Compartmentalised data protection in South Africa: The right to privacy in the Protection of Personal Information Act

• Author: Katzav, G.
• DOI: https://doi.org/10.47348/SALJ/v139/i2a8
• Published date: 15 May 2022
• Date: 15 May 2022
• Citation: (2022) 139 SALJ 432
• Pages: 432-470

432

https://doi.org/10.47348/SALJ/v139/i2a8

COMPARTMENTALISED DATA PROTECTION

IN SOUTH AFRICA: THE RIGHT TO PRIVACY

IN THE PROTECTION OF PERSONAL

INFORMATION ACT

GI LAD K ATZAV†

Research Fellow, Mandela Institute,

University of the Witwatersrand, Johannesburg

In European Union (‘EU’) law, the entrenched right to data protection is an

independent fundamental right. EU case law has gradually disconnected the right

to data protection from the right to a private life. South Africa’s rst exclusive

data protection legislation, the Protection of Personal Information Act 4 of 2013

(‘POPIA’), is redolent of EU data prote ction legislation. Howeve r, the stated purpose

of the POPIA is to give eect to the right to privacy. This article examines whether

the laws of data prot ection can be wholly encapsu lated within s 14 of the Constitution.

To this end, this article considers two main conceptions of privacy in our law.

The rst is Ne ethling’s informational pr ivacy and the reasona ble expectation of p rivacy.

The second is Rautenbach’s theory of informational control over personal matters in

relation to other rights. On either approach, I argue that the substantive provisions

of the POPIA are irreducible to privacy protection alone. Ultimately, framing

the POPIA exclusively within the domain of privacy will either (i) unduly restrict

legislative inte rpretation; or (ii) the true meaning of pr ivacy will be diluted, leading to

legal uncert ainty. To avoid this, I suggest distinguishing between the value of privacy

in the POPIA and the actual loss of privacy.

Right to pr ivacy – data protect ion – personal infor mation – data proce ssing

I INTRODUCTION

The processin g of personal inform ation is an indispensa ble and irreversible

part of contemporary societal organisation. From the recording of

one’s race, sex and biometric information at infancy, to the level of

education achieved throughout adolescence, and all the way to marital

status, employment history and highway commuting, everyone, in some

way, encounters this inevitability. In the Age of Digitalisation and Big

Data, propelled by Capital Surveillance, this entrenched practice has

precipitated novel harms.1 Zubo explains that the insidious nature of

the digital epoch lies in the fact that it is unprecedented and, as a result,

unrecognisable: ‘When we encounter something unprecedented, we

automatically interpret it through the lens of familiar categories, thereby

rendering invisible precisely what is unprecedented.’2

† BCom LLB LLM (Wit s).

1 Shoshana Zubo The Age of Surveillance Capitalism: The Fight for a Human

Future at the New Frontier of Power (2 019).

2 Ibid at 12.

(2022) 139 SALJ 432

© Juta and Company (Pty) Ltd

COMPARTMEN TALISED DATA PROTECTION IN SOUT H AFRICA 433

https://doi.org/10.47348/SALJ/v139/i2a8

The gradual awakening of a global consciousness to these threats,

particularly in Europe, has resulted in the creation of both substantive and

procedural data protection laws. The Protection of Personal Information

Act 4 of 2013 (‘POPIA’), modelled closely after the developments of the

European Union (‘EU’) in this domain, represents South Africa’s legi s-

lative response to data-processing practices.3 If the foreign jurisprudence

and legal scholarship proves to be a harbinger of South Africa’s data

protection regime, then it is imperative to grapple analytically with its

foundational concepts and its underlying assumptions in order to explore,

and sub sequently map, the terra incognita under the POPIA.

