The concept of “personal information” in the Protection of Personal Information Act 4 of 2013 – a comparative analysis from a European perspective
Author | Baumann, J.S. |
DOI | https://doi.org/10.47348/TSAR/2021/i4a4 |
Published date | 20 September 2021 |
Date | 20 September 2021 |
Citation | 2021 TSAR 718 |
Pages | 718-739 |
https://doi.org /10.47348/ TSAR /2021/i4a 4
TSAR 2021 . 3 [ISSN 0257 – 7747]
718
The concept of “personal information” in
the Protection of Personal Information Act
4 of 2013 – a comparative analysis from a
European perspective
JONAS S BAUMANN*
NAZRE EN ISMAIL**
SAMEVATTING
DIE BEGRIP “PERSOONLIKE INLIGTING” IN DIE WET OP BESKERMING VAN
PERSOONLIKE INLIGTING 4 VAN 2013 – ’N VERGELYKENDE ANALISE VANUIT ’N
EUROPESE PERSPEKTIEF
Die Wet op Beskerming v an Persoonlike Inl igting 4 van 2013 is ’n mylpaal in die ontw ikkeling van die
Suid-Afri kaanse wetgewing oor d atabeskerming. ’n Aanta l sleutelbepalings van hie rdie wet is vanaf 1
Julie 2021 van toepassi ng en hou aansienli ke uitdagings in v ir nakoming deu r verantwoordelike pa rtye.
In die lig van die afdw ingingsmegan ismes wat deur Wet 4 van 2013 geïmplement eer word, is dit
van kardin ale belang om die omvang daarva n so presies moontlik te bepaal . Die begrip “persoonli ke
inligti ng” is van fundament ele belang vir die uitbreidi ng van die materiële omvang va n die wet.
Wet 4 van 2013 is opgestel aan die hand va n gevestigde inter nasionale raamwe rke vir databe skerming,
sowel as die Europese r iglyn vir die be skerming va n data van 1995. Alhoewel die Eu ropese
databesker mingsraa mwerk intusse n verder ontwik kel het deur die implem entering van ’n algeme ne
regulasie in sake die besker ming van gegewens, bied d ie Europese wetgew ing oor databe skerming
’n “ekosisteem” vir regsver gelyking met Wet 4 van 2013 vanweë die histo riese verband t ussen die
onderskeie inst rumente. Dit is veral d ie geval met betrekki ng tot die reëls insake d ie materiële omvang
van Wet 4 van 2013, waarin konsept e en meganismes u it die Europese ra amwerk aanvaar wor d. In
hierdie verband wor d ondersoek of die interpre tasie van die omvangsreëls soos de ur die Europese hof
van justisie ont wikkel, ’n raamwerk ka n bied vir die inter pretasie van die be palings van Wet 4 van 2013.
Die normatiewe ba sis van die konsep “persoonli ke inligting” in Wet 4 van 2013 val in ’n groot mate
saam met die konse p van “persoonl ike data” in Europe se wetgewing oor die beske rming van dat a, maar
wyk ook in sekere a spekte daarv an af.
Die artikel bie d ’n vergelykende analise van hierd ie konsepte. Dit blyk dat aka demiese standpu nte en
regspraak af komstig uit d ie Europese Unie gebr uik kan word as ’n waard evolle bron vir die inte rpretasie
van Wet 4 van 2013. Dit is veral van toepas sing op die vraag i n hoeverre ken nis van derde par tye
in ag geneem moet word om ’n persoon as “identiseerba ar” te klassise er. Die Europese hof van
justisie het in die Bre yer-saak uit spraak oor hierd ie hoogs omstrede aan geleentheid gebied en wel in die
konteks van din amiese IP-adresse. In d ie artikel word bespreek of die i nterpretasie deur d ie Europese
hof bruikba ar kan wees in ’n Suid-Afri kaanse konteks.
1 Introduction
The General Data Protection Regulation1 forms the “new” general data protect ion
law within the legal fra mework of the European Union and has been applicable
* Research Associate, Research Centre for Private International Law in Emerging Countries, University
of Johannesburg.
** Lecturer, Department of Practical Business Law, Faculty of Law, University of Johannesburg.
1 Regulation (EU) 2016/679 of the European parliament and of the council of 27-04-2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC, OJ L 119 (4-05-2016) 1.
