State of Privacy South Africa

Table of contents

• Introduction
• Right to Privacy
• Communication Surveillance
• Data Protection
• Identification Schemes
• Policies and Sectoral Initiatives

Introduction

Acknowledgment

The State of Privacy in South Africa is the result of an ongoing collaboration by Privacy International and the Right2Know coalition.

Key Privacy Facts

1. Constitutional privacy protections: Section 14 of the Constitution of the Republic of South Africa protects the right to privacy.

2. Data protection laws: The Protection of Personal Information, Act 4 of 2013 (POPI) is the primary instrument regulating data protection in South Africa.

3. Data protection agency: Section 39 of POPI establishes the Information Regulator, a body composed of several members. Among the Information Regulator's duties are monitoring and enforcing compliance and handling complaints related to the enforcement of privacy laws.

4. Recent scandals: Members of the security services have been implicated in extrajudicial surveillance against South African citizens.

5. ID regime: South Africa's post-2013 smartcard ID includes a chip that contains the biometric information of the holder. That data is held by the Home Affairs National Identification System (HANIS).

Right to Privacy

The constitution

Section 14 of the 1996 Constitution of the Republic of South Africa provides for an express, justiciable right to privacy. It states:

"Everyone has the right to privacy, which includes the right not to have -

(a) their person or home searched;

(b) their property searched;

(c) their possessions seized;

(d) the privacy of their communications infringed."

This superseded section 13 of the interim Constitution of the Republic of South Africa Act 200 of 1993 ("the interim Constitution"), which was framed in largely the same terms.

Section 10 of the Constitution also contains a right to human dignity: "Everyone has inherent dignity and the right to have their dignity respected and protected."

The Constitution is the supreme law in South Africa (section 2), and the state is required to respect, protect, promote and fulfil the rights in the Bill of Rights (section 7(2)). It is binding on both state and non-state actors (section 8). All rights in the Bill of Rights can be limited by a law of general application, to the extent that the limitation is reasonable and justifiable in an open and democratic society (section 36). Certain statutes also compel organs of the state or other parties to protect private information obtained from the public, such as the National Health Act 61 of 2003; the National Credit Act 34 of 2005; the Consumer Protection Act 68 of 2008; the Electronic Communication and Transactions Act 25 of 2002; and the Promotion of Access to Information Act 2 of 2000.

Regional and international conventions

South Africa is party to a number of international instruments containing privacy protections, including:

• the Universal Declaration on Human Rights (article 12);
• the International Covenant on Civil and Political Rights (article 17); and
• the African Charter on the Rights and Welfare of the Child (article 10).

The Constitution provides that when interpreting the Bill of Rights, a court, tribunal or forum "must consider international law" (section 39(1)(b)); and that, when interpreting legislation, a court "must prefer any reasonable interpretation of the legislation that is consistent with international law over any alternative interpretation that is inconsistent with international law" (section 233).

Communication Surveillance

Introduction

The intense state secrecy surrounding surveillance practices, and an underdeveloped focus on surveillance from the journalistic, academic and civil society sectors, has limited the degree of insight into the true nature and extent of communications surveillance in South Africa.

Recent research undertaken by the Media Policy & Democracy Project, as well as previous efforts by the Right2Know Campaign, have shed some light on these matters. These developments happen against a backdrop of reportedly increasing abuses of state institutions for partisan gain, as well as a general trend towards securitisation, with the security agencies playing an increasingly visible role in policing the boundaries of democratic politics. This has manifested itself through new legislation, and surveillance of activists, journalists and perceived political opponents. 

In 2018, President Jacob Zuma resigned as head of state under pressure from his political party, and incoming President Cyril Ramaphosa has made a few pledges to reform aspects of the intelligence agencies’ work, and appointed new Ministers of Intelligence and Police.

Surveillance laws

Regulation of Interception of Communications and Provision of Communications Related Information Act (RICA) (2002)

RICA is the main communications surveillance law. Its stated aim is to regulate the interception of communications and related processes, including setting up a system for law enforcement to apply for judicial authorisation for the interception of communications. A recent research report by the Media Policy and Democracy Project compares RICA against the "Necessary and Proportionate" principles.

In April 2017, the amaBhungane Centre for Investigative Journalism launched a constitutional challenge to RICA. This challenge, initially to the high court in Pretoria, is contesting RICA on the basis of constitutional flaws and its failure to regulate bulk interception. In 2018, the Right2Know Campaign and Privacy International joined the case as a friend of the court. It is expected to be heard in March 2019. 

Judicial authorisation under RICA

RICA states that the interception of domestic communications can only be done with the authorisation of a designated judge. An interception direction may be granted when there are reasonable grounds to believe that a serious criminal offence has been, is being or probably will be committed. The law applies to internet service providers and telecommunications network operators, who are obliged to comply with any such warrant, called an "interception direction". The Act provides an emergency provision in which law enforcement agencies can track the location of a person's phone without getting pre-authorisation from a judge, provided that post-fact authorisation is sought.

The law makes no provision for a person to be notified that their communications were intercepted, and RICA forbids anyone to disclose any information about an interception direction. This means there is no user notification and service providers do not release compliance reports. The only information about judicial authorisation is a short undetailed annual report by the RICA judge which provides the total number of applications and authorisations by her office per year. This is tabled to Parliament's Joint Standing Committee on Intelligence and released to the public the following year, though there have been several discrepancies in the release of the reports, and general concerns that the reports lack any meaningful detail for the purposes of oversight, such as the number of targets to each authorised interdict, the type of interception authorised, and the suspected offence for which the interception is authorised.

On the issue of service provider transparency, in 2018 the Right2Know Campaign brought legal action against three major network operators (MTN, Cell C and Telkom) after they refused requests, in terms of freedom of information law, to provide a breakdown of how many warrants they had received in terms of RICA. Vodacom was alone in releasing this information (here).

The law makes no provision for a person to be notified that their communications were intercepted, and RICA forbids anyone to disclose any information about an interception direction. This means there is no user notification and service providers do not release compliance reports. The only information about judicial authorisation is a short undetailed annual report by the RICA judge which provides the total number of applications and authorisations by her office per year. This is tabled to Parliament’s Joint Standing Committee on Intelligence and released to the public the following year, though there have been several discrepancies in the release of the reports.

Provisions on metadata

RICA makes a distinction between communications content and metadata, which the Act defines as 'communication-related information'. RICA obliges all telecommunications and internet service providers to retain all users' metadata for a minimum of three years. The protections against interception of metadata are lower than those for communication content. Metadata older than 90 days is classified under the Act as 'archived' information and law enforcement can seek an interception direction for this from any High Court judge or magistrate.

In May 2017, an investigation by the Daily Maverick revealed that law enforcement agents frequently use section 205 of the Criminal Procedure Act to access call data records in a worrying number of cases, pursuant to section 15 of RICA. According to section 205, law enforcement officials can apply to a high court judge, regional court magistrate or magistrate for an order to obtain the records. Following questions by the Right to Know campaign, South Africa's leading mobile providers (Vodacom, MTN, Cell C and Telkom) revealed that they collectively disclosed 70,000 subscriber call records in response to law enforcement requests under section 205.

Financial Intelligence Centre Act (FICA) (2001)

The stated objective of FICA is to identify the profits of unlawful activities, and to combat money laundering. The Act states that all records about financial transactions between banking institutions and their clients to be stored for five years by either the institution or a third party delegated by the institution. The Financial Intelligence Centre can gather this information and make it available to investigating authorities, including the intelligence services. The Centre can also exchange this information with counterparts in other countries. According to the Matthews Review Commission, the Financial Intelligence Centre is a client of the National Communications Centre, a government communication interceptions facility.

