investigating complaints of alleged violations of the protection of personal information and making reports to complainants; by gathering information that will assist it in its functions; by attempting to resolve complaints by means of dispute-resolution mechanisms such as mediation and conciliation; by serving notices in terms of the Act and further promoting the resolution of disputes.
- The Regulator must conduct research and report to parliament on the desirability of South Africa’s acceptance of any international instrument relating to the protection of the personal information and draw parliament's attention to other matters as the Regulator deems necessary.
- The Regulator may also from time to time issue, amend or revoke codes of conduct; give guidelines to assist bodies to develop or apply codes of conduct, and consider the determinations by adjudicators under codes of conduct.
- The Regulator must facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation.
- The Regulator must in general do anything related to or helpful to the performance of its functions; perform any other functions, powers and duties imposed by legislation; require the responsible party to disclose security compromises to affected persons; and exercise the powers conferred upon it by the Act in matters relating to the access of information as provided by the PAI Act. (The powers and duties of the Regulator in terms of the PAI Act are set out in Part 4 and 5 of that Act; see PoPI Act s 40(4).)

(iii) Regulator to have due regard to certain matters

The Regulator must, in the performance of its functions and the exercise of its powers, give fair consideration and attention to certain matters, namely:
- the conditions for the lawful processing of personal information;
- the protection of all human rights and social interests that compete with privacy, such as the desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way;
- international obligations accepted by South Africa;
- any developing general international guidelines relevant to the better protection of individual privacy.

In performing its functions with regard to information matching programmes, the Regulator must have particular regard to whether or not:
- the programme aims to serve a matter of significant public importance;
- the use of the programme will result in significant and quantifiable monetary savings or have other comparable benefits to society;
- an alternative means is available that will achieve the same results;
- the public interest in allowing the matching programme outweighs the public interest in adhering to the conditions for the lawful processing of personal information; and
- the scale of the information matching is excessive, taking into account the number of responsible parties or operators that will be involved in the programme; and the amount of detail about a data subject that will be matched under the programme.

(b) Information officer

The Act makes provision for the appointment of information officers in public and private bodies to work with the Regulator. In terms of the Act, the head of a public body or a private body is designated as the information officer of that body. The PoPI Act defines an “information officer” with reference to the definition of information officers in the PAI Act. The same person who in terms of the PAI Act is acting as the information officer of an entity will also be the information officer in terms of the PoPI Act. The responsibilities of such an officer include the encouragement of compliance by the body with the conditions for processing, dealing with requests made to the body pursuant to the Act, helping the Regulator with its investigations of the body, and otherwise ensuring compliance by the body with the provisions of the Act. These officers must be registered by the responsible party with the Regulator. The Act provides that deputy information officers may be appointed and the powers and duties of the information officer may be delegated to these deputy information officers.

H Codes of conduct

The purpose of a code of conduct is to translate legislative provisions into practical application in the specific information-sector involved.

(a) Issuing codes of conduct

In terms of the Act, the Regulator may issue codes of conduct for any specified information, body, activity, industry, profession or vocation or any class of information, bodies, activities, industries, professions or vocations. A code of conduct must incorporate all the conditions for lawful processing of personal information and prescribe how the conditions are to be applied in the particular sector of society. The code must also specify appropriate measures to protect the interests of data subjects if information matching programmes are used, or if automated decision making is employed. A code of conduct must provide for the review of the code by the Regulator and for the expiry of the code.

The Regulator may issue the code on its own initiative or on the application of a body which is sufficiently representative of the bodies, industry, profession, or vocation for which the code is to be issued. When considering issuing a code of conduct, the Regulator must give notice of this in the Gazette. The Regulator must also invite submissions on the proposed code. The code may only be issued once the Regulator has considered the submissions and is satisfied that all persons affected by the proposed code have had a reasonable opportunity to be heard.

Once the code has been issued, the Regulator must give notice of this in the Gazette and make copies of the code available for inspection or for purchase.

The Regulator may also amend or revoke a code, by following the same steps as when the code was issued.

Representative bodies may also propose codes of conduct which the Regulator should then consider for approval. The Regulator may provide written guidelines to help the bodies to develop codes of conduct, or to help them apply approved codes of conduct. The guidelines may also provide guidance on handling complaints under the approved codes or may give guidance on the issues the Regulator takes into account when deciding whether to approve a code of conduct, or amend or revoke an approved code. When the code of conduct is for the processing of personal information for exclusively journalistic purposes, the Regulator must take into account the guidelines provided in the Act in the relevant section.

The Regulator must give everyone who has “a real and substantial legitimate interest” in the matters in the guidelines an opportunity to comment on them. The guidelines must be published in the Gazette.

The Regulator must keep a register of all approved codes of conduct. This register must be available to the public.

The Regulator may on its own initiative review the operation of an approved code of conduct. The Regulator may consider the process for dealing with complaints, inspect the records of the adjudicator or interview an adjudicator for the code, consider the outcome of complaints or appoint experts to review provisions of the code that require expert evaluation.

(b) Dealing with complaints under the code of conduct

The code must provide for the appointment of an independent adjudicator to whom complaints must be made. The adjudicator is in other words responsible for the supervision of information processing activities in the particular sector covered by the code of conduct. The Regulator will, however, retain oversight authority.

A code may prescribe procedures for dealing with complaints alleging a breach of the code, provided the code meets the standards and guidelines for dealing with complaints prescribed in terms of the Act. The adjudicator must have regard to the same matters that the Regulator must take due regard of when considering complaints. The adjudicator must annually submit a report to the Regulator on the operations of the code in that year. The report must also include the number of complaints made and the nature of the complaints made in that year.

If a responsible party does not agree with an order or direction issued by an adjudicator who investigated a complaint in terms of the code, the responsible party may submit a complaint to the Regulator.

(c) Effect of failure to comply with the code of conduct

Failure to comply with a code of conduct is considered to be a breach of the conditions for lawful processing of personal information. Such a breach has specific consequences which are dealt with under chapter 10, dealing with enforcement of the Act.

I Enforcement

The provisions of the Act are enforced by the Regulator or by private parties who institute civil actions.

Chapter 9: Data Privacy Law
(a) Enforcement by the Regulator

(i) Overview

Before discussing the specific provisions in more detail, an overview is given of the enforcement process.

Under the Act, a person can either lay a complaint about an infringement or ask for an assessment (audit) of processing activities.

A complaint can be made to the Regulator that there is an interference with the protection of personal information of a data subject. The Act lists specific actions which will be considered as an interference with the protection of personal information. After receiving the complaint, the Regulator can take certain actions, such as to conduct a pre-investigation, act as conciliator between the parties, conduct a proper investigation, refer the complaint to an Enforcement Committee, refer the complaint to another Regulatory body, or settle the complaint. The Regulator may also decide to take no action. Should it decide to investigate the proceedings, the Regulator may summon persons to give evidence or produce records, administer oaths, and receive evidence. If required, the Regulator may also request that a warrant be issued enabling the Regulator to enter premises, carry out inspections, seize anything covered by the warrant and have private interviews with persons on the premises. A complaint may also come to the Regulator via a process followed in terms of a code of conduct. Any person may lay a complaint, including a data subject and a responsible party. The Regulator may also decide on its own initiative to launch an investigation.

Instead of examining a complaint, an assessment (audit) can be made of processing activities. The Regulator may issue a report requiring the responsible party to take specific steps to implement any recommendations. Such a report is equivalent to an enforcement notice.

The Regulator may serve an information notice on a responsible party in order to supply the Regulator with information needed to either evaluate a complaint that interference with the personal information of a data subject has taken place, or to make a proper assessment.

After completing an investigation into a complaint, the Regulator may decide to refer the matter to an Enforcement Committee who must make recommendations to the Regulator on the actions which should be taken. After considering the result of the investigation by the Enforcement Committee the Regulator may serve the responsible party with an enforcement notice if the Regulator is of the opinion that there was an interference with the personal information as stated in the complaint. The enforcement notice will direct the responsible party to stop processing information or to take certain steps, or refrain from taking certain steps.

A responsible party has a right of appeal against an information notice and an enforcement notice.

Any person who obstructs the responsible party in performing its functions or who fails to comply with an information notice or an enforcement notice is guilty of an offence.

The Regulator may also impose administrative fines on responsible parties who have committed an offence, instead of instituting a criminal prosecution. Offences and fines will be discussed below.

(ii) A complaint of “interference with the protection of personal information of a data subject”

Complaint

Any person (not only a data subject) who feels that an interference with the protection of personal information of a data subject has taken place may approach the Regulator with a complaint, in the prescribed manner and form. A data subject or responsible party who has lodged a complaint in terms of a code of conduct and who feels aggrieved about the determination of the adjudicator may also submit a complaint to the Regulator. The Regulator may also on its own initiative decide to launch an investigation into an interference with the personal information of a data subject.

The Act lists certain activities which are considered to be an interference with the protection of personal information of a data subject namely, a breach of the conditions for lawful processing; non-compliance with the requirement that notification must be given to the Regulator and the data subject of a security compromise; non-compliance with the duty of confidentiality imposed on persons working for the Regulator; non-compliance with the provisions for direct marketing by means of unsolicited electronic communications; non-compliance with the provisions regarding directories; non-compliance with the provisions regarding automated decision making; non-compliance with the provisions regarding transfers of personal information outside South Africa; and lastly, a breach of the provisions of a code of conduct.

The complaint must be made in writing, but if the person cannot do that on his or her own, the Regulator must give reasonable assistance to the person to put the complaint in writing.

Actions on receiving complaint

On receiving a complaint, the Regulator must decide which steps to take. The Regulator may decide to act as conciliator between the parties, conduct a proper investigation, refer the complaint to an Enforcement Committee, refer the complaint to another regulatory body, settle the complaint, or take further action as contemplated
by the Act. The Regulator may also decide to take no action. The Regulator must inform the complainant and the responsible party involved of the course of action it will follow.

The Act lists several grounds on which the Regulator may decide not to investigate, such as that an investigation of the complaint is no longer practicable or desirable, because of the length of time that has elapsed after the alleged infringement took place; or because the subject-matter of the complaint is trivial or the complaint frivolous or vexatious or not made in good faith; or that the complainant does not have a sufficient personal interest in the complaint; or that the complaints procedure of a code of conduct that is applicable has not been properly followed.

The Regulator could also act as a conciliator and try to reach a settlement between the parties if that appears to be feasible.

The Regulator may refer the complaint to another regulatory body if the complaint relates to a matter that falls within the jurisdiction of that body.

The Regulator may decide to investigate the complaint. Before doing the investigation, the Regulator must inform all the parties involved of the Regulator’s intention to conduct an investigation. The responsible party must receive details of the complaint and should have an opportunity to give a written response to the Regulator.

For the purposes of investigating a complaint, the Regulator may summon and enforce the appearance of persons before it. It may also compel them to give oral or written evidence under oath and to produce any records and things the Regulator considers necessary to investigating the complaint.

The Regulator may obtain a warrant from a judge or magistrate on the grounds that there are reasonable grounds for suspecting that a responsible party is interfering with the protection of the personal information of a person, or that an offence under the Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information. After receiving a warrant, the Regulator may enter the premises in order to search, inspect, examine, operate and test any equipment found there and used or intended to be used for the processing of personal information. The Regulator may also inspect and seize any record, other material or equipment found which it considers evidence. Communications between a legal advisor and his, her or its client are exempt from these powers of search and seizure.

Information notice

To make assessments or investigate complaints the Regulator may serve a responsible party with a so-called “information notice”. In this notice, the Regulator may require the responsible party to furnish the Regulator with a report indicating that the processing is conducted in compliance with the principles of the Act or with other specified information relating to the notice or to the party’s compliance with the principles.

Enforcement Committee

After finishing an investigation, the Regulator may refer a complaint, or any other matter investigated, to the Enforcement Committee established by the Regulator. The Committee must inform the Regulator of its finding and make a recommendation in respect of the action that should be taken by the Regulator. The Regulator may also refer matters to the Committee in terms of the PAI Act. The Committee must make recommendations to the Regulator about both the PoPI Act and the PAI Act.

Enforcement notice

Another notice available to the Regulator is the so-called “enforcement notice”. Whereas the purpose of the information notice is to gather information, the enforcement notice seeks to enforce the responsible party’s compliance with the Act. If the Regulator is satisfied that a responsible party has interfered or is interfering with the protection of a person’s personal information, it may serve the party with a notice requiring it to take certain steps, or to refrain from taking certain steps, and/or to refrain from processing personal information of a certain description or for a certain purpose. The responsible party may apply for a cancellation of the enforcement notice if due to a change in circumstances it is no longer necessary to comply with all the provisions of the notice.

Right of appeal

A person on whom an information or enforcement notice has been served may within thirty days of such service appeal to the High Court having jurisdiction for cancellation or variation of the notice. A complainant, who has been informed about the outcome of an investigation, may also appeal against the result of the investigation. The Court will allow the appeal and set aside the notice or decision if the Court is of the opinion that the notice or decision against which the appeal is brought, is not in accordance with the law, or that the Regulator has not exercised its discretion correctly.

(b) Civil remedies

A data subject may institute civil action against a responsible party for the interference with the protection of personal information of the data subject. The data subject need not prove intent or negligence on the part of the responsible party. The defences normally available to a defendant who is held strictly liable are available to the responsible party, namely vis major, consent of the plaintiff and fault on the part of the plaintiff. It is also a defence that compliance was not reasonably practical in the circumstances, or that the Regulator has granted an exemption in terms of section 37.

The Regulator may also institute the action on behalf of the data subject if the latter requests it. Internationally it is expected from data privacy laws providing “adequate” data privacy protection to provide, inter alia, support and help to individual data subjects in the exercise of their rights. The last-mentioned provision is therefore commendable.

The data subject (or Regulator) may claim compensation for patrimonial and non-patrimonial damages suffered by him, her or it as a result of the responsible party's interference. Aggravated damages may also be claimed. The amount awarded as aggravated damages is left to the discretion of the court. The manner in which damages recovered by the Regulator should be distributed is provided for in detail. A civil action may be withdrawn, compromised or abandoned, but any agreement or compromise reached must be made an order of the court.

J Criminal offences, penalties and administrative fines

(a) Criminal

The Act creates several offences for which a person can be fined, imprisoned, or both. Some offences are considered more serious than others. A person convicted of a serious offence is liable to a fine or to imprisonment for a period not exceeding ten years, or to both a fine and imprisonment. For less serious offences, a fine or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment, may be imposed.

Serious offences include the hindering, obstruction or unlawful influencing of the Regulator, or someone acting on its behalf, in the performance of its duties and functions; the failure by a responsible party to comply with an enforcement notice; a witness knowingly giving false evidence; and an unlawful act by either a responsible party or a third party in connection with an account number. Less serious offences include the failure by a responsible party to notify the Regulator of processing that is subject to prior notification; a breach of the duty of confidentiality imposed on persons acting on behalf of the Regulator; any person intentionally obstructing the execution of a warrant or, without a reasonable excuse, failing to give assistance to a person executing a warrant; a responsible party knowingly or recklessly making a false statement when served with an information notice; and an unlawful act by a witness.

A magistrate’s court has jurisdiction to impose these penalties.

857 S 105 (responsible party) and s 106 (third party). An account number is any unique number assigned to a data subject or jointly to more than one data subject (s 105(%)). A responsible party commits an unlawful act with regard to a unique number if it fails to ensure that the conditions for lawful processing are complied with (s 105(1)). Such failure will only be considered an offence if it is of a serious and […] nature and likely to cause substantial damage or distress to the data subject […]. It is a valid defence that the responsible party has taken all reasonable steps to comply with the conditions for lawful processing (s 105(4)).

A third party commits an unlawful act with regard to a unique number if the third party knowingly or recklessly, without the consent of the responsible party, obtains or discloses a data subject's account number or procures the disclosure of the number to […] (s 106(1)). It is also an unlawful act to sell the account number after obtaining it unlawfully (s 106(3)). An advertisement that an account number is for sale, is considered an offer to sell the information (s 106(5)). The following will be considered valid defences under this section: (a) if the obtaining, disclosure or procuring of the account number was (i) necessary for the purpose of the prevention, detection, investigation or proof of an offence; or (ii) required or authorised in terms of the law or in terms of a court order; (b) if the third party acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the number to the other person; (c) if he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or (d) if in the particular circumstances the obtaining, disclosing or procuring was in the public interest (s 106(2)).

S 104(1). In terms of s 104(1) the following are considered to be acts by witnesses: if the person without sufficient cause fails to attend the proceedings where he or she must be a witness, or fails to remain in attendance until conclusion of the proceedings or until he or she is excused from further attendance; or having attended, refuses to be sworn or to make an affirmation as witness; or having been sworn or having made an affirmation, failing to answer fully and satisfactorily any question lawfully put to him or her; or failing to produce any book, document or object which he or she has been summoned to produce.

(b) Administrative fines

The Regulator may decide to offer the offending party the option of paying an administrative fine, rather than instituting criminal proceedings. This is done by serving an infringement notice on the offending party. In the notice, the offending

party must be informed that he or she must, within 30 days, pay the fine, arrange with the Regulator to pay the fine in instalments, or elect to be tried in a court instead. Failure to comply with the notice within the permitted time will result in the administrative fine becoming recoverable. The Regulator may file a statement with the clerk or registrar of a competent court setting out the amount payable, whereupon the statement has the same effect as a civil judgement. The maximum fine that may be imposed is R10 million. This amount may be adjusted by the Minister from time to time.

868 S 109(10). The section prescribes a formula as to how the increase must be determined.

Once a criminal prosecution has been started against the offending party, the Regulator may no longer impose an administrative fine on the same set of facts. Equally, once the offending party has paid an administrative fine, the Regulator may not prosecute the offending party on the same set of facts.

K Transborder information flows

Article 25 of the European Union’s 1995 Data Protection Directive prohibits member States of the European Union from allowing the transfer of personal information to third countries without an adequate level of data protection. The reason for this prohibition is, of course, to prevent the circumvention of data-protection laws in EU countries by data controllers’ sending personal information out of EU member countries and processing it in non-member countries without data-protection laws.

It has also been pointed out that one of the objects of the Act is to establish mechanisms or procedures in harmony with international prescripts. In order to meet international standards, therefore, South African data privacy law will have to regulate transborder information flows of personal information to countries without adequate data privacy protection.

The Act therefore deals with transborder information flows in Chapter 9. In terms of the Act, a responsible party may only transfer personal information about a data subject to a third party who is in a foreign country, if certain grounds for the transfer are present. First of all, the transfer may take place if the recipient of the information is subject to a law, binding corporate rules or binding agreement which effectively upholds principles for reasonable processing that are substantially similar to the conditions for lawful processing as found in the Act. It must include provisions relating to the further transfer of information from the recipient to third parties in foreign countries which are substantially similar to the provisions of the Act. In essence this provision means that personal information may be sent across South African borders if the information will be subject to adequate data privacy protection rules in the foreign country.

Other grounds on which personal information may be transferred, are if the data subject consents to the transfer, or the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

These provisions are very similar to those of article 26 of the General Data Protection Directive. All the explanations provided there are also relevant here.

870 Directive 95/46/EC.

871 Binding corporate rules are defined in Act 4 of 2013 s 72(2)(a) as meaning “personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country”.

873 The EU Working Party has found that a law which does not include provisions relating to the further transfer of information once it has been transferred from the original country, cannot be considered as providing adequate data protection.

L Evaluation of the Protection of Personal Information Act

The Act sets out to establish mechanisms or procedures in harmony with international prescripts to protect the privacy of personal information. It is important that the data privacy law adopted by South Africa should be considered as providing “adequate” data privacy in order to secure South Africa’s participation in international trade.

The Act complies in all important aspects with international standards. It is a comprehensive, general law that governs the processing of personal information by both the public and the private sectors. It provides for a set of data privacy principles; provides heightened protection for sensitive information; establishes an independent oversight body to ensure compliance; and gives data subjects such rights as the right to be informed of the processing of personal information relating to them, of access to that information and to have incorrect information rectified, and provides subjects with civil remedies to enforce their rights. In addition, the Act addresses the transfer of personal information across national boundaries, the taking of automated decisions about individuals and the use of personal information for direct marketing.

All in all, the Act is an excellent piece of legislation and it is hoped that it will become fully operative soon.

9.5.2.7 Interception of electronic communications

A Introduction

The privacy of communications is expressly protected under the Constitution. However, as stated above, any fundamental right may be limited by means of a law of general application, provided that the limitation is reasonable and justifiable in an

open and democratic society. The Regulation of Interception of Communications and Provision of Communication-Related Information Act is an Act of general application. Whether all its provisions are reasonable and justifiable in a democratic society, has not been tested yet.

The South African Law Commission started a project in 1998 researching the possibility of amending the then current interception Act, the Interception and Monitoring Prohibition Act, to bring it in line with international standards and the requirements of the South African Constitution. It was also important to bring any new legislation in line with the Council of Europe Convention on Cybercrime, given that South Africa is one of the signatory States to the Convention and that signatories to this Convention are required to enact measures consistent with it.

The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RIC Act or RICA) was eventually enacted on 30 December 2002. It came into operation on 30 September 2005 and repealed the Monitoring Prohibition Act, which focused primarily on telephone and postal communications; the RIC Act covers all communications networks. Crucially, it conforms to the requirements of the Convention on Cybercrime.

The RIC Act regulates the interception and monitoring of communications in both the public sphere (by law-enforcement agents for law-enforcement purposes) and the private sphere (including, for example, the interception by employers of employees’ e-mails). It also regulates the provision of real-time or archived communication-related information (that is, traffic and location data) by a telecommunication service provider.

S 36 of the Constitution of the Republic of South Africa, 1996.

Act 70 of 2002 (the RIC Act). Also see par 2.6.4 above for an overview of the Act.

See par 2.4.4.1 above.

South Africa Law Reform Commission […] Project 105, 78, available at www.doj.gov.za/salrc (accessed 20 May 2007).

Act 127 of 1992.

Convention on Cybercrime (Budapest, 23 November 2001; TS […] (2004)).

Also see Chapter 10, below, on defamation and Chapter 4, above, on cybercrime.

S 40 came into effect on 30 June 2006. In terms of this section, no telecommunications service provider may activate a SIM card, or allow the use of any cellular phone on its telecommunication system, unless the service provider records and stores the particulars of the SIM card or cellular phone. The full names, identity number and residential, business and postal address of each person who requests that a SIM card be activated or a cellular phone be allowed to be used with a SIM card must also be recorded and stored. This means that “pay-as-you-go” services can no longer be used […].

EPIC and Privacy International Privacy and Human Rights (2005) 627.

See also Bawa “The Regulation of the Interception of Communications and Provision of Communication-Related Information Act” 308.

Ss 12-15 of Act 70 of 2002.

B Provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act relevant to privacy

(a) Provisions relating to communications

(i) General prohibition on interception of communications

The RIC Act prohibits the intentional interception of (or attempt to intercept, or authorisation or procurement of any other person to intercept) “any communication in the course of its occurrence or transmission in the Republic”, unless an exception is applicable.

Intercepting a communication means intercepting the content of the communication; in other words, a device is used to make some or all of the content of a communication available to someone other than the intended recipient of the communication. Interception includes monitoring, viewing, examining, or diverting the communication from its intended destination.

Interception of a communication in contravention of the Act is an offence, and the person committing it could be fined an amount not exceeding R2 million or be imprisoned for a period not exceeding ten years.

S 2(8) of Act 70 of 2002. A direct communication must be intercepted “in the course of its occurrence” and an indirect communication “in the course of its transmission by means of a postal service or telecommunication system” (s 1(2)(a)). An indirect communication can also be intercepted while it is being stored, since in terms of s (1), “the time during which an indirect communication is being transmitted by means of a telecommunication system includes any time when the telecommunication system by means of which such indirect communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.” A reference in the Act to the interception of a communication does not include a reference to the interception of any indirect communication broadcast or transmitted for general reception (s 1(3)).

890 According to s 1(1) intercept means “the aural or other acquisition of the contents of any communication through the use of any means, including an interception device, so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication, and includes (a) the monitoring of any such communication by means of a monitoring device; (b) the viewing, examination or inspection of the contents of any indirect communication; and (c) the diversion of any indirect communication from its intended destination to any other destination; and “interception” has a corresponding meaning”.

The RIC Act distinguishes between two types of communications, namely direct and indirect communications. While the prohibition on interception relates to both types of communication, the distinction is of importance for the exceptions the Act provides.

“Direct communication” means audible, oral communication between two or more persons that occurs in the immediate presence of all the persons participating, or an utterance by a person participating in an indirect communication if that utterance is audible to another person in the immediate presence of the person participating in the indirect communication. There are therefore two requirements for a

direct communication: the communication must be audible and the persons participating must be in each other's immediate presence. Face-to-face conversations will obviously be a direct communication. Direct communications can be intercepted by means of monitoring equipment such as hidden microphones or equipment that can pick up voices over a distance.

“Indirect communication” means the transfer of information, including a message or a part thereof, whether in the form of sound, such as speech or music, or data, text, visual images, signals, radio frequency spectrum or a combination of forms that is transmitted by means of the postal service or a telecommunication system. Indirect communications must be transmitted between the participants to the communication because they are not in each other's presence. Examples of indirect communications are telexes, faxes, SMSs, e-mails or interactions with a website.

The question arises whether a conversation between the two parties on a telephone is a direct or an indirect communication. The parties are not in each other's immediate presence, and it therefore seems as if in terms of RICA a telephone conversation is an indirect communication. However, traditionally telephone conversations were considered to be direct communications for the purpose of concluding an agreement, because, it was argued, the parties are for all intents and purposes in each other's presence, and following this reasoning, VOIP will also be a direct communication. Some commentators on RICA support this view.

In my opinion the legislature intended telephone conversations to be a form of indirect communication. For example, the definition of “cellular phone” expressly states that it means any fixed or mobile cellular apparatus or terminal which is capa-

(ii) Exceptions to the general prohibition

The RIC Act allows the intentional interception of communications
- under an interception direction;
- by a party to the communication;
- with the consent of a party to the communication;
- in connection with the carrying on of a business (this applies to indirect communication only);
- to prevent serious bodily harm;
- for the purposes of determining a person’s location in an emergency; and
- when the interception is authorised by certain other Acts.

The monitoring of signals or radio frequency spectrum is allowed for
- the installation or maintenance of equipment, facilities or devices, or
- managing radio frequency spectrum.

An interception direction is a written direction issued by a designated judge at the request of a law-enforcement officer. The interception direction authorises the person to whom it is addressed to intercept any communication to which that direction relates. An indirect communication may also be intercepted by a postal service
ble of connection to a cellular telecommunication system and which is used by a if the postal service is directed to do so in the interception direction.
customer to transmit or receive indirect communications over such telecommunication The issuing of the direction is within the discretion of the judge. Before the judge
system.
can issuc the direction he or she must be satisfied that there are reasonable grounds
for believing that the matter involves the commission of a serious offence or that the
gathering of information concerning an actual threat to the public health or safety,

895 “Monitoring device” means “any ¢h chi Mor other ii device, i or An unintentional interception does not fall within the ambit of the Act (see s 2)-
apparatus which ts used or can be used, whether by itself or in combination with any other instrument, $3.
device, equipment or apparatus, to listen to of record any communication” (s I of Act 70 of 2002). SRSse2R8 S4.
Sich). Ss.
See par 6.2.2.3 above.

$6.
See Tel Pada Investigation Bureau (Pty) Lid 9 Van 7st 1965 (4) SA 475 (E}; S 0 Henckert 1981 (3) SA $7.
445 (A) 4518. S8
See par 6.2.2.2 and 6.2.23 above. Such as the Correctional Services Act 111 of 1998 —s 9.

