A Comparative Analysis of Zimbabwean and South African Data Protection Systems

advertisement
Journal of Information, Law and Technology
A Comparative Analysis of Zimbabwean and South
African Data Protection Systems
Caroline Ncube
Lecturer, Department of Commercial Law, University of Cape Town
CNCUBE@law.uct.ac.za
The author would like to thank the two reviewers for their insightful
comments and suggestions and Brent Hanks for his editorial work. The
author assumes responsibility for all errors within this work
This is a refereed article published on: 30 November 2004.
Citation: Ncube, 'A Comparative Analysis of Zimbabwean and South African Data
Protection Systems', 2004 (2) The Journal of Information, Law and Technology (JILT).
<http://www2.warwick.ac.uk/fac/soc/law2/elj/jilt/2004_2/ncube/>.
Abstract
Data protection is a very important international trade issue and the lack of adequate
data protection may be a barrier to trade. Data protection laws are also a vital part of
the protection of an individual’s privacy.
This paper is a descriptive analysis of Zimbabwean and South African data protection
systems. It compares these two common law systems in a holistic manner taking into
account each nation’s peculiar cultural, social, economic and political environments.
The most striking feature of both these systems is that they are underdeveloped;
Zimbabwe only protects data held and used by the public sector whilst South Africa
has no specific data protection legislation at all. There is currently a concerted effort
to secure data protection in South Africa spearheaded by the South African Law
Commission (SALC).
This paper is a contribution to this law reform process. Its objective is to give a
synopsis of the two data protection systems, identify their weaknesses and make
suggestions for reform drawn from stronger data protection systems. It proceeds by
outlining the constitutional, common law and legislative frameworks regulating data
protection in each country, and comparing these with each other and a common ideal.
The paper also briefly discusses the current data protection law reform in South Africa
and concludes with a forecast of probable developments in both countries.
Keywords: Data Protection, privacy, privacy legislation, Zimbabwean privacy
law, South African privacy law, law reform, comparative law.
1. Introduction
The need to establish and enforce effective data protection systems in both Zimbabwe
and South Africa is a trade and development issue. The 1995 European Union Data
Protection Directive ( http://www.bfd.bund.de/europa/EU_richtl_en.html>) imposes a
standard of protection on any country in which the personal data of European citizens
is processed. Such data can only be processed in countries that can guarantee adequate
levels of protection (Articles 25 -6).
Developing nations, especially those in Africa, as evidenced by their recent
establishment of NEPAD,[1] intend to be full participants in the global economy.
Such participation will only be enabled by conducive trade conditions. Zimbabwe and
South Africa, like all other developing nations therefore need to ensure that their data
protection laws encourage rather that discourage international trade by providing
adequate levels of data protection to enable the flow of data from European Union
(EU) countries.
The adequacy of these systems will ultimately lie in their application and
enforcement. This paper will accordingly also discuss enforcement structures and
procedures.
The substantive part of this article is divided into five parts. The first part compares
Zimbabwean and South African constitutional provisions relating to privacy. The
second part discusses the common law protection of privacy in both jurisdictions. The
third part analyses the legislative frameworks in each country. The fourth part
examines oversight and enforcement of these laws. The fifth and final part concludes
the paper with an overall assessment of each country and a forecast of probable future
developments.
2. Zimbabwean and South African Constitutional Provisions Relating to Privacy
The right to privacy is widely considered a fundamental human right. It is provided
for in Article 12 of the 1948 Universal Declaration of Human Rights and in other
international instruments, such as Article 16 of the United Nations Convention on the
Rights of the Child, Article 17 of the International Covenant on Civil and Political
Rights (ICCPR) and Article 14 of the United Nations Convention on Migrant
Workers. The American Convention on Human Rights (Art 11, 14) and the American
Declaration of the Rights and Duties of Mankind (Art V, IX and X) contain provisions
similar to those found in the Universal Declaration and International Covenant (SALC
IP24 at 3.1.3 – 3.1.6).
A number of countries (like the United Kingdom) also protect the right to privacy
under the rubric of general human rights legislation. Others such as South Africa
(section 14 of the Constitution of South Africa Act 108 of 1996 (as amended)), the
Kingdom of the Netherlands (Constitution of the Kingdom of the Netherlands, 1989),
the Republic of the Philippines (art III, Constitution of the Republic of the
Philippines, 1987), and the Russian Federation (art 23, Constitution of the Russian
Federation, 1993) explicitly enshrine the right in their constitutions. The United States
stands apart from these countries insofar as its Constitution does not contain an
explicit right to privacy. Despite this the Supreme Court of the United States has
concluded that such a right is implicit in the Constitution (Hammit 1998) and most
Americans consider privacy a core value (Lloyd L R 1995).
Despite the widespread protection that it is offered in international instruments and
constitutional provisions, ‘privacy’ is however a term that is inherently difficult to
define and its definition varies widely (Electronic Privacy Information Center (EPIC)
Report 2002 p2.). Recognizing this the South African Constitutional Court recently
characterized the concept as both ‘amorphous and elusive’ (Bernstein and others v
Bester and others NNO (Bernstein v Bester) 1996 (2) SA 751 at 787-788), but chose
to offer forth a definition of privacy nonetheless as ‘an individual condition of life
characterised by exclusion from the public and publicity. This condition embraces all
those personal facts which the person concerned has determined himself to be
excluded from the knowledge of outsiders and in respect of which he has the will that
they be kept private’ (Bernstein v Bester at 789).
The Supreme Court of Zimbabwe has not yet had occasion to define privacy in the
context of the protection of personal information. Nor does the country’s constitution
provide explicit provisions for the protection of an individual’s right to privacy.
3. Common Law Protection of Privacy in Zimbabwe and South Africa
In order to evaluate the common law protection offered privacy in both countries it is
important to adopt an interdisciplinary, comparative law approach that takes into
account the specific cultural, socio- political and economic factors that impact the
manner in which law is applied and enforced in Zimbabwe and South Africa (Reitz,
JC; 1998, Webb 2003). This paper therefore employs the methodology most recently
utilized by Philippa Webb and originally formulated by legal analyst JC Reitz (1998,
p. 622, 634) and compares each country’s data protection systems to one another
before comparing them to a common ideal.
