The ‘right to be forgotten’ is a right to have personal data deleted, in particular from the world wide web. South African law does not explicitly recognise a general right to be forgotten. But some laws dealing with privacy, access to information and freedom of speech implicitly recognise the right.
The Bill of Rights in the Constitution contains broad rights to dignity and privacy. Privacy rights can be limited by rights to freedom of expression and access to information.
The Right to be Forgotten and POPI
The Protection of Personal Information Act, like most foreign data protection laws, states that personal information may only be stored or used to the extent it is adequate, relevant and not excessive in relation to its purpose. Although POPI does not explicitly grant a right to be forgotten, section 24 allows data subjects to request responsible parties to correct or delete personal information or records.
Personal information cannot normally be kept longer than necessary, and must be permanently destroyed when consent is withdrawn or legal authority ends (for example when a ‘retention period’ has lapsed). Out-of-date, incomplete, misleading or inaccurate data must also be corrected or deleted. The law grants some privacy rights to juristic persons, such as companies.
The right to be forgotten in POPI only allows for deletion of personal information that is “inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or obtained unlawfully.” In addition, the act also requires responsible parties to delete or destroy records that should no longer be retained.
Other laws in South Africa
The Promotion of Access to Information Act and legal principles about freedom of expression could conflict with implied rights to be forgotten contained in other laws. Hundreds of regulations also require certain tax, health, employment, safety, corporate and other information to be retained in specific forms for specific periods. Conflicts will be decided on their merits and subject to context.
The National Credit Act allows individuals to access and challenge negative credit-related information. Credit bureaux must delete certain credit-related information after the relevant retention period. In general, the smaller a debt, the sooner information must be removed. Information about civil judgments can be kept for between 18 months and five years, and information about rescinded judgments for two years. Personal sequestrations can be recorded for 10 years after rehabilitation. There is no right to be forgotten in the case of corporate liquidations.
The Consumer Protection Act gives rights to individuals to put their names and contact details on a pre-emptive ‘do-not-contact’ direct marketing register. The register has not been formally recognised, but there are similar voluntary registers, such as the Direct Marketing Association’s ‘opt-out’ register.
The Electronic Communications and Transactions Act provides a practical procedure to demand that information service providers remove or disable access to ‘unlawful’ activity or content, via a take-down notification. This can help enforce a right to be forgotten where a service provider is based in South Africa.
The Criminal Procedure Act (as amended) allows for records of certain minor offences to be ‘expunged’ on application after 10 years, if there have been no other convictions. Political convictions under repealed race-based apartheid laws can also usually be removed. Children under 21 at the time of an offence can also have their records expunged under the Child Justice Act, unless the offence is serious (such as murder or rape).
In certain cases, offenders cannot ever remove their names from the National Sex Offenders Register or the National Child Protection Register. In other cases, offenders may generally only apply five to ten years after release from prison, suspension, or entry on the register.
Foreign and international laws and decisions about the right to be forgotten will usually be relevant or persuasive in a similar matter in South Africa.