See eg Aldaheff and Cohen “Functionality of valueadded network service providers and their 910 For more detail, see s 10 of Act 70 of 2002.
liabélity” 240_ SIE For more detail, see s 11.
$ 101). See also Tana Pistorius “Monitoring, interception and big boss in the workplace: is the 912 S 1616).
devil in the details?” 2009(1) PERT: 913 Ins | a “designated judge” is defined as any judge of a Iligh Court discharged from active service
“Indirect communication includes telephone calls (land line and cellular); intranet, internet, or any retired judge who is designated by the Minister to perform the functions of a designated
facsimile facilities, private and personal email messages, tracking devices in company cars; SMS
judge for the purposes of the RIC Act.
messages and voicemail mexages.”
914 Ins} an “applicant” for an inspection direction is defined as including all of the following: an
And see Luck “Walking a fine fine between crime prevention and protection of rights” 2014
officer of the SAPS, an officer of che Department of Defence, a member of the Intelligence Ser-
(fan/Feb)
De Refus 30-
RICA regulates ‘direct communications’ and “indirect i
"which
are defined vies, a ber of
2 Lnw-enfe anda ber of the Independent Complaints Di-
broadly to include, bat are not limited to, e-mail and mobile phy and
nications that deploy text, data and visual images or a combination of the above. 915 S$3ta.
96 S38).
national security or compelling national economic interests is necessary — the so-called section 16(5) grounds.

Conditions and restrictions may be attached to the direction.

Interception by a party to the communication
Any person may intercept a communication if he or she is a party to the communication, unless the communication is to be intercepted for the purposes of committing an offence. In other words, should the communication be intercepted to, for example, blackmail the other party, the interception will not be permitted by the Act. When a law-enforcement officer wants to intercept the communication on this ground, the officer must be one of the parties to the communication and the interception must be necessary in terms of section 16(5).

Interception with the consent of a party to the communication
Any person may intercept a communication if one of the parties to the communication has given prior written consent to such interception, unless the communication is to be intercepted for purposes of committing an offence.

When a law-enforcement officer wants to intercept the communication with the consent of a party to it, he, she or it must be satisfied that there are reasonable grounds to believe that the party who has given consent will participate in a direct communication, or send or receive an indirect communication, and that the interception of such direct or indirect communication is necessary in terms of section 16(5).

Interception to prevent serious bodily harm
This exception is only available to law-enforcement officers. A law-enforcement officer must be of the opinion that the communication must be intercepted urgently to prevent serious bodily injury to another person and that it is not reasonably practicable to do so pursuant to an oral or written direction. However, the sole purpose of the interception must be to prevent serious bodily harm. The telecommunications service provider is obliged, upon receipt of such a request, to route the duplicate signals of the indirect communication concerned to a designated interception centre. As soon as practicable after issuing the request, the law-enforcement officer must provide the telecommunications service provider with written confirmation of the request, setting out the relevant information. This confirmation must also be submitted to a [...], together with an affidavit setting forth the results of the interception and the information obtained.

Interception for the purposes of determining a person's location in an emergency
When a party to a communication receives information from the other party to the communication (the “sender”), which reasonably leads that party to believe that an emergency exists (for example, that a person's life is in danger — be it the sender's or someone else's) and the sender's location is unknown to him or her, he, she or it may ask a law-enforcement officer to request the telecommunications service provider to intercept the communication from the sender. The law-enforcement officer must be of the opinion that determining the location of the sender is likely to be of assistance in dealing with the emergency. The request can be made orally, but must be confirmed in writing afterwards.

The party to the communication cannot personally make the request to determine the location of the sender; the request must be made by a law-enforcement officer. The telecommunications service provider must comply with the request and determine the location in any manner it deems appropriate.

Interception authorised by the Correctional Services Act
Any communication may be intercepted in a prison, provided such interception takes place in terms of regulations made under the Correctional Services Act.

Interception of indirect communication in connection with the carrying on of a business
Interception of electronic communications in the workplace is regulated by section 6 of the RIC Act. Only indirect communications (such as telephone calls, e-mail, faxes,

917 S 16(5) provides as follows:
“An interception direction may only be issued if the designated judge concerned is satisfied, on the facts alleged in the application concerned, that –
(a) there are reasonable grounds to believe that –
(i) a serious offence has been or is being or will probably be committed;
(ii) the gathering of information concerning an actual threat to the public health or safety, national security or compelling national economic interests of the Republic is necessary;
(iii) the gathering of information concerning a potential threat to the public health or safety or national security of the Republic is necessary;
(iv) the making of a request for the provision, or the provision to the competent authorities of a country or territory outside the Republic, of any assistance in connection with, or in the form of, the interception of communications relating to organised crime or any offence relating to terrorism or the gathering of information relating to organised crime or terrorism, is in –
(aa) accordance with an international mutual assistance agreement; or
(bb) the interests of the Republic's international relations or obligations”.
918 S 16(6).
919 S 4. For purposes of s 4, a “party to the communication” is defined in s 1 in the case of a direct communication (face-to-face communication or telephone call) as any person participating in the communication or to whom such direct communication is directed, or in whose immediate presence the communication occurs and is audible to that person, regardless of whether or not the direct communication is directed to him or her. In the case of an indirect [...] of such [...], or any other person who, at the time of the occurrence of the indirect communication, is in the immediate presence of the sender or the recipient [...].
920 S 4(2).
921 S 5. [...] is defined in s 1 as in the case of a direct [...] or to whom such direct communication is directed. In the case of an indirect communication, the sender or the recipient(s) or intended recipient(s) of such [...]
922 S 5(2).
923 S 7(1).
924 S 7(2). Interception centres are established in terms of s 32(1)(a).
925 See s 7(3) and (4) for more detail.
926 S 8.
927 Act 111 of 1998. See s 9(1) of Act 70 of 2002.
928 Also see Pistorius “Monitoring, interception and big boss in the workplace: is the devil in the details” 2009 (1) PER 1.
SMSs, and interactions with websites) may be intercepted. Face-to-face communications are therefore excluded. Letters will also be excluded since they are not transmitted over a telecommunication system.

The meaning of indirect communication is limited by section 6(1) to an indirect communication by means of which a transaction is entered into, or which otherwise relates to the business, or takes place in the course of carrying on of the business. Arguably, most personal indirect communications of employees (such as their e-mails), in respect of which such employees make use of their employers' communication systems, can be said to “otherwise [take] place in the course of carrying on of the business”.

Section 6(2) of the RIC Act sets certain requirements that must be met before interception will be permitted in terms of section 6(1).

First of all, the interception must be effected by, or with the consent of, the system controller. “System controller” is defined at length, but in the case of a juristic person, for example, it is the chief executive officer of the juristic person.

Second, the system controller should have made all reasonable efforts to inform in advance intended users of the telecommunication system that interceptions may take place, or the interception must take place with the consent of the person who uses that telecommunication system.

Third, the telecommunication system concerned should be provided for use wholly or partly in connection with that business.

Fourth, the interception must be carried out for certain purposes, namely (a) to monitor or keep a record of indirect communications in order to establish the existence of facts, investigate or detect the unauthorised use of that telecommunication system, secure the effective operation of the system, or where this is done as an inherent part of the effective operation of the system; or (b) to monitor indirect communications made to a confidential voice telephony counselling or support service in certain circumstances.

Bawa explains the effect of section 6 for employers and employees:
“It is evident that section 6 permits the monitoring and interception of the e-mail of [...] and others who use email systems in a [...] and eliminating viruses and the like, and for the [...] control over company communications where it serves a legitimate interest and is done in the course of carrying on a business by or under the approval of the system controller. Employers should inform [...] and others who use their email [...] email [...]. Employees should also advise them of the circumstances under which the [...] to monitor and intercept the use of its telephone, facsimile facilities, Internet and e-mail. Care should be taken to include a specific provision that informs the user that e-mail, including personal email, may be monitored and intercepted by the employer. Employees should similarly be advised to inform the recipients of their emails that their emails may be monitored and intercepted. An easy method of informing users that emails may be monitored and intercepted [...] e-mail signatures informing users that the email may be monitored and intercepted.”

(b) Provisions relating to location and transaction (or traffic) data
The RIC Act prohibits a telecommunication service provider or its employees from intentionally providing any person other than the customer to whom the information relates with real-time or archived communication-related information. Communication-related information is the same as traffic and location data. It is defined in section 1(1) of the [...] as

any information relating to an indirect communication which is available in the records of a telecommunication service provider, and includes switching, dialling or signalling information that identifies the origin, destination, termination, duration, and equipment used in respect, of each indirect communication generated or received by a customer or user of any equipment, facility or service provided by such a telecommunication service provider and, where applicable, the location of the user within the telecommunication system.

It is obvious from this definition that location and traffic data only relate to indirect communications.

Real-time or archived communication-related information may be provided by a telecommunication service provider under a communication direction or on the written authorisation of the person to whom the telecommunication service is provided. The RIC Act also contains a procedure for applications for a decryption direction.

(c) Miscellaneous
The RIC Act deals with various other aspects which fall outside the scope of this chapter. The most important of these are the following:
- No telecommunications service provider may offer a telecommunication service that is not capable of being monitored.
- All the costs of ensuring surveillance capacity must be borne by the telecommunication service provider.
- Telecommunication service providers are required to store personal information on the persons to whom they supply a telecommunications service.

See Bawa “The Regul: of the fi ion of © S12 of Act 70 of 2002.



cation-Related Information Act” 315. S13.



S$ 6(2) (a). Si.



Sees 1. $21.
S$ 6(2)(a- of Interception ofC and Provisions of C
$6(2)(0-
S$ 6(2) (8). S$ 30(1): “Noowithstanding
any otter baw, 3 I ication service provider must (a) provide 2
Thad. 317. telecommunication service which has the capability so be intercepted: and (8) store commu
- A person who sells or provides cellular phones or SIM cards to other persons must keep personal information on the persons to whom such phones or SIM cards are provided.
- The owner of a cellular phone or SIM card (or another person who had it in his, her or its possession) that is lost, stolen or destroyed must report this loss, theft or destruction at a police station within a reasonable time of becoming aware of it. Failure to do so is an offence.
- Any person found in possession of any cellular phone or SIM card, in regard to which there is reasonable suspicion that it has been stolen, and who is unable to give a satisfactory account of such possession, is guilty of an offence.
- The Act imposes a general prohibition, subject to certain exceptions, on the disclosure of information by a person who has obtained the information in the exercising of his, her or its duties in terms of the Act.
- Any electronic, electro-magnetic, acoustic, mechanical or other instrument, device or equipment which can be used for the interception of communications must be declared by the Minister “listed equipment”. Subject to exceptions, such equipment may not be manufactured, assembled, possessed, sold, purchased or advertised.
- Various offences and penalties are provided for in the RIC Act.

(d) Conclusion
Any Act permitting surveillance and monitoring of communications will, of course, raise privacy concerns. It is argued, however, that a law of this nature is necessary in any modern country, including South Africa, given the threat of terrorism and the criminal uses to which certain telecommunications equipment is being put.

$4001).

S411).

Ssa(1).
$52.
$42.
S441).
S4s(1).
See Chapter
9 of Act 70 of 2002.
See Cohen “the Regulation of ption of © ications and Provisions of Cs
cation-telated Information Act” 12_
10
Freedom of Expression

10.1 Introduction
Freedom of expression is recognised and protected as a fundamental right in all democratic societies. Several international treaties contain provisions expressly guaranteeing this freedom. The right to freedom of expression is also guaranteed in section 16 of the South African Constitution, 1996 and is considered essential to our democratic society.

Section 16(1) protects all aspects of communication, in particular the freedom of the press and the media, the freedom to receive or impart information or ideas, freedom of artistic creativity, academic freedom and freedom of scientific research. However, section 16(2) excludes propaganda for war, incitement of imminent violence, or advocacy of hatred based on race, ethnicity, gender or religion from the protection of section 16(1). Furthermore, the right to freedom of expression is not absolute but is limited, as are all other rights in the Bill of Rights, by the limitations clause of section 36. In terms of this section, a right can be limited by a “law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”. Limits may therefore be set on the freedom of expression by the common law and legislation.

The Internet works on the principle that there should be an unrestricted flow of information across national boundaries. Freedom of expression in the Internet environment consequently means that Internet users should have the right to “receive and impart information and ideas” across national boundaries.

However, no State considers freedom of speech an absolute right and most countries impose limitations on freedom of expression. Freedom of expression is balanced with other rights (for example, an individual's right to fama, dignity or privacy) or with the State's interest in upholding public order (by for example enforcing laws prohibiting obscenity). These limitations may vary from country to country, depending on the value placed on freedom of speech as measured against these other interests.

This means that a publisher of a web page which is accessible from anywhere in the world may in principle have to comply with the most stringent limitations on freedom of speech in order to escape liability in a specific jurisdiction.

The rest of this chapter deals with some of the legal restrictions that may be imposed on freedom of expression on the Internet, namely rules pertaining to the infringement of a person's reputation (defamation) and prohibiting hate speech and pornography. The South African position is discussed, as is that in other jurisdictions where such a discussion is considered helpful or important.

10.2 Defamation on the Internet
10.2.1 Introduction
The law of defamation requires a balance to be struck between the claimant's right to reputation, on the one hand, and the defendant's freedom of expression, on the other. In order to strike the appropriate balance, a court must consider the general principles in the common law and in the Constitution which protect a person's dignity and freedom of expression.

1 See, for example, Amendment I to the American Constitution, which provides inter alia that “Congress shall make no law ... the freedom of speech, or of the [...]
2 For example, art. 19 of the Universal Declaration of Human Rights (UN Res 217A (1948)) declares that “[e]veryone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers”. See also art. 10 of the Convention on Human Rights (1950) and art. 19 of the International Covenant on Civil and Political Rights (1966).
3 S 16 of the Constitution provides that
“(1) Everyone has the right to freedom of expression, which includes –
(a) freedom of the press and other media;
(b) freedom to receive or impart information or ideas;
(c) freedom of artistic creativity; and
(d) academic freedom and freedom of scientific research.
(2) The right in subsection (1) does not extend to –
(a) propaganda for war;
(b) incitement of imminent violence; or
(c) advocacy of hatred that is based on race, ethnicity, gender or religion, and that constitutes incitement to cause harm”.
4 Khumalo v Holomisa 2002 (5) SA 401 (CC) 417; Director of Public Prosecutions (WC) v Midi Television t/a E TV 2006 (3) SA 92 (C) 98-99 para. [23].
5 See also Rautenbach and Malherbe Constitutional Law 338-339.
6 Burchell Personality Rights and Freedom of Expression: The Modern Actio Injuriarum 139.
7 Reed Internet Law: Text and Materials 2ed 256.
8 See art 10 of the European Convention on Human Rights, 1950.
9 An example of such a difference concerns the distribution of Neo-Nazi material, which is prohibited in Germany and France (by s 86 of the German Criminal Code and art. R645 of the French Criminal Code) but not in the United States.
10 Reed Internet Law 257.
11 National Media Ltd v Bogoshi 1998 (4) SA 1196 (SCA) 1207. See also Dow Jones & Co Inc v Gutnick [2002] HCA 56 (10 December 2002) in which the Australian High Court held that “the law of defamation seeks to strike a balance between, on the one hand, society's interest in freedom of speech and the free exchange of information and ideas (whether or not that information and those ideas find favour with any particular part of society) and, on the other hand, an individual's interest in maintaining his or her reputation in society free from unwarranted slur or damage. The way in which those interests are balanced differs from society to society” www.austlii.edu.au/cgi-bin/disp.pl/au/special/highered/cases (accessed 22 October 2006).
12 Burchell Personality Rights and Freedom of Expression 139.
The right to a good name or reputation has always been recognised in South African common law. Although the South African Constitution, 1996 does not specifically mention a right to good name as a constitutionally protected right, it makes provision in section 10 for a right to human dignity. This right is considered broad enough to include the right to a good name.

10.2.2 Defamation is a delict
Under South African law, defamation is a delict that consists of the intentional (or, in the case of the mass media, negligent) infringement of another person's right to a good name. This iniuria consists of the publication of words or behaviour that causes injury to the personality of the plaintiff, specifically his or her good name or reputation or the esteem in which he or she is held by the community. Injury to the personality is caused by the defamatory nature of the publication, which publication, in order to constitute an iniuria, should be made without justification and accompanied with the necessary intent (or negligence) on the part of the defendant. In South African law, the plaintiff need not allege or prove that the defamatory statement is false. Defamatory words that are true may therefore in principle also be actionable.

10.2.3 Requirements for liability
10.2.3.1 Publication (of words or behaviour)
In any delict, there needs to be conduct, namely a voluntary human act or omission. In the case of defamation, conduct consists of publication. In order to succeed with an action for defamation, the plaintiff must first allege and prove that publication or disclosure of defamatory words or behaviour took place. Without publication, the esteem in which the plaintiff is held by others cannot be infringed. In general, publication takes place if the defamatory words (or behaviour) are made known to at least one other person, apart from the plaintiff.

On the Internet, publication can take place by, for example, one's sending someone an e-mail message containing defamatory remarks about another (natural or
13 National Madia Lid 0 Rogoski 1998 (4) SA 1196 (SCA) 1215; Khumalo o Ilolomisa 2002 (5) SA #1 (OC) juristic) person (or its products).” posting a defamatory message on a bulletin board,
418-419; Burchell Personality Rights and Freedom of Expression 62; Necthling et al. Necthling’s Law of Per- or making a defamatory statement in a discussion forum of a website” or during a
sonality
27 fn. 283.
4 erro saa Aorigast orem nett eerie pT: in most jurisdic
videoconference taking place via the Internet
the publi fon about the plaintiff that resules in damage Publication may consist of defamatory words, sketches, cartoons or digital photos.”
siege er eeu perp cram measase carat roma ce MEI When another person, other than the person being defamed, reads the defamatory
someone other than the plaintiff. In some jure fons fault ix not required, whereas in others it is
required in one form or another. In the USA, for example, a public figure can only be: defamed if
e-mail, message oF statcment, oF sees the video, sketch, cartoon or photo, publi-
“actual malice” was present. See Reed /nierna Law 113; New York Times Co 0 Sullican 376 US 254 cation takes place.”
(1964).
6 (Common law juriadictions such as those of the USA and England wie the term “tort”, not “delict™. In
South African law, the State:
may also pr serious ch ion as a crime (Sny Criminal Law 2 ‘This position differs from that in the USA, where, owing to the influence of the First Amendment
48-461)- However, Teer e Pine Renner Bee ce te he on the bow of di fon, truth
is an and the rests on the plaintiff
to estab-
of the “ inhibit freedom of expression and media freedom” (see Burchell lish the falsity of the defendant's statements (see New York Times Co o Sullioan 376 US 254 (1964)).
Prins of Criminal a3 74). An may claw cours detaraton sarge 3 cried tat South African law of defamation further differs from Anglo-American law in that it does not draw a
ter (see UK Law € r jom and the I AP 7 Investigation
(2002) 33 para. distinction between libel (which involves a statement in fixed form such as writing) and slander
4.26, available at www lawcom.gov.uk/docs/defamation2 paf (accessed 26 Sepeember 2006)).. (which refers to a statement in cransient form, such as speech). See Phockin et al. (eds) E-Commerce
16 Please note that the ordinary principles of defamation low are also applicable to defamation pub- Law and Business § 13.02; Smith Internet Law and Regulation 172.
lished on social networks such as Facebook, and ‘Twitter, (see Duich ReformedChurch Vergesig 22 Neethling ct al. Necthling’s Law of Perwnality 131; Van der Wah and Midgley Principles of Delict 117
wv Rayan Sooknuman2012 (6) SA 201 (CSP; Heroldt © Wills 2013 (2) SA 5%) (CS}); Isparta
o Richter para. 82. In National Media Lid » Rogoski 1998 (4) SA 1196 (SCA) the court pointed out that, although
2013 (6) SA 529 (CNP); Mo B 2015 (1) SA 270 (KZP); > Facebook en the falsity of a statement is not an element of the defict to be pleaded and proved by the
Persoonlikheidsbeskerming
— uich Reformed Church o Sooknunan 2012 (6) SA 201 (CSI): Heroidt plaintiff, the truth may be an important factor in deciding the legality of the publication. Therefore,
Wills 2013 (2) SA 530 (CS)); Isparta o Richier 2018 (6) SA 529 (CNP)” 2014 Litnet Akademics the defendant may rely on the truth of the matter in justifying the publication. However, the ruth
http://www.litnet.co.za/Article/facebook-en-persoonlikheidsbeskerming (accessed 10 Jan 2015)) as well as other forms of defamation on the Internet (see Ketler Investments CC t/a Ketler Presentations v Internet Service Provider's Association 2014 (2) SA 569 (GSJ)). Neethling and Potgieter Law of Delict 7 ed 382; Singh “Social media and the Actio Iniuriarum in South Africa — An exploration of new challenges in the online era” 2014 Obiter 616; Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER 285.
17 A distinction is made between delicts that cause patrimonial damage (damnum iniuria datum) and those that cause injury to personality (iniuria) (see Neethling and Potgieter Law of Delict). Defamation infringes personality and is therefore an iniuria (Marais v Richard 1981 (1) SA 1157 (A) 1166).
18 See Le Roux v Dey 2011 (3) SA 274 (CC) 304.
19 Negligence may suffice in specific instances — for example, in establishing the liability of the mass [...]
20 Neethling et al. Neethling’s [...] Personality Rights and Freedom of Expression 142; Neethling and Potgieter Law of Delict 362-

[...] alone is not enough to justify publication: the publication must also be in the public interest. See Neethling et al. Neethling’s Law of Personality 131 fn. 18 and see para. 10.2.3.2B below.
23 The element of publication distinguishes this iniuria from insult (infringement of dignity). See Neethling et al. Neethling’s Law of Personality 131.
24 See Neethling et al. ibid.; African Life Insurance Ltd v Robinson & Co Ltd 1938 NPD 277 295; Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 120; Le Roux v Dey 2011 (3) SA 274 (CC) 4.
25 See, for example, Delta Motor Corporation (Pty) Ltd v Van der Merwe 2004 (6) SA 185 (SCA) in which the defendant had written an email to other persons in [...] about a product of the defendant. In this case it was held that the e-mail was not defamatory of the plaintiff's product.
26 See Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W).
27 See Ebersöhn “Online defamation” 2003 (Nov) De Rebus 18; Van Zyl “Online defamation: Who is to blame?” 2006 THRHR 139.
28 See Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 120.

Since conduct can also consist of an omission, a website owner's failure to remove defamatory material after becoming aware of it also constitutes conduct by the website owner.

In certain circumstances, publication is presumed to have taken place; the onus is then on the defendant to rebut this presumption. This is the case when the defamatory words are uttered within hearing distance of other persons, contained in a telegram or postcard or appear in a book, magazine or newspaper which has been sold. In these instances a presumption of publication exists because it can be expected, and is therefore probable, that others will hear or read the words. By analogy, all messages posted on electronic bulletin boards or on discussion forums should be presumed to have been published.

In the case of e-mails, publication takes place once the e-mail has been delivered to, opened and read by the recipient. The question arises whether it is appropriate to work with a presumption of publication once the defamatory e-mail has been sent by the plaintiff. The problem is that e-mails sometimes do not reach their intended destination, because, for example, the e-mail address of the recipient is typed incorrectly, a firewall blocks the message, or the software of the recipient does not support the file type used by the sender and cannot display the message properly. Midgley argues that a presumption of publication should arise when a defamatory e-mail that is not encrypted is sent to a third party. The presumption can then be rebutted if the defendant can show that the e-mail has not been delivered, opened and read. However, when it comes to encrypted e-mails, publication cannot be presumed.

The courts do not consider the disclosure of defamatory words or conduct to another person publication when that person is unaware of the meaning of the words or conduct or the defamatory nature thereof, because, for example, he or she is deaf, blind or illiterate, or because the words appear in a foreign language or secret script. However, should the person become aware of the defamatory nature of the words, publication is deemed to have taken place. By analogy, when a defamatory email message is sent to a person who cannot open or read it because the message is encrypted, it is suggested that publication does not take place until such time as the recipient can open and decrypt the message.

An important aspect regarding publication is that in South African law, as in English law, a new cause of action accrues each time a defamatory statement is disseminated. Therefore, publication takes place every time someone accesses a website containing defamatory words and reads the words, and every time an online archive containing defamatory material is “hit”. The United States, on the other hand, follows a “single publication” rule. This rule states that a single edition of a newspaper or book is considered a single publication, however many copies are distributed. American courts also apply this rule to publications on the Internet; the date of publication is the date on which the defamatory words were first put on the Internet, not when they were downloaded by a plaintiff.

Publication takes place even if it was by mistake. However, once it is clear that publication has taken place, the plaintiff must also show that the defendant is responsible for the publication. As a general rule, the defendant will be considered responsible for the publication if it was foreseen, or reasonably foreseeable, by the defendant.

An issue that had to be addressed in the past was whether a defendant who sent a defamatory letter to the plaintiff could be held liable for publication if another person opened the letter. The courts held that when the letter is addressed to the plaintiff in his or her private capacity, it is not reasonably foreseeable that someone

29 Also see Ebersöhn “Online defamation” [...] the person who fails to [...] to have republished it. In Byrne v Deane [1937] 1 KB 818, for example, the proprietors and directors of a golf club failed to remove a defamatory lampoon from the club's bulletin board and were held responsible for republication. See also Hellar v Bianco 111 Cal App 2d 424, 244 P2d 757 (1952) where the proprietors of a public tavern failed to remove defamatory writing relating to the plaintiff from their toilet wall after being requested to do so by the plaintiff's husband. The court held that knowingly permitting the matter to remain after a reasonable opportunity to remove it made the owner of the tavern guilty of republication.
30 By contrast, under American law it is not publication if a third party merely overhears a defamatory statement or intercepts a message without [...] Liberty Lobby Inc v Dow Jones & Co 838 F2d 1287 1298 (DC Cir 1988) cert denied 488 US 825 (1988).
31 See Neethling et al. Neethling’s Law of Personality 133; [...] 142 146; Pretorius v Niehaus 1960 (3) SA 109 (O); African Life Insurance Society Ltd v Robinson & Co Ltd 1938 NPD 277 295-297.
32 See Neethling et al. Neethling’s Law of Personality 133.
33 See Midgley “Cyberspace issues” 396; Van der Walt and Midgley Principles of Delict 117 para. 82.
34 See also Nel “Freedom of expression and the Internet” 198; Van Zyl “Online defamation: Who is to blame?” 2006 THRHR 142-143.
35 See Chapter 6, above, for the rules in this regard.
36 Midgley “Cyberspace issues” 397.
37 Vermaak v Van der Merwe 1981 (3) SA 78 (N) [...]; African Life Insurance Society Ltd v Robinson & Co Ltd 1938 NPD 277 295; Sutter v Brown 1926 AD 155 164. The communication of defamatory material regarding a third party between two spouses is also not considered as constituting publication (Whittington v Bowles 1934 EDL 142). [...] such cases publication does take place, but that liability is correctly denied on the grounds of public policy.

38 Vermaak v Van der Merwe [...]
39 See also
40 [...] Berezovsky v Michaels [2000] 1 WLR 1004; Loutchansky v The Times Newspapers [2002] 1 All ER 662 676, 2002 QB 321.
41 Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 1200-11. This is important for the determination of jurisdiction, in terms of the question where the cause of action arose, and prescription, since prescription will start to run as soon as publication occurs.
42 See Restatement (Second) of Torts (1977) § 577A.
43 See Wolfson v Syracuse Newspapers, Inc (1939) 279 NY 716; Gregoire v GP Putnam's Sons (1948) 258 NY 119. See further UK Law Commission Defamation and the Internet para. 2-51.
44 In Firth v State of New York (2002) 98 NY 2d 365 a report of a press conference was placed on a website on the day of the press conference. The plaintiff filed a claim more than a year later. The court held that the limitation period (prescription) had started when the information was first published on the Internet.
45 [...] or she acted [...] of wrongfulness), or not intentionally [...]
46 See Neethling et al. Neethling’s Law of Personality 133; Pretorius v Niehaus 1960 (3) SA 109 (O).
47 See Neethling et al. ibid.
48 [...] the letter. However, if the defamation is [...] publication will be [...]

else will open the letter. When the letter is addressed to a company or firm, however, it is foreseeable that a clerk, for example, in that business could open the letter.