On the whole there is scant academic literature on the data protection laws of South
Africa and Zimbabwe, although a detailed issue paper on South Africa’s data
protection laws was recently released by the SALC (Issue Paper 24 ‘Privacy and data
protection (IP 24)). There is an impressive body of literature on the historical,
economic and socio-political climates of both countries online and in print. This paper
will refer extensively to the online literature in order to enable readers to easily view
the materials, should they wish to do so. This literature includes reports and articles
by civic organisations, government information, media reports and survey and poll
findings. There is also a large body of scholarship regarding matters of privacy in
South Africa dating back as far as 1979. Of particular import are the materials dating
from the mid 1990s onwards. However, much of this literature was originally
produced in Afrikaans, so translations of the originals are relied on throughout this
paper. The reader will also find that many Roman-Dutch phrases are used in the
discussions of common law concepts, but every effort is made to concisely explain
these terms.
The Ideal
This section outlines the ideal against which both data protection systems will be
compared. The following four models of data protection were considered (EPIC
Report 2002 p3; SALC IP24 at 7.1.3):
a) Comprehensive Laws Model
This model is characterised by a general law that governs the collection, use and
dissemination of personal information by the public and private sectors. An oversight
body then ensures compliance. Industry develops rules for the protection of privacy
that are enforced by the industry and overseen by the private agency. This model,
adopted by the European Union to ensure compliance with its data protection regime,
is the preferred model for most countries adopting data protecting laws (SALC IP24 at
7.1.4, 7.2.1-7.2.36, EPIC Report 2002 p4).
b) Sectoral Laws Model
This model does not have a general law like the comprehensive model but has sectoral
laws governing, for example, financial privacy. In such cases, enforcement is
achieved through a range of mechanisms. It has been adopted by the United States but
has been criticised on a number of grounds. The first of these being the fact that it
requires new legislation be introduced with each new technology and consequently
protections frequently lag behind technological advances and actual practice. An
example of this shortcoming is the lack of legal protection for individual privacy on
the Internet in the United States. The second major criticism is the lack of an
oversight agency, which compromises the effectiveness of the laws. In many
countries, sectoral laws are used to complement comprehensive legislation by
providing more detailed protection for certain categories of information, such as
telecommunications, police files or consumer credit records (SALC IP 24 at 7.1.5,
7.2.37 -7.2.43; EPIC Report 2002 p4).
c) Self-Regulation Model
The essence of this model is the protection of data through various forms of selfregulation. Companies and industry bodies establish their own codes of practice and
engage in self-policing. Within the United States, this model has not been very
effective and there is little evidence that the aims of the codes are regularly fulfilled.
Additionally, these codes are often inadequate and are not efficiently enforced (SALC
IP24 at 7.1.6, 7.2.44- 7.2.70; EPIC Report 2002 p4).
d) Technology Model
Under this approach, due to the recent development of commercially available
technology-based systems, data protection is in the hands of individual users.
Individual users of the Internet and of some physical applications can employ a range
of programs and systems that provide varying degrees of privacy and security of
communications, for example encryption, anonymous remailers, proxy servers and
digital cash (SALC IP24 at 7.1.7, 7.2.71 – 7.2.81, EPIC Report 2002 p4).
Principles of Data Protection
The following international documents contain both clear basic principles of data
protection and also serve as influential models of national and international initiatives
on data protection (Bygrave LA 2002 p30, SALC IP24 at 1.2.22):
a) The Council of Europe’s 1981 Convention for the Protection of Individuals
with Regard to the Automatic Processing of Personal Data
(<http://www.coe.fr/eng/legaltxt/108e.htm>);
b) The 1981 Organisation for Economic Cooperation and Development’s
(OECD) Guidelines Governing the Protection of Privacy and Transborder
Data Flows of Personal Data (<http://www.oecd.org/documentprint>);
c) The 1995 EU Data Protection Directive; and
d) The United Nations’ (UN) Guidelines Concerning Computerised Personal
Data Files
(http://europa.eu.int/comm/internal_market/privacy/instruments/un_en.htm).
The COE Convention (a) and the OECD Guidelines (b) have had a profound effect on
the global enactment of data protection laws. Almost thirty countries have signed the
COE convention and the OECD guidelines have been widely used in national
legislation, even outside the OECD member countries (SALC IP24 at 1.2.14). The
OECD Guidelines provide eight principles relating to the collection, purpose, use,
quality, security and accountability of organisations in relation to personal
information.
The EU Directive was enacted to harmonise member states’ laws in providing
consistent levels of protection for citizens and ensuring the free flow of personal data
within the European Union (SALC IP24 at 1.2.16-17). The UN Guidelines are
intended to encourage those UN Member States without data protection legislation in
place to take steps to enact such legislation and to encourage governmental and nongovernmental international organisations to process personal data in a responsible, fair
and privacy-friendly manner. The Guidelines are not legally binding and seem to have
had much less influence on data regimes than the other instruments (Bygrave LA
2002 p33, SALC IP24 at 1.2.19).
Although the expression of data protection in the above declarations and laws varies,
they all set the common minimum standard that personal information must be:
• collected fairly and lawfully;
• used only for the specified purpose for which it was originally collected;
• adequate, relevant and not excessive to purpose;
• accurate and up to date;
• accessible to the subject;
• kept secure; and
• destroyed after its purpose is completed. (SALC IP24 at 1.2.23).
These minimum standards together with the comprehensive laws model outlined
above will comprise the ideal against which the data protection systems of South
Africa and Zimbabwe will be compared.
4. The Constitutional Right to Privacy
4.1 South Africa and Its Socio- Political, Economic and Historical Background
The South African constitution provides that the country is a constitutional democracy
and any law or conduct inconsistent with its constitution is invalid (section 2).
Chapter 2 of the constitution or the Bill of Rights provides for certain fundamental
rights applicable to all law, including the common law relating to the right to privacy,
and binds not only the State (section 8(1)) but also, if applicable, natural and juristic
persons (section 8(2)).
For nearly all the latter half of the twentieth century the National Party governed
South Africa. It was only in 1994 the first democratic elections were held in the
country under an Interim Constitution. The African National Congress (ANC) has
since led the government and has been opposed by numerous political parties,
including the New National Party (NNP), the Inkatha Freedom Party (IFP) and the
Democratic Alliance (DA). Together these parties have sought to move beyond the
racial discrimination and political violence that characterized the period prior to 1994
and have for the last decade been engaged in the pursuit of democratisation, socio-
economic change and reconciliation. The constitution-making process, local
government elections and the establishment of the Truth and Reconciliation
Commission have been vital components of their efforts.
