The concept of “personal information” in the Protection of Personal Information Act 4 of 2013 – a comparative analysis from a European perspective

• Author: Baumann, J.S.
• DOI: https://doi.org/10.47348/TSAR/2021/i4a4
• Published date: 20 September 2021
• Date: 20 September 2021
• Citation: 2021 TSAR 718
• Pages: 718-739

https://doi.org /10.47348/ TSAR /2021/i4a 4

TSAR 2021 . 3 [ISSN 0257 – 7747]

718

The concept of “personal information” in

the Protection of Personal Information Act

4 of 2013 – a comparative analysis from a

European perspective

JONAS S BAUMANN*

NAZRE EN ISMAIL**

SAMEVATTING

DIE BEGRIP “PERSOONLIKE INLIGTING” IN DIE WET OP BESKERMING VAN

PERSOONLIKE INLIGTING 4 VAN 2013 – ’N VERGELYKENDE ANALISE VANUIT ’N

EUROPESE PERSPEKTIEF

Die Wet op Beskerming v an Persoonlike Inl igting 4 van 2013 is ’n mylpaal in die ontw ikkeling van die

Suid-Afri kaanse wetgewing oor d atabeskerming. ’n Aanta l sleutelbepalings van hie rdie wet is vanaf 1

Julie 2021 van toepassi ng en hou aansienli ke uitdagings in v ir nakoming deu r verantwoordelike pa rtye.

In die lig van die afdw ingingsmegan ismes wat deur Wet 4 van 2013 geïmplement eer word, is dit

van kardin ale belang om die omvang daarva n so presies moontlik te bepaal . Die begrip “persoonli ke

inligti ng” is van fundament ele belang vir die uitbreidi ng van die materiële omvang va n die wet.

Wet 4 van 2013 is opgestel aan die hand va n gevestigde inter nasionale raamwe rke vir databe skerming,

sowel as die Europese r iglyn vir die be skerming va n data van 1995. Alhoewel die Eu ropese

databesker mingsraa mwerk intusse n verder ontwik kel het deur die implem entering van ’n algeme ne

regulasie in sake die besker ming van gegewens, bied d ie Europese wetgew ing oor databe skerming

’n “ekosisteem” vir regsver gelyking met Wet 4 van 2013 vanweë die histo riese verband t ussen die

onderskeie inst rumente. Dit is veral d ie geval met betrekki ng tot die reëls insake d ie materiële omvang

van Wet 4 van 2013, waarin konsept e en meganismes u it die Europese ra amwerk aanvaar wor d. In

hierdie verband wor d ondersoek of die interpre tasie van die omvangsreëls soos de ur die Europese hof

van justisie ont wikkel, ’n raamwerk ka n bied vir die inter pretasie van die be palings van Wet 4 van 2013.

Die normatiewe ba sis van die konsep “persoonli ke inligting” in Wet 4 van 2013 val in ’n groot mate

saam met die konse p van “persoonl ike data” in Europe se wetgewing oor die beske rming van dat a, maar

wyk ook in sekere a spekte daarv an af.

Die artikel bie d ’n vergelykende analise van hierd ie konsepte. Dit blyk dat aka demiese standpu nte en

regspraak af komstig uit d ie Europese Unie gebr uik kan word as ’n waard evolle bron vir die inte rpretasie

van Wet 4 van 2013. Dit is veral van toepas sing op die vraag i n hoeverre ken nis van derde par tye

in ag geneem moet word om ’n persoon as “identiseerba ar” te klassise er. Die Europese hof van

justisie het in die Bre yer-saak uit spraak oor hierd ie hoogs omstrede aan geleentheid gebied en wel in die

konteks van din amiese IP-adresse. In d ie artikel word bespreek of die i nterpretasie deur d ie Europese

hof bruikba ar kan wees in ’n Suid-Afri kaanse konteks.

1 Introduction

The General Data Protection Regulation1 forms the “new” general data protect ion

law within the legal fra mework of the European Union and has been applicable

* Research Associate, Research Centre for Private International Law in Emerging Countries, University

of Johannesburg.

** Lecturer, Department of Practical Business Law, Faculty of Law, University of Johannesburg.

1 Regulation (EU) 2016/679 of the European parliament and of the council of 27-04-2016 on the

protection of natural persons with regard to the processing of personal data and on the free movement

of such data, and repealing Directive 95/46/EC, OJ L 119 (4-05-2016) 1.