Can an analogy be drawn between the sending of a letter and the sending of an e-mail? Can the situation in which a defamatory e-mail, intended for the person being defamed in the e-mail, is opened by someone else — for example, by a colleague substituting for the defamed person while he or she is on leave — be considered analogous to that in which a letter addressed to a person in his or her private capacity is opened by someone else? It has been suggested that an encrypted email could be seen as analogous to a letter marked “confidential” (that is, addressed to a person privately), whilst an unencrypted email is analogous to a letter in an unsealed envelope. If this analogy holds true, “interception” by a third party should not be considered foreseeable in either case, because it is not reasonably foreseeable that a letter posted to someone in his or her private capacity will be opened by someone other than the addressee; therefore the sender should not be considered responsible for the publication to the third party.

In addition to the person who originally made it, everybody who repeats, confirms, or draws attention to the defamatory statement will be held responsible for its publication. Therefore, the recipient of a defamatory e-mail who forwards it to other recipients is guilty of republication. The original publisher will not be held responsible for damage that flows from the republication, unless (i) republication was authorised or intended by the original sender, (ii) the republication was a natural or probable result of the first publication, or (iii) the first recipient was under a moral duty to repeat it to a third person and the original publisher was aware of that fact. In other words, the first publisher will be held liable for the republication if he or she foresaw the republication or the republication was reasonably foreseeable. Furthermore, when a website owner supplies a hyperlink on his or her website to a web page containing defamatory material, he or she draws attention to the defamatory material and is thus responsible for its publication.

In the case of the mass media (for example, magazines and newspapers), in addition to the author of a defamatory statement, the editor, printer, publisher and owner of the publication carrying the defamatory content are considered responsible for publication. The same principle should apply to magazines or newspapers published online. However, not all publications on the Internet should be equated with publications by the mass media. Whereas the distributors (such as newsvendors, libraries and booksellers) of a “hard copy” publication carrying defamatory content are also deemed to have published the defamatory material, one cannot, in an online context, always hold distributors of defamatory content liable for such content. It is not advisable to treat service providers and other third parties involved in providing the infrastructure through which information can be distributed on the Internet as one would distributors of hard copies: doing so would pose serious consequences for such third parties. Holding all of these third parties liable for publications made by (often anonymous) users of the infrastructure is unreasonable. These third parties are sometimes involved as mere conduits of information, with no knowledge of the content of the material they transfer. In such circumstances it is more appropriate to treat them as telephone-line providers rather than as distributors or vendors of publications in hard copy.

This highlights the first of two special issues regarding defamation on the Internet that needs to be discussed in more detail, namely intermediary liability for the content of publications on the Internet. The second problematic issue that needs to be considered in more detail is where publication takes place on the Internet. The answer is important for establishing jurisdiction and determining the applicable law.

10.2.3.2 Defamatory nature (wrongfulness)

A General test for wrongfulness: Boni mores

In order to be considered a delict, the conduct complained of must be wrongful in the sense that it conflicts with the legal convictions of the community (its boni mores). As far as defamation is concerned, the wrongfulness lies in the infringement of a person’s right to his good name. In order to determine the wrongfulness in a specific scenario, the question of whether the good name of a person has in actual fact (factually) been infringed, is irrelevant. In terms of the judgment handed down in Le Roux v Dey, the enquiry to determine the prima facie wrongfulness must now be done in two stages. The aim of the first stage of the enquiry is to determine the ordinary meaning of the statement — this is an objective enquiry as seen through the lens of the ordinary reasonable reader of the statement. During the second stage of the enquiry it has to be established whether the meaning of the statement is defamatory. This is also an objective enquiry, namely, whether in the opinion of the reasonable person with normal intelligence and development, the reputation of the person involved has been injured. If this is indeed the case, then the words or behaviour

49 See Neethling et al. Neethling’s Law of Personality 135; Pretorius v Niehaus 1960 (3) SA 109 (O).
50 Midgley “Cyberspace issues” 398.
51 See Neethling et al. Neethling’s Law of Personality 134; Hassen v Post Newspapers (Pty) Ltd 1965 (3) SA 562 (W) 564-65; African Life Insurance Society Ltd v Robinson & Co Ltd 1938 NPD 306.
52 See Vengtas v Nydoo 1963 (4) SA 358 (D) 393.
53 Neethling et al. Neethling’s Law of Personality 134 fn. 48.
54 Midgley “Cyberspace issues” 398 argues that a disclaimer on the original website, indicating that no liability arises from material found in linked sites, may be effective in helping the proprietor of the website avoid such liability.
55 See Neethling et al. Neethling’s Law of Personality 134; Potter v Badenhorst 1968 (4) SA 446 (E); Robinson [...]
56 See also Midgley “Cyberspace issues” 392.
57 This aspect is also of importance to the element of fault. See para. 10.2.3.3 below.

58 Neethling et al. Neethling’s Law of Personality 134.
59 These issues are discussed below in paras 10.2.7.1 and 10.2.7.2 respectively.
60 Neethling and Potgieter Law of Delict 3%.
61 2011 (3) SA 274 (CC) 305-306. The Court introduced into the law of defamation a new variation of the test for wrongfulness. This has been criticised as very unfortunate. The law of defamation, developed over a long period of time, has attained a certain clarity regarding its interpretation and application — introducing this new variation into the law of defamation has been unnecessary. See Neethling and Potgieter The Law of Delict 354 and the sources mentioned in fn 130.
62 Heroldt v Wills 2013 (2) SA 530 (GSJ) 542; Cele v Avusa Media Limited [2013] 2 All SA 412 (GSJ) par 10; Mthimunye v RCP Media 2012 (1) SA 199 (T) 202; South African National Defence Union v Minister of Defence 2012 (4) SA 382 (GNP) 398. Cf Ketler Investments CC t/a Ketler Presentations v Internet Service Provider's Association 2014 (2) SA 569 (GSJ) 581. Neethling and Potgieter Law of Delict 354.

are defamatory, and in principle (prima facie) wrongful in respect of that person. Neethling and Potgieter point out that this objective reasonable person test is of “decisive importance with regard to the question of wrongfulness in cases of defamation. This test must be seen as a particular embodiment of the boni mores or reasonableness criterion, which is the general yardstick for wrongfulness (and must not be confused with the reasonable person test for negligence).”

The reasonable reader or listener is someone with normal emotional reactions, is a member of the wider community and not of a small segment thereof, is not oversensitive and subscribes to the values of the Constitution.

Burns points out that the ordinary reader may differ from one instance to another — for instance, a higher standard of education and intelligence may be imputed to the readers of certain newspapers or journals than that ascribed to readers of other newspapers or journals. If the alleged defamatory publication takes place on the Internet, the yardstick for determining wrongfulness should, logically speaking, be the reasonable Internet user.

When applying the reasonable-reader or reasonable-listener test, the defamatory words must be interpreted in the context in which they appear. Abusive language is generally not defamatory, because it does not have the effect of lowering the esteem in which a person is held in the community. On the Internet, the use of abusive language is referred to as “flaming” and is a common occurrence on some newsgroups or bulletin boards.

The general presumption is that words have an innocent meaning until the plaintiff proves otherwise. Words should be given their primary meaning, but the plaintiff may demonstrate that the words have a secondary, defamatory meaning (innuendo). When innuendo is present, words or pictures which are seemingly innocent become defamatory because of inferences drawn by the readers. For example, innuendo can arise in the Internet context if seemingly innocent information on one website is read with information on another website to which the reader is directed by the first website. A website relating to paedophiles which contains a link to another website relating to a person who has been suspected, but not convicted, of being a paedophile could give rise to a defamatory innuendo. Both the primary and secondary meaning must be ascertained objectively by means of the reasonable person test. Where the words or conduct are capable of being understood with more than one meaning, the courts will evaluate them on a balance of probabilities (which is the standard of proof in civil cases). If it is found that an allegedly defamatory statement can be understood as having both a defamatory as well as an innocent (non-defamatory) meaning, the court must adopt the non-defamatory meaning.

It may be difficult to decide what the boni mores are when one deals with publications on the Internet: the users of the Internet are from different countries with different values. It is probably to be expected that the court that exercises jurisdiction over alleged defamation will apply its own value system, but it is hoped that the court will also take note of the values of the wider Internet community.

Examples of defamatory publications include derogatory remarks concerning a person’s physical condition or mental disposition, moral character or lifestyle, professional competence, financial position or racial views.

Once the plaintiff has proved the defamatory nature of the words or behaviour, he or she also has to prove that the publication refers to him or her. This is especially relevant when the defamatory remark is directed at a group of people. The test is, once more, that of the reasonable person: in the opinion of the reasonable person, can the defamatory publication be linked to the plaintiff personally? The size of the group and the generality of the remark made play a role in this determination.

Once a plaintiff proves that, according to the reasonable-person test, the defendant made a defamatory publication that refers to him or her, two presumptions arise: (1) that the publication was prima facie wrongful, and (2) that the publication was

63 Neethling et al. Neethling’s Law of Personality 136-137; Van der Walt and Midgley Principles of Delict 129 para. 82. Since right-thinking members of the community subscribe to the values of the Constitution, it is not defamatory to say that someone is homosexual, although this may still infringe the person's dignity (see Neethling et al. Neethling’s Law of Personality 136-137 fn. 77).
64 Burns Communications Law 12/9.
65 As Van der Walt and Midgley Principles of Delict 119 para. 82 point out, “in a democracy, criticism, wild accusations and innuendos — often unfair and unfounded — are part and parcel of political activity and right-thinking persons in society generally do not think less of politicians who are subjected to derogatory statements by opposing politicians or political commentators. The con-
66 Abusive words may, however, infringe the individual’s dignity.
67 See Van der Merwe Computers and the Law 2 ed 13%. [...] see also the facts of Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W).
68 Neethling et al. Neethling’s Law of Personality 138-139.
69 Le Roux v Dey 2011 (3) SA 274 (CC) 304-305; Ketler Investments CC t/a Ketler Presentations v Internet Service Provider's Association 2014 (2) SA 569 (GSJ) 581-583. To establish the meaning of an innuendo, see Gowar and Visser “[...] of an innuendo: Can the [...] be [...] from the words?: notes” 2011 Obiter 411.

70 See also Reed Internet Law 117-118.
71 Le Roux v Dey 2011 (3) SA 274 (CC) [...].
72 In Le Roux v Dey 2011 (3) SA 274 (CC) 307 the court explains that where the statement “is ambiguous in the sense that it can bear more than one meaning which is defamatory and others which are not, the courts apply the normal standard of proof in civil cases, that is, a preponderance of probabilities. If the defamatory meaning is more probable than the other, the defamatory nature of the statement has been established as a fact. If, on the other hand, the non-defamatory meaning is more probable, or where the probabilities are even, the plaintiff has failed to rebut the onus which he or she bears. Consequently it is accepted as a fact that the statement is not defamatory.” Neethling and Potgieter Law of Delict 356. See also Cele v Avusa Media Limited [2013] 2 All SA 412 (GSJ) par 38. Cf Neethling et al. Neethling’s Law of Personality 139.
73 For instance, because of the USA's deference to freedom of speech, it may be possible to make pro-Nazi statements on a website in the USA, but such statements will constitute a crime in many European countries. See the discussion of La Ligue Contre le Racisme et l'Antisemitisme v Yahoo! Inc [...] (TGI Paris, 22 May 2000, interim court orders 00/05308, 00/05309) in para. 10.2.7.2B(b) below.
74 Neethling et al. Neethling’s Law of Personality 140-143. The law requires public figures, politicians and public officers to be more robust and thick-skinned with regards to criticism — see the discussion in Neethling and Potgieter Law of Delict 356 and the sources mentioned in fn 155.
75 Ibid. 139; AAIL (SA) v Muslim Judicial Council 1983 (4) SA 855 (C) 866; A Neumann CC v Beauty Without Cruelty International 1986 (4) SA 675 (C) 679-680.
76 Isparta v Richter 2013 (6) SA 529 (GNP) 534-537.
77 See in general Neethling et al. Neethling’s Law of Personality 140, in particular with regard to group defamation.

made with the intention to defame (that is, with animus iniuriandi) or, in the case of the press or mass media, that the defendant was negligent. The burden is then on the defendant to rebut these presumptions.

Grounds for justification

The presumption of prima facie wrongfulness may be rebutted by the defendant by proving the presence of a ground of justification. Such grounds include privilege, fair comment, truth in the public interest (also referred to as justification) and media privilege (which is the reasonable publication of an untrue statement). Other traditional grounds such as private defence, provocation and consent may also be relevant. The grounds of justification do not form a numerus clausus and new grounds can be developed in accordance with the boni mores.

Privilege or privileged occasion: Privilege exists when someone has a right, duty or interest to make specific defamatory assertions and the person who learns of them has a corresponding right or duty to learn, or interest in learning, of such statements. A distinction is made between absolute privilege, which protects the defendant completely from liability for defamation, and relative privilege, which exists only until it is proved that the defendant has exceeded the bounds of the privileged occasion.

Absolute privilege is regulated by statute. The Constitution, for example, gives complete freedom of speech to members of Parliament during the proceedings of Parliament. Similar protection is given to members of provincial legislatures. Note that a defamatory statement made by a parliamentarian outside Parliament, for example on a website or in an e-mail message, is not privileged.

Relative privilege exists when a person has a legal, moral or social duty (as determined by the reasonable-person test) to make, or a legitimate interest in making, defamatory remarks and the person learning of the assertions has a corresponding duty or interest to learn of such statements. A particular relationship between the parties (for example between members of a trade union) plays an important role in the evaluation of whether a privileged occasion exists or not. Even if a privileged occasion exists, the defendant must only make assertions that are relevant to the situation and not act with malice, since malice exceeds the bounds of the defence. Relative privilege also exists in regard to judicial or quasi-judicial proceedings, publication of the proceedings of the courts, Parliament and certain public bodies.

Truth and public interest: Derogatory remarks that are substantially true do not constitute defamation, provided that they are in the public interest. The boni mores determine whether a remark is in the public interest. The time, manner and occasion of the publication play a role in this regard. The public interest is served, for example, when information about the criminal actions of a public official is published. In this instance, malice on the part of the defendant does not negate the defence.

Media privilege: As a general rule media reports should be accurate and fair. Initially the courts held that the public interest in itself could not justify the publication of false statements. However, the constitutional recognition of freedom of speech as a fundamental right necessitated the Supreme Court of Appeal’s recognising in National Media Ltd v Bogoshi that the publication in the press of false defamatory allegations of fact will not be regarded as unlawful if, upon consideration of all the circumstances of the case, publication of the particular facts in a particular way at a particular time is found to be reasonable. It is suggested that the electronic mass media can also avail themselves of this defence. The limits of this defence are still being developed through new case law.

Fair comment: A defendant may make a prima facie defamatory remark if it is fair comment based on facts that are true and in the public interest. Four requirements are set for this ground of justification: the remark must, in the opinion of the ordinary reader, be a comment and not a fact; the comment must be considered fair in terms of the boni mores (if the defendant acts with malice the remark is not fair); the facts on which the comment is based must be substantially true,

78 Herselman v Botha 1994 (1) SA 28 (A) 85; SAUK v O'Malley 1977 (3) SA 394 (A) 401-402; Naylor v Jansen; Jansen v Naylor 2006 (3) SA 546 (SCA) 551 para. [7].
79 In the case of wrongfulness and negligence, the burden is the normal onus of proof, but in the case of intent it is an evidentiary burden which merely requires the bearer to do something to counter the evidence by the other party. See Neethling et al. Neethling’s Law of Personality 143 fn. 153, 163 fn. 360, 167 fn. 396. See also Naylor v Jansen; Jansen v Naylor 2006 (3) SA 546 (SCA) 551 para. [7].
Grounds of justification are the practical expression of the boni mores or reasonableness criterion with reference to typical factual circumstances which occur regularly in practice (Neethling and Potgieter Law of Delict 357; Van der Walt and Midgley Principles of Delict 125 para. 85). Because these grounds are embodiments of the boni mores which are subject to change, the existing grounds do not form a numerus clausus (Burchell Principles of Delict 67; Neethling and Potgieter Law of Delict 357-358; Van der Walt and Midgley Principles of Delict 12%).
[...] Neethling’s Law of Personality 143-161 for a detailed discussion of the grounds of justification.
See Neethling et al. Neethling’s Law of Personality 157.
Ibid. 145. Ketler Investments CC t/a Ketler Presentations v Internet Service Provider's Association 2014 (2) SA 569 (GSJ) AL.
Ss 58(1) and 71(1) of the Constitution of the Republic of South Africa, 1996.
See, for example, Poovalingam v [...]
National Education, Health and Allied Workers Union v Tsatsi [2006] 1 All SA 583 (SCA) 587-588 paras [3]-[4].

Whether the statements were relevant to the occasion involves a value judgment. See National Education, Health and Allied Workers Union v Tsatsi [2006] 1 All SA 583 (SCA) 587 para. [12]; Van der Berg v Coopers & Lybrand Trust (Pty) Ltd 2001 (2) SA 242 (SCA) 254 para [26].
See also fn. 22 above. See also Heroldt v Wills 2013 (2) SA 530 (GSJ) 542; Gold Reef City Theme Park (Pty) Ltd; Akani Egoli (Pty) Ltd v Electronic Media Network Ltd 2011 (3) SA 208 (GSJ) 224-226; Ketler Investments CC t/a Ketler Presentations v Internet Service Provider's Association 2014 (2) SA 569 (GSJ) S836.
Patterson v Engelenburg and Wallach's Ltd 1917 TPD 224) 364.
Kleinhans v Usmar 1929 AD 121 126.
Neethling v Du Preez; Neethling v The Weekly Mail 1994 (1) SA 708 (A). This case was decided before the introduction of the 1993 interim Constitution which protected freedom of expression as a fundamental right.
1998 (4) SA 1196 (SCA) 1211-1213. See also Khumalo v Holomisa 2002 (5) SA 401 (CC) 414-415.
Ibid; Marais v Richard 1979 (1) SA 83 (T) 89 (on appeal 1981 (1) SA 1157 (A)); Johnson v Beckett 1992 (1) SA 762 (A) 778-779; The Citizen 1978 (Pty) Ltd v McBride 2010 (4) SA 148 (SCA) 199; Heroldt v Wills 2013 (2) SA 530 (GSJ) 542.
In general this means that the comment must be relevant to the particular facts and be the honest and bona fide [...] the defendant (Marais v Richard 1979 (1) SA 83 (T) 89 (on appeal: 1981 (1) SA 1157 (A)); Delta Motor Corporation (Pty) Ltd v Van der Merwe 2004 (6) SA 185 (SCA)).

and the comment must deal with a matter of public interest, as determined by the boni mores.

Other defences that may exclude wrongfulness are:

□ Consent: A plaintiff can validly consent to the infringement of his or her good name. In accordance with the principle volenti non fit iniuria the defamation is justified.

□ Private defence: A person may defame someone in order to defend himself or herself against an imminent or actual threatening wrongful act against him or her.

□ Rixa, provocation, compensatio: Defamatory statements made during a quarrel (rixa) or in reaction to provocative behaviour may be justified in certain circumstances. Compensatio relates to the situation in which two persons have defamed each other and as a consequence their iniuriae cancel each other out.

10.2.3.3 Fault

A Animus iniuriandi (intent)

For a defendant to be held liable for a delict, his or her wrongful conduct must usually be accompanied by fault. In the case of an iniuria, the required form of fault is generally intent. To be liable for defamation, the author of defamatory material must therefore have acted animo iniuriandi or intentionally.

To act intentionally, an author (the defendant) must direct his or her will to defame the plaintiff with the knowledge that his or her actions are wrongful. If either direction of will or consciousness of wrongfulness is absent, the defendant did not act intentionally. As indicated, however, once a plaintiff proves that, according to the reasonable-person test, the defendant made a defamatory publication referring to the plaintiff, presumptions of wrongfulness and that the defamation was made with intent to defame arise.

A defendant can rebut this last-mentioned presumption by producing evidence which shows either that he or she lacked direction of will or that consciousness of wrongfulness was absent. Consciousness of wrongfulness is absent if, for example, the defendant mistakenly believed that his or her conduct was lawful. In other words, mistake excludes fault.

Remarks made in jest also do not lead to liability, since direction of will, and therefore intent, is absent. The courts, however, also require the defendant to prove that the (reasonable) bystander would have considered the words a joke.

The same principles apply to the authors of defamatory material made on the Internet. If such authors intended the defamatory publication to defame someone, or if they did not intend that outcome but foresaw that it could possibly arise from their publication, reconciled themselves therewith and knew that their conduct was wrongful, they acted intentionally and will be held liable for defamation.

B Negligence

Our law long ago adopted the principle of English law that distributors and retailers of reading material (such as newspapers and magazines) could escape liability for defamation on the basis of the absence of negligence on their part. This was an exception to another principle of English law, namely that the press is strictly liable. The principle of negligence liability for distributors of printed material has not changed and still holds true today. By analogy, the distributors of defamatory online publications (in the sense of books, newspapers or magazines) on the Internet should be liable only if the reasonable Internet user in their position would have acted differently (that is, would not have distributed the defamatory material) because he or she would have foreseen the possibility of the material’s being defamatory and would have taken steps to prevent the distribution of the material.

Our law initially also adopted the English rule of strict liability, or liability without fault, of the owner, editor, publisher and printer of a newspaper. After the adoption of the Constitution and the recognition of the freedom of expression of the press and other media as a fundamental right, the court in National Media Ltd v Bogoshi held that the democratic imperative of the free flow of information, and the role played by the mass media in this respect, is not served by imposing strict liability on the mass media. The court also was not prepared to reinstate the common-law position of liability based on intent or animus iniuriandi, because it would then be too easy for the mass media to rely on the absence of consciousness of wrongfulness. Instead, the court held that the mass publication of defamatory statements raises a presumption of negligence. Considerations of policy, practice and fairness inter partes require that the onus be placed on the defendant to rebut this presumption.

95 See Neethling et al. Neethling’s Law of Personality 199-161 for more detail on these defences.
96 Neethling et al. ibid. 907.
97 Direction of will can take the form of dolus directus, dolus indirectus or dolus eventualis. See Neethling et al. Law of Delict 112-113.
98 Nydoo v Vengtas 1965 (1) SA 1 (A).
99 Masch v Leask 1916 TPD 114 116, 117. In Le Roux v Dey 2011 (3) SA 274 (CC) 308ff 314 the court pointed out that a reasonable observer would accept that jokes about teachers by their learners should not be taken too seriously, but there is a line that may not be crossed because teachers are also entitled to protection of their dignity and reputation. The line will be crossed when the joke belittled the plaintiff and subjected him to ridicule; cf also Le Roux v Dey 2010 (4) SA 210 (SCA) 224-225.
100 Trimble v Central News Agency Ltd 1934 AD 43; Willoughby v McWade; Cahill v McWade 1931 CPD 537.
101 The test for negligence is that of the reasonable person. The defendant is negligent if reasonable person in his or her position would have acted differently and would have done so were the unlawful of damage and p ible. See Kruger v Coetzee 1966 (2) SA 428 (A) 430.
102 Pakendorf v De Flamingh 1982 (3) SA 146 (A); SAUK v O'Malley 1977 (3) SA 394 (A). The reason for this was that it was difficult to prove intent on the part of the media, which inevitably resulted in negation of the plaintiff's right to a good name whenever the defendant was part of the mass media.
103 S 16(1)(a) of the Constitution, 1996.
104 1998 (4) SA 1196 (SCA).
105 See Neethlinget ee ee eee (4) SA 1196 (SCA) 1214 the court stated: ~ are compelling reasons for holding that the media Sekt Wl as os maa ecg ts cy Sema a aly fag Holomisa 2002 (5) SA 401 (CC) 415-416; Marais v Groenewald 2001 (1) SA 634 (T) 644-646; ssspiplevactnimmoboris. niscane apetie eirte wage Camnstalnnenge sah enema, dia Ltd v Bogoshi” 1999 SALJ 1; Neethling and Potgieter “Die lasterreg en die media: Strikte aanspreeklikheid word ten gunste van nalatigheid verwerp en ’n verweer van media privilegie

These principles should by analogy be extended to the owners, editors and publishers of online news material, provided they can be considered part of the mass media. Newspapers and magazines that are (also) published electronically and available on the Internet should logically be considered part of the mass media, as should online news services. As soon as one moves away from websites that clearly carry news and other articles of public interest, it becomes more difficult to draw the line between mass media and mere individual publishers who will be held liable for intentional defamation only. Whether bulletin boards and newsgroups are regarded as mass media should depend on the extent of editorial control exercised over them: if no editorial control is exercised, postings cannot be regarded as having been published by the “mass media”.

The view has been expressed that negligence liability should be extended to all cases of defamation (in fact, to all cases of personality infringement) and not only when the mass media are involved. This development in the common law of iniuria is necessary, it is argued, for that law to conform to the spirit, purport and objects of the Constitution. Whether the courts will develop the common law in this manner remains to be seen. The Electronic Communications and Transactions Act has influenced the common-law liability of service providers for the content of their transmissions and should, of course, also be taken into account when one deals with electronic publications.

10.2.3.4 Defamation on social networking sites

There seems to be a misconception amongst a lot of people that social networking sites such as Facebook, MySpace, Twitter, etc offer an opportunity to voice opinions without any consequences. However, the law of defamation is equally applicable to speech on social media. The courts are slowly coming to grips with the new technology and have extended the traditional principles to deal with the new challenges posed by social media. Since the normal principles of defamation law are applicable to social networks, a detailed discussion is unnecessary. However, the application of a few principles will be highlighted.

In Dutch Reformed Church Vergesig Johannesburg Congregation and Another v Rayan Sooknunan t/a Glory Divine World Ministries a Facebook page was created for a particular campaign, but it also contained defamatory messages from anonymous posters. As to the question of who would be liable for these defamatory messages left on the Facebook page by anonymous posters, the court held that the creator of a Facebook profile is responsible for posts made on the profile wall (currently known as the Timeline on Facebook) — he has “made available the opportunity for such unlawful content and is, in effect, the publisher thereof — much as a newspaper takes responsibility for the content of its pages”.