National Strategic Intelligence Act (NSIA) (1994)

The NSIA creates a range of intelligence structures and provides general guidelines for their function, including stipulating that covert intelligence gathering may only legally be conducted by these agencies.

Cybercrimes Bill

Since 2015, the South African government has been working on a cybercrimes legislation, with the stated aim of bringing South African law in line with international standards and create specific offences for cyber-related crime such as online fraud, forgery, extortion and terrorism. In 2015, a draft Bill drew significant opposition from civic groups, the public, and many parts of industry voiced significant opposition to the bill, on the basis that the draft Bill would infringe on internet freedom and expand the state’s surveillance powers.

In 2017, Parliament began deliberations on the Bill, which was dubbed the Cybercrimes and Cybersecurity Bill. Despite having undergone some positive revisions since its draft phase, the 2017 version of the Bill nevertheless contained a number of worrying provisions that concentrated cybersecurity powers in the hands of intelligence agencies, and potentially criminalising free expression through an overly broad definition of "malicious communications", some of which were spelled out in the Right2Know Campaign’s submission on the Bill.

Right2KnowCampaign

In October 2018, Parliament began deliberations on a significantly revised version of the Bill, now called the Cybercrimes Bill, which the justice department tabled. All provisions relating to cybersecurity have been removed from the Bill, and the provisions around ‘malicious communications’ narrowed. The Bill would need to be adopted by both houses of Parliament before it could be signed into law.

Surveillance actors

All state intelligence structures are governed by the National Strategic Intelligence Act. This stipulates that covert intelligence gathering may only legally be conducted by these agencies, and chapter 11 of the Constitution of South Africa creates broad regulations on the conduct of members of the agencies.

State Security Agency (SSA)

The State Security Agency (SSA) is the civilian intelligence agency of the South African government, falling under the Ministry of State Security. The SSA was formed in 2009 as an amalgamation of the National Intelligence Agency (NIA), which was responsible for domestic intelligence gathering, and the South African Secret Service (SASS), which was responsible for foreign intelligence gathering. The SSA has been criticised for its expansive domestic mandate which has led it to take an increasingly public role at the sideline of politics and civic affairs.

In 2013, the General Intelligence Laws Amendment Act was passed, amending and updating a range of laws affecting intelligence structures. One of the amendments was to specifically exclude matters relating to "lawful political activity, advocacy, protest or dissent" from the national security mandate. However, it is clear that the Agency continues to monitor lawful political activity and gather political intelligence in general.

The SSA also contains the Special Operations Unit, which appears to conduct extralegal surveillance. Rogue agents of the unit are allegedly engaged in using state resources to conduct "dirty tricks" campaigns, including cigarette smuggling and smear campaigns. An investigation in late 2017 by Rapport and News24 found that the SSA spent more than a billion rand (approximately US$ 72.1 million) in "irregular expenditure" since 2012.

In 2018, President Cyril Ramaphosa appointed an expert panel, comprising former intelligence figures and academics, to review the functions and operations of the State Security Agency.

Crime Intelligence Division (South African Police Service)

The Crime Intelligence Division (CID) is a unit of the South African Police Service. Though its detailed mandate is not encoded in law, CID is responsible for gathering intelligence on criminal activity, to support police investigations and to make crime fighting efforts more effective. Crime Intelligence also has authority to use surveillance, and conduct covert and undercover operations.

The Crime Intelligence Division also commits considerable, but as yet unquantified, resources to monitoring community organisations involved in protest and other political activity.

Crime Intelligence has also been seriously rocked by corruption scandals, organisational instability, and the appointment of people facing serious criminal charges to the senior leadership. These include Crime Intelligence head Richard Mdluli, who has since been fired.

Since 2017, the Independent Police Investigative Directorate, a state watchdog, has launched a series of criminal prosecutions of various former Crime Intelligence officials accused of corruption and abuse of state resources. Notably, this includes allegations that intelligence slush funds were used to influence elections for party leadership within the African National Congress.

Defence Intelligence Division (South African National Defence Force)

The Defence Intelligence Division, falling under the South African National Defence Force, is the military intelligence structure. The Defence Intelligence Division has a limited public profile.

Office for Interception Centres (OIC)

The Office for Interception Centres (OIC) is established in terms of RICA, and falls under the SSA. It provides communications interception services for law enforcement agencies in terms of RICA, and administers the 'hand over' of data from internet service providers and network operators to law enforcement.

National Communications Centre (NCC)

The National Communications Centre (NCC) is a national facility for intercepting and collecting electronic signals, and also falls under the SSA. According to the Matthews Review Commission, and subsequent investigative reports, the NCC has mass surveillance capabilities which are unregulated by law and therefore unconstitutional. Twice the Ministry has introduced legislation that sought to recognise the NCC in law. In the first instance the Bill was withdrawn; in the second instance, the relevant provisions were removed in deliberations.

Private sector actors

A number of South African companies are known to provide communications surveillance services or software, though the extent of their operations in South Africa is unknown. Two companies in particular have been associated with the South African government: VASTech and iSolv Technologies.

VASTech SA Pty Ltd is a South African company that designs and sells hardware and software capable of mass surveillance. Though its full client list is unknown, in 2011 it emerged that VASTech had sold its technology to the Gadaffi regime in Libya. In 2013, research by Privacy International revealed that the South African government had given public funding to VASTech to develop its products, prompting speculation that South Africa may also be a VASTech client. VASTech has also previously been active in Syria.

iSolv is a South African company providing products and services related to "lawful interception" and "targeted monitoring". One product called CS Intercept, is advertised on the iSolv website as "a versatile, purpose built appliance for the lawful interception and filtering of telecommunication networks". iSolv was noted by one vigilant cybersec blog as a prominent sponsor of a government-and-industry cybersecurity symposium in 2015. It is speculated that iSolv has some operational responsibilities at the government's Office for Interception Centres (OIC): in 2016, when the Right2Know Campaign attempted to make contact with the head of the OIC to notify them of a protest to be held at the facility, a government spokesperson referred R2K to an iSolv employee. The OIC has also been a client of iSolv.

Surveillance capabilities

Targeted interception of communications

RICA provides the state with extensive albeit regulated powers to conduct targeted interception of communications in South Africa with the cooperation of telecommunications network operations and internet service providers (see section 2.3 of the MPDP investigative monograph).

Blanket retention of metadata

Article 30(1)(b) of RICA requires telecommunication service providers to store "communication-related information" (i.e. metadata) for up to five years. Metadata is information about a communication, but not the content of such communication. This means that all telecommnications and internet users in South Africa are subject to a form of mass surveillance, as a detailed register of their communications interactions are stored by default. The technical requirements that RICA places on telecommunications are further detailed in subsequent regulations.

Interception of communications outside of legal frameworks

There have been several signs that the state is able to intercept communications outside of RICA's legal framework. Investigative reports in the Mail & Guardian reflect information from anonymous sources that the Office of Interception Centres is capable of intercepting communications illegally, with more extensive detail available in a recent investigative monograph.

Mass Interception of Communications

In 2008 the Matthews Commission found that the South African government had "bulk collection" capabilities through the National Communications Centre (NCC), the government's national facility for intercepting and collecting electronic signals in South Africa. The NCC appears to have been designed for the collection and analysis of foreign signals (communication that emanates from outside the borders of South Africa, or passes through or ends in South Africa). The Matthews Commission's report noted that the NCC is able to conduct "environmental scanning" of signals and unspecified other forms of "bulk collection" which appears to include mass monitoring of telecommunications, including conversations, emails, text messages and data, without judicial authorisations or other safeguards. The Matthews Commission found that these powers are unlawful and unconstitutional.