The interim constitution referred to above was itself the result of a volatile and
protracted struggle between the NP-led apartheid government and its opponents. It
came into force on 27 April 1994 and led to a number of revolutionary changes in
South Africa. First, it ended racial discrimination by according all fundamental
(human) rights to all citizens. Second, it converted South Africa from parliamentary
sovereignty to constitutional sovereignty. Third, it replaced the central government
system with a federal one. Additionally, the interim constitution provided for the
drafting of a final constitution by the Constitutional Assembly in accordance with a
number of democratic constitutional principles. Once drafted, the final constitution
was to be certified by a Constitutional Court. Although the initial application for
certification (1996) failed, a second application was formally approved in 1997, with
the Bill of Rights in the Final Constitution substantially similar to the one included in
the Interim Constitution (De Waal et al 2000 p1-7).
4.1.1
Content
The right to privacy is entrenched in Section 14 of the Bill of Rights, which reads:
Everyone has the right to privacy, which includes the right not to have –
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized; or
(d) the privacy of their communications infringed.
This section has two parts, the first of which guarantees a general right to privacy and
the second protects against specific infringements of privacy, namely searches and
seizures and infringements of the privacy of communications (De Waal et al 2000
p267, SALC IP24 at 3.2.6). Even though not explicitly mentioned within the language
of the section these protections extend to the breach of informational privacy. (Mistry
v Interim Medical and Dental Council of South Africa and others1998 (7) BCLR 880
(CC) at para 14 ). Therefore, the list mentioned in section 14 is by no means
exhaustive. It extends to any other unlawful method of obtaining information or
making unauthorised disclosures. (SALC IP24 at 3.2.8).
For convenience the constitutional right to privacy can be thought of as protecting
privacy against the following (SALC IP24 at 3.2.11, De Waal et al 2000 p270):
(a) intrusions and interferences with private life;
(b) disclosures of private facts; and
(c) infringement of autonomy.
Informational privacy, the subject of data protection laws, is covered by both (a) and
(b) above.
The right to privacy is not absolute though, it can be limited in accordance with the
limitation clause (Section 36) of the Bill (Neethling et al 2002 p19, SALC IP24 at
3.2.21) that requires a careful weighing up of the right to privacy and other opposing
interests or rights. Data privacy legislation will therefore have to find a balance
between the data subject’s fundamental right to privacy as set out in section 14 of the
Constitution on the one hand, and on the other hand, the legitimate need of other
persons to obtain information about the data subject (SALC IP24 at 3.2.22). These
needs may be based on the person or institution’s fundamental right to choose their
trade, occupation or profession freely (section 22); their fundamental right to access to
information (section 32); or their fundamental right to freedom of expression
(section16) as well as other legitimate interests or rights.
4.2 Zimbabwe and Its Socio- Political, Economic and Historical Background
Zimbabwe, like South Africa, is a constitutional democracy. Section 3 of the
Zimbabwean Constitution mandates that the constitution is the supreme law and any
law that is inconsistent with it is void to the extent of the inconsistency (<
http://www.nca.org.zw/html/coz/coz_fs.htm >). For much of the twentieth century
Zimbabwe was known as Southern Rhodesia and was an official colony of Great
Britain. This began to change in 1965, when the Prime Minister of Southern
Rhodesia, Ian Smith, in an effort to thwart the British government’s call for black
majority rule unilaterally declared independence from Great Britain. Smith’s
declaration angered the British who considered the declaration illegal and
unconstitutional and promptly cut all ties with the colony and coerced the United
Nations into imposing sanctions on Smith’s government.
At this time the black liberation movement led by the African nationalist Zapu and
Zanu parties decided to take up arms against those in government opposed to majority
rule in Southern Rhodesia. By the late 1960s they had become increasingly involved
in violent clashes with official Rhodesian security forces and South African forces
supporting the Smith regime’s counter-insurgency efforts (BBC News Zimbabwe’s
History: Key Dates
<http://news.bbc.co.uk/1/hi/special_report/1998/12/98/zimbabwe/226542.stm>).
The government of Southern Rhodesia eventually declared itself a republic in 1970
and constitutional settlement talks between the warring parties began in earnest a few
years later. However, they were unsuccessful until 1979, when a settlement was
finally reached, leading to the creation of a new constitution (the Lancaster House
Constitution), transitional arrangements, a ceasefire, an election, and the eventual
renaming of Southern Rhodesia to Zimbabwe in 1980 (Southern Rhodesia
Constitutional Conference Held at Lancaster House, London September - December
1979 Report <http://home.wanadoo.nl/rhodesia/lanc1.html >). Robert G. Mugabe has
led the government of Zimbabwe since that time, first as Prime Minister (1980 -1987)
then as Executive President (1987 to the present).
For most of the 1980s Zimbabwe was plagued by political violence and the deaths of
thousands of people. Only after the formation of a government of national unity in
1988 brought a cessation to the hostilities and opened the path to elections in 1990,
1995, 2002 and 2003. (Legal Resources Foundation (LRF), Catholic Commission for
Justice and Peace (CCJP) Breaking the Silence, Building True Peace: A report on the
disturbances in Matabeleland and the Midlands 1980 – 1989: Summary Report <
http://www.zwnews.com/Breaking.doc>). In each instance, Mugabe’s ZANU party
was triumphant. However, the last round of elections was widely condemned as unfair
by both Zimbabweans and the international community (Helen Suzman Foundation
‘Political Opinion in Zimbabwe
2000’<http://www.hsf.org.za/Zimsurvey/zimdoor.html>;World press review online
‘Zimbabwe: Press Spars over Election
Results’<http://www.worldpress.org/africa/0314zim.htm>).
Prior to 1999 much of the political violence in Zimbabwe stemmed from political
feuds over the Lancaster House Constitution. So beginning that year a concerted
effort began to be made to replace it with a new Constitution. A governmentappointed Constitutional Commission eventually prepared a new draft Constitution
that was submitted to the state president in December 1999
(<http://www.gta.gov.zw/Constitutional/Draft.Constitution.htm>). A constitutional
referendum followed on February 12-13, 2000. The National Constitutional Assembly
(NCA) and other prominent civic organisations in Zimbabwe campaigned intensively
and successfully against the new draft Constitution and in the end a majority of the
people of Zimbabwe voted against it (Kambudzi 2000). The NCA then proceeded to
draft its own constitution (<http://www.nca.org.zw/html/fdraft/fdraft_index.htm >),
one that it argues is more suitable than the rejected draft. Suffice to say the
government of Zimbabwe has not pursued any further constitutional reform since its
draft was rejected but civic organisations continue to agitate for reform. The most
noteworthy aspect of the NCA’s draft constitution, for the purposes of this paper, is
that it includes in its bill of rights an express right to privacy (section 20).
