Compartmentalised data protection in South Africa: The right to privacy in the Protection of Personal Information Act
Author | Katzav, G. |
DOI | https://doi.org/10.47348/SALJ/v139/i2a8 |
Published date | 15 May 2022 |
Date | 15 May 2022 |
Citation | (2022) 139 SALJ 432 |
Pages | 432-470 |
432
https://doi.org/10.47348/SALJ/v139/i2a8
COMPARTMENTALISED DATA PROTECTION
IN SOUTH AFRICA: THE RIGHT TO PRIVACY
IN THE PROTECTION OF PERSONAL
INFORMATION ACT
GI LAD K ATZAV†
Research Fellow, Mandela Institute,
University of the Witwatersrand, Johannesburg
In European Union (‘EU’) law, the entrenched right to data protection is an
independent fundamental right. EU case law has gradually di sconnected the right
to data protection from the right to a privat e life. South Africa’s rst exclusive
data protection legislation, the Protection of Personal Infor mation Act 4 of 2013
(‘POPIA’), is redolent of EU data prote ction legislation. Howeve r, the stated purpose
of the POPIA is to g ive eect to the right to privacy. This article examines wheth er
the laws of data prot ection can be wholly encapsu lated within s 14 of the Constitution.
To this end, this article co nsiders two main con ceptions of priva cy in our law.
The rst is Ne ethling’s informational pr ivacy and the reasona ble expectation of p rivacy.
The second is R autenbach’s theory of informational control o ver personal matte rs in
relation to other r ights. On either app roach, I argue that the subst antive provisions
of the POPIA are ir reducible to privacy protection alone. Ultimately, framing
the POPIA exclusively within the domain of p rivacy will eithe r (i) unduly restrict
legislative inte rpretation; or (ii) the true meaning of pr ivacy will be diluted, leading to
legal uncert ainty. To avoid this, I suggest distinguishing between the value of privacy
in the POPIA and the actual loss of priva cy.
Right to pr ivacy – data protect ion – personal infor mation – data proce ssing
I IN TRODUCT ION
The processin g of personal inform ation is an indispensa ble and irreversible
part of contemporary societa l organisation. From the recordi ng of
one’s race, sex and biometric information at in fancy, to the level of
education achieved th roughout adolescence, and a ll the way to mar ital
status, employment history and highway commuting, everyone, in some
way, encounters this inevitabilit y. In the Age of Digita lisation and Big
Data, propelled by Capital Survei llance, this entrenched practice has
precipitated novel har ms.1 Zubo explain s that the insid ious nature of
the digital epoch lies in the fact that it is unprecedented and, as a result,
unrecogn isable: ‘When we encounter something unprecedented, we
automatically interpret it through the lens of familiar categories, thereby
rendering i nvisible precisely what is unprecedented.’2
† BCom LLB LLM (Wit s).
1 Shoshana Zubo The Age of Surveillanc e Capitalism: The Fight fo r a Human
Future at the New Frontier of Power (2 019).
2 Ibid at 12.
(2022) 139 SALJ 432
© Juta and Company (Pty) Ltd
COMPARTMEN TALISED DATA PROTECTION IN SOUT H AFRICA 433
https://doi.org/10.47348/SALJ/v139/i2a8
The gradua l awakening of a global consciousness to these threats,
particularly in Europe, has resulted in the creation of both substantive and
procedural d ata protection laws. The Protection of Persona l Information
Act 4 of 2013 (‘POPIA’), modelled closely after the developments of the
European Union (‘EU’) in this domain, represents South Africa’s legi s-
lative response to data-processing practices.3 If the foreign jur isprudence
and legal scholarship proves to be a harbinger of South Africa’s data
protection regime, then it is imperat ive to grapple analytical ly with its
foundationa l concepts and its underlying assu mptions in order to explore,
and sub sequent ly map, the terra incognita under the POPIA.