The recent social media cases dealt mostly with defamatory messages that were left on the social network site, Facebook. A person who finds himself or herself a victim of such defamatory messages can approach the court for an interdict to remove the messages. In Heroldt v Wills the court referred to Setlogelo v Setlogelo (1914 AD 221 227) where it was stipulated that an interdict can only be used when there are no other remedies available. The court held that neither social media nor electronic media were foreseeable when the judgment was handed down. These days comments on social media can be posted and removed almost instantaneously at minimal cost. This, he stated, was “qualitatively different” from the situation of newspapers in hard copy. It was thus imperative that the courts responded to the changing times. The court explained that there was no evidence before it to assure it that Facebook would have complied with a request to remove the messages, and stated that if intrusions such as these are to be effectively curbed, one should act against the wrongdoers themselves instead of the providers of the social media. This approach is more effective than merely relying on an administrative process.

gevestig” 1999 THRHR 442. But see Midgley “Intention remains the fault criterion under the actio injuriarum” 2001 SALJ 438 and Van der Walt and Midgley Principles of Delict 160 para. [106] for a different viewpoint.
106 See National Media v Bogoshi 1998 (4) SA 1196 (SCA) 1215.
107 The defences available to service providers in terms of the Electronic Communications and Transactions Act 25 of 2002 should not therefore be available to the owners and editors of websites that can be considered part of the “mass media”, because they are not intermediaries (see also Van Zyl “Online defamation: Who is to blame?” 2006 THRHR 143).
108 Nel “Freedom of expression and the Internet” 200.
109 Marais v Groenewald 2001 (1) SA 634 (T) 644-646; Heyns v Venter 2004 (3) SA 200 (T) 209; Neethling et al. Neethling’s Law of Personality 16% Knobel “Nalatige persoonlikheidskrenking” 2002 THRHR 24 25.
110 See Neethling et al. Neethling’s Law of Personality %, Neethling “Nalatigheid as aanspreeklikheidsvereiste vir die actio iniuriarum by laster” 262-264; Knobel “Nalatige persoonlikheidskrenking” 2002 THRHR 31.
111 Act 25 of 2002. See para. 10.2.7.1B(d) below.
112 For an explanation of the difference between “social media” and “social network sites”, see Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER vol 17(6) 2845 2848 fn 8 and the sources mentioned there.
113 For UK cases with defamation on Twitter, see also Cairns v Modi [2010] EWHC 2859 (QB), Cruddas v Adams [2013] EWHC 145 (QB) and the case of McAlpine v Bercow [2013] EWHC 1342 (QB) where Lord McAlpine was incorrectly identified as being implicated in a child abuse scandal. It is estimated that over 10 000 Twitter users in the UK tweeted or retweeted messages which were defamatory of him. Since he could not sue all of them, he took a pragmatic approach by offering to settle with all users who have less than 500 followers. In return for an apology and a donation to BBC Children in Need, he would undertake to take no further action. Murray A Information Technology Law (2nd ed) 2013 195.
114 For the of an tule due to technology: In CMC Woodworking Machinery (Pty) Ltd v Pieter Odendaal Kitchens 2012 (5) SA 604 (KZD) Steyn J allowed the applicant to use Facebook to serve a court notice on the defendant in circumstances in which the defendant's attorneys withdrew and the defendant consistently tried to evade service. The notice was also to be published in a local newspaper. See also Chauke “Service by Facebook” 2013 Without Prejudice 100; Roos A and Slabbert M “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER vol 17(6) 2849.
115 Dutch Reformed Church Vergesig Congregation and Another v Sooknunan t/a Divine World Ministries [2012] 3 All SA 322 (GSJ); Dutch Reformed Church v Rayan Sooknunan 2012 (6) SA 201 (GSJ).
116 YR ii i il i i Wil ii WS i po eo SE re ea ene aT Reveed Se Peet neice ee ne ee in content or impact.” Dutch Reformed Church Vergesig v Sooknunan supra para
117 Dutch Reformed Church Vergesig Johannesburg Congregation and Another v Sooknunan t/a Glory Divine World Ministries [2012] 3 All SA 322 (GSJ); Dutch Reformed Church v Sooknunan 2012 (6) SA 201 (GSJ); Heroldt v Wills 2013 (2) SA 530 (GSJ); Isparta v Richter 2013 (6) SA 529 (GNP); M v B 2015 (1) SA 270 (KZP).
118 2013 (2) SA 530 (GSJ).
119 Heroldt v Wills supra 544 para 31.
120 Heroldt v Wills 2013 (2) SA 530 (GSJ) 546 para 38.
121 Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER vol 17(6) 2845 200.

With regard to the respondent’s argument that the appropriate remedy should rather have been an action for damages instead of an application for an interdict, the court held that such an action would likely be accompanied by “needless expense, drama, trauma and delay”. The court granted the interdict and ordered the respondent to remove all the postings which she had posted on Facebook or any other site on social media which referred to the applicant.

One of the questions raised in Isparta v Richter 2013 (6) SA 529 (GP) was whether an individual can be liable for defamatory posts not made by himself personally, but in which he has been tagged. The court held that he (the second defendant) knew about the defamatory messages (when he was tagged he allowed his name to be coupled with that of the first defendant). This is in line with the established principle that everyone who repeats, confirms or draws attention to a defamatory statement will be held responsible for its publication. In the same way anyone who “likes” or “shares” a defamatory posting can also be held liable for defamation since such a person confirms and repeats the posting. The husband had the opportunity to remove his name from the message when he was “tagged” in order to distance himself from the defamatory posting — since he did not take any steps to remove the “tag”, he was considered to associate himself with the defamatory statement and was held liable with the first defendant.

To determine the amount of damages to be awarded, the court referred to case law. The court pointed out that an apology in the same medium (Facebook) would have gone a long way towards mitigating the plaintiff’s damages. However, the defendants in this case had not apologised but continued to hold their view that they were entitled to publish “whatever they liked”. Since the defendants did not apologise or retract their defamatory comments, an amount of R40 000 was considered to be appropriate in the circumstances as well as an order as to costs against them.

Users of social networking sites should be careful not only of what they themselves post, but also of the posts of others which may include them. This is equally important when social networking sites are used to post comments in the workplace or with regards to workplace issues, the employer or fellow employees. The same principles of defamation law apply, but in this context there is also the risk of disciplinary action or dismissal for an employee for derogatory comments made on social media — see for example Sedick & Another v Krisray (Pty) Ltd [2011] JOL 27445 (CCMA); [2011] 8 BALR 879 (CCMA). Regarding the use of social media in the workplace by employees the commissioner concluded:

“The internet is a public domain and its content is, for the most part, open to anyone who has the time and inclination to search it out. If employees wish their opinions to remain private, they should refrain from posting them on the internet.”

The possibilities surrounding creative engagement that Web 2.0 provides have led to the establishment of social media accounts. Our law recognises parody and satire as protected forms of speech. Parody accounts should however be distinguished from impersonation accounts, which may be extremely damaging, for example when someone sets up a Facebook account in your name and posts defamatory comments in your name, or sets up a Twitter account in your company’s name tweeting offensive, objectionable content which snubs customers and tarnishes the image and brand of your company. Although most websites prohibit impersonation accounts, it is questionable whether and how quickly these accounts will be removed upon request. When the reputation of a person or company has been tarnished by such an impersonation account, a claim for defamation will be available. In the UK case of Applause Store Productions Limited & Anor v Raphael a fake Facebook profile was set up for Matthew Firsht, including his date of birth, relationship status, purported sexual preference and religious views, as well as a Facebook group linked to the fake profile, called “Has Matthew Firsht lied to you?” This contained material that was defamatory of him and his company Applause Store — it was alleged that he owed sums of money which he avoided paying while offering lies and implausible excuses indicating that “he is not to be trusted in the financial conduct of his business and represents a serious credit risk”. After having successfully removed

122 Heroldt v Wills 2013 (2) SA 530 (GSJ) 546 para 39.
123 Isparta v Richter 2013 (6) SA 529 (GP) para 35; Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER Zins.
124 Hassen v Post Newspapers (Pty) Ltd 1965 (3) SA 962 (W) 561-565; Neethling and Potgieter Necth- Bos osgieees eser Leet iets ot
125 Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER
126 Tsedu v Lekota 2009 (4) SA 372 (SCA); Mogale v Seima 2008 (5) SA 637 (SCA); Mthimunye v RCP Media 2012 (1) SA 199 (GNP).
127 Isparta v Richter 2013 (6) SA 529 (GP) par 40. Regarding the aspect of an apology for defamation, pic isrersagenaateed a ammo Serctemecestaeri ost for defamation are inappropriate. In a minority judgment in Media 24 v Taxi Securitisation 2011 (5) SA 329 (SCA) at paras 1-72 Nugent JA referred to a 1995 report of the New South Wales Law Commission, referred to by Willis J in Mineworkers Investment Co (Pty) Ltd v Modibane 2002 (6) SA 512 (W) at para 26 which called damages as the sole remedy for defamation “remedially crude”. Nugent JA said in par 72: “As it is, an order that damages are payable implicitly declares that the plaintiff was unlawfully defamed, thereby clearing his or her name, and there can be no reason why a plaintiff should be forced to have damages as a precondition for having the declaration.” The Court in casu confirmed that an apology to the plaintiff, or a retraction in writing, in the same forum that the offending statements had been made, also clears the name of the plaintiff.
128 Isparta v Richter 2013 (6) SA 529 (GP) para 41.
129 Isparta v Richter 2013 (6) SA 529 (GNP) para 41. An order as to costs was made on the magistrate’s court scale, but including the costs of counsel.
130 An order as to costs was made on the magistrate’s court scale, but including the costs of counsel.
131 The Commissioner stated that some of the cly and, if noe ing insubordination, Geatslnly Guuaained pron mlones” at para 4 and further “I find that the comments served to bring the management into disrepute with persons both within and outside the employment and that the potential for damage to that reputation amongst customers, suppliers and competitors was real” at para 55. For other cases dealing with Facebook postings that brought the employer into disrepute with similar findings see also Fredericks v Jo Barkett Fashions [2011] JOL 27923 (CCMA) and SACCAWU obo Haliwell v Extrabold t/a Holiday Inn Sandton [2012] 3 BALR 286 (CCMA).
132 Sedick & Another v Krisray (Pty) Ltd (2011) 8 BALR 879 (CCMA) at para 62.
133 ee tee ne en ne a a ee their lives in a tongue-in-cheek ae eee en Se Oe Ren Peony Teter ae: counts: @Queen_UK, @NotZuckerberg and @GSElevator.
134 [2008] EWHC 1781 (QB).
135 Applause Store Productions Limited & Anor v Raphael [2008] EWHC 1781 (QB) paras 3-4; Murray Information Technology Law 2 ed 193.
136 Applause Store Productions Limited & Anor v Raphael [2008] EWHC 1781 (QB) para 79.

the false profile and group from Facebook, Firsht obtained a Norwich Pharmacal Order against Facebook for disclosure of the registration data of the person who created them. The evidence indicated that both the profile and group page were created by a former friend of Firsht. In a defamation claim heard by the UK High Court, Firsht was awarded £15 000 in damages (including aggravated damages to reflect that Mr Raphael denied making the defamatory comments) with £5 000 in damages awarded to his company.

10.2.4 Remedies

A plaintiff who succeeds with a defamation action can claim damages for the infringement of his or her reputation with the actio iniuriarum. Should the plaintiff also suffer patrimonial loss as a result of the defamation, the appropriate remedy is the actio legis Aquiliae, in terms of which negligence on the part of the defendant suffices as a form of fault.

Someone who wants to prevent an impending publication of defamatory material about him or her, or to prevent the continued publication of such defamatory material, may apply for an interdict. The interdict may take the form of a prohibitory or a mandatory court order. A prohibitory order prohibits the commission or continuation of a wrongful act (such as the continued publication of defamatory material on a web page). A mandatory order requires a positive action (for example, removing or blocking access to defamatory material) on the part of the wrongdoer to terminate the continuing wrongful act.

An interdict may be final or temporary. A temporary interdict is granted pendente lite (that is, pending an action between the parties concerned). The requirements for such an interdict are (a) a prima facie right, (b) a well-grounded apprehension of irreparable harm if the interim relief is not granted, (c) that the balance of convenience favours the granting of the interim interdict, and (d) that the applicant has no other satisfactory remedy.

A final interdict prohibits the wrongful conduct of the defendant unconditionally and permanently. The requirements for a final interdict are (a) a clear right, (b) an actual or threatened infringement of that right (the requirement that plaintiff suffered injury or that injury is reasonably apprehended), and (c) the absence of another suitable remedy. The granting or refusal of an interdict is always within the discretion of the court.

Generally an interdict will be refused if the threatened harm is small, if it is capable of being estimated in money and adequately compensated for by the award of a small monetary payment, and if the granting of the interdict would be oppressive to the respondent. The granting of an interdict to prevent publication of defamatory information could in effect amount to an infringement of the right to free speech and might therefore be seen as a kind of censorship. Before deciding whether to grant an interdict, a court has to consider all the competing interests, including the importance of allowing free speech. It has been said that “save in exceptional circumstances, prior restraint is not an appropriate remedy against the constitutional right to free speech. The appropriate remedy is an action for damages”.

One of the first reported decisions in South Africa dealing with defamatory publications on the Internet was Tsichlas v Touch Line Media (Pty) Ltd. In this case an application was brought by the club secretary (Mrs Tsichlas) of a South African football club (Mamelodi Sundowns) to interdict the respondent, the owner of a website that incorporated a discussion forum, from publishing material defamatory of her. It was further asked that the respondent be ordered to monitor the website in future and to remove defamatory material placed by participants on the website within one hour of such publication. The respondent hosted and ran a website, named “Kick-Off”, aimed at the supporters of football. The website attracted many thousands of postings contributed by various users. These postings remained on the website indefinitely, until they were removed. Before bringing the application for an interdict, the applicant had not requested the respondent to remove the defamatory statements. She also instituted an action claiming damages for the alleged defamation appearing in the respondent's print magazine, also called Kick-Off.

The court denied the application, characterising it as an application for a permanent interdict interdicting both past and future publications. As regards the interdicting of future publications, the court held:

“In the present matter, the plaintiff seeks ... to impose what would be drastic constraints on the 's freedom to publish certain matter on its website discussion forum. I am of the view that the rights embodied in s 16 of the Constitution [providing everyone with the right to freedom of expression] would be grossly curtailed if I were to make such an order. In any event, there is no basis at common law for the court to do so, particularly in respect of material not yet known, presented or published and not being in a position to evaluate, in advance whether such material would not only be defamatory but may be met by a good defence.”

137 A Norwich Pharmacal Order is an order that a person who assists another in committing a tort must reveal the identity of the wrongdoer to allow the party who has suffered harm to take action. Murray Information Technology Law 198. See also Dougherty and Saunderson “A Practical Guide to Norwich Pharmacal Orders” http://www.2tg.co.uk/assets/docs/newsletter_documents/a_practical_guide_to_norwich_pharmacal_orders.-_spring_2014.pdf.
138 It is also possible to rely on the Protection from Harassment Act 2011 if the comments sent from the impersonation account constitute harassment.
139 Neethling et al. Neethling’s Law of Personality 67.
140 In order to force a poster of defamatory messages to remove those messages from social networks, such as Facebook and MySpace, a claimant may apply to the court for an interdict. See Dutch Reformed Church Vergesig v Sooknunan 2012 (6) SA 201 (GSJ); Heroldt v Wills 2013 (2) SA 530 (GSJ); Isparta v Richter 2013 (6) SA 529 (GNP); M v B 2015 (1) SA 270 (KZP).
141 Neethling and Potgieter Law of Delict 26547.
142 Ibid. 237; Knobel “The right to the trade secret” (LLD thesis, Unisa, 1996) 264.
143 Hix Networking Technologies v System Publishers (Pty) Ltd 1997 (1) SA 391 (A) 398; Burchell Personality Rights and Freedom of Expression 479.
144 Van der Walt and Midgley Principles of Delict 212 para. 141.
145 See, for example, Setlogelo v Setlogelo 1914 AD 221 227; Patz v Greene and Co 1907 TS 427; Hall v Heyns 1991 (1) SA 381 (C) 395; Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W).
146 Knox D'Arcy Ltd v Jamieson 1995 (2) SA 579 (W) 592, Hix Networking Technologies v System Publishers (Pty) Ltd 1997 (1) SA 391 (A) 399; Van der Walt and Midgley Principles of Delict 212 para. 141.
147 Van der Walt and Midgley Principles of Delict 213 para. 141.
148 Burchell Personality Rights and Freedom of Expression 490.
149 Van der Walt and Midgley Principles of Delict 212 para. 141.
150 2004 (2) SA 112 (W).
151 Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 118.
152 Ibid. 129.


As regards the interdicting of past publications, the court heki that the applicant
had not proved two of the clements, namely that she would continuc to suffer injury
and that she did not have another suitable remedy. The court held that there was no Retraction of and apologies for defamatory publications can be effected swiftly on
reason to believe that defamatory publications would continue to be published. In so the Internet and are therefore seemingly well suited as remedies in the Internet
far as the published statements might have caused her injury, the applicant was environment. According to Geist, however, “Internet defamation is far more difficult
entided to claim, by way of action, such damages as she had suffered. Their contin- to retract, since the materials can be distributed worldwide with such rapidity that
ued publication would merely add to the quantum of the damages. The court pointed retraction may prove insufficient”.
out that, had the applicant prior to the application taken steps to draw the atiention
of the respondent to the defamatory material, the application might have been 10.2.5 Vicarious liability
avoided. The applicant’s contention that no other suitable remedy was available was A person is held vicariously liable for a delict when he or she is held liable not for his
also incorrect. Not only was she free to challenge and respond to the material on the or her own conduct but for that of another party with whom he or she has a particu-
website itself by engaging in the ongoing debate at the time, but she retained the lar relationship. Vicarious liability is, in other words, a type of strict liability (liability
fright to suc for damages, which action she had indicated she intended to take. The without fault) on the part of the person who is finally liable. Onc relationship that is
court argued that to give an interdict for past publications would have the same especially relevant in defamation is that bewween employer and employee."
effect as “trying to ‘close the stable door afier the horse has bolted’. An employer can be held liable for a delict committed by an employec, but only if
The respondent also raised as a defence the immunity given to service providers i in (a) an employer-employce relationship existed when the delict was commiued (as
specific instances by the Electronic Communications and Transactions Act, put the is normally the case if one person has the right to exercise control over another
court rejected this argument. person in the performance of his or her dutics)
From this case it is apparent that a permanent interdict for a defamatory publication is appropriate only when an applicant has knowledge of a defamatory publication that has been written but not yet published. In the case of the printed media this could happen when, for example, a newspaper contacts a person to comment on a story it intends to publish at a later stage. However, in the Internet environment the availability of a permanent interdict as remedy would seem to be limited, at best.

Neethling et al. indicate that the Roman-Dutch law remedy of amende honorable, in terms of which a plaintiff in a defamation matter could claim that the defendant retract the allegations and publish an apology, has been abrogated in South Africa by disuse for 150 years. However, an analogous remedy was revived in Mineworkers Investment Co (Pty) Ltd v Modibane. Neethling et al. support this development because an apology will in most instances be more appropriate to repairing the reputation of the plaintiff than an amount of money would be. An apology will also serve better the constitutional balance that has to be reached between the right to a good name, on the one hand, and freedom of expression, on the other. Freedom of expression may be curtailed if potential defendants become hesitant to publish because of the possibility that ruinous compensation awards may be awarded against them. The fear of reprisal has been described as having a “chilling” effect on freedom of speech.

(b) the employee committed a delict (that is, the action complained of complies with all the requirements for a delict and there is no defence that could have been raised by the employee), and
(c) the employee acted within the scope of his or her employment when the delict was committed.

The last-mentioned requirement is not always easy to determine. The Appellate Division in Minister of Police v Rabie held that a test that is both subjective and objective should apply. For the subjective part of the test the intention of the employee is relevant. An act performed solely for the employee's own interests and purposes falls outside the scope of his or her employment, even if the act was occasioned by his or her employment. As to the objective component of the test, if there is nevertheless a sufficiently close link between the employee's act for his or her own interests and purposes and the business of his or her employer, the employer may still be liable. For the employer to escape liability for the employee's actions, therefore, the employee must have both subjectively promoted his or her own interests and objectively disengaged himself or herself completely from his or her duties.

A factor that plays a role in the determination of whether the employee acted within the scope of his or her employment, especially when the act complained of was forbidden by the employer, is whether the relevant act fell within the risk created by the employer.

153 Ibid.
154 See Chapter XI of Act 25 of 2002. This Act is discussed in para. 10.2.7.1B(d) below.
155 For more on this, see text to fn. 287 below.
156 Neethling et al. Neethling's Law of Personality 171.
157 2002 (6) SA 512 (W) 521.
158 Neethling et al. ain Font Deepal 7 See also Isparta v Richter 2013 (6) SA 529 (CP).
159 See also Nel “Freedom of expression and the Internet” 209.
160 Dow Jones & Co Inc v Gutnick [2002] HCA 56 para. 152.
161 Geist Internet Law in Canada 179.
162 The relationship between principal and agent could also be relevant. For other instances of vicarious liability, see Neethling and Potgieter Law of Delict 389-
163 Neethling and Potgieter Law of Delict 390-397. For the position in English law, see Smith Internet Law and 213-217.
164 1986 (1) SA 117 (A) 134. See also K v Minister of Safety and Security 2005 (6) SA 419 (CC); Minister of Ne ted ne ne een ee See further Neethling and Potgieter Law of Delict
165 NE Law of Delict 34
166 Minister of Police v Rabie 1986 (1) SA 117 (A) 134; Minister van Wet en Orde v Wilson 1992 (3) SA 920 (A) 927-928; Grobler v Naspers Bpk 2004 (4) SA 220 (C).
512 Information and Communications Technology Law
Chapter 10: Freedom of Expression 511

Midgley points to e-mails sent during office hours by an employee, making defamatory comments about a co-worker, as an example of a situation in which an employer may incur vicarious liability for online defamation.

10.2.6 Juristic persons as plaintiffs

South African courts have held that juristic persons have certain personality rights, namely a right to a good name, or fama, and a right to privacy. These two personality interests can be infringed without feelings' being injured, in other words without the plaintiff's actually suffering sentimental or affective loss. Logically speaking, therefore, these personality rights can be extended to juristic persons. This viewpoint is also accepted by the Bill of Rights, which provides that juristic persons are entitled to the rights in the Bill of Rights to the extent required by the nature of the rights and the nature of the juristic person involved. It follows that, in South African law, a juristic person can sue for defamation.

10.2.7 Specific issues of defamation on the Internet

10.2.7.1 Intermediary liability (liability for third-party content)

A Introduction

Service providers offer a range of services to customers. They may offer email accounts, host websites, and offer newsgroups. Sometimes they also provide content, as, for example, online magazines. Service providers may have editorial control over some of these services, but in other instances they have no control, or very little control — they may, for example, only have the authority to decide the duration of the period of time after which material must be taken down.

When service providers can be considered the authors or primary publishers of material, the normal rules of liability for defamation apply. In most cases, however, service providers cannot be considered the authors or primary publishers of information. In many cases their function is merely to transmit information without storing it (they act as “mere conduits”) or sometimes to store such information temporarily before transmitting it to clients in order to make the onward transfer more efficient (this storing is referred to as “caching”). Service providers can also act as “hosts” when they store information supplied by the recipients of the service at the request of those recipients.

In these last-mentioned instances, service providers should clearly not be treated as the authors of the information. However, as previously indicated, in addition to the author of a defamatory publication, the editor, printer, publisher, owner, distributors (including libraries) and vendors of the publication carrying the defamatory material can be held liable for defamation. This is not peculiar to South African law — the law of most countries (including that of the United States and the United Kingdom) imposes liability not only on the author of defamatory material, but also on persons involved in the distribution of the material.

In the Internet environment, any intermediary involved in the dissemination of defamatory material may therefore be at risk of incurring liability for defamation. Generally, whether liability is imposed depends on the function or role played by the particular intermediary, as well as on the function the law presumes or expects the particular type of intermediary to play. A distinction may be drawn between information carriers, information distributors and information controllers.

(a) Information carriers

An information carrier is an intermediary that serves as a conduit of information. The information is merely conveyed from one point to another without any monitoring of or control over the content. Information carriers are considered immune from liability. Cubby Inc v Compuserve Inc is an early American case on this issue. In it a service provider — who merely acted as an information carrier, taking no steps to monitor or control the content of the information — was held not to be liable for a tortious (delictual) statement made by a third party using its service.

(b) Information distributors

An information distributor's primary function, like that of a carrier, is to convey information, but the law presumes that the distributor has the opportunity to examine the content of the information. Thus the law ascribes to a distributor additional functions with which it must comply if it wants to escape liability. In other words, as pointed out by Reed, an information carrier and an information distributor do not necessarily function differently; it depends on the model adopted by the applicable law whether a particular entity is considered a carrier or a distributor.

167 Midgley “Cyberspace issues” 396.
168 Argus Printing and Publishing Co Ltd v Inkatha Freedom Party 1992 (3) SA 579 (A); Dhlomo v Natal See ee ee rece eerie neck Friend Newspapers Ltd 1916 AD 1. For the development of the law in this area, see Neethling et SS pecamarteea, 68-69.
169 ee et tenes (A) 46.
170 See Neethling et al. eee
171 S 8(4) of the Constitution, 1996.
172 See, for example, Delta Motor Corporation (Pty) Ltd v Van der Merwe 2004 (6) SA 18 (SCA) in which a motor manufacturer sued for alleged defamation (contained in an email) of its commercial reputation.
173 See para. 10.2.3.1 above.
174 Neethling et al. Neethling's Law of Personality 134
175 publishers are held strictly liable in the USA and the UK, it is usually required of Secthaken Has Reg knee cs dudes henck sous eed he oesey Seaton ie be held liable. See para. 10.2.7.1B(b) below. On the required form of fault for defamation in South Africa, see para. 10.2.3.3 above.
176 Reed Internet Law 115. See also Nel “Freedom of expression and the Internet” 198.
177 776 F Supp 135 (SDNY 1991).
178 The federal district court of New York equated CompuServe with a library or news service, since CompuServe contracted with a third party to provide “an electronic library of news publications” (776 F Supp 135 (SDNY 1991) 143). Once CompuServe was considered similar to a library or newsvendor, a First Amendment protection applied to its publications, and CompuServe Sent aay be hada Mekic Wr eco tena Mane cance ces nocd mation at the time it appeared on its service.
179 Reed Internet Law 115.
Reed considers the UK Defamation Act of 1996 a clear example of an information-distributor model. By virtue of this Act, most intermediaries are not publishers, but to escape liability they will nevertheless have to comply with other conditions. For example, they have to show that they had no reason to believe the statement was defamatory and that they took reasonable care in relation to the publication.

(c) Information controllers

An information controller is an intermediary that purports to examine the content of the information and takes it upon itself to prevent transmission if the content is unlawful. Such an intermediary can be held liable for third-party content. This issue was considered in Stratton Oakmont Inc v Prodigy Services Co. In this case a New York State trial court held that the operator of a bulletin board on which third parties could post messages is similar to a publisher, such as that of a newspaper, and therefore liable for defamatory publications “posted” by third parties on the bulletin board.

B A comparative look at intermediary liability in the United States of

(a) The United States of America

In the United States civil liability for third-party content is regulated by 47 USC § 230. This section forms part of the Communications Decency Act (CDA) of 1996. It was introduced partly because of the uncertainty that existed after the earlier cases of Cubby Inc v Compuserve Inc and Stratton Oakmont Inc v Prodigy Services Co. The latter decision particularly elicited a public outcry. The implication of Stratton Oakmont was that the risk of liability increased if a service provider engaged in any kind of editing or screening of content, even if it only removed clearly objectionable content. This increased risk discouraged service providers from engaging in any self-regulation. The Stratton Oakmont decision was eventually overruled by the Court of Appeals of New York, in Lunney v Prodigy Services Co, which held that under New York common law, Prodigy was not a publisher of third party messages and could not be compelled to guarantee the content of the messages on its bulletin board.

Since its enactment, section 230 of the CDA has become the yardstick for determining third-party content liability in the United States. The most significant provision is section 230(c)(1), which states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider”.

Also important are the “Good Samaritan” provisions of section 230(c)(2) which provide protection for a service provider that removes, in good faith, objectionable content from its service or restricts access to such content:

No provider . . . of an interactive computer service shall be held liable on account of . . . any action voluntarily taken in good faith to restrict access to or availability of material that the provider . . . considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable . . .

Section 230(e)(3) provides that, while actions may still be brought under state law, no liability may be imposed under state law that is inconsistent with section 230.

The leading case on section 230 is Zeran v America Online Inc. In this case an unknown person posted a series of fraudulent messages on message boards operated by America Online (AOL), advertising T-shirts with offensive slogans relating to the bombing of Oklahoma City's federal buildings. The person responsible for the publications gave Zeran's name and address as contact information. As a result Zeran, who had never subscribed to AOL, received several abusive and threatening telephone calls. Zeran complained to AOL, who removed the fraudulent mailings and terminated the account from which the postings had come. However, the impostor set up new accounts and posted new messages also using Zeran's details. Zeran sued AOL, alleging that it was negligent in failing to remove the advertisements more quickly and in failing to block all later The district court granted judgment in favour of AOL, who argued that section 230(c) of the CDA gave it immunity in respect of the false advertisements. The Fourth Circuit affirmed this decision, stating that,

By its plain language, § 230 creates federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service. Specifically, § 230 precludes courts from entertaining claims that would place a computer service provider in a publisher's role. Thus, lawsuits seeking to hold a service provider liable for its exercise of a publisher's traditional editorial functions — such as deciding whether to publish, withdraw, postpone or alter content — are barred.