4.2.1 Content
Although there is no explicit constitutional ‘right to privacy’ in Zimbabwe, there is
however various elements of the right to privacy that can are found in different
sections of the constitution. The first of these is found in section 17, which provides
for protection against arbitrary search or entry. The second is found in section 16,
which provides for protection against deprivation of property. The third of these
elements is found in section 20(1), which provides for protection of freedom of
expression and reads:
Except with his own consent or by way of parental discipline, no person shall
be hindered in the enjoyment of his freedom of expression, that is to say,
freedom to hold opinions and to receive and impart ideas and information
without interference, and freedom from interference with his
correspondence (emphasis added).
The right to privacy can accordingly be inferred from these sections. Additionally,
Section 24 of the constitution provides that when a person alleges that the Declaration
of Rights is being, or is likely to be infringed, that person may apply to the Supreme
Court for redress. The Zimbabwean situation is then somewhat similar to that in the
US where privacy, although not explicitly protected by the Constitution, can
nonetheless be considered a core and constitutionally protected value. However,
unlike the United States to date there is no case law on data protection in Zimbabwe.
4.3 Assessment
In both South Africa and Zimbabwe the constitution clearly lays a foundation for data
protection laws by protecting a person’s right to privacy. Moreover, the rights
enunciated in each Bill of Rights are fully justiciable and enforceable. Additionally,
other fundamental rights have been enforced in the courts and one can justifiably
argue that the right to informational privacy is likely also to be enforced in the near
future. However, despite the fact that each Bill of Rights lays an adequate foundation
for the protection of informational privacy both need to be supplemented by specific
legislation. Having said that, of the two, South African constitutional provisions are
clearly better suited to the task. The main reason for this being that from the time of
independence Zimbabweans have been predominantly concerned with those rights
pertaining to pressing political and economic issues such as the rising cost of living.
Subsequently, issues such as data protection have been largely overlooked. The South
African constitution was also drafted in the late 1990s as the Internet began maturing.
Moreover, its drafting benefited from lengthy and informed citizen debate and was
able to incorporate and draw extensively from the experiences and knowledge of other
jurisdictions.
5. The Common Law Right to Privacy
Zimbabwean and South African common law is the same. Roman- Dutch Law has
heavily influenced both countries. Section 89 of the Zimbabwean constitution
provides that:
Subject to the provisions of any law for the time being in force in Zimbabwe relating
to the application of African customary law, the law to be administered by the
Supreme Court, the High Court and by any courts in Zimbabwe subordinate to the
High Court shall be the law in force in the Colony of the Cape of Good Hope on 10th
June, 1891, as modified by subsequent legislation having in Zimbabwe the force of
law.
Clearly, the common law of Zimbabwe derives from the common law of South
Africa. And under the common law every person has personality rights such as the
rights to physical integrity, freedom, reputation, dignity, and privacy (SALC IP24 at
3.1.16, Neethling 1998 at 64, 103, 137, 157, 233, 265).
The leading case for the recognition of an independent right to privacy in South
African law is O'Keeffe v Argus Printing and Publishing Co Ltd and others (1954 (3)
SA 244 (C)) wherein dignitas was interpreted to include the whole legally protected
personality, except bodily integrity and reputation (SALC IP24 at 3.1.17). Privacy is
included in this genre, although the court did not expressly state this (SALC 3.1.18).
Later Zimbabwean cases have reached similar conclusions (Mr. and Mrs. “X” v
Rhodesia Printing and Publishing Co Ltd 1974 (4) SA 508 (R) at 511- 512,
Rhodesian Printing and Publishing Co Ltd v Duggan 1975 (1) SA 590 (RA) at 592).
The South African Constitutional Court (Gosschalk v Rossouw at 490-49, Bernstein v
Bester at 789) has itself endorsed such a contention and the express constitutional
recognition of the right to privacy in Section14 of the South African Constitution,
independent of the right to dignity in Section 10, confirms the independent existence
of the right to privacy. It bears repeating that only the legitimate interests of others
and the public interest may limit the common law right to privacy (SALC IP 24 at
3.2.21, Neethling 1998 p288 ff).
South African common law has been developed by the enactment of the Constitution
(section 39(2)). Therefore, any action resulting in the infringement of privacy in South
Africa is now considered a hybrid action based on a mixture of common law and
constitutional imperatives (McQuoid-Mason 2000 p261, SALC IP24 at 3.3.3). Under
common law a single inquiry is required to assess whether or not there has been an
unlawful infringement of privacy, whereas under the Constitution it is a twofold
inquiry (SALC IP24 at 3.3.5). Under common law, to succeed, a plaintiff needs to
prove the following:
(i) An invasion of the his privacy in the form of disclosure or revelation of his
personal information (SALC IP24 at 3.3.7- 3.3.10);
(ii) Wrongfulness, which is determined using the criterion of reasonableness or
the norm of boni mores (SALC IP 24 at 3.3.11 3.3.27); and
(iii) Intention (animus iniuriandi) (SALC IP24 at 3.3.5. 3.3.28 -3.3.32)
In the case of a constitutional invasion of privacy the applicant must prove
that:
(a) Invasive law or conduct has infringed his right to privacy in the
Constitution (Woolman 1996); and
(b) Such infringement is not justifiable in terms of section 36 of the
Constitution.
Defenses to the common law action are categorised into two main groups, namely
those excluding wrongfulness and those excluding intention. Examples of defenses
excluding wrongfulness include consent, necessity, private defense, impossibility,
public interest and performance in a statutory or official capacity. Examples of
defenses excluding intent include jest, mistake, insanity or intoxication (SALC IP24 at
3.3.42 – 3.3.60). The generally accepted main remedies for common law invasions of
privacy are (SALC 3.3.60, Neethling 1998 p304-305):
(i) The actio Iniuriarum (recovery of sentimental damages or satisfaction
(solatium) for injured feelings. The amount of compensation is in the
discretion of the court and is assessed on what is fair and reasonable (Jansen
van Vuuren and others NNO v Kruger 1993 (4) SA 842 at 857-858);
(ii) The actio legis Aquiliae (damages where the plaintiff has suffered actual
monetary loss as a result of the violation of privacy);
(iii) The interdict where a person is confronted with a threatening or
continuing infringement of his or her right (Rhodesian Printing and
Publishing Co Ltd v Duggan and others 1975 (1) SA 590 (Rhodesian
Appellate Court)); and
(iv) Retraction and apology (Mineworkers Investment Co (Pty) Ltd v
Modibane 2002 (6) SA 512 (W)).
Section 38 of the Constitution provides that in the case of an infringement of or threat
to the right to privacy as a fundamental right, the prejudiced or threatened person is
entitled to approach a competent court for appropriate relief, including a declaration
of rights.
