This is a short discussion of five topical privacy issues and how the law regulates them in South Africa. South Africa is about to enact a data protection law similar to what most countries have. It will be called the Protection of Personal Information Act (POPI). At the moment, POPI is not yet in force, but we will discuss the situation as if POPI is in place.
Can the South African Government access data in the cloud?
In terms of the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), Government may intercept your data stored in the cloud only with an interception direction. They can do this without your knowledge by approaching the cloud service provider with the direction. The cloud storage provider then decrypts the data and shares it with Government.
What does Government have to show in order to obtain an interception direction? Section 16 of RICA sets out the requirements for an interception direction to be granted.
The South African Revenue Service (“SARS”) may be entitled to obtain information that relates to South African residents and is situated on a server abroad if there is a double tax agreement (“DTA”) in place between South Africa and the relevant country. This is in terms of the information exchange clause, which is very wide. However, the provisions of the DTA cannot extend obligations or rights created under domestic law. So SARS may not invoke the information exchange clause in the DTA to impose the obligation to supply information unless that information is obtainable under the laws, or in the normal course of the administration of the law, of the overseas country or South Africa. Data protection legislation in several countries will often preclude the revenue authorities from disclosing information to SARS unless the revenue authorities in the overseas country are entitled to the information for purposes of tax disclosure in that country.
What is the law on cookies in South Africa?
Currently there is no law that regulates cookies in South Africa.
Our umbrella privacy law, POPI, will soon be passed. The information that a cookie collects would be classified as personal information, and as such the data collector would have to comply with the relevant provisions in POPI.
In time, our Information Regulator will probably publish regulations on how cookies can be used. This is likely to be similar to the European Union e-Privacy Directive that regulates cookies.
What is a cookie? It is a small data file sent to your computer from a website which collects information. Cookies may collect personal data such as usernames, passwords and credit card numbers.
What are the latest legal developments regarding data privacy?
We expect that POPI will be passed by the National Council of Provinces (NCOP) without any changes. This means that the Bill we currently have will probably become law. The wording of the current draft will not change much.
Once the Bill is passed by the NCOP, the next step is for the President to sign it into law. After that, the Minister will publish a commencement date in the Government Gazette and there will be a grace period of one year (from the date of commencement), which will allow organisations to put in place the correct measures to comply with POPI.
How difficult is it to collect personal information?
South African law is no more restrictive than the laws of other countries. When collecting personal information one must comply with the POPI conditions which are:
- You must collect directly from the data subject and obtain the data subject’s consent
- The data collection must be for a specific purpose
- You must inform the data subject of the specific purpose
These conditions are not more onerous than the conditions of other countries and, furthermore, there are exceptions available for these conditions. These conditions can be found in sections 11 to 13 of POPI.
Can you transfer data out of South Africa?
South African law is no more restrictive than the laws of other countries. Section 72 of POPI regulates transborder information flow and is much the same as the equivalent section in other privacy laws.
You may not transfer personal information about a data subject to a third party in another country unless:
- The recipient of the information is subject to a law which regulates transborder information flow and personal information in a way which is substantially similar to POPI;
- You have obtained the data subject’s consent;
- The transfer is necessary for the performance of a contract between the data subject and the responsible party;
- The transfer is necessary for the conclusion of a contract which is in the data subject’s interests;
- The transfer is for the benefit of the data subject and it is not reasonably practical to obtain the consent of the data subject and, if it were reasonably practical to obtain the consent, the data subject would likely give it.
So, it is possible to transfer personal information from South Africa to most other developed countries in the world.