"Grabbers" - IMSI catchers

Extensive evidence has emerged that South African police, and possibly other security agencies, have access to IMSI catchers, locally referred to as "grabbers". IMSI catchers are a broad category of devices that mimic the operation of a cell tower in order to entice users' mobile phones to surrender personally identifiable data such as the SIM card number (IMSI). Though the specific type of devices presumed to be used by the South African government is not known, in recent years IMSI catcher technology has become far more sophisticated and can reportedly intercept voice, SMS and data.

In July 2015, several private individuals were arrested in a police sting, reportedly while trying to sell a privately owned 'Grabber'. Several media reports carried on- and off-the-record comments by police sources which strongly suggested that government agencies have bought and presumably used such technology themselves. Further evidence of police use of 'Grabbers' was detailed in an investigative report in the Mail&Guardian newspaper.

In 2018, an anonymously-sourced report in the Afrikaans newspaper Rapportalleged that the military’s Defence Intelligence Division had procured a mobile surveillance van from a Chinese supplier, which may have included ‘Grabber’ technology.

While regulations issued under RICA prohibit the private use, sale or possession of such technology, it is not clear if authorities are following the legal process in RICA to apply for judicial authorisation when using a Grabber device. Failing to do so would make the use of this technology unlawful, and information requests by the Right2Know Campaign to verify this were refused. However, as 'Grabbers' are capable of mass surveillance, which is unregulated through RICA or any law, it is unclear if use of such devices is lawful at all. In November 2015, Parliament's Joint Standing Committee on Intelligence stated that it intended to "revisit RICA with a view of whether any changes would be required to strengthen the Act in the likely event that the Judge is not sufficiently empowered to deal with matters such as grabbers."

Spyware

Though unconfirmed, there is evidence that spyware has been used by state or private actors in South Africa. FinFisher is a trojan software developed by British surveillance software company Gamma Group and sold by FinFisher GmbH in Germany. Once surreptiously installed on a user's device, FinFisher is capable of taking screenshots, recording audio and keystrokes and other invasive forms of data collection. CitizenLab research first detected the presence of FinFisher on South African servers in 2013, while Wikileaks has recorded that FinFisher representatives visited South Africa in 2012 and 2013. In 2015, the investigative TV show Carte Blanche reported that FinFisher may have been used by a covert intelligence unit in the South African Revenue Service (SARS). 

In 2018, a Citizen Lab report documented possible presence of the Israeli-made Pegasus spyware on South African networks.

 

Surveillance oversight, checks and balances

Oversight of surveillance in South Africa would normally take the form of oversight by the responsible minister, parliamentary oversight, judicial oversight and external independent oversight. However, each of these oversight mechanisms has been noted for serious shortcomings in transparency and independence.

Oversight in RICA

The RICA legislation makes provisions for checks and balances through both internal and external oversight mechanisms. These oversight mechanisms include the judicial, legislative and executive branches of government.

RICA provides that a designated judge be appointed to enforce RICA. The appointed RICA judge is mandated to report every year to Parliament’s Joint Standing Committee on Intelligence (JSCI) with an annual report. The JSCI, which oversees both the functions and the reviews of the intelligence services, is then also mandated to release a public report on the application of RICA. Data from these reports, which have been noted for lacking detail and consistency, has been analysed in R2K's 2014 State of the Secret Nation Report.

As of November 2018, there is no independent oversight body that can check and review the decisions and reports of a RICA judge. The designated oversight body, the JSCI, generally holds hearings and discussions behind closed doors and often releases highly selective and redacted reports and information providing insufficient information for the public to understand.

Parliamentary oversight

According to the Intelligence Services Oversight Act, all State Security structures, including the oversight bodies, must account to Parliament's Joint Standing Committee on Intelligence (JSCI). The JSCI is a closed committee. Members have strict security clearances. In terms of the rules of Parliament, the JSCI operates behind closed doors by default and any documents before it are classified. Only by resolution of the Committee can a meeting be opened or any document made public, and in practical terms, this has rarely happened. The Matthews Commission criticised the JSCI's make-up for lacking transparency and tending to lack independence from the executive. The Right2Know Campaign has publicly criticised the JSCI for lacking transparency, undermining public participation and generally shielding the security structures from justified public scrutiny.

Office of the Inspector General of Intelligence

The Inspector-General is a civilian oversight office mandated to investigate complaints from members of the public and members about the intelligence services on any allegation of maladministration, abuse of power, or criminal activity by State Security, Crime Intelligence or Defence Intelligence. It is created through Section 11 of the Constitution and the Intelligence Services Oversight Act. The office's powers are also limited in law -- the IG can only disclose limited information to a complainant, and only make information public after consulting the President and the Minister of State Security or Police. Nevertheless, the IG has the potential to be a powerful watchdog for the public, but in reality, has seldom played that role.

The position of Inspector General of Intelligence was vacant between March 2015 and March 2017, due to a political deadlock in the appointment process which Parliament must oversee. This delay was disastrous for oversight on surveillance abuses, and Right2Know has been forced to run a campaign on the mere appointment of the watchdog. On 13 March 2017, the President confirmed the appointment of Dr Isaac Dintwe as the Inspector General of Intelligence, following Parliament's approval of his nomination in November 2016.

In April 2018, the Inspector General’s powers and independence were tested when Dintwe alleged that then-head of the State Security Agency, Arthur Fraser, had sought to strip him of his security clearance to block an investigation of his affairs. The Inspector-General secured a court order against interference in his duties, and further launched a court application seeking to amend the governing legislation to insulate of his office against political interference. As of November 2018, the application has yet to be heard.

 

Surveillance case law

Constitutional Court case law regarding the right to privacy

Several cases at the Constitutional Court have dealt with the right to privacy.

Bernstein and Others v Bester NO and Others (CCT 23/95) [1996] ZACC 2:

The dispute in question arose between a firm of chartered accountants and various liquidators regarding sections 417 and 418 of the Companies Act 61 of 1973. These provisions dealt with the summons and examination of persons during the winding up of a company unable to pay its debts. Part of the challenge included an argument that a witness' privacy is invaded when he or she is forced to disclose their books or documents that they want to keep confidential and to reveal information that they want to keep to themselves.

The court noted that a claim to privacy would have to be founded on the content of the information that the examinee is forced to disclose, not on his or her desire not to disclose it, which facts were not before the court. The court nevertheless made certain observations about the right to privacy, which it described as "amorphous and elusive" (para 65). The court noted in this regard that "it is only the inner sanctum of a person, such as his/her family life, sexual preference and home environment, which is shielded from erosion by conflicting rights of the community. This implies that community rights and the rights of fellow members place a corresponding obligation on a citizen, thereby shaping the abstract notion of individualism towards identifying a concrete member of civil society. Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly" (para 67).

It stated further that "[a] very high level of protection is given to the individual's intimate personal sphere of life and the maintenance of its basic preconditions and there is a final untouchable sphere of human freedom that is beyond interference from any public authority. So much so that, in regard to this most intimate core of privacy, no justifiable limitation thereof can take place. But this most intimate core is narrowly construed. This inviolable core is left behind once an individual enters into relationships with persons outside this closest intimate sphere; the individual's activities then acquire a social dimension and the right of privacy in this context becomes subject to limitation" (para 77).

Case and Another v Minister of Safety and Security and Others; Curtis v Minister of Safety and Security and Others (CCT 20/95; CCT 21/95) [1996] ZACC 7:

These cases concerned the constitutionality of section 2(1) of the Indecent or Obscene Photographic Matter Act 37 of 1967, which provided that "[a]ny person who has in his possession any indecent or obscene photographic matter shall be guilty of an offence and liable on conviction to a fine not exceeding one thousand rand or imprisonment for a period not exceeding one year or to both such fine and such imprisonment".