Assessment
Effective common law data protection, based on general principles, can be achieved
only through a two-pronged approach (Neethling 1998 p328, SALC IP24 at 3.4.1).
The first rung of this approach, common law, as influenced by the Constitution,
should be fully utilised. However, ‘the inherent conservatism of the courts’, and the
fact that the protection of privacy is still very underdeveloped in South African law
will mean that the courts will not adequately protect privacy. Consequently, the matter
will have to be regulated by legislation (also Neethling 2002 p589).
The second rung of this approach is that the individual himself should have and
exercise a measure of active control over his personal data, otherwise the common
law protection of data will be ineffective.(Neethling 1998 p334-337). This active
control over personal information can be based on the common law and the
Constitutional Court’s recognition of the fact that the right to privacy encompasses the
competence of a person to control his private facts or the scope of his interest in his
privacy (SALC IP24 at 3.4.3, Neethling 1998 p39; National Media Ltd and others v
Jooste 1996 (3) SA 262 A 271-2.at 271-272; Investigating Directorate: Serious
Economic Offences v Hyundai Motor Distributors (Pty) Ltd ao; In re Hyundai Motor
Distributors (Pty) Ltd and others v Smit NO and others 2001 (1) SA 545 (CC) at 557).
However active control principles, or principles of data protection, differ completely
from common law privacy protection as discussed above and accordingly are unique
in the field of personality protection. Legislation is accordingly the best vehicle
through which principles of data protection can be provided (SALC IP24 at 3.4.3).
6.
Statutes
6.1 Zimbabwe: Access to Information and Protection of Privacy Act
The parliament of Zimbabwe recently enacted the ‘Access to Information and
Protection of Privacy Act’ (AIPPA) (Chapter 10:27). This act came into operation on
15 March 2002 precisely at a time when public participation in the political process
and incisive media reporting on government activities had reached previously
unprecedented levels. The act was viewed in civil society circles largely as a weapon
to be used against journalists and most legal analyses of the act have accordingly
concentrated on the provisions of the act relating to the regulation of journalists and
the mass media (Media Institute of Southern Africa (MISA) Action Alert
15/10/2003< http://www.misa.org/node/view/58>; Amnesty International Canada
‘Zimbabwe Rights under siege’< http://www.amnesty.ca/zimbabwe/actKarombo.htm
>). Unsurprisingly, its provisions relating to informational privacy have attracted far
less attention. In a memorandum accompanying the bill the Parliament of Zimbabwe
provided the following justification for the passing of the act: information plays a
“critical role…in a constitutional democracy and… can be used usefully or
harmfully”.
The AIPPA applies to all matters relating to access to information, protection of
privacy and the mass media. It both complements existing laws relating to these
matters and prevails over those that are found to be inconsistent with its provisions
(Sec3 (1) and Sec 3(2)). Furthermore, it applies to all records in the custody or under
the control of public bodies in Zimbabwe. There are however exclusions listed in the
First Schedule, which range from personal notes, communications or draft decisions
of a person who is acting in a judicial or quasi-judicial capacity to records containing
teaching materials or research information of employees of a post-secondary
educational body (Section 4(1)).
The AIPPA provides for the following:
1. Access to records and information held by public bodies (Sections 5 –
13);
2. Protected information (Sections 14- 25);
3. Information pertaining to third parties (Sections 26 -28);
4. Collection, protection and retention of personal information by public
bodies (Sections 29-35);
5. Use and disclosure of personal information by public bodies (Sections
36 – 37);
6. Regulation of the mass media and journalists (Sections 38- 90); and
7. Appeals to administrative court and other general matters (Sections 91
– 93).
This paper is specifically concerned with (4) and (5) above and aspects of the sections
they concern are discussed in more detail below.
Collection
Section 29 provides that a public body may only collect personal information if the
following conditions are satisfied:
(a) The collection of that information is expressly authorized in terms of an
enactment;
(b) The information is to be collected for the purposes of national security,
public order and law enforcement;
(c) The information is to be collected for the purposes of public health;
(d) The information relates directly to and is necessary for an operating
programme, function or activity of the public body; and/or
(e) The information will be used to formulate public policy.
Except in two specific circumstances personal information must always be collected
directly from the person to whom it relates. An exception can be made in the case that
collection from another source is authorized by the individual concerned, the Media
Commission (Commission) or another enactment (section 30 (1) (a)). Exceptions can
also be made in the case that the collection of personal information is related in some
way to the following activities: the enforcing of laws, the proceedings before courts or
judicial/quasi-judicial tribunals, the granting of honours or award (including an
honorary degree, scholarship, prize or bursary), the collection of debts or fines, and
the making of payments (Section 30 (1) (b)).
The public body collecting personal information must inform a person from whom it
intends to collect personal information of the purpose for which the personal
information is being collected and the legal authority for collecting it (Section 30(2)),
except where the information relates to law enforcement and/or the Commission
exempts it from making such notification. Such exemptions may be granted if the
notification would result in the collection of inaccurate information, or defeat the
purpose of, or prejudice the use for which, the information is to be collected (Section
30(3)). Furthermore, under the act, any individual required to supply to a public body
personal information or information relating to a third party who knowingly supplies
information to that body which he or she knows to be false and/or does not have
reasonable grounds for believing to be true shall be guilty of an offence and liable to a
fine or to imprisonment for a period not exceeding six months or to both such fine and
such imprisonment (Section 35).
Accuracy
Section 31 of AIPPA provides that a public body using an individual’s personal
information must take every reasonable step to ensure that the information collected is
both accurate and complete. A person may request the head of a public body to
correct any information relating to him/herself that he/she reasonably believes
contains an error or omission (Section 32 (1)). Upon receipt of such a request the head
of the public body concerned must correct or annotate the personal information on the
record pertaining to the person making the request (Section 32(2)). After such a
correction, the head of the public body must then notify the correction to any other
public body or any third party to whom that information has been disclosed during the
last twelve months (Section 32(3)).
Security
Section 33 provides that the head of a public body should protect personal information
that is under his custody or control by taking reasonable steps to ensure that there is
adequate security and there is no unauthorised access, collection, use, disclosure or
disposal of such personal information.
Use and Retention
If a public body uses an individual’s personal information to make a decision that
directly affects the individual, the public body must retain that information for at least
one year after using it so that the individual has a reasonable opportunity to have
access to it (section 34). And a public body may only use personal information for the
purpose for which that information was obtained or compiled or for a use consistent
with that purpose or if the person to whom the information relates has consented
(section 36).