2021 TSAR 718

© Juta and Company (Pty) Ltd

https://doi.org /10.47348/ TSAR /2021/i4a 4

THE CONCEPT OF “PER SONAL INFORM ATION” 719

[ISSN 0257 – 7747] TSAR 2021 . 4

since 25 May 2018.2 This regulation, which replaces3 the f ully har monising4

1995 European Union Data Protection Directive (directive),5 is considered to be

the “beginning of a new era in data protection law”.6 With regard to the South

Africa n status quo, a new – rst – “era” of codied dat a protection rules bega n

with the Protection of Personal Information Act 4 of 2013.7 The act was gazetted

on 26 November 2013,8 but a number of key provisions9 of Act 4 of 2013 came into

force only on 1 July 2020.10 The act aims to give effect to the constitutional right

of privacy as enshri ned in section 14 of the constitution by safeguarding personal

information when processed by a responsible party and at the same time seeks to

balance this protect ion with other rig hts.11

Over the years data protection law has advanced to a compliance matter,12 since

non-compliance with data protection rules imposes a critical liability r isk not only

for corporations and enterprises but also for natu ral persons. The deadline for

compliance with the ru les of Act 4 of 2013 was 1 July 2021.13

Modern data prote ction laws such as the regulation and Act 4 of 2013 provide for

private as well as public enforcement of their provisions. I n the event of infringement s,

the addressees of dat a protection rules – “controllers” and “processors” in te rms of

the regulation, “responsible parties” and “operators” in terms of Act 4 of 2013 –

face not only civil law claims14 but also authoritative measures by data protection

authorities such as orders,15 nes and – under Act 4 of 2013 – even criminal

prosecution.16 Fines are probably the most powerful instrument of data protection

authorities. Act 4 of 2013 provides for nes up to R10 million.17 The regulation

equips the data prote ction authorities of the member states with the power to i mpose

nes up to €20 million or 4 per cent of the total worldwide an nual tur nover of

2 See a 99 (2) of the regulation. Some German courts had already applied the regulation before that

date. See Finanzgericht Düsseldorf 2017 Beck-Rechtsprechung (BeckRS) 122830 par 31 and

Verwaltungsgericht Wiesbaden 2017 BeckRS 129989 par 32.

3 See a 94(1) of the regulation.

4 the Lindqvist case ECJ 2004 EuZW 245 252 par 96; the Huber case ECJ 2009 EuZW 183 185 par 51;

the ASNEF case ECJ 2012 EuZW 37 39 par 29.

5 Directive 95/46/EC of the European parliament and of the council (24-10-1995) on the protection of

individuals with regard to the processing of personal data and on the free movement of such data, OJ

L 281 (23-11-1995) 31.

6 Kühling and Sackmann “Datenschutzordnung 2018 – nach der Reform ist vor der Reform?!” 2018 Neue

Zeitschrift für Verwaltungsrecht (NVwZ) 681; see also Schantz “Die Datenschutz-Grundverordnung –

Beginn einer neuen Zeitrechnung im Datenschutzrecht” 2016 Neue Juristische Wochenschrift (NJW)

1841.

7 Until the provisions of Act 4 of 2013 became applicable, the protection of privacy in the South African

legal system was subject to the established common-law principles and claims. See in detail Roos “Data

protection law in South Africa” in Makulilo (ed) African Data Privacy Laws (2016) 196; Roos “Data

privacy law” in Van der Merwe, Roos, Pistorius, Eiselen and Nel Information and Communications

Technology Law (2016) 418; and the overview provided by Naude and Papadopoulos “Data protection

in South Africa: the Protection of Personal Information Act 4 of 2013 in light of recent international

developments (1)” 2016 THRHR 51 53 ff.

8 GG 37067 (26-01-2013).

9 This applies particularly to s 2-38 and 55-109 of Act 4 of 2013.

10 Proclamation R 21, GG 43461 (22-06-2020) 3.

11 Cf s 2 of Act 4 of 2013.

12 Cf s 8 of Act 4 of 2013; a 24(1) s 1 and a 28(1) of the regulation.

13 s 114(1) of Act 4 of 2013.

14 See s 99(1) of Act 4 of 2013 and a 82 of the regulation.

15 See s 95(1) of Act 4 of 2013 and a 58 of the regulation.

16 s 107 of Act 4 of 2013.

17 See s 109(2)(c) of Act 4 of 2013.

© Juta and Company (Pty) Ltd