In this regard, the most important and overarching assumption of the

POPIA is that it conceptualises data protection law as a lex specialis of the

right to privacy.4 The aim of this article is to question this assumption,

to safeguard against the harms of data processing. More specically, will

any malecence a ssociated with the processi ng of personal inform ation be

entirely covered by s 14 of the Constitution?5 This will necessarily bring

into question whether personal information can comfortably t within

the lexicon of private information. How will courts balance competing

interests between a data subject and the responsible party where a privacy

interest cannot be reasonably identied? Can a litigant rely on the POPIA

— and the rights, mechanisms and institutions for which it provides — to

pursue interests that are not necessarily privacy-related interests?

I make two assertions in this article. First, the law of data protection

is irreducible to privacy protection alone.6 Secondly, the continued

formulation of data protection principles as a specialised form of privacy

protection over-inates the scope of protection aorded by the right to

privacy. This not only dilutes the meaning of s 14 of the Constitution,

but it further obfuscates an already hazy concept. The POPIA is plagued

by a codied insistence on interpreting unprecedented digital challenges

through the ‘lens of familiarity’. Consequently, its nascent ability to

forge strong, meaningful and eective data protection jurisprudence

may suer from legal myopia. In support of this assertion, this article is

structured as follows.

Following this introduction, Part II provides an overview account of

data protection law. First, it aims to delineate and delimit the nature and

scope of data protection as it has developed in the EU and, in particular,

to consider whether da ta protection is seen as an inde pendent fundamental

3 A nneliese Roos ‘The Eu ropean Union’s General Dat a Protection Regu lation

(GDPR) and its impl ications for South Af rica’s data privacy law: A n evaluation of

selected content pr inciples’ (2020) 53 CILSA 1at 4.

4 See the preamble and s 2 of t he POPIA.

5 The Constitution of the Republic of South Africa, 1996.

6 See the discussion in part III.

© Juta and Company (Pty) Ltd

434(2022) 139 T HE SOUTH AFRIC AN LAW JOURNAL

https://doi.org/10.47348/SALJ/v139/i2a8

right, divorced from the right to privacy. Secondly, it will outline the

POPIA’s conception of data protection as a subset of the right to privacy.

Part III aims to consider two main theories of privacy in South African

law and to evaluate whether they can properly explain the principles of

the POPIA in terms of the right to privacy. As this par t will demonstrate,

privacy theories can only account for data protection principles in a

piecemeal fashion. Therefore, I argue that the right to privacy may

prove to be inadequate to safeguard against the harms of data processing.

Pigeonholing data protection is not only theoretically misconceived, but

its compart mentalisation may absolve the relevant persons and institutions

from making the choices that truly reect the ideals of substantive human

rights protection.

II BACKGROUND

(a) The law of data protection: An overview

Prior to the POPIA, the South African legal landscape did not have any

exclusive persona l data protection legisl ation.7 Now, with its introduc tion,

data protection law ushers in an entirely new legal eld of study and

practice. For the purposes of orientation, this part is subdivided into two

further subparts. The rst is a pathnding overview into the right to data

protection and its basic principles. Given that the POPIA was inspired by

EU law, and the fact that EU data protection jurisprudence is by far the

more matured, South African courts are likely to seek guidance in their

developments. Thus, the second subpart will look at the data protection

case law of the Court of Justice of the European Union (‘CJEU’).

(i) The nature and the principles of data protection law

Constitutionally speaking, data protection is an enshrined fundamental

right in European law. Article 8 of the EU’s Charter of Fundamental

Rights (‘EU Charter’) provides:

‘1. Everyone has the right to the protection of personal data concerning

him or her.

2. Such data must be processed fairly for specied purposes and on the

basis of the consent of the person concerned or some other legitimate

basis laid down by law. Everyone has the right of access to data

which has been collected concerning him or her, and the right to

have it rectied.

7 Although certain ‘data protection’ provisions existed elsewhere. See the

Electronic Communications and Transactions Act 25 of 2002, ss 50–1;

the National Health Act 61 of 2002, ss 14–17; the Consumer Protection Act 68

of 2008, ss 51(1)(j)(ii), 51(2)(b)(ii) and 107(1).

© Juta and Company (Pty) Ltd