Disclosure for Archival or Historical Purposes
The National Archives, or the archives of a public body, may disclose personal
information to a third party for the purpose of historical research or any other lawful
purpose if such disclosure would not result in an unreasonable invasion of personal
privacy in terms of the Act or the information being released pertains to a person who
has been deceased for thirty or more years (section 37).
6.2 South Africa
Like Zimbabwe South Africa does not have specific data protection legislation in
force, although certain provisions of the Promotion of Access to Information Act and
the Electronic Communications and Transactions Act do have provisions relating to
data protection. These provisions are however regarded as interim measures and will
only stay in force until more specific data privacy laws are formulated and
implemented (SALC IP24 at 1.2.25). South African commentators agree that the
urgent creation of such measures through legislation is a pressing priority (SALC
IP24 at 1.2.24) and a law reform process is now in full motion.
6.2.1 Interim Provisions
Electronic Communications and Transactions Act (ECTA) (25 of 2002)
The ECTA only applies to personal information that has been obtained through
electronic transactions (section 50(1)). This act provides principles for collecting
information but these principles are not binding and may be voluntarily subscribed to
by the data controller (defined in section one as the person collecting the information)
by the noting of such subscription in any agreement with a data subject (defined by
section 1 as the person to whom the information relates). Once a data controller elects
to subscribe to the principles listed in the act, (s) he must subscribe to them all
(Section 50(3)). Listed in Section 51 of the Act the principles include:
Fair and Lawful Collection
A data controller must have the express written permission of the data subject for the
collection, collation, processing or disclosure of any personal information on that data
subject, unless he or she is permitted or required to do so by law (section 51 (1)).
A data controller may not electronically request, collect, collate, process or store
personal information on a data subject that is not necessary for the lawful purpose for
which the personal information is required (section 51 (2)). The data controller must
also disclose in writing to the data subject the specific purpose for which any personal
information is being requested, collected, collated, processed or stored (section 51
(3)).
Use and Retention
The data controller may not use the personal information for any other purpose than
the disclosed purpose without the express written permission of the data subject,
unless he or she is permitted or required to do so by law (section 51 (4)). The data
controller must, for as long as the personal information is used and for a period of at
least one year thereafter, keep a record of the personal information and the specific
purpose for which the personal information was collected (section 51 (5)). The data
controller must also delete or destroy all personal information that has become
obsolete (section 51 (8)). A data controller may though use personal information to
compile profiles for statistical purposes and may freely trade such profiles and
statistical data as long as the profiles or statistical data cannot be linked to any specific
data subject by a third party (section 51 (9)).
Disclosure
A data controller may not disclose any of the personal information held by a third
party unless required or permitted by law or specifically authorised to do so in writing
by the data subject (section 51 (6)). Furthermore, for as long as the personal
information is used and for a period of at least one year thereafter, the data controller
must keep a record of any third party to whom the personal information was disclosed
and of the date on which and the purpose for which it was disclosed (section 51 (7))
Promotion of Access to Information Act (PAIA) (2 of 2000)
The bulk of this act is concerned with access to information held by both public and
private bodies. The most notable provision regarding data protection is section 88
which provides:
If no provision for the correction of personal information in a record of a public or
private body exists, that public or private body must take reasonable steps to establish
adequate and appropriate internal measures providing for such correction until
legislation providing for such correction takes effect.
6.2.2
Law reform
The SALC has recently embarked on a law reform process initiated by its report to the
Ad Hoc Joint Committee on the Open Democracy Bill (dated 24 January 2000),
subsequently re-named the Promotion of Access to Information Act. The report
concluded that the Open Democracy Bill did not deal adequately with a number of
crucial aspects of the right to privacy, such as the correction of and control over
personal information. The report also noted that foreign jurisdictions often had
separate privacy and data protection laws. The SALC therefore requested the Minister
for Justice and Constitutional Development (the Minister) to introduce privacy and
data protection legislation into Parliament, after thorough research of the matter, as
soon as reasonably possible. The Minister, in turn, approached the SALC to consider
the possible inclusion of such an investigation in its programme. The investigation
was eventually included in the programme of the SALC on the 17th of November
2000 and a Project Committee was appointed by the Minister to assist the SALC in its
task (SALC IP24 at 1.1.1 - 1.1.5). The SALC then conducted its research and released
an issue paper and questionnaire to the public in December 2003. The next stage will
be the issuance of a discussion paper and draft bill (SALC <
http://wwwserver.law.wits.ac.za/salc/salc.html >).
The preliminary proposals of the SALC can be summarised as follows:
a)Privacy and data protection should be regulated by legislation;
b) General principles of data protection should be developed and incorporated
in that legislation;
c) A statutory regulatory agency should be established;
d) A flexible approach should be followed in which industries will develop
their own codes of practice (in accordance with the principles set out in the
legislation) which will be overseen by the regulatory agency.
6.3 Assessment
The legislative frameworks of both Zimbabwe and South Africa are on the whole
inadequate. The Zimbabwean legislation is deficient due to its failure to regulate
personal information held by private persons and bodies. However, the AIPPA does
contain all the data protection principles that constitute the ideal.
The South African legislation is inadequate on two main grounds. Firstly, the ECTA
only regulates information collected electronically, makes the subscription to data
protection principles voluntary, leaves the enforcement of the principles to the law of
contract, omits the very significant right to request correction and the duty of data
controllers to ensure the accuracy of information (Smith A 2003). The inadequacies of
this enforcement mechanism are discussed below. Secondly, the PAIA merely
recognises the right of a data subject to have only accurate records about themselves
used and retained by both private and public bodies, but does not provide for a
procedure through which a data subject may request correction or amendment of
records, instead it shifts the onus onto public and private bodies to establish such
procedures.
7. Law in action
7.1 Zimbabwe
The AIPPA establishes a Commission (section 38) which among other roles is
charged with commenting on the implications of proposed legislation, the
programmes of public bodies regarding access to information and protection of
privacy, and implications of automated systems for the collection and storage and
analysis or transfer of information. It is also tasked with informing the public about
the Act itself (Section 39). To date, the Commission has dealt with no matters relating
to informational privacy.
The AIPPA also provides for review by the Commission of a decision or act
pertaining to an application for access to a record or for correction of personal
information held by a public body (other than itself). A third party notified of a
decision to give access may also request the Commission to review any decision made
by the head of the public body (sections 53 - 57). Applications for review of decisions
or acts of the Commission are to be made to the Administrative Court (section 90A).
7.2 South Africa
As mentioned above, any disputes arising under the ECTA are to be dealt with under
the law of contract. This is unfortunate and inadequate. Firstly, because the data
subject may have not read the (online) contract and will subsequently be unable to
enforce the principles protecting him or her. Secondly, the remedies available may be
inadequate. These remedies include an interdict where the breach is continuing or
threatening specific performance and damages. The inadequacy of these remedies lies,
for example, in the quantification of damages (Smith A 2003 p10).