The Constitutional Court held that section 2(1) was in conflict with the right to privacy, and imposed an unjustifiable limitation on the right. Consequently, the provision was struck down. As stated by Didcott J, "[w]hat erotic material I may choose to keep within the privacy of my home, and only for my personal use there, is nobody's business but mine. It is certainly not the business of society or the State. Any ban imposed on my possession of such material for that solitary purpose invades the personal privacy which s 13 of the [interim Constitution] guarantees that I shall enjoy" (para 91). (This position was, however, qualified by some of the other judges, who noted that this could be subject to limitation in appropriate circumstances, such as with regard to child pornography.)

NM and Others v Smith and Others (CCT 69/06) [2007] ZACC 6:

A biography titled "Patricia de Lille" disclosed the names of three HIV positive women without their consent. The affected women sued for damages, arguing that their rights to privacy, dignity and psychological integrity had been violated. In assessing whether these were private facts, the court noted that private facts have been defined as those matters of which the disclosure "will cause mental distress and injury to anyone possessed of ordinary feelings and intelligence in the same circumstances and in respect of which there is a will to keep them private" (para 34).

The court noted that private and confidential medical information contains highly sensitive and personal information about individuals, and reflects "delicate decisions and choices relating to issues pertaining to bodily and psychological integrity and personal autonomy" (para 40), and that there is therefore "a strong privacy interest in maintaining confidentiality" (para 41). In the context of HIV specifically, the court noted that the affirmation of secure privacy rights under within the Constitution may encourage individuals to seek treatment and divulge information encouraging disclosure of HIV which may previously have been hindered by ostracism and stigmatism. The court was of the view that this protection of privacy raises in every individual an expectation that he or she will not be interfered with, and there would need to be a pressing social need for that expectation to be violated and the person's right to privacy interfered with; on the facts of the case, no such compelling public interest existed. The court concluded that the publication of the affected women's HIV status constituted a wrongful publication of a private fact and a breach of the women's right to privacy.

Mistry v Interim National Medical and Dental Council and Others (CCT 13/97) [1998] ZACC 10:

This case dealt with whether the powers of entry, examination, search and seizure given to inspectors by section 28(1) of the Medicines and Related Substances Control Act 101 of 1965 were consistent with the constitutional right to privacy. In terms of this provision, the only criterion for entering "any premises, place, vehicle, vessel or aircraft" was that the medicine or scheduled substance was there or reasonably suspected of being there. Once on the premises, the inspector were permitted to look both at the medicine or scheduled substance, as well as "any book, record or document". The court held that to the extent that a statute authorises "warrantless entry into private homes and rifling through intimate possessions, such activities would intrude on the 'inner sanctum' of the persons in question and the statutory authority would accordingly breach the right to personal privacy" (para 23). As such, the provision was held to be an unjustifiable limitation of the right to privacy, and accordingly struck down.

With regard to the unjustifiability of the limitation, the court stated that: "To sum up: irrespective of legitimate expectations of privacy which may be intruded upon in the process, and without any predetermined safeguards to minimise the extent of such intrusions where the nature of the investigations makes some invasion of privacy necessary, section 28(1) gives the inspectors carte blanche to enter any place, including private dwellings, where they reasonably suspect medicines to be, and then to inspect documents which may be of the most intimate kind. The extent of the invasion of the important right to personal privacy authorised by section 28(1) is substantially disproportionate to its public purpose; the section is clearly overbroad in its reach and accordingly fails to pass the proportionality test" (para 30).

National Coalition for Gay and Lesbian Equality and Another v Minister of Justice and Others (CCT 11/98) [1998] ZACC 15:

This matter dealt with various provisions in terms of statute and the common law that criminalised sodomy. Although the Constitutional Court primarily decided the matter on the basis of the equality clause, finding that the crime of sodomy violated the right of homosexuals not to be discriminated against on the basis of sexual orientation, it also found the crime of sodomy to be unconstitutional as a breach of the rights to privacy and dignity. With regard to privacy, Ackermann J stated that "[p]rivacy recognises that we all have a right to a sphere of private intimacy and autonomy which allows us to establish and nurture human relationships without interference from the outside community. The way in which we give expression to our sexuality is at the core of this area of private intimacy. If, in expressing our sexuality, we act consensually and without harming one another, invasion of that precinct will be a breach of our privacy" (para 32).

Minister of Police and Others v Kunjana (CCT 253/15) [2016] ZACC 21:

This matter dealt with a warrantless search of an individual's property and seizure of items, namely drugs and cash, by the South African Police Service in terms of section 11(1)(a) and (g) of the Drugs and Drug Trafficking Act 140 of 1992. These provisions granted police officials the power to conduct a warrantless search in any premises if there are reasonable grounds to suspect that an offence under the Drugs and Drug Trafficking Act has or is about to be committed, and the power to seize anything that would result in an infringement of that legislation.

The court accepted at the outset that the provisions violated the rights to privacy and dignity, and concentrated its attention on whether this was a reasonable and justifiable limitation in accordance with section 36 of the Constitution. The court noted that the more a search intrudes into the inner sanctum of a person (such as their home), the more the search infringes their right to privacy. It went on to hold that the provisions are problematic "as they do not preclude the possibility of a greater limitation of the right to privacy than is necessitated by the circumstances, with the result that police officials may intrude in instances where an individual's reasonable expectation of privacy is at its apex" (para 26). The court concluded that less restrictive measures exist to achieve the purpose of the legislation, and that the impugned provisions could not be justified in terms of section 36 of the Constitution.

Lower courts

Several criminal cases involving breach of RICA and related offences have been playing out in South Africa's lower courts.

"Grabber" case

Several individuals face prosecution in the Pretoria Magistrate's Court after being arrested in a police sting, allegedly while trying to sell an IMSI Catcher. Reports claim that the device was purchased from Israeli security company Verint. While one of the individuals appears to have used his position as a government employee to purchase and import the device, it is alleged to have been used for private purposes. The arrest, court case and surrounding media coverage has shed light on the fact that law enforcement agencies possess and use similar technology, although the extent remains unclear.

The accused have claimed to have been part of a project of State Security -- the full extent of the intrigue has been mapped out by the amaBhungane Centre for Investigative Journalism.

Sunday Times 'bugging' case

In August 2017, the former Crime Intelligence official Bongani Cele was found guilty under s58 of RICA of spying on the phone communications of journalists Mzilikazi wa Afrika and Stephan Hofstatter in 2010. Cele was sentenced to three years in jail, suspended for four years.

The case dates to 2010 when the SAPS Crime Intelligence Division (CID) is alleged to have fraudulently intercepted the metadata of the two Sunday Times investigative journalists who were publishing major exposes on scandals in police leadership. Evidence suggested that Crime Intelligence officials convinced the RICA judge to authorise their surveillance under false pretences, submitting the journalists' phone numbers with fictional names and claiming the request was part of an investigation of a criminal syndicate. Cele is the only official to be convicted for illegal communications surveillance under RICA.

Scheepers case

Former Crime Intelligence official Paul Scheepers faces prosecution in the Bellville Special Commercial Crimes Court for a range of offences, including contravening RICA. Scheepers is accused of running a private security firm alongside his police duties and supplying falsified affidavits to a magistrate in order to get metadata records of lawyers, senior police officers, an individual from the financial services regulator, and other individuals. He is also accused of acting as a vendor for a UK based company called Forensic Telecommunications Services Ltd (FTS), helping sell an IMSI Catcher on behalf of FTS to a local cash-in-transit security firm.