The court pointed out that “[n]one of this means, of course, that the original party who posts defamatory messages would escape accountability”. According to the court, “Congress made a policy choice ... not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties' potentially injurious messages”.

Zeran was followed by several other cases in which America Online was, more often than not, the intermediary involved. In none of these cases was the service provider held liable for third-party content, not even when the service provider paid the author of the defamatory material for the right to provide access to the material.

180 This Act is discussed in more detail in para. 10.2.7.1B(b) below.
181 23 Media L Rep 1794 (NY Sup Ct 1995).
182 The CDA was originally passed to deal with “cyberporn”. It criminalised the acts of making available obscene and indecent materials to minors and providing any telecommunications facility for such use. Most of the CDA was struck down as unconstitutional on First Amendment grounds by the US Supreme Court in Reno v American Civil Liberties Union 521 US 844 (1997). Because § 230 was not unconstitutional, it survived. See further Carome and Jain “Third-party content liability” 235 236-237 and Reed Internet Law 123.
183 776 F Supp 135 (SD NY 1991). Discussed above in para. 10.2.7.1A.
184 23 Media L Rep 1794 (NY Sup Ct 1995). Discussed above in para. 10.2.7.1A.
185 701 NYS 2d 684 (1999), cert denied 529 US 1098 (2000).
186 As a result, Cubby and Stratton Oakmont have become “nothing more than a historical footnote” according to Battersby and Grimes “Defamation” 7-31.
187 A “Good Samaritan” clause is a type of provision that protects a party who is acting to protect another when there is no obligation to do so.
188 47 USC § 230(e) also contains exceptions from its reach. For example, it does not impair enforcement of any federal criminal statute, does not limit or expand intellectual property law, and does not limit the application of the Electronic Communications Privacy Act 18 USC § 2510 or any similar state statute.
189 129 F 3d 327 (4th Cir 1997).
190 Zeran v America Online Inc 129 F 3d 327 (4th Cir 1997) 330.
191 Ibid.
192 Ibid.
193 See, for example, Blumenthal v Drudge 992 F Supp 44 (DDC 1998); Doe v America Online, Inc No. SC94306, 2001 WL 2284 (Fla Mar 8, 2001); Ben Ezra, Weinstein & Co v America Online Inc 206 F 3d
continued

The interpretation given section 230 by the court in Zeran and subsequent cases in effect granted service providers absolute immunity from civil liability for third-party content. However, this section is equally open to the interpretation that service providers are liable for such content if they knowingly distribute defamatory material. On the contrary, section 230 has also been held to provide complete immunity from civil action alleging negligence on the part of the service provider in failing to prevent continued solicitation to purchase child pornography made via the service provider's system.

Reed and Angel were optimistic when writing in 2006 that change was afoot and that online intermediaries in the United States may in future not be entitled to the extreme level of immunity from defamation liability that they enjoyed then in respect of third-party content.

In Barrett v Rosenthal a Californian Court of Appeals overturned the decision of a lower court which held that Rosenthal, an individual user of an online bulletin board, was entitled to rely on the immunity provided by section 230. Rosenthal participated in an online discussion forum and in the process reposted defamatory remarks made by other participants. The Court of Appeals found that Zeran and the cases following it were flawed in their analysis of section 230 and had created a broader immunity than that intended by Congress. The Court of Appeals was of the opinion that the legislature had not intended to do away with the traditional distinction between primary publishers (who were held strictly liable) and subsequent distributors (to whom an awareness standard was applied). The appellants argued that section 230 does not prevent users or service providers from being treated as distributors and therefore liable on the basis of an awareness standard. The Court of Appeals concurred with this reasoning. It held that section 230 could not be interpreted as overriding the common-law principle that the republisher (distributor) of defamation is liable if he or she knows, or has reason to believe, that the article in question is indeed defamatory. Reed and Angel were hopeful that, were this new development to continue, the position in the United States would be brought more in line with that in Europe.

However, the California Supreme Court overturned the decision of the Court of Appeals. The majority was of the opinion that the plain language of section 230 shows that Congress did not intend an Internet user to be treated in a manner different from that in which an Internet provider would be. Both had immunity from liability for the republication of defamatory content on the Internet. The Supreme Court agreed with the reasoning in Zeran that subjecting Internet service providers and users to defamation liability would have a “chilling” effect on online speech. The Barrett case is the first to interpret section 230 as providing an individual Internet user, as opposed to a service provider, with immunity from liability.

(b) The United Kingdom

Under English law the publisher of a defamatory statement is held strictly liable. A person, such as a newsagent, distributing material containing the defamatory statement can escape liability on the basis of the defence of innocent dissemination: he or she has no knowledge of the fact that the publication contains defamation or that the publication is by its nature likely to contain defamation, and the absence of such knowledge is not due to negligence on the part of the distributor. This common-law defence was potentially open to online intermediaries, but in practice it was superseded by the Defamation Act of 1996.

The Defamation Act was introduced following a recommendation by the Law Commission that a statutory defence of “innocent dissemination” should be introduced for online intermediaries. The Act is an example of the “information distributor model” which requires the service provider to perform certain functions before it can avoid liability.

The relevant provisions of section 1 provide as follows:

(1) In defamation proceedings a person has a defence if he shows that—
(a) he was not the author, editor or publisher of the statement complained of,
(b) he took reasonable care in relation to the publication, and
(c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement . . .
. . .
(3) A person shall not be considered the author, editor or publisher of a statement if he is only involved —
(a) . . .
(b) . . .
(c) in processing, making copies of, distributing or selling any electronic medium in or on which the statement is recorded, or in operating or providing any equipment, system or service by means of which the statement is retrieved, copied, distributed or made available in electronic form;
(d) . . .
(e) as the operator of or provider of access to a communications system by means of which the statement is transmitted, or made available, by a person over whom he has no effective control.

In other words, to escape liability in defamation proceedings, service providers have to show (in terms of section 1(1)(a)) that they are not authors, editors or publishers of the defamatory material (they are helped by the provisions of section 1(3) in this

980 (10th Cir 2000); Batzel v Smith CV 00-9990 SVW (AJWx) (USDC Central District of California, 2005), as quoted by Reed and Angel (eds) Computer Law: The Law and Regulation of Information Technology 262 fn. 134. See also Nel “Freedom of expression and the Internet” 202.
194 Blumenthal v Drudge 992 F Supp 44 (DDC 1998).
195 Doe v America Online, Inc No. SC34355, 2001 WL 2284 (Fla Mar 8, 2001). See further Reed Internet Law 131-152.
196 Reed and Angel (eds) Computer Law 263.
197 112 Cal App 4th 749 (2003); 5 Cal Rptr 3d 416 (Cal App 1 Dist, 2003).
198 In other words, § 230 should only be interpreted as meaning that a service provider cannot be treated as a publisher of third-party content and cannot therefore be held strictly liable.
199 This decision was taken on appeal to the Supreme Court of the State of California (Reed and Angel (eds) Computer Law 265).
200 Reed and Angel (eds) Computer Law 265.
201 Barrett v Rosenthal SC Cal, Alameda County, Ct. App. 1/2 A096451.
202 Reed and Angel (eds) Computer Law 263.
203 Hulton v Jones [1910] AC 20.
204 Emmens v Pottle (1885) 16 QBD; Reed and Angel (eds) Computer Law 255-357.
205 Lloyd Legal Aspects of the Information Society 223; Reed and Angel (eds) Computer Law 256.

regard) and that they have complied with section 1(1)(b) and 1(1)(c) in that they took reasonable care in relation to the publication and did not know, and had no reason to believe, that they had published defamatory statements.

Reed and Angel comment as follows on these provisions:

ee eee intermediaries from being ally and bly ct blishers and exposed to strict liability for defamatory material eis sectoblc ex acs eansicia Ask intermediary must exercise caution, however, in fulfilling the section 1(1) requirement to take reasonable care in relation to what is made available via their servers — should it, in doing so, step over the boundary by assuming a level of editorial control over the material on its website, it can fall outside the parameters of section 1(3) and end up subject to the same strict liability standard as a print publisher.

Reed argues that section 1(1)(b) imposes a minimum obligation on the service provider to monitor information content, and that, as soon as the intermediary learns of the defamatory content, it can no longer satisfy the requirement of section 1(1)(c). On the other hand, if the service provider monitors too closely, it runs the risk of losing the protection of section 1(3) and of being treated as a publisher.

The most important case dealing with the Defamation Act of 1996 is Godfrey v Demon Internet Ltd. This case involved a defamatory posting to a newsgroup on Thai culture, which was distributed to Usenet subscribers. The newsgroup also operated a discussion forum where subscribers could contribute to the discussion. Dr Godfrey subscribed to the newsgroup and received his information through Demon Internet. Demon Internet in turn received the information from an American service provider. A message purporting to come from Godfrey but originating in the United States appeared in the newsgroup. The message was a forgery and its tone “squalid, obscene and defamatory”. On learning of the posting, Godfrey sent a fax to the defendant demanding the removal of the defamatory message. However, the message was only removed after 14 days, the period of time after which messages were routinely removed from the servers of Demon Internet. Godfrey consequently sued Demon Internet for libel.

Demon Internet relied on section 1 of the Defamation Act as a defence. It sought to show that it was not responsible for the posting but had played a purely passive role similar to that of a telephone company. However, in a preliminary hearing held to establish whether the Demon Internet could avail itself of the section 1 defence, Morland J held that the service provider was in the same position as that of “secondary” publishers such as bookshops, libraries and magazine wholesalers. The defendant could not be said to have played a passive role, because it had decided whether to store the material and for how long to store it. Once the service provider had been informed of the defamatory nature of the posting, it could no longer rely on the section 1 defence. In the absence of another defence (such as justification or privilege) the service provider was liable. The judge commented that any award for damages to the plaintiff was likely to be small. The parties subsequently reached a settlement before trial.

The Godfrey decision was approved in Totalise plc v Motley Fool Ltd. In the latter case, the court also required the service provider — in order to avoid liability — to hand over “any details held by it from which the source of the defamation could be identified.”

In the United Kingdom, a service provider is liable under the Defamation Act for third-party content if it knew or should have known of the defamatory content at the time of the service provider's publication of it. This would seem to place some minimum obligation on service providers to monitor information content.

In 2002, the United Kingdom adopted the Electronic Commerce (EC Directive) Regulations, in order to implement an EU Directive on e-commerce agreed to in 2000. The provisions of the Defamation Act must be read with these regulations. Whether these regulations will supersede the section 1 defence, or whether they will both be available, is not clear.

In most respects, the regulations follow the e-commerce Directive. In essence, they provide with immunity from liability service providers who act as mere conduits, cache information or are hosts, provided that certain conditions are met. Service providers lose immunity if they fail to remove defamatory material once they have actual knowledge thereof.

The regulations differ from the EU Directive in that they make it clear that the qualified immunity for intermediaries applies in respect of third-party material

Reed and Angel (eds) ibid. 257.
Internet Law 116.
Sore int bbe te [2001] QB 201.
In Law 117.
Edwards “D. and the ” 194 (cited in Reed Internet Law 1 3 fn. 100). Tinie: 1th ka ein Wee creer aaeee “But [s 1(3)(e)] is problematic in that it seems to require ... that to get the benefit of the s 1(1) defence, the ISP must only provide Internet access; and not do anything else — not, for example, exercise editorial control or spot-check content — for if they do, it would seem they will be exercising ‘effective control’ over the maker of the defamatory statement. Yet it seems unlikely that a service provider which neither monitors nor edits can succeed in proving, as s 1(1)(b) requires, that it took reasonable care to prevent the publication of the defamatory statement. There is thus an inherent catch 22”.
210 [1999] 4 All ER 342, [2001] QB 201.
211 Godfrey v Demon Internet Ltd [1999] 4 All ER 342 345, [2001] QB 201.
212 Godfrey v Demon Internet Ltd [1999] 4 All ER 342 352.
213 [2002] 2 All ER 827 (CA).
214 The defendant operated websites which included di jon hoards fori ings were made on a website of Motley Fool Ltd which Faulusicekaed wcordaneemn: Sieg ae ashes ik ae SF ar ere in ope ae sec Us Sevens ae the order and Motley Fool the d information Sal Wiss tn itches os ec dco orb sews once sas ts Solera moo Gan mee lish law a journalist may be held liable for contempt of court for refusing to reveal the identity of a source, unless non-disclosure of the source is in the interests of justice (see further Reed Internet Law
215 Reed Internet Law 116.
216 Statutory Instrument 2002 No. 2013.
217 Directive 2000/31/EC on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (Official Journal L 178 (17 July 2000)). The relevant provisions of the Directive are discussed below in para. 10.2.7.1B(c). See also Chapter 6 above.
218 In Bunt v Tilley [2006] EWHC 407 (QB) the court referred obiter to both the and the =) defe one takes preced: over the other (Reed and Angel (eds) Computer Law 258).

which is unlawful at both civil and criminal law. Furthermore, they do not contain a provision similar to article 15 of the Directive which provides that there is no general obligation on service providers to monitor information.

(c) The European Union

Directive 2000/31/EC on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (the e-commerce Directive), adopted in 2000, contains provisions on the liability of intermediary service providers. The deadline for European Union member States (including the United Kingdom) to translate the Directive into national law was 17 January 2002.

The provisions dealing with intermediary liability were included in the Directive because the disparities between member States' legislation and case law concerning the liability of service providers acting as intermediaries prevented the smooth functioning of the internal market of the European Union.

It is important to keep in mind that the exemptions from liability established in the e-commerce Directive cover only cases in which the activity of the service provider is limited to the technical process of operating and giving access to a communication network over which information is made available by third parties. It should also be borne in mind that the immunity provided is aimed not only at online defamation but also at any unlawful activity, such as infringement of privacy or of copyright. Furthermore, the exemptions extend to both civil liability (such as liability for defamation) and criminal liability (such as liability for pornography).

(i) Mere conduit

In terms of article 12 of the e-commerce Directive, “mere conduits” are not liable for third-party information that is transmitted by them. A “mere conduit” is a service provider that provides a communication network or provides access to a communication network and that does not
(a) initiate the transmission;
(b) select the receiver of the transmission; and
(c) select or modify the information contained in the transmission.

As long as a service provider takes no initiative in the transmission, it will be considered a “mere conduit” and have immunity from liability for third-party content. The service provider must have neither knowledge of nor control over the information transmitted. A “mere conduit” is essentially an information carrier similar to a postal service or a telephone network; this means that websites and web-based e-mail services which store information cannot be mere conduits.

“Intermediate and transient” storage of the information for the sole purpose of carrying out the transmission is also covered by article 12, provided that the information is not stored for longer than is reasonably necessary for the transmission. “Intermediate and transient” storage refers to brief and automatic storage of information by a computer in a network before that information is passed on to the next computer in the network.

Article 12 does not do away with the power of a court or administrative authority to order a mere conduit to terminate an infringement or prevent it from taking place. According to Smith exposure “to an injunction would therefore ... be assessed by reference to the underlying national law regarding the intermediary's possible liability for the tort or crime in question”.

(ii) Caching

In terms of article 13 of the e-commerce Directive, service providers that perform “caching” while transmitting information are also exempted from liability on certain conditions. Caching is described as the automatic, intermediate and temporary storage of information for the sole purpose of making the information's onward transmission more efficient. Service providers frequently store commonly accessed web pages temporarily on their computer systems so that the pages will be more quickly accessible to their subscribers. A service provider will not be liable for “caching” information provided
(a) the provider does not modify the information;
(b) the provider complies with conditions on access to the information;
219 See the discussion below in para. 10.2.7.1B(c). See also Reed and Angel (eds) Computer Law 244; Reed Internet Law 134 fn. 158.
220 See the discussion below in para. 10.2.7.1B(c).
221 Official Journal L 178 (17 July 2000).
222 Directives are a type of legislation in the EU. They are used in the harmonisation of public policy throughout the EU. The goals expressed in directives are binding, but member States are granted some latitude in deciding the actual form of implementation and the detailed content of the legislation (Roos “The law of data (privacy) protection: A comparative and theoretical study” (LL.D thesis, Unisa, 2003) 192-193 fn. 211). Although Directives set dates by when the member States must have translated the Directives into national law, these deadlines are often not met by the member States, with no apparent reprisal from the EU Commission.
Para. (40) of the preamble to Directive 2000/31/EC.
Para. (42) of the preamble.
See Lodder and Kaspersen eDirectives: Guide to European Union Law on E-Commerce 87; Smith Internet Law and Regulation 204, 207, 208 (“the intent of the Directive app[…] to be to provid[…] from both civil and criminal liability”). However, criminal law matters fall outside the remit of the EU (Reed and Angel (eds) Computer Law 270 fn. 199).
Art. 12(1) of Directive 2000/31/EC.
Para. (42) of the preamble to Directive 2000/31/EC.
See para. 10.2.7.1A(a) above.
UK Law Commission Defamation and the Internet 7 para. 2.12.
Art. 12(2) of Directive 2000/31/EC.
Art. 12(3).
Smith Internet Law and Regulation 207.
Art. 13(1) of Directive 2000/31/EC. The Directive's definition of caching does not necessarily reflect what happens in practice, which is that third-party information is sometimes retained in a cache for more than a moment. Longer-term storage is not considered by the law as “caching” but rather as “hosting” (Reed and Angel (eds) Computer Law 242).
For example, if a service has to be paid for by the user, the cached page may not be free of charge. Also, if the comp[…] the […] loses […] from […] that appear on the […]site but now app[…] on the service provider's cached web page, the service provider must pay compensation to the original website (Lodder and Kaspersen eDirectives 88).
(c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry;
(d) the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information;
(e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement.

A problem with caching is that the subscribers do not necessarily have access to the most recent version of the cached pages. Therefore service providers are obliged to comply with the industry standard regarding updating. Also, as soon as the service provider learns of the fact that the original pages have been removed (for example, because they contained defamatory material), the service provider may be liable if it does not act quickly to remove the cached version of such pages.

A court or administrative authority may order a service provider that performs “caching” to terminate an infringement or prevent one from taking place.

(iii) Hosting

“Hosting”, unlike “caching”, involves the storage of information that is not temporary. In terms of article 14 of the e-commerce Directive, when a service provider acts as a “host” by storing information for a recipient of its services at the request of the recipient, it is not liable for the information it stores, on condition that
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

Liability is not excluded when the recipient of the service acts under the authority or the control of the service provider. A court or administrative authority may still order a service provider to terminate an infringement or prevent one from taking place. Member States may also provide for procedures governing the removal or disabling of access to information.

A host is in essence an information distributor. Article 14 of the Directive concerns, inter alia, postings by third parties on newsgroups or discussion forums. It also covers websites under control of third parties. The “illegal activity or information” referred to in article 14 includes the posting by a third party of a defamatory statement to a discussion forum or on the website itself, and the exchange of information on where to find the defamatory material. It is not clear, however, whether service providers need only know that a prima facie defamatory publication is made, or whether they should also know that no defence (such as truth in the public interest, or justification) is available, before they are obliged to remove or disable access to the information. In practice, service providers may decide to remove the posting or the website once they become aware of the fact that it contains prima facie defamatory material, even when a ground of justification may exist justifying such publication, rather than risk being sued. On the other hand, removing prima facie defamatory material the publication of which is justified may lead the recipient of the service (the website owner) to institute a claim against the service provider for the latter's breach of contract. This dilemma places service providers in an unenviable situation.

Service providers have come to be seen as “tactical targets” in defamation actions and plaintiffs often go after them rather than after the primary publisher (whose identity may be difficult to establish or who may be the proverbial “man of straw”). The pressure on service providers to remove material, even if it is true and in the public interest, affects freedom of expression negatively. However, according to the preamble to the e-commerce Directive, the removal or disabling of access to information has to be undertaken in the observance of the principle of freedom of expression and of procedures established for this purpose at national level. The Directive also does not affect the possibility that member States may establish specific requirements that must be fulfilled expeditiously before the removal or disabling of information.

235 For example, the statistical program that keeps track of the number of users visiting the website is not allowed to get fewer hits solely as a result of the caching of the web page. It is therefore better not to cache all the information on the original web page, so that the statistical program can still be downloaded from the original website (Lodder and Kaspersen eDirectives 88).
236 Art. 13(1) of Directive 2000/31/EC.
237 Art. 13(1)(e).
238 Art. 13(1) (2). See also “Liability of service providers for third party material” www.outlaw.com/page488 (accessed 27 June 2006).
239 Art. 13(2) of Directive 2000/31/EC.
240 Art. 14(1).
241 According to Lodder and Kaspersen eDirectives 88-89, in the case of actual knowledge no exemption applies in respect of civil and criminal liability. A service provider who does not have actual knowledge of an illegal activity but is aware of facts and circumstances from which the illegal activity is apparent is not exempt from civil liability (claims for damages), but is exempt from criminal liability. On whether the immunity provided by the Directive also extends to criminal liability, see fn. 241.
242 Art. 14(2) of Directive 2000/31/EC.
243 Art. 14(3).
244 See para. 10.2.7.1A(b) above.
245 Or storing child pornography or copyright-infringing material (Lodder and Kaspersen eDirectives 88).
246 Lodder and Kaspersen eDirectives 88.
247 UK Law Commission Defamation and the Internet 12 para. 2.30.
248 Ibid. 11 para. 2.28.
249 Ibid. 13-16 paras 2.36-2.47.
250 Para. (46) of the preamble to Directive 2000/31/EC. Such requirements may assist a service pro[…] the removal of which could result in the service […] sued for breach of contract (Lodder and Kaspersen eDirectives 89). In South Africa, s 77(1) of the Electronic Communications and Transactions Act 25 of 2002 has introduced a take-down notice as a requirement for the re[…]
(iv) No general obligation to monitor

The e-commerce Directive provides in article 15 that member States may not impose a general obligation on service providers, when the latter provide the services covered by articles 12, 13 and 14, to monitor the information they transmit or store or to seek facts or circumstances indicating illegal activity. Clearly the e-commerce Directive does not want to change service providers into “cyberpolice”. Although the prohibition is aimed at the imposition of a general duty to monitor, it is not aimed at monitoring obligations in a specific case. Member States may impose an obligation on service providers to disclose illegal activities undertaken or information provided by recipients of their service, as soon as the service providers become aware of such activities or information. Member States may also impose obligations on service providers to disclose the identity of recipients with whom they have storage agreements.

The Directive encourages organisations to draw up codes of conduct for the proper implementation of the provisions of the Directive and for the use of alternative dispute resolution of disputes between service provider and recipients. Member States are also required to guarantee victims the means to settle disputes effectively and must therefore ensure that their legal procedure is adapted to provide prompt court actions.

(d) South Africa

The liability of service providers in South Africa is limited by the provisions of Chapter XI of the Electronic Communications and Transactions Act. These limitations do not exclude any defences available in terms of the common law or the Constitution. Nor do these provisions affect the service provider's obligations in terms of an agreement or of a licence. They also do not affect any obligation imposed on the provider by law or by a court to remove, block or deny access to any data message.

Like those in the e-commerce Directive, the exemptions from liability established in the ECT Act cover only situations in which a third party supplies the information and the role of the service provider is limited to the technical process of operating and giving access to a communication network. Service providers that act as primary publishers of information do not fall within the provisions of the ECT Act and cannot therefore rely on the immunity provided by the Act.

Furthermore, the immunity provided by the ECT Act is aimed not only at online defamation but also at any unlawful activity, such as infringement of privacy. The Act specifically provides in each instance that, notwithstanding the particular section giving immunity to service providers, “a competent court may order a service provider to terminate or prevent unlawful activity in terms of any other law”.

The provisions of the ECT Act regarding the liability of service providers are similar to those of the e-commerce Directive. As the Act was adopted after the e-commerce Directive one may assume that the drafters of the Act made use of the provisions of the Directive. This is to be welcomed because it harmonises South African law with that of the European Union. In addition, directives are adopted after serious deliberations between experts from the European Union member countries and thus represent good examples to follow.

A point of difference between the ECT Act and the e-commerce Directive is that the limitations of liability established by the Act only apply to a service provider if the latter is a member of a recognised industry representative body and has adopted and implemented the official code of conduct of that body. Service providers who do not belong to such a body or who did not adopt the code of conduct of the body cannot rely on the protection of the Act.

The representative body must be recognised by the responsible Minister. The Minister may recognise such a body if he or she is satisfied that the members of the body are subject to a code of conduct, that adequate criteria are set for membership, that the code of conduct requires continued adherence to adequate standards of conduct and that the representative body is capable of monitoring and enforcing its code of conduct adequately. It is obvious that the Minister will only recognise bodies that have a system of self-regulation in place.

Like the e-commerce Directive, the ECT Act distinguishes between service providers that act as mere conduits, those that cache information during transmission and those that act as hosts.

(i) Mere conduit

In terms of the ECT Act, a service provider acts as a mere conduit if it provides access to or for operating facilities for information systems, or transmits, routes or stores data messages via an information system under its control. In terms of section 73 a

251 Art. 15(1) of Directive 2000/31/EC.
252 Para. (47) of the preamble to Directive 2000/31/EC. Member States may also require service providers who host information provided by recipients of their service to exercise duties of care, which can reasonably be expected from them and which are specified by national law, to detect and prevent certain types of illegal activities (para. (48) of the preamble).
Art. 15(2) of Directive 2000/31/EC.
Art. 16.
Art. 17.
Art. 18. See Lodder and Kaspersen eDirectives 91.
Act 25 of 2002 (the ECT Act). For the purposes of Chapter XI, a service provider is defined as “any person providing information system services” (s 70). “Information system services” is defined in […] the provision of access to inf[…] of data mess[…] individual request of the recipient of the service”.
Ss 73(3), 74(2) and 75(3).
The Minister of Communications may recognise a body upon application by the body (s 71(1)).
S 72.
The respondent in Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) argued that it was entitled to the immunity of Act 25 of 2002 by virtue of the fact that it, the respondent, was a member of the Online Publishers Association. The court pointed out that the respondent failed to mention whether this body was recognised by the Minister as a representative body or whether it has an official code of conduct.
For a description of these functions, see para. 10.2.7.1B(c) above.
S 73(1) of Act 25 of 2002.
“mere conduit” is exempt from liability in respect of the data involved if the “conduit”
(a) does not initiate the transmission;
(b) does not select the addressee;
(c) performs the functions in an automatic, technical […] data; and
(d) does not modify the data contained in the transmission.

Although formulated in a fashion slightly different from that of the e-commerce Directive, these provisions are in essence the same as those of the Directive.

Like the e-commerce Directive, the ECT Act provides that the “automatic, intermediate and transient” storage of the transmitted information is protected under section 73, provided that such storage is
(a) for the sole purpose of carrying out the transmission in the information system;
(b) in a manner that makes it ordinarily inaccessible to anyone other than anticipated recipients; and
(c) for a period no longer than is reasonably necessary for the transmission.

Paragraph (b) is not part of the e-commerce Directive. It seems to be aimed at preventing unlawful interception of data during transmission.

(ii) Caching

Section 74(1) gives immunity from liability to a service provider that transmits data and during this process “caches” the data to make the data's onward transmission to the recipients more efficient, provided that the service provider
(a) does not modify the data;
(b) complies with conditions on access to the data;
(c) complies with rules regarding the updating of the data, specified in a manner […]
(d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain information on the use of the data; and
(e) removes or disables access to the data it has stored upon receiving a take-down […]

The provisions of the ECT Act regarding “caching” are similar to those of the e-commerce Directive and all the remarks made in this regard in paragraph 10.2.7.1B(c) apply here, save for those about the requirement of the removal of the information by the service provider. The e-commerce Directive requires removal of the information once the service provider has “actual knowledge” of the fact that the information was removed from the original website (the website the information of which is cached). The ECT Act provides more certainty for service providers by providing that they must remove the data “upon receiving a take-down notice”.