In this reg ard, the most important and overarching assumption of the
POPIA is that it conceptualises d ata protection law as a lex specialis of the
right to privacy.4 The aim of this article is to question this assumption,
to safeguard against the harms of data processing. More specical ly, will
any malecence a ssociated with the processi ng of personal inform ation be
entirely covered by s 14 of the Constit ution?5 This wi ll necessarily bring
into question whether personal information can comfortably t within
the lexicon of private information. How wil l courts balance competing
interests between a data subject and the responsible par ty where a privacy
interest cannot be reasonably ident ied? Can a litigant rely on the POPIA
— and the rights, mechanisms and institutions for which it provides — to
pursue interests that are not necessarily pr ivacy-related interests?
I make two assertions in this article. First, the law of dat a protection
is irreducible to privacy protect ion alone.6 Secondly, the continued
formulation of data protection pr inciples as a specialised form of privacy
protection over-in ates the scope of protection aorded by the right to
privacy. This not on ly dilutes the meaning of s 14 of the Constitution,
but it further obf uscates an a lready haz y concept. The POPIA is plag ued
by a codied insistence on interpreting unprecedented digital challenges
through the ‘lens of familiarity’. Consequently, its nascent abil ity to
forge strong, meaningful and eective data protection jur isprudence
may suer from leg al myopia. In support of this assertion, this ar ticle is
structured as follows.
Following this introduction, Part II provides an overview account of
data protect ion law. First, it aims to delineate and del imit the nature and
scope of data protection as it has developed in the EU and, in particular,
to consider whether da ta protection is seen as an inde pendent fundamental
3 A nneliese Roos ‘The Eu ropean Union’s General Dat a Protection Regu lation
(GDPR) and its impl ications for South Af rica’s data privacy law: A n evaluation of
selected content pr inciples’ (2020) 53 CILSA 1 at 4.
4 See the preamble and s 2 of t he POPIA.
5 The Constitut ion of the Republic of South A frica, 1996.
6 See the discus sion in part III.
© Juta and Company (Pty) Ltd
434 (2022) 139 T HE SOUTH AFRIC AN LAW JOURNAL
https://doi.org/10.47348/SALJ/v139/i2a8
right, divorced from the right to privacy. Secondly, it will outline the
POPIA’s conception of data protection as a subset of the right to privacy.
Part III ai ms to consider two main theories of privacy in South A frican
law and to evaluate whether they can properly explain the principles of
the POPIA in terms of the right to pr ivacy. As this par t will demonstrate,
privacy theor ies can only accou nt for data protection principles in a
piecemeal fashion. Therefore, I argue that the right to privacy may
prove to be inadequate to safeguard a gainst the harms of data processing.
Pigeonholi ng data protect ion is not only theoretically misconceived, but
its compart mentalisation may absolve the relevant persons and institutions
from mak ing the choices that truly reect the ideals of substantive human
rights protection.
II BACKGROUND
(a) The law of data protection: An overview
Prior to the POPIA, the South African legal landscape did not have any
exclusive persona l data protection legisl ation.7 Now, with its introduc tion,
data protect ion law ushers in an ent irely new legal eld of st udy and
practice. For the pur poses of orientation, this par t is subdivided into two
further subparts. The rst is a pathnding overview into the right to d ata
protection and its basic principles. Given that the POPIA was inspired by
EU law, and the fact that EU d ata protection jur isprudence is by far the
more matured , South African courts are likely to seek guidance in their
developments. Thus, the second subpart will look at the data protection
case law of the Cour t of Justice of the European Union (‘CJEU’).
(i) T he nature and the principles of data protection law
Constitutionally speaking, data protection is an enshrined fu ndamental
right in Eu ropean law. Article 8 of the EU’s Charter of Fundamental
Rights (‘EU Charter’) provides:
‘1. Everyone h as the right to the protection of per sonal dat a concerning
him or her.
2. Such data must be processed fai rly for specied pu rposes and on t he
basis of the con sent of the person concer ned or some other legit imate
basis la id down by law. Everyone has the r ight of access to data
which has been collected concer ning him or her, and the right to
have it rectied.
7 Althoug h certain ‘data protect ion’ provisions existed elsewhere. See the
Electron ic Communica tions and Transa ctions Act 25 of 20 02, ss 50–1;
the Nationa l Health Act 61 of 2002 , ss 14–17; the Consumer Protection Act 68
of 2008, ss 51(1)(j)(ii), 51(2)(b)(ii) and 107(1).
© Juta and Company (Pty) Ltd
To continue reading
Request your trial