Matthews Commission

The Matthews Commission was a Ministerial Review Commission into the policies and practices of the intelligence structures in terms of the Constitution, established by the former Minister of Intelligence in 2006 after a series of 'spy' scandals. Though it does not have the standing of a court judgement, the Commission's report remains the most detailed and authoritative finding on surveillance structures, laws and practices in South Africa. The findings of the Matthews Commission report, which became public in 2008, include:

• Evidence of surveillance abuses and evidence that the intelligence services had an inappropriate interest in "lawful political and social activities";

• The oversight systems, including the Inspector General of Intelligence and Parliament's intelligence committee, lacked appropriate levels of transparency and independence; and

• The capabilities of the National Communications Centre (NCC) include mass surveillance, and a finding that these capabilities are unlawful and unconstitutional.

The Matthews Commission report has effectively been ignored on a technicality — it 'leaked' to the media before being tabled before Cabinet. This has allowed state officials to refuse to recognise the report, saying it has "no status" because it was not properly processed.

Examples of surveillance

While various political leaders, civil society activists and unionists have reported concerns that they are targets for surveillance (see here), the best documented case studies relate to journalists.

In June 2018 the Right2Know Campaign published a report on case studies of journalists who appear to have been surveilled.

In addition to the aforementioned cases involving Sam Sole and journalists of the Sunday Times, other notable cases for which there is documentary evidence are:

Jacques Pauw 

Jacques Pauw authored The President’s Keepers, a best-selling expose on alleged corruption between various senior officials and a well-connected business family. In 2018, newspapers received transcripts of a phone call between Pauw and the Inspector General of Intelligence, which appeared to show that the SSA recorded his phone calls to identify ‘state capture’ whistleblowers.

Athandiwe Saba 

In April 2018, it was reported that the phone records of Mail&Guardian reporter Athandiwe Saba had been illegally acquired by a senior government official whom Saba had investigated. Documents acquired by the Mail&Guardian suggest that the official got her phone records from a private investigator, after a fraudulent police warrant was used to subpoena the records from her mobile network providers.

Peter Bruce and Rob Rose 

In August 2017, it was reported that a private investigator had illegally acquired the phone records financial journalists Peter Bruce and Rob Rose. A former employee at mobile network operator MTN is now on criminal trial, with the state alleging that she sold the phone records to the private investigator, who was allegedly employed by a controversial business family.

 

 

Data Protection

Data protection laws

The Protection of Personal Information Act 4 of 2013 ("POPI") was signed by President Zuma on 19 November 2013. As stated in the preamble, the purpose of POPI was, in line with international standards, to regulate "the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests".

Five members of the Information Regulator were appointed by the President on recommendation from the National Assembly, with effect from 1 December 2016 for a period of 5 years. The Information Regulator will be chaired by Advocate Pansy Tlakula.

As of April 2017, only certain provisions of POPI have come into force, most notably those that render it possible to establish the office of the Information Regulator. The bulk of the legislation -- including the conditions for the lawful processing of personal information -- is not yet in force. Section 114(1) of POPI provides that all processing of personal information must comply with POPI within one year of the section coming into force, still pending. This period may be extended for up to three years by the Minister of Justice and Correctional Services in consultation with the Information Regulator.

Key definitions

The definitions contained in section 1 of POPI are important in understanding the legislation. The following are the key definitions in terms of POPI:

• A "data subject" is the person to whom the personal information relates;
• A "responsible party" is the public or private body or person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
• An "operator" is the person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
• The "Regulator" is the information regulator established in terms of section 39 of POPI; the Regulator is a juristic person, whose functions include monitoring and enforcing compliance by public and private bodies with the provisions of POPI.

The term "personal information" is defined broadly under POPI, including the personal opinions, views or preferences of the person, and the views or opinions of another individual about the person. POPI also creates a sub-category of personal information, "special personal information", which have more stringent requirements for processing. This includes a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and the criminal behaviour of a data subject.

The term "processing" is also defined broadly, and refers to "any operation or activity or set of operations, whether or not by automatic means, concerning personal information". Notably, POPI only applies to the processing of a "record" containing personal information.

​Conditions for the lawful processing of personal information

There are eight conditions at the heart of POPI for the lawful processing of personal information. These conditions are as follows:

• Condition 1: Accountability (section 8): It is the duty of the responsible party to ensure that the conditions are complied with, both at the time that the purpose and means of processing is determined and during the processing itself.
• Condition 2: Processing limitation (sections 9 to 12): Processing must be done lawfully and in a manner that does not infringe the right to privacy of a data subject. Section 11(1) stipulates the circumstances under which personal information may be processed, which includes where the data subject has consented, the processing is necessary in terms of a contract to which the data subject is a party, or is necessary for pursuing the legitimate interests of the responsible party to whom the information is supplied. As a general rule, personal information must be collected directly from the data subject.
• Condition 3: Purpose specification (sections 13 to 14): Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Subject to certain exceptions, records of personal information must not be retained longer than is necessary to achieve the purpose for which it was collected or subsequently processed, and must be destroyed or deleted once the responsible party is no longer authorised to retain the record. The exceptions include where the retention is required or authorised by law, the data subject has consented to the retention, or the personal information is being retained for historical, statistical or research purposes.
• Condition 4: Further processing limitation (section 15): The further processing of personal information must be in accordance or compatible with the purpose for which it was collected.
• Condition 5: Information quality (section 16): A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary. In doing so, the responsible party must have regard to the purpose for which was collected or further processed.
• Condition 6: Openness (sections 17 and 18): A responsible party must maintain the documentation of all processing operations, and must take reasonably practicable steps to ensure that the data subject is made aware of the personal information being collected, together with other stipulated information. There are various exceptions to this condition, including where the data subject has provided consent for non-compliance, non-compliance is necessary for the conduct of proceedings in any court, compliance is not reasonably practicable, or the information will be used for historical, statistical or research purposes.
• Condition 7: Security safeguards (sections 19 to 22): A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal information, or unlawful access to or processing of personal information. The responsible party is required to take all reasonable measures to identify internal and external risks, establish and maintain appropriate safeguards, and ensure that the safeguards are properly implemented and updated. The responsible party is also required to enter into a written contract with any operator to ensure that it establishes and maintains appropriate security measures. Any security breach must be brought to the attention of the Regulator and the affected data subjects.
• Condition 8: Data subject participation (sections 23 to 25): A data subject has the right to request a responsible party to confirm whether or not the responsible party holds personal information about the data subject, and to request the record itself. A data subject may also request a responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or retained for longer than permitted.

​Cross-border flows of information

Chapter 9 of POPI deals with cross-border information flows. A responsible party in South Africa may not transfer personal information about a data subject to a third party who is in a foreign country unless: (i) the third party is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection; (ii) the data subject consents to the transfer; (iii) the transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request; (iv) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or (v) the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject's consent, but if it were reasonably practicable to obtain the data subject's consent, he or she would be likely to give it.

Accountability mechanisms

Section 39 of the Protection of Personal Information Act (POPI) establishes the Information Regulator, which consists of a chairperson and four other persons who sit as ordinary members. In terms of this section, the Information Regulator is a juristic person which has jurisdiction throughout South Africa, and is independent and subject only to the Constitution and the law. The Information Regulator is accountable to the National Assembly.