(iii) Hosting

Section 75(1) of the ECT Act provides that a service provider that provides a service consisting of the storage of data provided by the recipient of the service, is not liable for damages arising from the data stored at the request of the recipient of the service, as long as the service provider —
(a) does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of a third party; or
(b) is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent; and
(c) upon receipt of a take-down notification ... acts expeditiously to remove or to disable access to the data.

Again the wording of the ECT Act follows that of the e-commerce Directive. All that is said about hosting in the context of the e-commerce Directive is therefore also relevant with regard to the ECT Act, except for a few small but significant differences.

First of all, the e-commerce Directive provides that service providers who host data “are not liable” for storing them. This provision is wide enough to include immunity from both criminal and civil liability. The ECT Act, on the other hand, specifically provides that the host “is not liable for damages”. This is in contrast with the previous sections: a mere conduit is “not liable for providing access ... or transmitting data messages”; a service provider that “caches” data “is not liable for ... storage of the information”. A host, however, is “not liable for damages”. It seems therefore as if immunity from liability for hosts does not extend to immunity from criminal liability, whereas it does for service providers that are “mere conduits” or “caching” data. This matter is, however, yet to be settled by South African courts interpreting the relevant sections.

The Act also differs from the e-commerce Directive in that the limitations on the liability of hosts do not apply to a service provider unless the provider has designated an agent to receive notifications of infringement. The service provider must also have provided the name, address, telephone number and e-mail address of the agent through its services, including on its websites accessible to the public.

In terms of the Directive, the plaintiff need not give a take-down notice in a specified form. Hosts must remove offending material as soon as they have “actual knowledge” of illegal activity or information or “become aware” of facts or circumstances from which the illegal activity or information is apparent. In terms of the ECT Act, however, hosts need remove the stored data only after they have received a
267 The Act works with the concept of “data”, not “information” which is favoured by the Directive. In the end, the two concepts mean the same thing, in that “data” is defined as “the electronic representations of information in any form” (s 1 of Act 25 of 2002).
268 S 73(1).
269 See the remarks made in para. 10.2.7.1B(c) above.
270 […] passing the information on to the next computer in the network.
S 73(2) of Act 25 of 2002.
See para. 10.2.7.1B(c)(iii) above.
According to Reed Internet Law 134 fn. 158, it was said in the Explanatory Memorandum to the original proposal for a Directive (COM (1999) 427 final) 28 that immunities extend to criminal liability. However, Preamble para. (26) of the adopted Directive makes it clear that Member States […] criminal liability as well.
S 73(1) of Act 25 of 2002.
S 74(1).
S 75(1).
S 75(1) of Act 25 of 2002.
take-down notice. It therefore makes sense that the Act should provide for the appointment of agents by hosts to receive the notices.

The ECT Act seems to want to avoid putting service providers in the difficult situation of having to decide whether to remove data that are prima facie infringing but the publication of which may be justified. As already mentioned, hosts need only remove such data upon receiving a formal take-down notice. Therefore, a host will not be held liable for breaches necessarily committed in removing data in response to a take-down notice. The person giving the take-down notice will be liable if such notice was wrongful, in that it materially misrepresented the facts.

In Tsichlas v Touch Line Media (Pty) Ltd the court held that the respondent, a website host that also provided a “chat forum”, was not a service provider and therefore not entitled to the immunity offered by the ECT Act. It seems the court misunderstood the meaning of “service provider” and considered only “mere conduits” as service providers. The court said that “the Electronic Communications and Transactions Act 25 of 2002, in which provision is made for the protection of so-called ‘service providers’ who are regarded as conduits rather than as principals in the dissemination of information”.

It is correct that the respondent in this case was not a “mere conduit” — it was a “host”, but as such it should have been able to qualify for protection under the Act if it complied with all the other requirements (such as that it belong to a recognised representative body and adopt the code of conduct of that body). However, the court found — erroneously, it is suggested — that “[t]he whole basis on which its website operates seems to be that of a principal purveyor of information. It is clearly not, nor does it fall within the definition of, a service provider”.

Information location tools

When a website owner supplies a hyperlink on his or her website to a web page containing defamatory material, he or she draws attention to the defamatory material and is therefore responsible for publication thereof. The ECT Act addresses this issue in section 76. There is no similar provision in the e-commerce Directive.

Section 76 provides that a service provider is exempted from liability for damages (once more, exemption is only from “damages”) if the service provider refers or links users to a web page containing an infringing data message by using information location tools (such as a directory, index, reference, pointer or hyperlink), provided that the service provider
(a) does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of that person;
(b) is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent;
(c) does not receive a financial benefit directly attributable to the infringing activity; and
(d) removes or disables access to, the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to such data message, infringes the rights of a person.

This section does not mention a take-down notice. The service provider must remove or disable the link to the infringing data “after being informed” that the data infringe on the rights of a person. A person who receives revenue from the linked web page cannot rely on this section for immunity. Website owners who provide links, for which they are paid, to other websites risk being held liable for infringing information on those websites.

Take-down notification

The ECT Act poses certain formal requirements for a take-down notification. For example, the take-down notice must be in writing, addressed to the service provider or designated agent, and signed by the complainant. An electronic signature is acceptable. Consequently one can assume that an e-mail message that contains all the necessary information and is electronically “signed” will be acceptable.

The notice must also include such information as the full particulars of the complainant, the infringing material complained of and the remedial action required of the service provider. The complainant must also attach a statement to the effect that he or she is acting in good faith and that the information is, to his or her knowledge, true and correct. The person submitting the notification will be liable for wrongful take-down, not the service provider acting upon the notice.

No general obligation to monitor

Like the Directive, the ECT Act places no general obligation on service providers to monitor the data they transmit or store or to seek facts or circumstances indicating unlawful activity. Despite there being no general obligation to monitor, the Minister may, in certain specific instances, oblige service providers to provide information on illegal activities of the recipients of their services or to provide information that will help identify recipients of their services.

C Anonymity: Are ISPs obliged to reveal the identity of anonymous posters?

The person who posts a defamatory comment runs the risk of being sued for defamation. However, with the use of pseudonyms by many users or people posting anonymously, it is not always easy to identify the original author of the defamatory post. Even if a message seems to originate from a specific individual, it may be necessary to establish that it is genuine. Without the ability to identify (or unmask) the author of the defamatory statement, there is no point in trying to pursue legal […]

The following discussion will briefly focus on the pre-trial discovery procedures

S 77(2) and (3).
2004 (2) SA 112 (W). See also the discussion of the case in para. 10.2.4 above.
Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 123 (emphasis added).
“Service provider” is defined in s 70 of Act 25 of 2002 as “any person providing information system services”.
Reed and Angel (eds) Computer Law 246 describe this as “a significant omission”.
283 In s 77(1) of Act 25 of 2002.
284 S 78.
285 S 78(2).
286 Lloyd Information Technology Law 7 et 08.
[…] adequately pro[…] online speech?” Communications Lawyer […]
to identify the author of the defamatory comments that are used in the US and the UK, and conclude with the position in South Africa.

* John Doe actions in the US

The process is started by the victim of an alleged online defamation filing a law suit against a “John Doe” defendant. Thereafter the victim (plaintiff) would normally issue a subpoena to a third party internet service provider (ISP) requesting the true identity of the Doe defendant in order to include it into the defamation lawsuit. The ISP will usually notify its account holder (Internet speaker) of the receipt of the subpoena, after which the account holder will be able to file a motion to quash the subpoena (on the basis that his or her right to speak anonymously online would be infringed by the ISP disclosing his or her true identity.) The court would be called upon to balance these important and competing interests of, on the one hand, the Internet speaker who argues in favour of his or her anonymous speech rights and, on the other hand, the victim (plaintiff) of the alleged online defamation who asserts that he or she will not be able to institute an action for defamation without obtaining the identity of the Internet speaker.

Many federal and state appellate courts have developed notice- and merit-based tests first articulated in Dendrite International, Inc. v Doe No. 3 to determine whether the defendant's identity should be revealed. The court held that a plaintiff seeking discovery to unmask an anonymous poster must: (a) make reasonable efforts to notify the defendant that it is seeking to identify the defendant in the lawsuit in order to allow the defendant an opportunity to oppose the request, (b) specify exactly the actionable speech, (c) reference the available legal claim, and (d) produce sufficient prima facie evidence of each element of the claim.

* Norwich Pharmacal Proceedings in the UK

In the UK a victim can make an application in the High Court for a Norwich Pharmacal Order to obtain the identity of an anonymous poster of defamatory comments. This is an Order which requires that a third party who is “mixed up” in the wrongdoing (albeit innocently) disclose information as to the identity of the wrongdoer. The aim of the Order is to enable a prospective claimant to obtain the necessary information to take legal action against a wrongdoer who is infringing the claimant's legal rights. The granting of these Orders is totally in the discretion of the court.

* The position in South Africa

In South Africa, in contrast to the position in the US and the UK, the issue of pre-trial discovery is more problematic. Rule 35 of the Uniform Rules of Court does not as a general rule provide for discovery before the commencement of an action. It seems that past applications for obtaining discovery before commencement of an action have in most cases been refused. However, it seems that there is authority that an intending litigant may have the right to discovery before action commences, provided no other complete remedy was available to him. In order to side-step the thorny issue of discovery, the plaintiff in Rath v Rees applied for an Anton Piller order. However, the court held that this order was unsuitable for obtaining the identity of an anonymous poster. It infringed unnecessarily on the right to privacy of the respondent (the anonymous poster) and the applicant was unable to demonstrate exceptional circumstances justifying such an order.

The Promotion of Access to Information Act 2 of 2000 could also be used to obtain information (regarding the identity of the anonymous poster) before the commencement of an action. As seen from the position in the UK and US discussed

292 Norwich Pharmacal v Commissioners of Customs and Excise at (1974) AC 133 (HL) 175R-E; S7F-18RF. This procedure was also followed in the case of Totalise plc v The Fool Ltd & Another [2001] EMLR 29 […]; [2002] 1 WLR 1233 (CA). See also Sheffield […] Club Ltd and Others v Hargreaves [2007] EWHC (QB) 2375. See the discussion in Lloyd Information Technology Law 510. In terms of the s 5 of the Defamation Act 2013 it would now also be possible to obtain the identity of an anonymous poster as a result of the new defence that has been established for website operators. See “Defamatory material on websites — is the website host liable?” available at httpowww.burges-calmon.com, / Practices/dispates_and_litigation/News/1204.3aspx; Smith C “Anonymous posters and the new Defamation Act: The draft Regulations” […] (Operators of Websites) Regulations SI 2013 No. 30[…]
293 See the discussion in Nel “Online di[…]” in Papadopoulos S and Snail S (ed) Cyberlaw@SA III: The law of the internet in South Africa 261.
Rules regulating the conduct of the proceedings of the several provincial and local divisions of the Supreme Court of South Africa (the Uniform Rules of Court).
288 Sinrod = “Fr: of limits” not be used as a “fishing” exp the should not have eddy availa
hup:/ /blogs.duanemorris.com/techlaw/ (accessed on 10 Jan 2015); 8 AB secs As The be to him: the applicant cannot obtain discovery agains: one person for the purpose of beinging ac-
problem of unmasking anonymous online critics” 2007 CJLSA 195 200; Nel “Freedom of expres- thon against another person; the court will not come to the assistance of a litigant in this way in order
sion, anonymity and the internet” in Papadopoulos and Snail (ed) Cyberlaw@SA III: The law of the to enable bien to ascertain whether he has a cause of action. Cilliers ef al [Mertsicin and Van Winsen:
internet in South Africa 3 ext 261. The Ciwil Practice of i igh Coun Bs pion Coasts Moped Moa Africa
5 ed T79-B1.
775 A2d 756 (N.}. Super. CL. App. Div. 2001). 26 Rath o Rees 2007 (1) SA 99 (C). Cavin Stansfield “Anton Piller Applications under Attack” (De-
Following Dendrile, a similar west was adopted in Doe No. { o Cahill 884 A2d 451 (Del. 2005) with cember 2006) Without! Prejudice 12-13.
ne

the difference being thar the Calill wst rejects the Dendrite balancing test in favour of a summary 297 Rath o Rees 2007 (1) SA 99 (C).
ee Ore ee ee eg ee 298 S7 ands 50. ifthe jon falls into the y of har then the i y of the poster
aout Can Gill Procedure rules ack dy protect online can be obtained through the Protection from Harasanent Act of 2011, bat then one should take
aaa Communications Langerhep:/ /www americantar.ong/ publications ‘communications Sawyer / steps in terms of this ion.
2013/ november /unmasking anonymods, 299 See the discussion
of OCI (Pry) Lid 2 Rakie NNO 2003 (2) SA 325 (T) in Gilliers Herbsteim
internet_posters_can_civil_ procedure_rules_protect_online_speech.huml (accessed 10 Jan 2015). and Van Winsen: The Civil Practice of the High Coarts and the Supreme Court of Appeal of South
291 The term derives from the name of the judgment in which the principle wax established that a Africa (2009) 782.
ae ee Pharmacal 0 Commissioners of Customs and Excise
[i974] AC 133.
above, there is a need for a procedure to obtain information before the commencement of an action to put a claimant, whose reputation has been infringed, in a position to institute a claim for defamation against a wrongdoer who hides behind the cloak of anonymity. It is suggested that provision should be made for the identifying of the identity of an anonymous poster by implementing the common-law discovery proceedings or extending the application of rule 35 of the Uniform Rules of Court.

10.2.7.2 Jurisdiction, applicable law and enforcement of judgments

A Introduction: Explaining the issues

Because the complexities of jurisdiction, choice of law and recognition and enforcement of foreign judgments fall outside the scope of the present work, we will look only briefly at these issues.

(a) Identifying the defendant

A plaintiff who wants to sue for online defamation has several difficulties to overcome even before arguing his or her case in a court of law. The first problem is of a practical nature, namely to establish whom to sue — in other words, to establish who published the defamatory content (the so-called primary publisher). Because the primary publisher of defamatory material may have posted the defamation anonymously, service providers (the secondary publishers) have, as discussed above, become tactical targets.

The e-commerce Directive leaves it to the discretion of the European Union’s member countries whether to introduce an obligation on intermediaries to hand over details identifying individual subscribers to their services who are implicated in dealing with unlawful content.

In terms of the ECT Act, the Minister may, in certain specific instances, oblige service providers to provide information on illegal activities of the recipients of their services or to provide information that will enable the identification of recipients of their services.

(b) Identifying the proper forum (jurisdiction)

Another problem facing a prospective litigant is deciding in which court to sue. This decision will depend on, inter alia, which courts have jurisdiction — that is, the power to adjudicate on, determine and dispose of the matter. Different jurisdictions have different rules to establish jurisdiction. According to Reed, the normal rule is that both the State in which the tort was committed and the State in which the injury resulting from the tort was incurred (if the injury occurred in a different country) have jurisdiction over an action in respect of the tort.

According to Collier, the general rule in South Africa is that a South African court will only assert personal jurisdiction over a foreign defendant if it can offer the plaintiff an effective judgment. The doctrine of arrest or attachment is used to give effect to a judgment. Section 19 of the Supreme Court Act provides that a court has “jurisdiction over all persons residing or being in and in relation to all causes arising and all offences triable within its area of jurisdiction”. When a plaintiff alleges that a foreign defendant has defamed him or her, the court has to analyse the cause of action to determine whether it arose in the court’s jurisdiction. Sometimes it is argued that defamation takes place when the publication takes place (which can arguably be either when the defamatory publication is uploaded on a server or downloaded anywhere in the world) and sometimes it is said that defamation only takes place once the publication is completed (comprehended and understood).

In Tsichlas v Touch Line Media (Pty) Ltd both the plaintiff and the defendant were South Africans, but domiciled in different divisions of the High Court. The Witwatersrand Local Division founded jurisdiction principally on the basis that the online defamation occurred within its area of jurisdiction, in that publication of the defamatory material (when a third party downloaded it) took place within its area of jurisdiction. Furthermore, the plaintiff had a place of business, although not its principal place of business, within the court's area of jurisdiction. This “presence” was on its own sufficient to give the court jurisdiction.

In the United States the Supreme Court has held that due process in subjecting a defendant to a judgment in personam when he or she is not present within the territory of the forum requires that the defendant have certain minimum contacts with the territory of the forum such that the maintenance of the suit does not offend traditional notions of fair play and substantial justice. In other words, jurisdiction can be exercised over a foreign defendant if that defendant has “minimum contacts

300 Nel “Online defamation: The problem of unmasking anonymous online critics” 2007 CILSA 193 200; Nel “Freedom of expression, anonymity and the internet” in Papadopoulos and Snail [...]
301 For a detailed discussion of these topics, see Forsyth Private International Law 4 ed.
302 See Godfrey v Demon Internet Ltd [1999] 4 All ER 342, [2001] QB 201, discussed in para. 10.2.7.1B(b) above.
303 Directive 2000/31/EC on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market Official Journal L 178 (17 July 2000). See para. 10.2.7.1B(c) above.
304 Art 15(2) of Directive 2000/31/EC.
305 S 78(2) of Act 25 of 2002.
306 Forsyth Private International Law 4 ed (2003) 158.
307 Reed Internet Law 229.
308 Collier “Freedom of expression in cyberspace: Real limits in a virtual domain” 2005 Stell LR 23. She points out that the doctrine of arrest will probably not withstand constitutional scrutiny.
309 Act 59 of 1959.
310 S 19(1)(a). According to case-law the jurisdiction of the several High Courts in South Africa is derived from common law, not from any specific Act. The Supreme Court Act should therefore be interpreted in its common-law context. See Forsyth Private International Law 4 ed 167.
311 See the discussion of various cases from different jurisdictions below in para. 10.2.7.2B.
312 See Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W). See also the discussion of the case in para. 10.2.4 above.
313 The court recognised that this approach could lead to various complications, holding that: “In effect, [its] conclusion would mean that, whenever [...], anywhere in the world, accesses this website and reads and understands the words which are complained of in this matter, there will have been publication to that user at the place where the user has accessed the website” (Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 120).
314 Tsichlas v Touch Line Media (Pty) Ltd 2004 (2) SA 112 (W) 119.
315 [...]
316 Exercise of jurisdiction is [...] with the [...] of “minimum contacts” and “fair play and substantial justice” when (i) the non-resident defendant has purposefully directed his activities (continued)
with the jurisdiction.” A leading case is Young v New Haven Advocate. In this matter two newspapers based outside Virginia published articles, in part discussing the conduct of residents in Virginia. The articles were available both offline and online. Despite this fact, the United States Court of Appeals for the Fourth Circuit concluded that

The newspapers did not post materials on the Internet with the manifest intent of targeting Virginia readers. Accordingly, the newspapers could not have “reasonably anticipate[d] being hauled into court [in Virginia] to answer for the truth of the statements made in their article[s]” ... In sum, the newspapers do not have sufficient Internet contacts with Virginia to permit the district court to exercise specific jurisdiction over them.

Canadian courts assume jurisdiction over a case if there is a real and substantial connection between the action and the forum.

In Europe, the provisions of the Brussels Convention on Jurisdiction and the Enforcement of Judgements in Civil and Commercial Matters apply when the parties to the litigation are domiciled in a European Union member State. The basic rule of the Convention is that a defendant must be sued in the courts of the member State in which he or she is domiciled. However, in the case of delict, the defendant may also be sued in the courts “for the place where the harmful event occurred”. The “place where the harmful event occurred” has been interpreted by the European Court of Justice as including both the place where the damage occurred and the place of the event giving rise to it. The claimant may choose to sue the defendant in either of these places.

In order to prevent certain people litigating in England (libel tourists), section 9 of the Defamation Act of 2013 provides that the court will not have jurisdiction to hear a libel claim unless it is satisfied that England is the most appropriate jurisdiction. The provision applies to claims for defamation against a person who is domiciled outside the EU, Iceland, Norway and Switzerland.

Other international attempts to unify jurisdiction rules include the work of the Hague Conference on Private International Law. A Preliminary Draft Convention on Jurisdiction and Foreign Judgements in Civil and Commercial Matters provides that an action for tort or delict may be brought in either the State in which the act or omission causing injury occurred or in which the injury arose, unless the defendant can establish that it was not reasonably foreseeable that the injury could occur in that State.

(c) Identifying the applicable law (choice of law)

Once it has been established which court has jurisdiction, that court has to decide which law should be applicable to the issue. The fact that a court in a particular jurisdiction has accepted jurisdiction does not mean that the law of that forum will automatically apply. As was pointed out by Kirby J in the Australian case Dow Jones & Co Inc v Gutnick

a court may have jurisdiction, but it may equally be bound by the applicable rules of private international law to exercise its jurisdiction by giving effect to the law of a foreign jurisdiction. Where necessary, this is done by receiving evidence to prove what the foreign law is.

The European Union is working on a treaty (the so-called Rome II treaty) to provide a uniform EU rule on choice-of-law questions in non-contractual disputes such as defamation, copyright infringement and privacy infringements. Initially it was proposed that the law of the country in which the damage arises or is likely to arise, irrespective of the country in which the event giving rise to the damage occurred, would apply to most delictual actions. However, the European Commission issued a revised proposal in 2006 in which provisions relating to privacy and defamation were left out of Rome II.

or consummated some transaction with the forum or a resident thereof, or performed some act by which he purposefully availed himself of the privileges of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (ii) the claim arises out of or relates to the defendant’s forum-related activities; and (iii) the exercise of jurisdiction is reasonable (Bancroft & Masters Inc v Augusta Nat'l Inc 223 F3d 1082 1086 (9th Cir 2000)).
317 See Collier “Freedom of expression in cyberspace” 2005 Stell LR 34 for a discussion of the “effects doctrine” also used in American case-law, and the “Zippo sliding scale” used to establish minimum contacts.
318 Young v New Haven Advocate 315 F3d 256 (4th Cir 2002) as discussed by Svantesson “Borders on, or border around — the future of the Internet” at http://epublications.bond.edu.au/law_pubs/16 (accessed 14 July 2007).
319 At 26[...] (quoting Calder v Jones 465 US 783 [...] (1984)). The targeting approach is also strongly [...] “Cyberspace is real, [...] are fiction: The p[...] of expressive rights online through recognition of national borders in cyberspace” 2002 Stanford Journal of Int'l Law [...]
320 See, for example, Morguard Investments Ltd v De Savoye (1990) 3 SCR 1077; Muscutt v Courcelles (2002) 60 OR (3d) 20 (CA); Beals v Saldanha [2003] 3 SCR 416. The following factors are considered in determining whether there is a real and substantial connection: (i) the connection between the forum and the plaintiff's claim; (ii) the connection between the forum and the defendant; (iii) unfairness to the defendant in assuming jurisdiction; (iv) unfairness to the plaintiff in not assuming jurisdiction; (v) the involvement of other parties to the suit; (vi) the court's willingness to recognise and enforce an extra-provincial judgment rendered on the same jurisdictional basis; (vii) whether the case is interprovincial or international in nature; and (viii) comity and the standards [...]
[...] communications and online provision of professional services) within the EU are regulated by the provisions of the e-commerce Directive 2000/31/EC.
323 Art 5(3) of the Brussels Convention.
324 Bier v Mines de Potasse d'Alsace [1976] ECR 1725. See also Smith Internet Law and Regulation 252-24.
325 The section applies to defendants not domiciled in the UK, another Member State of the EU or a contracting party to the Lugano Convention. “The Defamation Act 2013: Taylor Wessing Analysis” http://www.taylorwessing.com (accessed 10 Jan 2015).
326 Available at [...]_drafte.pdf (accessed 6 June 2007).
327 See also the discussion by Collier “Freedom of expression in cyberspace” 2005 Stell LR 24-26.
328 [2002] HCA 56 para. 105.
329 Proposal for a Regulation of the European Parliament and the Council on the Law Applicable to Non-Contractual Obligations (“Rome II”) COM (2003) 427 final, available at http://ec.europa.eu/justice_home/doc_centre/civil/doc/com_2006_83_en.pdf
330 See UK Parliament Select Committee on European Union “Eighth Report” (2004) para. 28. See also Wimmer and Pogoriler “International jurisdiction and the Internet” www.cov.com/publications/download/oid11881/597.pdf (accessed 14 October 2006).
331 See www.dianawallismep.org.uk/pages/rome2.html (accessed 14 October 2006).
In many jurisdictions (for example those of Australia and Canada) the law of the place in which the defamation occurred will be the applicable law in defamation cases. Since 1996 the law of the place where the tort takes place has also applied in England for torts in general, but not for defamation. In defamation, an old English common-law rule stating that, for a tort to be actionable in an English court, it must be actionable under the law of both the forum (England) and the foreign place where the tort was committed still applies. This rule was abandoned by a 1995 Act for all torts except defamation. The rule was retained for defamation in order to meet the concerns of the media who wanted the defences available to them under the law of the United Kingdom to be available to them even if they publish abroad.

In the United States, the law of the jurisdiction with the closest connecting factor to the tort is applied.

In South Africa the question of the applicable law in delict cases is still undecided. Forsyth suggests that the law of the place where the delict was committed (lex loci delicti) should apply in most cases. However, there may be situations in which the place of the delict is uncertain or inappropriate; in such instances deviation from the lex loci delicti will be in order. Although the possibility of deviation from the general rule introduces an element of uncertainty, Forsyth argues that with time and litigation in this area the situations in which such deviation is permitted will become clear.

(d) Enforcement

Once a plaintiff has successfully sued for defamation, the next issue that may arise is how to enforce the judgment against a foreign defendant. Courts in different jurisdictions do not automatically enforce each other's judgments. As one commentator points out

This represents an extremely important limitation on the power of courts in any jurisdiction seeking to (successfully) hand down judgments against persons located in foreign jurisdictions (particularly where judgment has been made in default of appearance, and where the defendant has no assets in the court's jurisdiction.)

Under South African law, there are certain conditions to be fulfilled before a foreign judgment will be recognised, such as that the foreign court had international jurisdiction to decide the case, the judgment was final and conclusive and has not become superannuated, and the judgment must not be against public policy.

B Jurisdiction and choice of law in online defamation cases: A comparative look at case-law

(a) Dow Jones & Co Inc v Gutnick

Probably the most important case on jurisdiction on the Internet to date is the Australian High Court’s decision in Dow Jones & Co Inc v Gutnick. The saga started in 2000 in the Supreme Court of Victoria in Gutnick v Dow Jones & Co Inc. Gutnick, an Australian, brought a defamation action against Dow Jones in his home state of Victoria, Australia, where his business headquarters were located. Dow Jones, an American company, printed Barrons Magazine, which was also available online (as Barrons Online) via a subscription news site. Dow Jones had its editorial office in New York. Barrons Online was prepared in New York then sent by computer to the New Jersey office, where the servers on which the online version was loaded were located. Those who registered and paid an annual fee had access to the information found on the news site. In 2000, the news site had about 17 000 subscribers from Australia, 300 of which were in Victoria. Worldwide it had about 550 000 subscribers. To access the online version of Barrons, a user had to register a user name and password. In 2000, Barrons published an article entitled “Unholy Gains” in both the print and online versions. Gutnick claimed that he was defamed in this article. He confined his claim for defamation to publication that took place in Victoria.

Dow Jones argued that the Supreme Court of Victoria lacked jurisdiction in the matter or, in the alternative, that that court was a clearly inappropriate forum because publication took place where the article was uploaded onto the servers in New Jersey. However, the court found that the allegedly defamatory article was published in the state of Victoria when it was downloaded by Dow Jones subscribers. Hence, since the defamation took place in Victoria, the court could not be an inappropriate forum.