The PAIA provides for internal appeals against decisions of private and pubic bodies
(sections 74 – 77) and, after internal remedies have been exhausted, for applications to
court regarding decisions of information officers or relevant authorities of public
bodies or heads of private bodies (sections 78 – 82). It also empowers the Human
Rights Commission to carry out certain duties in relation to the Act (section 83 – 85).
In particular the Human Rights Commission may, among other things, monitor the
implementation of the Act and if reasonably possible, on request, assist any person
wishing to exercise the rights contemplated in the Act (section 83 (3)). The Human
Rights Commission therefore has a limited oversight function.
7.3 Assessment
The oversight mechanisms of both countries are underdeveloped and the courts will
have to enforce the data protection laws until such a time that proper oversight bodies
are established.
8. Current Data Flows From Europe and Their Economic Significance
The Council and the European Parliament, through the EU Directive, have given the
European Commission the power to:
1. Determine whether a third country ensures an adequate level of
protection by reason of its domestic law or of the international
commitments it has entered into (Article 25(6)); and
2. Decide that certain standard contractual clauses offer sufficient
safeguards as required by Article 26 (2), in that, they provide adequate
safeguards with respect to the protection of the privacy and
fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights (Article 26 (4)).
A declaration that a country offers adequate levels of protection means that personal
data can flow from EU member states and three EEA member countries (Norway,
Liechtenstein and Iceland) to that third country without any further safeguard being
necessary (EUROPA EU –Internal market- Data Protection - Adequacy
<http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm>). The
Commission has so far recognized Switzerland, Hungary, the US Department of
Commerce's Safe harbor Privacy Principles, Canada and Argentina as providing
adequate protection (Rapid Press Release Reference: IP/03/932 of 02/07/2003).
Similarly, if the Commission finds that the incorporation of certain standard clauses
into a contract will offer sufficient safeguards, personal data can flow from a Data
Controller established in any of the EU member states and the three EEA member
countries to a Data Controller established in a country not ensuring an adequate level
of data protection. The Commission is in the process of approving standard
contractual clauses for transfers of personal data to data processors (EUROPA EU –
Internal market- Data Protection – Model Contracts
<http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm >). Data
will accordingly only flow to a country outside Europe if the country has been
declared as having adequate levels of protection or where the Commission has found
that adequate safeguards for information can be secured through contracts.
The procedure for the adoption of a (comitology) Commission decision based on
Article 25 (6) and 26(4) of the Directive involves:
1.
A proposal from the Commission;
2.
An opinion of the group of the national data protection commissioners
(Article 29 working party);
3.
An opinion of the Article 31 Management committee delivered by a
qualified majority of Member States;
4.
A thirty-day right of scrutiny for the European Parliament, to check if the
Commission has used its executing powers correctly, which may, if it
considers it appropriate, issue a recommendation; and
5.
The adoption of the decision by the College of Commissioners.
Even if the country of destination does not offer an adequate level of protection or a
finding been made as to the adequacy of contractual clauses, data may be transferred
in the following specific circumstances provided for by Article 26 (1):
1. The data subject has given his consent unambiguously to the proposed
transfer; or
2. The transfer is necessary for the performance of a contract between the data
subject and the controller or the implementation of pre-contractual measures
taken in response to the data subject's request; or
3. The transfer is necessary for the conclusion or performance of a contract
concluded in the interest of the data subject between the controller and a third
party; or
4. The transfer is necessary or legally required on important public interest
grounds, or for the establishment, exercise or defence of legal claims; or
5. The transfer is necessary in order to protect the vital interests of the data
subject; or
6. The transfer is made from a register which according to laws or regulations is
intended to provide information to the public and which is open to
consultation either by the public in general or by any person who can
demonstrate legitimate interest, to the extent that the conditions laid down in
law for consultation are fulfilled in the particular case.
Also, under Article 26 (2) national authorities may authorise on a case by case basis
specific transfers to a country not classified as offering an adequate protection where
the exporter in the EU cites adequate safeguards with respect to the protection of
privacy by fundamental rights and freedoms of individuals and as regards the exercise
of the corresponding rights. This could be done for example by contractual
arrangements between the exporter and the importer of data, subject to the prior
approval of national authorities. (MEMO/01/228 Brussels, 18th June 2001)
Zimbabwe and South Africa have not been declared as having adequate levels of
protection for personal data nor has a determination been made regarding the
adequacy of contractual clauses. Data may be flowing to these countries in terms of
article 26(1). However, specific information on the levels of such data flows is
difficult to gather as EU member states do not always report such transfers.
Indeed the Commission has expressed concern about this in its first report on the
implementation of the Data Protection Directive
(<http://europa.eu.int/comm/internal_market/privacy/lawreport/datadirective_en.htm>). The report specifically states that certain indicators, such as the
very limited number of notifications received from Member States pursuant to Article
26 (3) of the Directive, clearly suggest that ‘many unauthorised and possibly illegal
transfers are being made to destinations or recipients not guaranteeing adequate
protection’. The Commission further noted that ‘although there are other legal
transfer routes apart from Article 26 (2), this number is derisory by comparison with
what might reasonably be expected’ (p19).
In view of the Commission’s strongly worded displeasure about illegal transfers and
inadequate reporting, it is unlikely that substantial personal data will be transferred to
Zimbabwe and South Africa. The Commission has also established a work
programme to rectify this and has sent a note to member states laying out common
criteria for carrying out these notifications in a pragmatic way that puts into place
mechanisms that guarantee the exchange of best practices between Member States.
The note also deals with notification arrangements concerning standard contractual
clauses adopted by the Commission, other model contracts or authorisations and
binding corporate rules.
‘Europe is the largest source of investment for South Africa and accounts for almost
half of South Africa's total foreign trade. Seven of South Africa's top 10 trading
partners are European countries. Relations with Europe, with the EU as the pivot, are
crucial economically’ (South Africa Yearbook 2003/4
<http://www.info.gov.za/yearbook/2004/economy.htm >). Any decrease in the flow of
personal data from Europe is likely to impact significantly on South Africa’s
economy. The same is true of Zimbabwe as her economy is closely linked, and indeed
largely dependent, on South Africa. It is thus imperative that both countries move
swiftly to enact adequate data protection laws.