In broad terms, as set out in section 40 of POPI, the powers, duties and functions of the Information Regulator include to provide education; to monitor and enforce compliance; to consult with interested parties; to handle complaints; to conduct research and report to Parliament; to issue codes of conduct; and to facilitate cross-border cooperation in the enforcement of privacy laws. In performing its functions and exercising its powers, the Information Regulator is required to have regard to the conditions for the lawful processing of personal information, the protection of all human rights and social interests that compete with privacy, the international obligations accepted by South Africa and any developing general international guidelines relevant to the better protection of individual privacy.

Any person may submit a complaint to the Information Regulator, which must be made in writing, alleging interference with the protection of the personal information of a data subject. Upon receipt of a complaint, various steps may be taken by the Information Regulator, including conducting an investigation. The Information Regulator may also, on its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject. The Information Regulator is given significant powers in terms of POPI, including powers of search and seizure.

As of April 2017, while an Information Regulator has been appointed, the office is still in the process of being set up and it is not yet possible to submit a complaint. This means that there is not yet any accountability under POPI.

Data breaches: case law

As the Protection of Personal Information Act (POPI) is not yet fully in force, there has not been any litigation in terms of POPI.

Examples of data breaches

In 2016, it was estimated that data breaches have cost South Africa an overall total cost of R28.6 million (around US$ 2.06 million). However, at present, data breaches in South Africa often go unreported. In 2015, it was reported that only five data breaches were registered in South Africa. This is expected to change significantly as POPI comes into force, as responsible parties will be required by law to disclose information about data breaches if they occur.

One of the most high-profile data breaches in South Africa occurred in October 2013, when it was reported that a variant of malware called "Dexter" had been inserted into point-of-sale devices at South African fast food outlets in order to obtain customer card data. This was reported to have cost South African banks tens of millions of rands.

In July 2016, it was reported that hackers claiming to be linked to Anonymous breached the website of South African stated-owned arms supplier, Armscor. The hack targeted Armscor's settlement and invoicing system, and leaked approximately 63MB in HTML files on the dark web, including ordering and payment details for various companies. Furthermore, the Anonymous hacker has indicated that the hack gave them access to 19,938 supplier IDs, names and their passwords, which would allow anyone to log in to the Armscor system as a supplier or manager.

In March 2017, a researcher discovered a breach involving about 7 million customers of Ster Kinekor, a cinema chain.

In October 2017, a security researcher identified a leak of a massive databaseof South Africans’ data, including government-issued ID numbers, email address, phone numbers, as well as information about marital status, employment, and property ownership. The Right2Know Campaign has written to the Information Regulator urging an investigation into the breach.

In May 2018, online traffic fine website ViewFines reportedly had a breach of personal records of 943 000 South African drivers.

In June 2018, financial services company Liberty disclosed that its email repository had been breached by a third party trying to demand a "ransom" in exchange for the data, exposing the an unknown number of customers.

Identification Schemes

ID cards and databases

From 2013, a new South African smartcard ID has been introduced. This includes a chip that contains information, such as the fingerprints of the holder. While neither enrolment nor carrying the ID card is mandatory, in reality, it is required for many civil functions. Details are stored on the Home Affairs National Identification System (HANIS).

Voter registration

Unlike in many countries in Africa, there has been little pressure to date in South Africa for the introduction of biometric voter registration systems. Registration requires an official ID.

SIM card registration

Under the 2002 Regulation of Interception of Communication Act (RICA), all SIM cards, whether used in a mobile phone or for data, must be registered with the state via the person's service provider. A South African citizen must provide his or her name, address and identity number. For non-citizens, a name, address and passport number is required.

 

Policies and Sectoral Initiatives

Cybersecurity policy

The National Cybersecurity Policy Framework for South Africa was developed by the Justice, Crime Prevention and Security Cluster in South Africa in an effort to create a framework to investigate and combat cybercrime. It was approved by Parliament in 2012 but only published in the government gazette in December 2015.

A revised draft of the Cybercrimes Bill, along with a revised discussion document, were tabled in Parliament. This bill replaces a former bill published in August 2015 that was met with public criticism.

Though the new Cybercrimes Bill is generally an improvement on the former bill, it nevertheless contains a number of worrying provisions concentrating cyber security powers in the hands of intelligence agencies, and potentially criminalising free expression through an overly broad definition of "malicious communications". The Right to Know coalition has published a full critique of the bill. Public hearings were held on the bill in September 2017.

According to the explanatory memorandum, the Department of Justice and Constitutional Development was mandated to review the cybersecurity laws in South Africa and ensure that there is a coherent and integrated cybersecurity legal framework. At present, various laws on the statute book deal with cybersecurity, some with overlapping mandates administered by different government departments, with no coordinated implementation. In addition to the common law, these statutes (as listed in the explanatory memorandum) include:

• the Electronic Communications and Transactions Act 25 of 2002;

• the South African Police Service Act Act No. 68 of 1995;

• the Correctional Services Act 111 of 1998;

• the National Prosecuting Authority Act 32 of 1998;

• the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002;

• the Prevention and Combatting of Corrupt Activities Act 12 of 2004;

• the Films and Publications Act 65 of 1996;

• the Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007;

• the Copyright Act 98 of 1978;

• the Civil Proceedings Evidence Act 25 of 1956;

• the Criminal Procedure Act 51 of 1977;

• the Protection of Personal Information Act 4 of 2013;

• the Protection from Harassment Act 17 of 2011;

• the Financial Intelligence Centre Act 28 of 2001; and

• the State Information Technology Agency Act 88 of 1998.

​However, following significant criticism of the Bill, the Department of Justice and Constitutional Development has engaged in a process of re-drafting certain portions with representatives of civil society in an effort to address some of these key concerns.

Cybercrime

Chapter XIII of the Electronic Communications and Transactions Act 25 of 2002 (ECTA) deals with cybercrime. Some of the cybercrimes addressed under this chapter include:

• The intentional and unauthorised access or interception of any data (subject to the Regulation of Interception of Communications and Provision of Communication-related Act 70 of 2002);
• The intentional and unauthorised interference with data in a way that causes the data to be modified, destroyed or rendered ineffective;
• The unlawful production, sale, distribution or use of a device that is designed primarily to overcome security measures for the protection of data.

Any person found guilty of an offence under this chapter is liable on conviction to a fine or imprisonment.

A draft Cybercrimes and Cybersecurity Bill B-2015 was published for public comment in August 2015, together with an explanatory memorandum. In October 2018, Parliament began deliberations on a significantly revised version of the Bill, now called the Cybercrimes Bill, which the justice department tabled. All provisions relating to cybersecurity have been removed from the Bill, and the provisions around ‘malicious communications’ narrowed. The Bill would need to be adopted by both houses of Parliament before it could be signed into law.

Encryption

Electronic Communications and Transactions Act 25 of 2002 ("ECTA")

ECTA is the primary piece of legislation governing providers of cryptography services, with a number of provisions regarding cryptography providers contained in chapter V. A "cryptography provider" means "any person who provides or proposes to provide cryptography services or products in the Republic", and a "cryptography service" is defined as:

"[A]ny service which is provided to a sender or a recipient of a data message or to anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring —

(a) that such data or data message can be accessed or can be put into an intelligible form only by certain persons;

(b) that the authenticity or integrity of such data or data message is capable of being ascertained;

(c) the integrity of the data or data message; or (d) that the source of the data or data message can be correctly ascertained".

Similarly, a "cryptography product" is defined as:

"[A]ny product that makes use of cryptographic techniques and is used by a sender or recipient of data messages for the purposes of ensuring -

(a) that such data can be accessed only by relevant persons;

(b) the authenticity of the data;

(c) the integrity of the data; or

(d) that the source of the data or data message can be correctly ascertained".