332 Dow Jones & Co Inc v Gutnick [2002] HCA 56 para. 107.
333 Bangoura v Washington Post 2004 CanLII 26633 (ON SC).
334 See Part III of the Private International Law (Miscellaneous Provisions) Act of 1995. See further Morris The Conflict of Laws 375. The law of the place of the tort may be [...] with the law of another forum if that forum has a more significant connection to the case (Morris The Conflict of Laws 381).
335 The “double limb” [...] AC 396 the rule was made subject to exceptions. It was stated th[...] limb” rule may be departed from if the facts of the case require it. [...] of policy [...] by the [...] of a foreign country (see further Morris The Conflict of Laws 371-375).
336 Private International Law (Miscellaneous Provisions) Act of 1995. See further Morris The Conflict of Laws 389.
337 See further Morris The Conflict of Laws 389.
338 Restatement (Second) on the Conflict of Laws (1972) § 145.
339 Forsyth Private International Law 4 ed 339.
340 Because this rule has been accepted in foreign jurisdictions such as Australia and Canada and accords with the reasonable expectations of most parties and with Roman-Dutch authorities such as Van der Keesel and Van Bijnkershoek (Forsyth Private International Law 4 ed 339). For a similar viewpoint, see also Kiggundu “Choice of law in delict: The rise and rise of the lex loci delicti commissi” 2006 SA Merc LJ 105.
341 Forsyth Private International Law 4 ed 339-340.
342 American courts, [...] conflict with the First Amendment’s [...] of freedom of speech. For a discussion of when South [...] Private International Law 4 ed 391. See also Eiselen “Int[...]” 2006 SA Merc LJ 45 and Collier “Freedom of expression in cyberspace” [...]
343 Saadat “Jurisdiction and the Internet after Gutnick and Yahoo!” 2005 (1) Journal of Info, Law and Tech 7.
344 Forsyth Private International Law 4 ed 591.
345 [2002] HCA 56.
346 [2001] VSC 305.
347 On the basis of the doctrine of forum non conveniens, which is applied mainly in common-law countries.
348 [2001] VSC 305 para 60.
Dow Jones appealed to the Victoria Court of Appeal and, when that appeal was rejected, to the High Court. The High Court confirmed the decision of the Victoria Supreme Court.

Dow Jones’s appeal concerned three issues, namely the jurisdiction of the Australian court selected by the plaintiff to decide the action; if jurisdiction existed, which law would apply in terms of the rules of private international law; and whether the proceedings should be stayed on the grounds of forum non conveniens (that the Australian jurisdiction selected by the plaintiff is an inconvenient forum compared to another jurisdiction propounded by the opposing party). All three issues, although separate and distinct, depended on the vital question of where the cause of action arose. In the words of Kirby J,

if Victoria [was] identified as the place of the tort, that finding would provide a strong foundation to support the jurisdiction of the Supreme Court of Victoria, and to sustain a conclusion that the law to be applied to the proceedings ... is the law of Victoria. These conclusions would, in turn, provide the respondent with powerful arguments to resist the contention that the proceedings should be stayed, or set aside, on inconvenient forum grounds.

The court pointed out that the tort of defamation focuses on publications causing damage to reputation. It is the damage that founds the cause of action. Harm to reputation takes place when a defamatory publication is comprehended by the reader, listener or observer. Until then, no harm is done by the publication. Publication is therefore not a unilateral act but a bilateral one in which the publisher makes the defamatory statement available and a third party has it available for his or her comprehension.

The bilateral nature of the publication also underpins the long-established common-law rule that every communication of defamatory matter founds a separate cause of action. Since defamation is concerned with damage to reputation, it is usually deemed to have occurred where the damage to the reputation is suffered. Ordinarily that will be where the allegedly defamatory material is available in comprehensible form, provided that the person defamed has a reputation there which is damaged by the defamation. The court could therefore hold that the place of the commission of the tort for which Gutnick sued was Victoria. That was where the damage to his reputation was alleged to have occurred, and he sought to vindicate his reputation in that state only. Since the defamation occurred in Victoria, that state had jurisdiction in terms of its Rules of Court. Australian law was to be applied to the case because choice-of-law rules determined that the applicable law was lex loci delicti. Victoria was also clearly an appropriate forum for the litigation of the respondent's claim to vindicate his reputation which had been attacked in Victoria.

Dow Jones argued that the traditional rules for establishing publication in defamation cases were not appropriate for the Internet. It argued that the rule for Internet publication should be akin to the “single publication” rule of the United States and that an article should be deemed published when it is uploaded to a server. The location of the server should, in other words, determine the choice of applicable law, as well as jurisdiction, unless that place was “merely adventitious or opportunistic”. Dow Jones sought to emphasise the special nature of the Internet. It also argued that with the Internet one cannot know where a website will be viewed.

The majority of the court was not impressed by the arguments about the differences between the Internet and previous communications technology. They were of the opinion that, however broad the reach of a particular means of communication may be,

those who make information accessible by a particular method do so knowing of the reach that their information may have. In particular, those who post information on the World Wide Web do so knowing that the information they make available is available to [...]

Dow Jones also advanced policy reasons for the application of a “single publication” rule centred on the location of the server hosting the material. It argued that, were the plaintiff to have a substantial reputation in more than one legal jurisdiction and able to seek to recover damages in all such jurisdictions in a single suit, the potential liability of publishers would have a “chilling effect” on free speech on the Internet.

The majority rejected this argument because it would allow publishers to manipulate uploading and location of data so as to insulate themselves from liability. Furthermore, the court held that journalists writing articles about prominent personalities can anticipate the jurisdiction(s) in which they may be required to defend defamation allegations. Plaintiffs are unlikely to sue for defamation published outside their home fora, unless a judgment obtained in another forum would be of real

349 Dow Jones & Co Inc v Gutnick [2001] VSCA 249. The Court of Appeal concluded that the decision of the Victoria Supreme Court was plainly correct.
350 See Saadat “Jurisdiction and the Internet after Gutnick and Yahoo!” 2005 (1) Journal of Info, Law and Tech 13. The arguments made by the parties are also taken from this article, the author of which refers to the transcripts of the case.
358 Paras 105 and 107.
359 Para. 202.
360 For a discussion of the development of the single-publication rule, see Dow Jones & Co Inc v Gutnick [2002] HCA 56 paras 27-35. The court pointed out that the single-publication rule initially was a term prescribing that all causes of action for widely circulated material should be litigated in one trial and that each publication need not be separately pleaded and proved, but that it eventually came to be understood as affecting, and even determining, the choice of law to be applied in de[...]
361 Dow Jones & Co Inc v Gutnick [2002] HCA 56 para. 20.
362 Paras 79 ff, 111 ff. Justice Kirby, departing from the view held by the other seven justices of the court, accepted the argument that the Internet is a unique medium, but held that it is the responsibility of the legislature to reform the [...] law rules of defamation (para. 56).
Para. 39.
Para. 152.
Paras 130 and 199.
value to them (for example, when the judgment is enforceable in a place where the defendant has assets).

The court was of the opinion that serious policy issues would be raised if the traditional common-law rules of defamation were not applied. What the appellant sought to do, according to Callinan J, was to impose on Australian residents an “American legal hegemony in relation to Internet publications”. Were the location of the server to determine jurisdiction and the choice of law, the result would be to confer on one country, the United States, an effective global domain over the law of defamation to the advantage of American publishers and to the disadvantage of those unfortunate enough to be defamed outside the United States.

Saadat su… the decision in Dow Jones & Co Inc v Gutnick. He emphasises that the implications of the High Court's decision are not that far-reaching. He argues that Dow Jones was found liable partly because it actively solicited subscribers to its website from around the world; as a result of its solicitation Dow Jones could readily ascertain the quantity and location of its subscribers. To escape the reach of Dow Jones, websites may, in future, shield themselves by ensuring that certain articles are not available to subscribers in particular jurisdictions. He also argues that reform of the common-law rules in the manner proposed by Dow Jones is undesirable. The server-location rule would create tremendous uncertainty and a whole new body of jurisprudence would be required to develop some semblance of predictability.

(b) La Ligue Contre le Racisme et l'Antisemitisme v Yahoo! Inc

Another case regarding jurisdiction and free speech on the Internet is that between Yahoo! (an American online intermediary) and two French non-profit organisations, the Union of Jewish Students in France and an organisation dedicated to eliminate anti-Semitism (LICRA). While this case dealt with hate speech on the Internet, jurisdiction was the major issue.

In 2000, LICRA sought an injunction against Yahoo! in a Paris court over the sale of Nazi memorabilia (such as Hitler’s book, Mein Kampf, and Nazi postage and coinage) on a website hosted by Yahoo!. Under French law it is illegal to sell or exhibit objects relating to Nazism. Yahoo! blocked the sale of the memorabilia on its French website (www.yahoo.fr), but certain items continued to be available through its American Yahoo! website (www.yahoo.com), which was accessible to French citizens. Yahoo! contended that the French court did not have jurisdiction to hear the case.

Para. "3.
Para. 200.
Vox.
“Jurisdiction and the Internet after Gutnick and Yahoo!” 2005 (1) Journal of Info, Law and Tech 17.
La Ligue Contre le Racisme et l'Antisemitisme v Yahoo! Inc (TGI Paris, 22 May 2000, interim court orders 00/05308, 00/05309). An English translation of the French case, as well as the subsequent American cases, can be found at www.juriscom.net/txt/jurisfr/cti/yauctions20000522.htm / www.gigalaw.com/library/france-yahoo-2000-11-20.html (accessed 27 June 2006). See also Saadat “Jurisdiction and the Internet after Gutnick and Yahoo!” 2005 (1) Journal of Info, Law and Tech 20.
Art. R645 of the French Criminal Code. This article bans the exhibition of Nazi propaganda for sale and prohibits French citizens from purchasing or possessing such material.
It was also argued that compliance with the order was impossible in that Yahoo! could not readily exclude access to the site from France.

The French court held that it had jurisdiction because (i) the mere display of the items offended against French law; (ii) although some aspects of the site were aimed at the United States, the memorabilia was of interest to anyone, including French people; (iii) Yahoo! caused harm to the particular plaintiffs; and (iv) the site was in any event aimed at France, as indicated by the fact that banner advertisements in French would appear to users who appeared to originate in France. The court held that Yahoo! had committed a wrong on the territory of France. Consequently the court applied French law to the issue and held that the Yahoo.com site violated the French Criminal Code. Yahoo! was ordered to comply with French law or face penalties.

(c) Bangoura v Washington Post

In Bangoura v Washington Post, Bangoura sued the Washington Post for an alleged defamatory article published by the Washington Post on its website in January 1997. At the time of publication, Mr Bangoura, a United Nations employee, was a resident of Kenya. Due to the publication of the defamatory article implying that Mr Bangoura was guilty of sexual harassment, financial improprieties and nepotism, Mr Bangoura was suspended from his position and moved to Quebec in February 1997. Mr Bangoura moved to Ontario in June 2000 and in April 2003 instituted a claim for defamation in Ontario against the Washington Post. The Court of Appeal for Ontario overturned the decision of the lower court which assumed jurisdiction. A unanimous Court of Appeal found that there was simply no real and substantial connection between the newspaper's action and Ontario and that it was not appropriate for the courts of Ontario to assume jurisdiction. The court held that the newspaper

373 In 2000 the German Bundesgerichtshof also issued a ruling that held that German law applicable … accessed by users of the Web in G… and used to disseminate anti-Holocaust material. …
374 A panel of experts was asked whether it was possible for Yahoo! to comply with the order. The court concluded that blocking French access to the American Yahoo site was technically possible.
375 Before the French litigants attempted to enforce the decision in an American court, Yahoo! asked a district court in California for an order declaring that French court's order unenforceable under the laws of the United States. The district court granted the order (Yahoo! Inc v La Ligue Contre Le Racisme et l'Antisemitisme et al 169 F Supp 2d 1181 (ND Cal. 2001)), but this decision was reversed by the Ninth US Circuit Court of Appeals. The court found that the district court had erred procedurally in that Yahoo! should have waited for the foreign litigants to seek to enforce the judgment in the USA before Yahoo!'s First Amendment claim could be heard by an American court. After this decision, Yahoo! asked the same Court of Appeals to hear the case again, this time with 11 judges. In 2006 the Ninth US Circuit Court of Appeals again rejected Yahoo!'s arguments, for two different reasons. Three judges ruled that Californian courts have no jurisdiction over the French organizations. Another three judges stated that the case was not “ripe” (meaning Yahoo! had not suffered sufficient hardship stemming from the French court's decision). In effect, Yahoo! failed to obtain immunity from the French court's decision (see Peres “Yahoo loses in Nazi memorabilia case” PC World 12 January 2006 http://pcworld.com/article/id,124967-page,1/article.html (accessed 15 October 2006)). In 2006 the US Supreme Court declined to hear the case (see Cross “Supreme Court declines to hear Yahoo Nazi case” Computerworld — Networking and Internet http://computerworld.com/action (accessed 14 July 2007)).
376 2004 CanLII 26633 (ON SC).
377 Bangoura v Washington Post 2005 CanLII 32906 (ON CA).
could not have foreseen that Bangoura would move to Ontario three years after the articles were published. To hold otherwise, according to the court, would mean that a defendant could be sued almost anywhere in the world, depending on where a defendant may decide to reside, long after the publication of the article. The court was also of the opinion that the articles in question “did not reach significantly into Ontario”, because of the small number of subscribers.

The court distinguished Bangoura’s situation from Gutnick’s on the basis that, at the time of the publication, Gutnick was living in the place where the defamation was published and that the magazine in Gutnick’s case had considerably more subscribers in the place where the defamatory article was published than the Washington Post had in Ontario.

(d) Burchell v Anglin

Regarding the question as to which country’s laws would be applicable in a case of defamation, it was decided in Burchell v Anglin, where the plaintiff was a South African, the defendant was a resident of Texas, and the plaintiff’s booking agent was situated in Nebraska, that the law of Nebraska was the applicable law — that was where the delict took place (where the defamation was published) and was the jurisdiction with the most significant relationship to the parties and the delict. However, the court pointed out that there are other factors too that had to be taken into account. Just as all South African law was subject to constitutional scrutiny, so too was the case with foreign law. The court had to consider whether the law of Nebraska passed constitutional muster before it could take the decision to apply that law. This had to be determined according to the facts of each case. The same

Even though the articles were still available for a fee, until the date of the court case only one person had paid to access the articles since their publication — the plaintiff’s attorney!
2010 (3) SA 48 (ECG).
The plaintiff operated a game reserve situated in the Eastern Cape and generated income by providing hunting safaris, photographic and taxidermy services, etc. Most of the business generated was done through the booking agent Cabelas, situated in Nebraska. When the relationship be… the defendant for defamation and loss of … due to … made by the defendant to the employees of Cabelas. An application was made for the Court to decide on the choice of law: does the law of Nebraska or South African law apply to the dispute?
381 Burchell v Anglin 2010 (3) SA 48 (ECG) at E21. For a discussion of this judgment, see Marx F “At last a South African proper law of delict: Burchell v Anglin 2010 (2) SA 48 (ECG)” 2011 Obiter 224; Schulze C “Conflict of laws” 2010 ASSAL 179; Schulze “The law reports” July 2010 De Rebus 26-27 at http://www.myvirtualpaper.com/doc/derebus/de_rebus_july_2010/2010062301/28.html#29
382 Burchell v Anglin 2010 (3) SA 48 (ECG) at 118.
Neels explains it as follows: “Crouse AJ decides that the lex loci delicti was the law of Nebraska as the defamatory statements were heard and read in that state. However, although “[weighing] heavily in the balancing scale” (par 124), the place of the delict was in final instance “only to be used as a factor in a balancing test to decide which jurisdiction would have the most real or significant relationship with the defamation and the parties” (par 128). Nevertheless, taking into account the other connecting factors (listed in par 124), the judge decided that the law of Nebraska would prima facie be applicable.” — Neels “Nebraskan defamation law to be challenged under the South African Constitution” http://conflictoflaws.net/2010/nebraskan-defamation-law-to-be-challenged-under-the-south-african-constitution/ (accessed Jan 2015).
383 Schulze “The law reports” July 2010 De Rebus 26-27 http://www.myvirtualpaper.com/doc/derebus/de_rebus_july_2010/2010062301/28.html#29

legal system should be used to determine both the existence of damage (the merits of a claim) as well as the quantum of damages. If the defamation is downloaded in South Africa — in other words, publication takes place here, it is possible that a court could decide that South African law should be applied, but there is no guarantee.

(e) Conclusion

It is evident that cross-border Internet defamation cases raise various difficulties. A defamation dispute involves the balancing of the freedom of expression with the protection of reputation. The balancing of these two values differs from country to country. As a consequence, different results are reached depending on where litigation takes place. The effect of this is that a publisher of a web page which is accessible from anywhere in the world has to comply with the most stringent limitations on freedom of speech in order to escape liability in all possible jurisdictions. Such a situation is untenable. Users of the Internet require legal certainty about their possible liability for publications made on the Internet. It is suggested that international co-operation, for example in the form of the adoption of an international treaty to harmonise legal rules in this area, may be the only real solution.

10.3 Hate speech online

10.3.1 Introduction

Freedom of expression on the Internet may also be curtailed by laws prohibiting hate speech. Hate speech is generally understood as meaning epithets or disparaging and abusive words and phrases directed at individuals or groups representing a specific race, religion, ethnic background, gender or sexual preference. The Internet has seen a proliferation of so-called “hate sites” since the middle of the 1990s. A study in 2005 estimated that there are more than 5 000 websites promoting racial hatred and violence, anti-Semitism and xenophobia.

Regulation of hate speech differs even more widely between the different countries than the regulation of defamatory speech. For example, in the United States a very permissive free-speech legal framework exists and hate speech is not prohibited per se but may provide evidence of motive in a hate crime. On the other hand, Canada has strong hate-speech laws, including provisions in both the Criminal Code and Human Rights Code. In the United Kingdom the Public Order Act of 1986

This question was left open in the case of Burchell v Anglin 2010 (3) SA 48 (ECG); Potgieter et al Visser & Potgieter Law of Damages 3 ed 580.
Potgieter et al Visser & Potgieter Law of Damages 580. Roos and Slabbert “Defamation on Facebook: Isparta v Richter 2013 (6) SA 529 (GP)” 2014 PER 28.
Reed Internet Law 257.
See also Svantesson “Borders on, or border around — the future of the Internet”.
Burns Communications Law 112; Nel “Freedom of expression and the Internet” 222.
Akdeniz “Executive summary for the stocktaking on efforts to combat racism on the Internet” www.… (accessed 14 July 2007). See also Nel “Freedom of expression and the Internet”
… 120; …
Nel “Freedom of expression and the Internet” 224.
Geist Internet Law in Canada 199. See also Burns Communications Law 120-121.
Canada Criminal Code RSC 1985, c C-46, s 319 and Canada Human Rights Act 1967-1977, c 33 respectively.
criminalises acts intended to stir up racial and religious hatred, including threatening and insulting words and …ays. Many European countries have adopted legislation to regulate hate speech.

It is important therefore to note that different standards may exist in different jurisdictions. Significant efforts are also being made at international level to align the laws in the various jurisdictions involved on the Internet. In this regard the provisions of the Protocol to the Convention on Cybercrime are important.

10.3.2 Regulation of hate speech in South Africa

10.3.2.1 Hate speech and the Constitution

Hate speech, being insulting and hurtful, infringes the dignity of the persons at whom it is directed. The right to human dignity is recognised in section 10 of the South African Constitution as a fundamental right. Furthermore, section 16(2) of the Constitution excludes advocacy of hatred based on race, ethnicity, gender or religion from the protection given by the freedom of expression guaranteed in section 16(1) of the Constitution.

10.3.2.2 Legislation affecting hate speech

A The Promotion of Equality and Prevention of Unfair Discrimination Act

In South Africa, with its particular political history, infringement of dignity and the unequal treatment of persons are inextricably linked. South Africa has signed the United Nations Convention on the Elimination of All Forms of Racial Discrimination, indicating its willingness to proscribe hate speech. The South African legislature has therefore adopted legislation to promote the equal treatment of persons — the Promotion of Equality and Prevention of Unfair Discrimination Act. This Act prohibits the distribution of hate speech.

394 See Reed and Angel (eds) Computer Law 581.
395 Burns Communications Law 116, 119. European countries that have signed the Additional Protocol to the Convention on Cybercrime, have to adopt legislation to criminalise hate speech (see para. 10.3.3 below).
396 …
397 South African law has treated contemptuous remarks about a person's race or racial views as defamatory of that person (see Neethling et al. Neethling’s Law of Personality 143; Argus Printing and Publishing Co Ltd v Esselen’s Estate 1994 (2) SA 1 (A) 22-23). The right to a reputation is, of course, … on social … liability” 2011 Obiter 322; De Vos “Malema judgment: A rethink on hate speech” …ing.co.za/malemajudgment…think-on-hate-speech…/; Nel SS “Free… anonymity and the internet” in Papadopoulos and Snail (ed) Cyberlaw@SA III: … in South Africa (3 ed) 2012 261; Afriforum and Another v Malema and Others 2011 (6) SA 240 (EqC); Afriforum and Another v Malema 2010 (5) SA 235 (GNP).
398 The Convention was adopted and opened for signature and ratification by General Assembly Resolution 2106 (XX) of 21 December 1965, and came into effect on 4 January 1969. Art. 4 of this Convention enjoins State Parties to declare an offence punishable by law all dissemination of ideas based on racial superiority or hatred, incitement to racial discrimination, and acts of violence or incitement to such acts against any race or group of persons of another colour or ethnic origin.
399 Act 4 of 2000.

Section 10 of the Act prohibits the publication or communication of hate speech intended to do harm or incite hatred. This prohibition only applies to hate speech based on the prohibited grounds defined in section 1(1). Note that the mere publication of the hateful words is not enough to infringe section 10: the words must reasonably be construed as demonstrating a clear intent to do harm.

Any person acting in his or her own interest, or on behalf of another, or as a member of a group, or in the public interest may institute proceedings in terms of the Act in a so-called “equality court” established by the Act. The equality court must hold an inquiry and determine whether hate speech has taken place as alleged. After the inquiry, the court may make an order that is appropriate in the circumstances. A list of the possible orders is given in the Act.

The liability of Internet service providers in South Africa is limited by the provisions of Chapter XI of the Electronic Communications and Transactions Act (the ECT Act). In the discussion of these provisions, the argument was made that the limitations in Chapter XI extend to both civil and criminal liability as far as service providers that act as “mere conduits” or “cache” data are concerned. (Note, however, the different viewpoint of Nel, that service providers are not protected from

400 S 10(1) of Act 4 of 2000 provides that “Subject to the proviso in section 12, no person may publish, propagate, advocate or communicate words based on one or more of the prohibited grounds, against any person, that could reasonably be construed to demonstrate a clear intention to —
(a) be hurtful;
(b) be harmful or to incite harm;
(c) promote or propagate hatred”.
401 According to s 1(1)(xxii) the “‘prohibited grounds’ are —
(a) race, gender, sex, pregnancy, marital status, ethnic or social origin, colour, sexual orientation, age, disability, religion, conscience, belief, culture, language and birth; or
(i) undermines human dignity; or
(ii) adversely affects the equal enjoyment of a person's rights and freedoms in a serious manner that is comparable to discrimination on a ground in paragraph (a)”.
S 20(1).
In terms of s 16(1), every magistrate's court and every High Court is an equality court for the area of its jurisdiction; and any magistrate, additional magistrate and judge may be designated by the Minister, after consultation with the Judge President or the head of an administrative region, as a presiding officer of the equality court of the area in respect of which he or she is magistrate, additional magistrate or judge, as the case may be.
S 21(1).
S 21(2). Possible orders include an interim order, a declaratory order, an order making a settlement between the parties, an order for the payment of any damages in respect of impairment of dignity, and in respect of pain and suffering or emotional and … suffering as a result of the hate speech, … to address the hate speech, an order to comply with the provisions of the Act and an order as to costs. The court can also issue an order directing the clerk of the equality court to submit the matter to the Director of Public Prosecutions for the possible institution of criminal proceedings in terms of the common law or relevant legislation.
Act 25 of 2002.
See para. 10.2.7.1B.
This is also the situation in the UK in terms of the Electronic Commerce (EC Directive) Regulations, 2002. See also Reed and Angel (eds) Computer Law 271.
criminal liability.) These limitations do not, however, affect any obligation imposed by law or by a court to remove, block or deny access to any data message. Therefore, if an equality court orders the service provider to remove, block or deny access to hate speech in terms of the Promotion of Equality and Prevention of Unfair Discrimination Act, the provisions of the ECT Act cannot interfere with such an order.

Despite its prohibitions, section 10 does not preclude the bona fide engagement in artistic creativity, academic and scientific inquiry, fair and accurate reporting in the public interest or publication of any information, advertisement or notice in accordance with section 16 of the Constitution. This means that, as a Danish court found in Jersild v Denmark, reporters and editors will not be held liable for hate speech when, for example, they broadcast (or distribute on the Internet) interviews with racist groups.

In Jersild v Denmark an interviewer and editor were charged with and convicted of complicity in making racist statements public in contravention of the Danish Penal Code. The interviewer interviewed members of a youth group which expressed views of a racist nature. Neither the interviewer nor the editor indicated support for the group. The interview was broadcast as part of a news and current affairs programme. The Supreme Court of Denmark upheld the conviction of the reporter and editor on the grounds that freedom of expression did not outweigh the legitimate interest in protecting members of minority groups against racist propaganda. The reporter appealed to the European Court of Human Rights on the grounds that his right to freedom of expression under article 10 of the European Convention on Human Rights, 1950 had been violated.

That court agreed with him. It held that the punishment of the journalist under these circumstances would seriously hamper the contribution of the press to discussions of matters of public interest. The reasons advanced in support of the applicant’s conviction and sentence were not sufficient to establish that the interference with his freedom of expression was necessary in a democratic society.

B The Films and Publications Act

The distribution of hate speech is also prohibited by the Films and Publications Act. Section 29(1)(c) of this Act provides that any person who knowingly distributes a publication which, “judged within context”, “advocates hatred that is based on race, ethnicity, gender or religion, and which constitutes incitement to cause harm”

409 Nel “Freedom of expression and the Internet” 206 interprets s 79 (the savings clause) as excluding immunity from criminal liability in terms of any other law or Act. Interpreted this way, Chapter XI only provides immunity from civil liability, whether the service provider acts as a mere conduit, or caches data, or acts as a host.
410 S 79(d) of Act 25 of 2002.
411 S 10(1) read with s 12 of Act 4 of 2000.
412 23 September 1994, Series A 298, ref. no. 36/1993/432/510, as discussed in Burns Communications Law 115.
413 23 September 1994, Series A 298, ref. no. 36/1993/432/510.
414 For more detail, see Burns Communications Law 115.
415 Act 65 of 1996.

is guilty of an offence. A publication is defined as including “any message or communication, including a visual presentation, placed on any distributed network including, but not confined to, the Internet”.

Because this offence requires the distribution of hate speech to be done knowingly, a service provider with no knowledge of the content of the material cannot be guilty of distributing hate speech. Furthermore, a user who downloads hate speech also does not commit this offence, as long as he or she does not distribute the hate speech any further.

However, in terms of section 29(4) there are numerous exceptions to the provisions of section 29(1) to (3) prohibiting the broadcast, distribution, exhibition and presentation of material advocating, inter alia, hatred:

(a) a bona fide scientific, documentary, dramatic, artistic, literary or … film, entertainment or play, or any part thereof which, judged within context, is of such nature;
(b) a publication, film, entertainment or play which amounts to a bona fide discussion, argument or opinion on a matter pertaining to religion, belief or conscience; or
(c) a publication, film, entertainment or play which amounts to a bona fide discussion, argument or opinion on a matter of public interest.

A person who contravenes this section of the Act may be sentenced to a fine or to imprisonment for a period not exceeding five years, or to both if aggravating factors are predominant.

10.3.3 The Additional Protocol to the Convention on Cybercrime

The Convention on Cybercrime is a convention of the Council of Europe. However, four non-member countries, one of which was South Africa, were involved in the drafting of this Convention. The Convention was adopted in 2001 and signed at that time by South Africa. Signatories are obliged to implement the provisions of the Convention in their national laws.