9. Conclusion
In their current form the data protection systems of both Zimbabwe and South Africa
are wholly inadequate. Not only do both jurisdictions fail to conform to the
comprehensive laws model of data protection, their current laws also fall far short of
internationally accepted data protection principles. However, given the current
process of legal reform underway in South Africa it at least appears as though some of
these inadequacies will be rectified there in the near future.
Notes and References
[1] See NEPAD website < http://www.touchtech.biz/nepad/files/en.html.>.
Books
Bygrave LA (2002). Data protection: Approaching Its Rationale, Logic and Limits
(Kluwer Law International: The Hague).
De Waal J, Currie I & Erasmus G (2000) The Bill of Rights Handbook 3ed (Juta:
Kenwyn).
Neethling J (1998) Persoonlikheidsreg (Butterworths: Durban).
Neethling J, Potgieter JM & Visser PJ (1996) Neethling’s Law of Personality
(Butterworths: Durban).
Neethling J, Potgieter JM & Visser PJ (2002) Law of Delict (Butterworths: Durban).
Articles
Bygrave (2001). ‘The Place of Privacy in Data Protection Law’, University of New
South Wales Law Journal (6). Available online at:
<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html>.
Crisis in Zimbabwe Coalition (2004). ‘Comments on the selective application of
AIPPA’. Available online at:
<http://www.kubatana.net/html/archive/cact/040121ciz.asp?sector=LEGISL&range_s
tart=1>.
Gross (1967). ‘The Concept of Privacy,’ 1967 NYULR 34.
Hammitt (1998). ‘A Constitutional Right of Informational Privacy’. Available online
at: < http://www.govtech.net/magazine/gt/1998/june/access/access.phtml >.
Kamduzi (2000). ‘Review of the Constitutional Process,’ Agenda, Vol.3, No.3,
November 2000.
McQuoid-Mason (2001). ‘Invasion of Privacy: Common Law v Constitutional Delict
- Does it Make a Difference?,’ Acta Juridica, 227-261.
Neethling (2002). ‘Aanspreeklikheid vir ’Nuwe’ Risiko’s: Moontlikhede en
Beperkinge van die Suid-Afrikaanse Deliktereg,’ 2002 65 THRHR..
Petras(2002). ‘The legal implications of accreditation or non-accreditation of
journalists under the Access to Information and Protection of Privacy Act’. Available
online at: < http://www.kubatana.net/docs/media/021019accredmisazip.rtf >.
Reitz (1998). ‘How to Do Comparative Law,’ American Journal of Comparative Law,
Volume 46, (617).
Rich (1995). ‘Right to Privacy in the Workplace in the Information Age’. Available
online at: < http://www.publaw.com/privacy.html >.
Webb (2003). ' A Comparative Analysis of Data Protection Laws in Australia and
Germany, ' 2003 (2) The Journal of Information, Law and Technology (JILT).
Available online at: <http://elj.warwick.ac.uk/jilt/03-2/webb.html>.
Conference Proceedings
Smith A (2003). ‘Privacy and the sale of customer lists in South African
Insolvency Law: some issues reconnoitred,’ University of South Africa, Centre for
Business Law, e-Commerce and Current Commercial Law Workshop, 28 August
2003.
Reports
BBC News (No Date). ‘Zimbabwe’s History: Key Dates’. Available online at:
< http://news.bbc.co.uk/1/hi/special_report/1998/12/98/zimbabwe/226542.stm>.
Electronic Privacy Information Center (EPIC) and Privacy International. Privacy and
Human Rights Report (2002). ‘An International Survey of Privacy Laws and
Developments,’ United States of America. Available online at:
<http://www.privacyinternational.org/>.
Helen Suzman Foundation (2000). ‘Political Opinion in Zimbabwe 2000’. Available
online at: < http://www.hsf.org.za/Zimsurvey/zimdoor.html >.
Legal Resources Foundation (LRF), Catholic Commission for Justice and Peace
(CCJP) (1997). ‘Breaking the Silence, Building True Peace: A report on the
disturbances in Matabeleland and the Midlands 1980 – 1989: Summary Report’.
Available online at: <http://www.zwnews.com/Breaking.doc>.
Report of the Southern Rhodesia Constitutional Conference (1979). Available online
at:
< http://home.wanadoo.nl/rhodesia/lanc1.html >.
R.W. Johnson (2000). ‘Zimbabwe's Hard Road to Democracy: Report of an exit poll
during the election of June 24-25, 2000’. Available online at: <
http://www.hsf.org.za/Zimexit/exitconts.html >.
World Press Review Online (2002). ‘Zimbabwe: Press Spars over Election Results’.
Available online at: <http://www.worldpress.org/africa/0314zim.htm>.
Links
Organizations
Constitutional Court, South Africa < http://www.concourt.gov.za>.
South African Government <http://www.gov.za>.
The National Constitutional Assembly <http://www.nca.org.zw>.
South African Law Reform Commission <
http://wwwserver.law.wits.ac.za/salc/salc.html >
Zimbabwean Government <http://www.gta.gov.zw>.
Materials
Constitution of South Africa Act 108 of 1996 (as amended). Available online at:
< http://www.gov.za/structure/constitution.htm>.
Constitution of Zimbabwe. Available online at: <
http://www.nca.org.zw/html/coz/coz_fs.htm>.
Council of Europe’s Convention for the Protection of Individuals with
Regard to the Automatic Processing of Personal Data (COE Convention) (1981).
Available online at: <http://www.coe.fr/eng/legaltxt/108e.htm>.
NCA Draft Constitution. Available online at:
<http://www.nca.org.zw/html/fdraft/fdraft_index.htm >.
The European Union Directive on the Protection of Individuals with Regard to the
Processing of Personal Data and On the Free Movement of Such Data (1995).
Available online at: <http://www.cdt.org/privacy/eudirective/EU_Directive_.html>).
The Organisation for Economic Cooperation and Development’s Guidelines
Governing the Protection of Privacy and Transborder Data Flows of Personal Data
(1981). Available online at: <http://www.oecd.org/documentprint>.
The UN Guidelines Concerning Computerised Personal Data Files, adopted by the
UN General Assembly on 14 December 1990, Doc E/CN.4/1990/72 20.2.1990.
Available online at:
< http://europa.eu.int/comm/internal_market/privacy/instruments/un_en.htm>.
Zimbabwe Constitutional Commission Draft Constitution (December 1999).
Available online at: <http://www.gta.gov.zw/Constitutional/Draft.Constitution.htm>.
Legislation
Access to Information and Protection of Privacy Act (AIPPA) (Chapter 10:27).
Electronic Communications and Transactions Act (ECTA) (25 0f 2002).
Promotion of Access to Information Act (PAIA) (2 of 2000).
Download