Section 29 of ECTA requires the Director-General of the Department of Communications to establish and maintain a register of cryptography providers. The register must record the name and address of the cryptography provider, a description of the cryptography service or cryptography product being provided, and any other particulars that may be prescribed to identify and locate the cryptography provider or its products or services adequately. A cryptography provider is not, however, required to disclose confidential information or trade secrets in respect of its cryptography products or services.

The Cryptography Regulations (2006), promulgated in terms of ECTA, provide more detail on the information that must be contained in the register and the process for registration. Notably, in terms of regulation 2 of the Cryptography Regulations, there is a host of information that must be provided in addition to what is required under section 29 of ECTA in order to identify and locate the cryptography provider. This includes telephone and fax numbers, email addressed, constitutive documents (such as the memorandum of association and the articles of association), and detailed profiles of personnel who have supervisory or managerial responsibilities.

No person may provide cryptography services or products in South Africa until the particulars of that person have been recorded in the register in terms of section 29 of ECTA. In terms of section 30(3) of ECTA, a cryptography service or product is regarded as having been provided in South Africa if it is provided (i) from premises in South Africa; (ii) to a person who is present in South Africa when that person makes use of the service or product; or (iii) to a person who uses the service or product for the purposes of a business carried on in South Africa or from premises in South Africa.

As a general principle, the information contained in the register may not be disclosed to anyone other than an employee of the Department of Communications responsible for the keeping of the register. However, this general principle may be departed from in certain instances, such as if it is disclosed to a relevant authority investigating a criminal offence or if it is disclosed to government agencies responsible for safety and security in South Africa pursuant to an official request.

​Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 ​("RICA")

A person who applies for and is eligible to obtain an interception direction under RICA may also apply for decryption direction. The application for a decryption direction must contain various information, including the identity of the decryption key holder, a description of the encrypted information, and the period for which the decryption direction is required.

In terms of section 21(4) of RICA, a decryption direction may only be issued under the following circumstances:

"A decryption direction may only be issued —

(a) if the designated judge concerned is satisfied, on the facts alleged in the application concerned, that there are reasonable grounds to believe that —

(i) any indirect communication to which the interception direction concerned applies, or any part of such an indirect communication, consists of encrypted information;

(ii) the decryption key holder specified in the application is in possession of the encrypted information and the decryption key thereto;

(iii) the purpose for which the interception direction concerned was issued would be defeated, in whole or in part, if the decryption direction was not issued; and

(iv) it is not reasonably practicable for the authorised person who executes the interception direction concerned or assists with the execution thereof, to obtain possession of the encrypted information in an intelligible form without the issuing of a decryption direction; and

(b) after the designated judge concerned has considered —

(i) the extent and nature of any other encrypted information, in addition to the encrypted information in respect of which the decryption direction is to be issued, to which the decryption key concerned is also a decryption key; and

(ii) any adverse effect that the issuing of the decryption direction might have on the business carried on by the decryption key holder to whom the decryption direction is addressed."

Any person who fails to comply with a direction issued in terms of RICA is guilty of a criminal offence.

​National Conventional Arms Control Act 41 of 2002 (NCACA)

​In terms of section 13 of the NCACA, no person may trade in or possess the controlled items referred to in the Conventional Arms Control Regulations (2004) (CACR), unless that person is registered and in possession of an appropriate permit. The CACR set out the types of munitions that require permits, and the type of permit required. Although neither the NCACA nor the CACR refers to encryption or cryptography services, the CACR does state as follows at the beginning of the schedule:

"General technology note

​The export of 'technology' which is 'required' for the 'development', 'production' or 'use' of items controlled in the Dual-Use List is controlled accordig to the provisions in each Category. This ​'technology' remains under control even when applicable to any uncontrolled item."

​This would affect, for instance, any decryption key necessary to decrypt information needed to use arms contemplated in the CACR. There are, however, several exceptions to this, in particular where the technology or software is in the public domain, or where it is designed for installation by the user without further substantial support by the supplier.

​The NCACA and the CAC are the two main laws identified by the National Cybersecurity Policy Framework for South Africa as key to the regulation of the field of cryptography.

​The National Strategic Intelligence Act 39 of 1994 (NSIA)

The purpose of the NSIA is to set out the functions of the national intelligence structures in South Africa. In 2013, the NSIA was amended by the General Intelligence Laws Amendment Act 11 of 2013 to include cryptography services as part of the functions of the State Security Agency. As a result of this amendment, section 2(2)(b) of the NSIA was amended to include the following as functions of the SSA:

"(i) to identify, protect and secure critical electronic communications and infrastructure against unauthorised access or technical, electronic or any other related threats;

(ii) to provide cryptographic and verification services for electronic communications security systems, products and services used by organs of state;

(iii) to provide and coordinate research and development with regard to electronic communications security systems, products and services and any other related services".

It is therefore now squarely within the ambit of the SSA to provide cryptographic services for all government departments as well as other organs of state.

Licensing of industry

The Independent Communications Authority of South Africa (ICASA), which is established by section 3 of the ICASA Act 13 of 2000 regulates the telecommmunications industry. The Electronic Communications Act 36 of 2005 (ECA) seeks to regulate the electronic communications industry in South Africa in the public interest. The licensing framework is set out in chapter 3 of the ECA.

ICASA is responsible for prescribing regulations setting out, amongst other things, the process and procedures to apply for licences, the necessary documentation required, and the licence fees applicable.

In granting a licence, ICASA is required to ensure that electronic communications network services, broadcasting services and electronic communications services, viewed collectively, are provided by persons or groups of persons from a diverse range of communities in South Africa, and promote broad-based black economic empowerment.

Chapter IX of the ECA covers broadcasting services, and provides for public broadcasting service licences (section 49), community broadcasting service licences (section 50), and commercial broadcasting service licences (section 51).

Section 72A of the ECA requires that the Minister establish a National Broadcasting Council to, among other things, coordinate overall broadband implementation by government at national, provincial and local government levels, to facilitate the monitoring and measurement of broadband penetration in South Africa, and to develop a broadband implementation plan.

E-governance/digital agenda

South Africa's e-governance strategy is driven by the Department of Public Service and Administration, which is responsible for the development and coordination of the government's overall e-government strategy. The key legislation in this regard is the Public Service Act 103 of 1994, which provides for, among other things, the establishment of norms and standards relating to e-government and information management in the public service. In South Africa, efforts have been made to use e-governance to simplify government procedures, improve access to information by citizens, and improve service delivery, as well as to strengthen accountability and transparency.

The government has established statutory bodies to coordinate the implementation of e-governance projects. These include the State Information Technology Agency (SITA) that is responsible for acquiring, installing, implementing and maintaining IT in the public sector; and the Government Information Technology Officers Council (GITO Council), that consists of national and provincial IT officers and is responsible for consolidating and coordinating IT initiatives in government, including e-governance, to facilitate service delivery.

Chapter IV of the Electronic Communications and Transactions Act 25 of 2002 covers e-government services. In terms of these provisions, a public body may accept the filing, creation or retention of documents in the form of data messages; issue any permit, licence or approval in the form of a data message; or make or receive payment in electronic form or by electronic means. The public body may specify requirements by notice in the government gazette, including:

• the manner and format in which the data messages must be filed, created, retained or issued;
• the type of electronic signature required; or
• the appropriate control processes and procedures to ensure adequate integrity, security and confidentiality of data messages or payments.​​

Certain provincial governments have also developed e-governance strategies. Gauteng, for example, has set up an e-government website, and in September 2015 it announced that it had established a Department of e-Government to improve service delivery, modernise the public service and stimulate the province's knowledge-based economy. According to its press statement, the Department of e-Government would be mandated to implement the e-Government Strategy of the Gauteng City Region 2015-2020, which seeks to consolidate back-end systems and processes to bring about better front-line service delivery to the people, among other goals.