The criminalisation of acts of a racist or xenophobic nature committed by means of computer systems was discussed during the drafting of the Convention, but consensus could not be reached. It was agreed that a separate protocol would be drafted, and in January 2003 an additional protocol was agreed to. By May 2008, 31 member

416 S 1.
417 See also Nel “Freedom of expression and the Internet” 225.
418 S …) of Act 65 of 1996.
419 S 20(2).
420 Budapest, 23 November 2001: TS 189(2004).
421 Founded in 1949, the Council of Europe (to be distinguished from the Council of the European … heads of State of 47 European countries. There are also five observer countries, including the USA, Canada and Japan. The Council meets twice a year. Its aims are inter alia to protect human rights, democracy and the rule of law, and to find common solutions to the challenges facing European society. It also oversees the Convention on Human Rights, 1950. Its website is found at www.coe.int
See Reed and Angel (eds) Computer Law 579.
… racist and xenophobic nature … (Strasbourg, 23 January 2003:
States of the Council of Europe and two non-member States (Canada and South Africa) had signed the Additional Protocol.

The Additional Protocol defines “racist and xenophobic material” as

any written material, any image or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin, as well as religion if used as a pretext for any of these factors.

It requires each signatory State to adopt legislative measures to criminalise certain conduct committed “intentionally and without a right” by means of computer systems. The conduct that must be criminalised includes distributing racist and xenophobic material, making threats and insults motivated by racism and xenophobia, distributing material which denies, grossly minimises, approves or justifies genocide or crimes against humanity, as well as aiding and abetting the commission of any of these crimes.

The significance of the Additional Protocol is that it requires signatory States to establish similar substantive offences regarding the dissemination of racist and xenophobic material, thus contributing to the harmonisation of legal rules at the international level.

10.4 Online obscenity and indecency

10.4.1 Introduction

A popular view, according to Reed and Angel, seems to be that the primary activity on the Internet is the provision, distribution and downloading of obscene and indecent material, including pictorial pornography. Arguably, however, media statements about the prevalence of such material are usually overstated.

In relation to pornography (and other obscenity matters) Burns points out that the question is whether the law should play any role in the sphere of morality. In other words, should the State be involved in ensuring that “public morals” are not harmed or infringed? Recently the focus of the debate about the prohibition of pornography was on the harm that can be caused by pornography in the form of sexual acts accompanied by murder, sexual violence, sexual abuse of children, and sexual harassment.

TS 189). The Additional Protocol entered into force in March 2006, when it was ratified by a fifth member State.
424 South Africa signed the Protocol on 4 April 2008. The Protocol is available at http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=188&CM=8&DF=5/22/2008&CL=ENG.
425 Art. 2(1).
426 Art 3(1).
427 Arts 4-7. South Africa already complies with the provisions relating to di… of this type of material, courtesy of the provisions of the Promotion of Equality and Prevention of Unfair Discrimination Act 4 of 2000 and the Films and Publications Act 65 of 1996. See the discussions of these Acts in paras 10.3.2.2A and 10.3.2.2B, above, respectively.
Reed and Angel (eds) Computer Law 265.
Burns Communications Law 141.
Pornography has become a gender issue and is no longer a moral issue, according to Burchell Personality Rights and Freedom of Expression 39.

Most countries have laws in place that criminalise the distribution of obscene and indecent material in particular circumstances. These laws usually also extend to material distributed on the Internet. However, as in the case of laws regulating defamation on the Internet, there is no unanimity in the content of these laws. Different communities have different views on what should be considered obscene, indecent or pornographic. These differences are reflected in the laws of country, leaving service providers and users of the Internet in a difficult position, in that they could be held criminally liable for activities that are legal where they are situated but not in other jurisdictions in which they operate.

10.4.2 When is material obscene, indecent or pornographic?

In the United Kingdom, obscenity laws apply not only to sexual material but to any material the effect of which is to “deprave and corrupt” persons who are likely to read, see or hear the matter it contains. In terms of the law of the United Kingdom, therefore, a publication describing the use of drugs or showing scenes of violence can also be “obscene”.

In the United States, on the other hand, “obscenity” is limited to visual sexual (pornographic) material. In order to be pornographic, it must appeal to the prurient interest. The standard used to determine this is that of the local community. This means that material that is unobjectionable in one State may be illegal in another. This is precisely what happened in Thomas v United States. A husband and wife operated an online bulletin board. The files were located on their computer in California. The postal inspector of Tennessee downloaded material from their website. They were subsequently extradited from California to Tennessee where they were charged with interstate transporting of obscenity. A Tennessee jury found them guilty. It was argued on their behalf that the material was not obscene by Californian standards, but the judge held that the appropriate standard of the test for

431 Reed and Angel (eds) Computer Law 26%, 269.
432 S 1(1) of the UK’s Obscene Publications Act of 1959.
433 John Calder (Publications) Ltd v Powell [1965] 1 All ER 159; R v Skirving [1985] 2 All ER 705; Reed and Angel (eds) Computer Law 266.
434 Roth v United States 354 US 476 (1957). “Prurient” is defined as “interested in improper matters, especially of a sexual nature” (Morris (ed) The American Heritage Dictionary of the English Language 1054).
435 Miller v California 413 US 15 (1973). The Supreme Court held that obscene materials do not enjoy … obscene is: (a) whether the average person, applying contemporary community standards, would find the work, taken as a whole, appeals to the prurient interest; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value. The Supreme Court has allowed one exception to the rule that obscenity is not protected under the First Amendment: in Stanley v Georgia 394 US 557, 568 (1969), the court held that “mere private possession of obscene material” is protected.
436 Thomas v United States 74 F 3d 701 (6th Cir) cert denied, 117 S Ct 74 (1996). See also Reed and Angel (eds) Computer Law 265.
437 Under 18 USC § 1465.
Chapter 10: Freedom
of Expression 549 52 Information and Communications Technology law

obscenity was the standard of Tennessee, the place where the material was received differences. The age of sexual consent varies from 18 years (in Tennessee), 17 years
and viewed. (Ireland), 16 years (in South Africa, the United Kingdom, Germany, the Nether
The Canadian Criminal Code provides that matcrial will be deemed obscenc if its lands and many other countries), 15 years (Denmark and the Czech Republic), 14
dominant characteristic is “the undue exploitation of sex or of sex and any one or years (Italy, Chile, Croatia, Brazil and some other countries) to 13 years (Spain and
more of the following suece, namely crime, horror, cruclty and violence”. Un. Japan) of age.” In Iran and Saudi Arabia there is no legal age of consent, since sex-
due exploitation of sex” is interpreted as meaning child pornography, explicit sex ual relations outside marriage are prohibited by law.
coupled with violence and degradation or dehumanisation of women, when there is In some jurisdictions, such as the United Kingdom, the mere possession of child
a substantial risk of harm to society.” pornography is an offence.” As a general rule, the mere possession of (adult) porn-
ography is not an offence; criminal liability in connection with adult pornography
According to Burns, it is generally accepted that mildly erotic or sexual material
usually requires that the person intend distributing or exhibiting the material. In the
should not be subjected to censorship (in the sense of being prohibited by the State)
case of child pornography, possession with intent to distribute usually constitutcs a
other than making it inaccessible to young people.“ What should be considered
mildly erotic is, of course, asubjective question the answer to which may differ from more serious offence than mere possession.“
one jurisdiction to another.” “As Reed and Angel point out, it is clear from the
debates and the cascaw over the years that one person's “offensive, degrading and
10.4.3.2 Pornography laws involving minors in the United States
threatening” may well be another's great work of literauire or an, or protected The United States Congress has made several atiempts to jate the transmission
social, political or scxual statement, or “holiday snaps”. of obscene or indecent material to minors over the Internet” The first attempt was
the Communications Decency Act (CDA) of 1996. This Act made it a crime to
transmit indecent communications knowingly to any recipient under 18 years of age_
10.4.3 Pornography involving minors
The Supreme Court ruled in Reno 2 American Civil Liberties Union™ that the CDA
10.4.3.1 Differences in laws was unconstitutional because it was not narrowly tailored to serve a compelling
There is universal acceptance that the depiction of minors engaged in sexual con- governmental interest and because less restrictive means of regulating the conduct
duct is unlawful per se" Differences arise, however, about the unlawfulness of the concerned were available. It held that the Internet was a “unique and wholly new
material when the persons involved in sexual conduct are adults depicted as minors. medium of worldwide human communication” deserving of full First Amendment
In some jurisdictions such material is unlawful, whereas in others actual pantiG- protection. The court was of the opinion that it was possible to warn viewers of the
pation of a minor is required.‘® Differences regarding the unlawfulness of the ma- Internet about imminent indecent content. Since alternative methods of regulating
terial also exist when the images of minors are not of real children but created by the conduct existed, the CDA’s provisions were overbroad in that . they would also
computer. prohibit constitutionally protected indecent speech among adults. (It is a funda-
In determining whether pornography involves minors, the age at which a person mental First Amendment principle that the government may not suppress lawful
can consent to sexual activity is obviously important In this respect there are also speech as a means of suppressing unlawful speech.)

488 Their conviction was upheld by the Court of Appeals for the 6th Circuit and the US Supreme
Coun refused to bear the case (Thomas o United States 74 F <i 701 (6th Cir) cert denied,
117 S Cr 448 In the UK, the age of sexual consent is 16, but the Sexual Offences Act of 2003 amended the def
74 (1996))- inition of “child” in the Protection of Children Act of 1978 to mean “persons under 18" for the
439 Canada Criminal Code RSC 1985, ¢ C46, s 163(8)- purposes of “indecent photographs”. Hf a person in the photograph is 16 or 17 years of age, the
440 Ro Buller (1992) | SCR 452. photograph constitutes child pornography.
441) Burns Communications Law 144. See Reed and Angel (eds) Compruter Law 267-268 for the specific Acts determining these ages.
88

442 In 2007 Hollywood star Richard Gere kissed Kollywood star Shilpa Shetty several times on the cheek 8 160 of the Protection of Chikiren Act of 1978 (as amended by s 84(4) of the Criminal Justice and
in public at an AIDS awareness event in Delhi. A warrant for his arrest was subsequently issued for Public Order Act of 1994). See also the California Peral Code $ 311.11(a). For a discussion in
viokation
of local obscenity laws. general see Loyd Information Technology Law a1 230-238.
443 Reed and Angel (exis) Computer Lan 266. ASE Reed Internet Law 107_
444 Reed Internet
Law 107; Geist Internal Law in Canada 138.'The US Supreme Court has held (New York 452 Wortley and Smaltbone S Child Pornograply on the Internet (May 2012) bupc/ /wew.cops.usdoj gov.
@ Rerber 458 US 747 (1982)) that child pornography is material that visually depicts sexual conduct 453 47 USC § 223. Congressional authority t regulate at the state level is based on the commerce
by children below ’a specified age. Such material is not considered protected speech under the chuse, US Constitution art. 1,5 8, which provides that “The Congress shall have Power -. . To reg-
First Amendment. ulate commerce with foreign Nations, and among the several States”. Congress has the power to
As it is in, for example, the USA: see 18 USC § 2256(B). Federal child-pomography stamutes are legislate in the area of interstate telecommunications: the CDA was enacted as part of the Tele-
&

codified in 18 USC $§ 2251-2299. communications Ac


As in Canada: see RB w Sharpe (BOCA 1999 416) 30 June 1999_ 521 US 844 (1997).

$8

Such material is prohibaed in the UK (by the Protection of Children Act of 1978 and s 160 of the it is a fundamental First Amendment principle that the government may not suppress lawful
Criminal Justice Act of 1988) and in the USA (by 18 USC § 22546(C)). speech as a means of suppressing unlawful speech.
The successor to the Communications Decency Act is the Child Online Protection Act (the COPA) of 1998. The COPA imposed criminal penalties on the commercial distribution of material harmful to minors. In 1999 a federal district court granted a preliminary injunction prohibiting the government from implementing the COPA, concluding that the respondent (the American Civil Liberties Union) was likely to prevail in its argument that there were less restrictive alternatives to the COPA, particularly blocking or filtering technology. Therefore, the COPA was likely to fail the First Amendment test. A lengthy court battle followed, with the case going twice to the Court of Appeals for the Third Circuit and twice to the Supreme Court. The Supreme Court upheld the district court's injunction against the COPA in 2004, holding that the COPA probably violated free-speech rights, but sent the case back to the lower court to let the government re-argue its case. The Act remains inactive.

The Child Pornography Prevention Act of 1996 prohibited any visual depiction, including any photograph, film, video, picture or computer-generated image or picture that is, or appears to be, of a minor engaging in sexually explicit conduct. The Act would have forbidden the practice of taking images of adults engaged in sexual acts or posing nude and digitally altering the images to make the adults look like children. It was struck down by the Supreme Court in Ashcroft v Free Speech Coalition. The court held that the Act was overbroad in that it banned material that was neither obscene nor produced by the exploitation of real children.

In 2003, the US Congress enacted the PROTECT Act. One of its sections prohibits computer-generated images of child pornography if “such visual depiction is a computer image or computer-generated image that is, or appears to be virtually indistinguishable from, that of a minor engaging in sexually explicit conduct”. Another section of this Act, the “pandering provision”, prohibits offers to provide child pornography and requests for child pornography. This provision was upheld by the Supreme Court in US v Williams. The court held that the provision is neither “overbroad” under the First Amendment nor impermissibly vague under the due-process clause of the US Constitution.

The Children's Internet Protection Act of 2000 (CIPA) is another federal law dealing with distribution of pornography to children that was upheld by the Supreme Court. This Act forbids public libraries to receive federal assistance for Internet access, unless they install filtering software to block obscene or pornographic images, and prevent minors from accessing material harmful to them. The district court in US v American Library Association, Inc. decided that the CIPA was unconstitutional. The Supreme Court reversed this decision, holding that there are substantial governmental interests at stake: the interest in protecting young library users from material inappropriate for minors is legitimate and compelling. Given this interest and the failure by the applicants to show that adult library users' access to the material is burdened to any significant degree, the statute is not prima facie unconstitutional.

10.4.3.3 International efforts
The regulation of illegal content on the Internet cannot be efficiently addressed by individual States, because of the transnational character of the Internet. The Council of Europe and the European Union have adopted legal instruments aimed at harmonising the legal positions in their respective member States.

A The Council of Europe's Convention on Cybercrime
Despite not being a member State of the Council of Europe, South Africa was one of the drafters of the Council's Convention on Cybercrime. This Convention requires member States to establish as criminal offences in their domestic law certain acts regarding child pornography, when such acts are committed intentionally and without right. The types of conduct forbidden are
(a) producing child pornography for the purpose of its distribution through a computer system;
(b) offering or making available child pornography through a computer system;
(c) distributing or transmitting child pornography through a computer system;
(d) procuring child pornography through a computer system for oneself or for another person;
(e) possessing child pornography in a computer system or on a computer-data storage medium.

456 47 USC § 231 ff. Pub L No. 105-277.
457 In American Civil Liberties Union v Reno 31 F Supp 2d 473 (ED Pa 1999) (the case reached the Supreme Court with a different name: Ashcroft v American Civil Liberties Union).
458 See Ashcroft v American Civil Liberties Union 322 F 3d 240 (2000); Ashcroft v American Civil Liberties Union 535 US 564 (2003); Ashcroft v American Civil Liberties Union 542 US 656 (2004).
459 Child Pornography Prevention Act of 1996, Pub L. 104-208, 110 Stat. 3008-26.
460 535 US 254 (2002).
461 Bills are frequently introduced in this area of free speech, but not all of them become law. The Child Obscenity and Prevention Act of 2002 and the Child Pornography Prevention Act of 2005 are two such examples.
462 The Prosecutorial Remedies and Other Tools to End Exploitation of Children Today Act 18 USC 2422.
463 18 USC § 2256(8)(B).
464 18 USC § 2252A(a)(3)(B).
465 Case no. 06-694, decided on 19 May 2008.
466 Page 6-18 of the judgment.
467 Page 11-18.
468 17 USC § 1701. Pub L. 106-554.
469 US v American Library Assn, Inc 201 F Supp 2d 401. The district court held, inter alia, that Congress had exceeded its authority under the spending clause in that any public library that complies with CIPA's conditions would necessarily violate the First Amendment, that the CIPA filtering software constitutes a restriction on access to a public forum that is subject to strict scrutiny; and that, although the government has a compelling interest in preventing the dissemination of obscenity, child pornography, or material harmful to minors, the use of software filters is not narrowly tailored to further that interest.
470 In US v American Library Association, Inc, et al 539 US 194 (2003).
471 Convention on Cybercrime (Budapest, 23 November 2001: TS 185(2004)). See also para. 10.3.3 above.
472 Art 9(1).
“Child pornography” is defined as pornographic material that visually depicts
(a) a minor engaged in sexually explicit conduct;
(b) a person appearing to be a minor engaged in sexually explicit conduct;
(c) realistic images representing a minor engaged in sexually explicit conduct.
A “minor” is defined as any person under the age of 18 years; but a party to the Convention may use a lower age limit, which limit may not be lower than 16 years of age.

The definition of child pornography includes not only visual pornographic depictions of actual minors but also of adults depicted as minors. This definition is wide enough to include images of minors which are created by, for example, a computer. However, a party to the Convention may, upon signing the Convention, make reservations regarding some of these provisions. It may reserve the right not to criminalise mere possession of child pornography and the right not to extend the definition of child pornography to include paragraphs (b) and (c) of the definition.

Because South Africa has signed the Convention, the provisions of the Convention have to be given effect to in South African law.

B European Community programmes for a safer Internet
The European Community has also recognised that illegal and harmful content on the Internet needs to be tackled at Community level. In 1999 it adopted an Action Plan for a Safer Internet. The Action Plan budgets money for projects with the aim of fostering a favourable environment for the development of the Internet industry by promoting safe use of the Internet and combating illegal or harmful content.

The Action Plan was based on four courses of action:
(a) establishing a safer environment through a European network of “hotlines” and by encouraging self-regulation and the adoption of codes of conduct;
(b) developing filtering and rating systems, in particular by highlighting their benefits and facilitating an international agreement;
(c) encouraging awareness campaigns at all levels to inform parents and all people dealing with children (teachers, social workers and so on) of the best way to protect minors against exposure to content that could be harmful to their development;
(d) conducting support actions to assess legal implications, providing coordination with similar international initiatives and evaluating the impact of Community measures.

In 2005 a new programme, the Safer Internet Plus Programme, was adopted. It aims to empower parents and teachers with Internet safety tools. The four-year programme had a budget of €45 million to be spent on combating illegal and harmful Internet content. The new programme also covers other media, such as videos, and explicitly addressed the fight against racism, as well as spam. The new programme focuses more closely on end-users such as parents, educators and children.

10.4.4 The liability of service providers for possession and distribution of pornography
When liability in terms of an Act is based on the possession of pornography (usually only of child pornography), only intermediaries which act as hosts of material or cache material on their websites can be liable. Mere conduits cannot be said to possess the material. However, as liability in terms of the Act usually requires that the person act with a certain intent (such as that to distribute or exhibit the material), it will have to be proved that the service provider was aware of the nature of the material on its server. Whether the necessary awareness was present is a question of fact. However, sometimes a statutory presumption of intent may exist. In other words, a person found in possession of child pornographic material is presumed to intend distributing the material.
473 In art. 9(2).
474 Art. 9(3).
475 See the discussion in para. 10.4.5 below.
476 EU Parliament and Council Decision No. 276/1999/EC “Adopting a Multiannual Community Action Plan on Promoting Safer Use of the Internet by Combating Illegal and Harmful Content on Global Networks” (25 January 1999) Official Journal L 33 of 6 February 1999. An action plan is a non-binding legal instrument that aims to promote the general principles or aims of the EU. It is a financial instrument that is usually applied in such policy fields as industry or culture which are not part of the legal harmonisation of member countries.
477 A distinction is drawn between illegal and harmful content; these two types of content should be dealt with differently, according to the EU Commission. Illegal content must be dealt with at its source: by the police and the judicial authorities, whose activities are covered by legislation and judicial co-operation agreements. Service providers can be of valuable assistance in restricting the circulation of illegal content (particularly in the case of child pornography, racism and anti-Semitism) through properly functioning systems of self-regulation (such as codes of conduct and hotlines) governed and supported by legislation and with consumer backing. Harmful content is both that which is authorised but has restricted circulation (for adults only, for example) and that which could be offensive to some users, even if publication cannot be restricted because such restriction would be deemed an infringement of freedom of speech. Action to combat harmful content first and foremost involves technology (filtering tools and rating mechanisms) to enable users to reject such content by promoting awareness among parents, and fostering self-regulation. These could be an adequate way of protecting minors in particular.
478 See the Safer Internet Projects website at http://ec.europa.eu/information_society/activities/sip/projects/index_en.htm.
479 The Safer Internet Plus Programme (see fn. 429 below) provided co-funding for two European enabling Pree peor 2 lay redealcat ae pct eg ebay ter ranted sien reas aoe cered capability to recognise and process transmissions or forward them to other nodes.) Some awareness nodes (nodes that perform is ng activities) with helplines enabling children to raise concerns about illegal and harmful content and uncomfortable or scary er ee eee eee The European Commission has also en- nodes, hotlines and helplines at local level. Thus “combined nodes” composed of an awareness node, a hotline and a helpline have already been created in some countries. See the Safer Internet Projects website at http://ec.europa.eu/information_society/activities/sip/projects/index_en.htm.
480 EU Parliament and Council Decision No. 84/2005/EC “Establishing a Multiannual Community Programme on Promoting Safer Use of the Internet and New Online Technologies” (11 May 2005).
481 See Safer Internet Projects website: atfase (eerops elated basen in Veen
482 See, for example, s 1 (2) of the UK's Obscene Publications
In most cases, however, criminal liability only arises when pornographic material is distributed. Since all service providers distribute material, this is a problematic area for them. Reed identifies three basic approaches to the criminal liability of intermediaries:
□ The knowing distribution of obscene material is criminalised. This approach is followed in Tennessee. A service provider that does not monitor the contents of its server is able to plead ignorance. However, sometimes knowledge is imputed to the service provider if a reasonable person would have suspected the nature of the material.
□ The distribution of obscene material for gain is criminalised, subject to a defence of lack of knowledge, or reasonable suspicion, of the contents of the material. This is the approach in the United Kingdom.
□ The knowing distribution of obscene material is criminalised, although intermediaries who merely provide access to other servers without participating actively in the production or distribution of material are specifically exempted from liability. In other words, service providers who act as mere conduits cannot be held liable, but service providers who cache data or act as hosts are liable if they knew the material on their servers was obscene or pornographic. This approach is followed in California.

However, it should also be borne in mind that many jurisdictions have adopted laws or regulations that provide service providers with immunity for the third-party information they carry. Some of these regulatory regimes are discussed above in the context of defamation laws. As the global trend seems to be to extend immunity to criminal liability, the provisions of these regulatory regimes should be borne in mind in this regard.

10.4.5 Regulation of online pornography in South Africa
Online pornography is regulated by the Films and Publications Act. The Act regulates the creation and distribution of publications and films by means of classification, the imposition of age restrictions and, in the case of films, the imposition of conditions on the distribution thereof.

Any person who knowingly distributes a publication containing “banned” content is guilty of an offence. Apart from the usual forms of publication (such as newspapers, books, posters and so on) the Act's definition of publication includes any record, magnetic tape, soundtrack and computer software which is not a film. Significantly, for our purposes, a publication also includes “any message or communication, including a visual presentation, placed on any distributed network including, but not confined to, the Internet”.

A visual presentation includes a drawing, picture, illustration, painting, photograph or image, as well as such items produced by means of computer software. Any drawing, photograph, image or other publication that contains “banned” content and is knowingly distributed on the Internet contravenes the Films and Publications Act.

It is a specific object of the Act to make the exploitative use of children in pornographic publications, films or on the Internet punishable. Child pornography is defined in section 1 of the Act as including
any image, however created, or any description of a person, real or simulated, who is, or who is depicted or described as being, under the age of 18 years—
(i) engaged in sexual conduct;
(ii) participating in, or assisting another person to participate in, sexual conduct; or
(iii) showing or describing the body, or parts of the body, of such a person in a manner or in circumstances which, within context, amounts to sexual exploitation, or in such a manner that it is capable of being used for the purposes of sexual exploitation.

In terms of section 27, the production, importation and possession of child pornography are offences, if these actions are done knowingly. Hence, a person who downloads child pornography and knowingly keeps it on his or her computer is in possession of such material and guilty of that offence.

Section 27A of the Act imposes obligations on Internet service providers. They must register with the Films and Publications Board and take all reasonable steps to prevent the use of their services for the hosting or distribution of child pornography.

Further obligations are imposed on Internet service providers who know that their services are being used for the hosting or distribution of child pornography. Such an Internet service provider must
(a) take all reasonable steps to prevent access to the child pornography by any person;
(b) report the presence thereof, as well as the particulars of the person maintaining or hosting or distributing or in any manner contributing to such Internet address, to a police official of the South African Police Service; and
(c) take all reasonable steps to preserve such evidence for purposes of investigation and prosecution by the relevant authorities.

Service providers are also obliged to provide the police, upon the latter's request, with the particulars of users who have gained access or attempted to gain access to an Internet address that contains child pornography. A person who fails to comply with the provisions of section 27A is guilty of an offence.

Reed Internet Law 109-110.
Tennessee Code § 99-17-902(a).
In other words, the service provider can escape liability only if it was not negligent in not knowing the content.
See s 2(1) of the Obscene Publications Act 1959.
See § 312.6(a) of the California Penal Code. See also the French Telecommunications Law of 1996.
See para. 10.2.7.1 above.
Reed Internet Law 134 fn. 158. See, for example, the USA's Communications Decency Act of 1996 § 230; the UK's Electronic Commerce (EC Directive) Regulations 2002; s 10 of the Singaporean Electronic Transactions Act 1998 (quoted in Reed Internet Law 113); the EU Commerce Directive arts 12-15 (in terms of the Directive individual member States of the EU can decide whether to extend immunity to criminal liability).
Act 65 of 1996. See also Watney “Regulation of Internet pornography in South Africa (part 1)” 2006 Tydskrif vir Hedendaagse Romeins-Hollandse Reg 227; Watney “Regulation of Internet pornography in South Africa (part 2)” Ph aren ie fray earth reaper Nel “Freedom of expression and the Internet” in Papadopoulos and Snail (eds) Cyberlaw@SA I: The law ya han Soman ier
S 2 prohibits the distribution of publications or films classified as XX (because they contain caadesek ae. Weabaity, Racca; capi, degrading sex which constitutes incitement to harm or extreme violence) or X18 (because they contain a visual presentation, simulated or real, of explicit sexual conduct which, in the case of sexual intercourse, includes an explicit visual presentation of genitals). Films rated X18 may, however, be shown at so-called “adult” premises (s 24).
S 2(a).
Ss 25, 26 and 28 of Act 65 of 1996. “Banned content” is content classified as XX or X18.
S 1.
S 1. This part of the definition was added by s 1 (5) of the Films and Publications Amendment Act 34 of 1999.
S 1 of Act 65 of 1996. Computer software is defined in s 1 as “a programme and associated data capable of generating a display on a computer monitor, television screen, liquid crystal display or similar medium that allows interactive use”.
S 2(b).
In other words, computer-generated images are also covered by this provision.
S 27(1)(a). The fact that the offences in this Act must be committed knowingly implies that service providers can only be held liable if they have knowledge of the nature of the material they pass on, cache or host. However, the provisions of the Electronic Communications and Transactions Act 25 of 2002 also protect service providers from criminal liability, at least in so far as they act as mere conduits or cache data. (See the discussion in para. 10.2.7.1B(d)(iii) above.) If this holds true, service providers that comply with all the conditions of the ECT Act can escape criminal liability imposed in terms of the Films and Publications Act. Nel “Freedom of expression and the Internet” 206, however, is of the opinion that the effect of the savings clause (s 79 of Act 25 of 2002) is to exclude immunity from criminal liability in terms of any other law or Act.
S 27A(1).
S 27A(2).
“Internet address” is defined in s 1 as meaning “a website, a bulletin board service, an Internet chat-room or newsgroup or any other Internet or shared network protocol address”.
S 27A(3).
S 27A(4).