2021 TSAR 718
© Juta and Company (Pty) Ltd
https://doi.org /10.47348/ TSAR /2021/i4a 4
THE CONCEPT OF “PER SONAL INFORM ATION” 719
[ISSN 0257 – 7747] TSAR 2021 . 4
since 25 May 2018.2 This regulation, which replaces3 the f ully har monising4
1995 European Union Data Protection Directive (directive),5 is considered to be
the “beginning of a new era in data protection law”.6 With regard to the South
Africa n status quo, a new – rst – “era” of codied dat a protection rules bega n
with the Protection of Personal Information Act 4 of 2013.7 The act was gazetted
on 26 November 2013,8 but a number of key provisions9 of Act 4 of 2013 came into
force only on 1 July 2020.10 The act aims to give effect to the constitutional right
of privacy as enshri ned in section 14 of the constitution by safeguarding personal
information when processed by a responsible party and at the same time seeks to
balance this protect ion with other rig hts.11
Over the years data protection law has advanced to a compliance matter,12 since
non-compliance with data protection rules imposes a critical liability r isk not only
for corporations and enterprises but also for natu ral persons. The deadline for
compliance with the ru les of Act 4 of 2013 was 1 July 2021.13
Modern data prote ction laws such as the regulation and Act 4 of 2013 provide for
private as well as public enforcement of their provisions. I n the event of infringement s,
the addressees of dat a protection rules – “controllers” and “processors” in te rms of
the regulation, “responsible parties” and “operators” in terms of Act 4 of 2013 –
face not only civil law claims14 but also authoritative measures by data protection
authorities such as orders,15 nes and – under Act 4 of 2013 – even criminal
prosecution.16 Fines are probably the most powerful instrument of data protection
authorities. Act 4 of 2013 provides for nes up to R10 million.17 The regulation
equips the data prote ction authorities of the member states with the power to i mpose
nes up to €20 million or 4 per cent of the total worldwide an nual tur nover of
2 See a 99 (2) of the regulation. Some German courts had already applied the regulation before that
date. See Finanzgericht Düsseldorf 2017 Beck-Rechtsprechung (BeckRS) 122830 par 31 and
Verwaltungsgericht Wiesbaden 2017 BeckRS 129989 par 32.
3 See a 94(1) of the regulation.
4 the Lindqvist case ECJ 2004 EuZW 245 252 par 96; the Huber case ECJ 2009 EuZW 183 185 par 51;
the ASNEF case ECJ 2012 EuZW 37 39 par 29.
5 Directive 95/46/EC of the European parliament and of the council (24-10-1995) on the protection of
individuals with regard to the processing of personal data and on the free movement of such data, OJ
L 281 (23-11-1995) 31.
6 Kühling and Sackmann “Datenschutzordnung 2018 – nach der Reform ist vor der Reform?!” 2018 Neue
Zeitschrift für Verwaltungsrecht (NVwZ) 681; see also Schantz “Die Datenschutz-Grundverordnung –
Beginn einer neuen Zeitrechnung im Datenschutzrecht” 2016 Neue Juristische Wochenschrift (NJW)
1841.
7 Until the provisions of Act 4 of 2013 became applicable, the protection of privacy in the South African
legal system was subject to the established common-law principles and claims. See in detail Roos “Data
protection law in South Africa” in Makulilo (ed) African Data Privacy Laws (2016) 196; Roos “Data
privacy law” in Van der Merwe, Roos, Pistorius, Eiselen and Nel Information and Communications
Technology Law (2016) 418; and the overview provided by Naude and Papadopoulos “Data protection
in South Africa: the Protection of Personal Information Act 4 of 2013 in light of recent international
developments (1)” 2016 THRHR 51 53 ff.
8 GG 37067 (26-01-2013).
9 This applies particularly to s 2-38 and 55-109 of Act 4 of 2013.
10 Proclamation R 21, GG 43461 (22-06-2020) 3.
11 Cf s 2 of Act 4 of 2013.
12 Cf s 8 of Act 4 of 2013; a 24(1) s 1 and a 28(1) of the regulation.
13 s 114(1) of Act 4 of 2013.
14 See s 99(1) of Act 4 of 2013 and a 82 of the regulation.
15 See s 95(1) of Act 4 of 2013 and a 58 of the regulation.
16 s 107 of Act 4 of 2013.
17 See s 109(2)(c) of Act 4 of 2013.
© Juta and Company (Pty) Ltd
To continue reading
Request your trial