Health sector and e-health

National Health Act 61 of 2003

All information concerning a person receiving treatment in a health establishment (including information relating to his or her health status, treatment or stay in a health establishment) is considered confidential unless the person consents to a disclosure in writing; a court order requires the disclosure; or non-disclosure of the information represents a serious threat to public health (section 14). However, a health worker or health care provider may disclose personal information to any person if it is necessary for a legitimate purpose in the course and scope of his or her duties (section 15).

The person in charge of a health establishment is required to set up control measures to prevent unauthorised access to health records. Failure to do so is a criminal offence (section 17).

Promotion of Access to Information Act 2 of 2000 (PAIA)

PAIA contains specific provisions that are relevant to requests for information regarding health records: section 30 of PAIA deals with requests to public bodies; and section 61 deals with requests to private bodies.

If an information officer is of the opinion that disclosing a record provided by a health practitioner would cause harm to the physical or mental health or well-being of the person requesting the record, the information officer may consult with a health practitioner before disclosing the record. If the health practitioner is of the view that disclosure would be likely to cause serious harm to his or her physical or mental health or well-being, the information officer may only give access to the record if the requester proves to the satisfaction of the information officer that adequate provision is made for counselling.

Protection of Personal Information Act 4 of 2013 ("POPI")

Information concerning a data subject's health is categorised as "special personal information" under POPI, and is subject to additional requirements for lawful processing (sections 26, 27 and 32). Only certain responsible parties are permitted to process health information (such as medical professionals, medical schemes and schools), but this may only be done subject to an obligation of confidentiality by virtue of the responsible party's office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

Personal information concerning a data subject's inherited characteristics may not be processed unless a serious medical interest prevails or the processing is necessary for historical, statistical or research activity.

e-Health Strategy South Africa (2012/13-2016/17)

While the responsibility for developing an e-health policy and strategy resides with the national department of health, the delivery of e-health services in public sector facilities is the responsibility of the provincial departments of health.

The e-Health Strategy adopts the World Health Organisation's definition of e-health, that being "the use of information and communication technologies (ICTs) for health to, for example, treat patients, pursue research, educate students, track diseases and monitor public health". The overall aim of the e-Health Strategy is to provide a single, harmonised and comprehensive e-health strategy that (i) supports the medium-term priorities of the public health sector, (ii) paves the way for future public sector e-health requirements, and (iii) lays the requisite foundations for the future integration and coordination of all e-health initiatives in the country in both the public and private sector.

Various challenges have been identified in the e-Health Strategy, including limited capacity or capabilities within the public sector to implement a national e-health strategy; widely differing levels of e-health maturity across and within province; the high price of broadband connectivity; and a low degree of cooperation, collaboration and sharing across all sectors.

Smart policing

In the mid-2010s, the South African's government's Council for Scientific and Industrial Research (CSIR) developed a smart policing platform, the Command and Control Collaborator (Cmore). CSIR describe the product as "an integrative, collaborative distributed shared awareness system". The platform has reportedly been used to combat rhino poaching in Kruger National Park and "a host of defence-related border safeguarding experiments held over the past three years".

Transport

We are not aware of any privacy issues related to transportation in South Africa. Please send any tips or information to: research@privacyinternational.org

Smart cities

Broadband roll-out

In 2013, the Department of Communications published a policy document in terms of section 3(1) of the Electronic Communications Act 36 of 2005 titled "South Africa Connect: Creating Opportunities, Ensuring Inclusion: South Africa's Broadband Policy". The policy sets out the following targets:

• By 2016: 50% of the population to have broadband access at 5 Mbps (2013 baseline: 33.7%)
• By 2020: 90% of the population to have broadband access at 5 Mbps, 50% of the population to have broadband access at 100 Mbps;
• By 2030: 100% of the population to have broadband access at 10 Mbps, 80% of the population to have broadband access at 100 Mbps.

In the 2015 State of the Nation address, President Jacob Zuma announced that eight municipalities were set to have full broadband capability within five years. The cities of Cape Town, Johannesburg, Tshwane and Ethewkini have programmes and plans in place to realise this initiative. It was further announced that Telkom had designated itself as the lead agency to assist with broadband roll-out. This was followed by an announcement in the Minister of Finance's 2015 budget speech that R 1.1 billion (around US$ 79.2 million) had been allocated to the expansion of broadband connectivity in government institutions and schools.

However, commentators have raised concerns that little was known about the progress, scope and funding of the South Africa Connect policy, with only the Department of Communications and the entities reporting to it being involved. It was noted also that the National Broadband Advisory Council, appointed to advise on the rollout of the policy, had collapsed; there was uncertainty whether the implementation plan had been submitted to the National Treasury to release the first tranche of funding; whether a transparent and legally sound process would be held to appoint the 'lead agency'; or whether the government had conducted a credible nationwide survey into the future-proof suitability of all the communications networks already installed around South Africa.

During the 2016 state of the nation address, President Zuma indicated that "[g]overnment will fast-track the implementation of the first phase of broadband roll-out to connect more than 5,000 government facilities in eight district municipalities over a three-year period. Funding to the tune of R740 million (US$ 53.5 million) over a three-year period has been allocated in this regard".

In August 2016, it was reported that the South African government was ready to finalise and fast-track the implementation of the new ICT policy to connect schools, health facilities and government offices. This process, driven by the Department of Telecommunications and Postal Services, aims to outline the government's plans for the rollout of broadband across the country and direct the allocation of spectrum.

In February 2017, the rollout of the government's broadband plan, SA Connect, commenced in two local municipalities in the Eastern Cape, which are two of the eight priority municipalities. However, progress was slow, particularly after a service providers' tender cancellation.

This connectivity lays the foundation for smart city development.

Cape Town smart city initiative

South Africa's second largest city, Cape Town, is in the process of developing a smart city initiative. The initiative sits as part of the city's "digital city strategy". The four pillars of the initiative are digital government, digital inclusion, digital economy, and digital infrastructure.

A key component of the project is the EPIC (Emergency Police Incident Control) project. The system would be used to system could be used to monitor law enforcement service requests, manage staff and draw reports for statistical purposes, in order to increase the effectiveness of law enforcement responses. According to a study by Dr. Nora Ni Loideain at the University of Cambridge, the project began in 2013 and the first stqge was launched in November 2016. Ni Loideain also raised concerns over the impact of the second phase of EPIC's rollout on the right to privacy in South Africa.

Migration

We are not aware of any privacy issues related to migration in South Africa. Please send any tips or information to: research@privacyinternational.org

Emergency response

We are not aware of any privacy issues related to emergency response in South Africa. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

We are not aware of any privacy issues related to humanitarian and development programmes in South Africa. Please send any tips or information to: research@privacyinternational.org

Social media

In September 2017, Business Day reported seeing a directive from police minister Fikile Mbalula to the new acting head of crime intelligence, Major-General King Ngcobo, instructing him to increase "data-mining" of South African citizens and residents. 

Mbalula has since been relieved of his position as minister, but investigative reports suggest that data mining is still in operation. Investigative journalist Heidi Swart has concluded that a social media analytics tool called Media Sonar (manufactured and distributed by a Canadian company of the same name) is sold in South Africa through the private sector, and may be in use by government agencies.

In South Africa, the 2013 Protection of Personal Information Act would regulate such activity, but as of November 2018 has yet to come into force, due to significant delays in operationalising the Information Regulator, the new enforcement agency in terms of the Act. There is no clear timeline of when the Information Regulator would be operationalised.