Journal of Information, Law and Technology

A Comparative Analysis of Zimbabwean and South African Data Protection Systems

Caroline Ncube
Lecturer, Department of Commercial Law, University of Cape Town
CNCUBE@law.uct.ac.za

The author would like to thank the two reviewers for their insightful comments and suggestions and Brent Hanks for his editorial work. The author assumes responsibility for all errors within this work.

This is a refereed article published on: 30 November 2004.

Citation: Ncube, 'A Comparative Analysis of Zimbabwean and South African Data Protection Systems', 2004 (2) The Journal of Information, Law and Technology (JILT). <http://www2.warwick.ac.uk/fac/soc/law2/elj/jilt/2004_2/ncube/>.

Abstract

Data protection is a very important international trade issue and the lack of adequate data protection may be a barrier to trade. Data protection laws are also a vital part of the protection of an individual’s privacy. This paper is a descriptive analysis of Zimbabwean and South African data protection systems. It compares these two common law systems in a holistic manner taking into account each nation’s peculiar cultural, social, economic and political environments. The most striking feature of both these systems is that they are underdeveloped; Zimbabwe only protects data held and used by the public sector whilst South Africa has no specific data protection legislation at all. There is currently a concerted effort to secure data protection in South Africa spearheaded by the South African Law Commission (SALC). This paper is a contribution to this law reform process. Its objective is to give a synopsis of the two data protection systems, identify their weaknesses and make suggestions for reform drawn from stronger data protection systems. It proceeds by outlining the constitutional, common law and legislative frameworks regulating data protection in each country, and comparing these with each other and a common ideal.
The paper also briefly discusses the current data protection law reform in South Africa and concludes with a forecast of probable developments in both countries.

Keywords: Data Protection, privacy, privacy legislation, Zimbabwean privacy law, South African privacy law, law reform, comparative law.

1. Introduction

The need to establish and enforce effective data protection systems in both Zimbabwe and South Africa is a trade and development issue. The 1995 European Union Data Protection Directive (<http://www.bfd.bund.de/europa/EU_richtl_en.html>) imposes a standard of protection on any country in which the personal data of European citizens is processed. Such data can only be processed in countries that can guarantee adequate levels of protection (Articles 25-6). Developing nations, especially those in Africa, as evidenced by their recent establishment of NEPAD,[1] intend to be full participants in the global economy. Such participation will only be enabled by conducive trade conditions. Zimbabwe and South Africa, like all other developing nations, therefore need to ensure that their data protection laws encourage rather than discourage international trade by providing adequate levels of data protection to enable the flow of data from European Union (EU) countries. The adequacy of these systems will ultimately lie in their application and enforcement. This paper will accordingly also discuss enforcement structures and procedures.

The substantive part of this article is divided into five parts. The first part compares Zimbabwean and South African constitutional provisions relating to privacy. The second part discusses the common law protection of privacy in both jurisdictions. The third part analyses the legislative frameworks in each country. The fourth part examines oversight and enforcement of these laws. The fifth and final part concludes the paper with an overall assessment of each country and a forecast of probable future developments.

2. Zimbabwean and South African Constitutional Provisions Relating to Privacy

The right to privacy is widely considered a fundamental human right. It is provided for in Article 12 of the 1948 Universal Declaration of Human Rights and in other international instruments, such as Article 16 of the United Nations Convention on the Rights of the Child, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and Article 14 of the United Nations Convention on Migrant Workers. The American Convention on Human Rights (Art 11, 14) and the American Declaration of the Rights and Duties of Mankind (Art V, IX and X) contain provisions similar to those found in the Universal Declaration and International Covenant (SALC IP24 at 3.1.3 – 3.1.6).

A number of countries (like the United Kingdom) also protect the right to privacy under the rubric of general human rights legislation. Others such as South Africa (section 14 of the Constitution of South Africa Act 108 of 1996 (as amended)), the Kingdom of the Netherlands (Constitution of the Kingdom of the Netherlands, 1989), the Republic of the Philippines (art III, Constitution of the Republic of the Philippines, 1987), and the Russian Federation (art 23, Constitution of the Russian Federation, 1993) explicitly enshrine the right in their constitutions. The United States stands apart from these countries insofar as its Constitution does not contain an explicit right to privacy. Despite this, the Supreme Court of the United States has concluded that such a right is implicit in the Constitution (Hammit 1998) and most Americans consider privacy a core value (Lloyd L R 1995).

Despite the widespread protection that it is offered in international instruments and constitutional provisions, ‘privacy’ is however a term that is inherently difficult to define and its definition varies widely (Electronic Privacy Information Center (EPIC) Report 2002 p2.).
Recognizing this, the South African Constitutional Court recently characterized the concept as both ‘amorphous and elusive’ (Bernstein and others v Bester and others NNO (Bernstein v Bester) 1996 (2) SA 751 at 787-788), but chose to offer forth a definition of privacy nonetheless as ‘an individual condition of life characterised by exclusion from the public and publicity. This condition embraces all those personal facts which the person concerned has determined himself to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private’ (Bernstein v Bester at 789). The Supreme Court of Zimbabwe has not yet had occasion to define privacy in the context of the protection of personal information. Nor does the country’s constitution provide explicit provisions for the protection of an individual’s right to privacy.

3. Common Law Protection of Privacy in Zimbabwe and South Africa

In order to evaluate the common law protection offered privacy in both countries it is important to adopt an interdisciplinary, comparative law approach that takes into account the specific cultural, socio-political and economic factors that impact the manner in which law is applied and enforced in Zimbabwe and South Africa (Reitz, JC; 1998, Webb 2003). This paper therefore employs the methodology most recently utilized by Philippa Webb and originally formulated by legal analyst JC Reitz (1998, p. 622, 634) and compares each country’s data protection systems to one another before comparing them to a common ideal.

On the whole there is scant academic literature on the data protection laws of South Africa and Zimbabwe, although a detailed issue paper on South Africa’s data protection laws was recently released by the SALC (Issue Paper 24 ‘Privacy and data protection’ (IP 24)). There is an impressive body of literature on the historical, economic and socio-political climates of both countries online and in print.
This paper will refer extensively to the online literature in order to enable readers to easily view the materials, should they wish to do so. This literature includes reports and articles by civic organisations, government information, media reports and survey and poll findings. There is also a large body of scholarship regarding matters of privacy in South Africa dating back as far as 1979. Of particular import are the materials dating from the mid 1990s onwards. However, much of this literature was originally produced in Afrikaans, so translations of the originals are relied on throughout this paper. The reader will also find that many Roman-Dutch phrases are used in the discussions of common law concepts, but every effort is made to concisely explain these terms.

The Ideal

This section outlines the ideal against which both data protection systems will be compared. The following four models of data protection were considered (EPIC Report 2002 p3; SALC IP24 at 7.1.3):

a) Comprehensive Laws Model

This model is characterised by a general law that governs the collection, use and dissemination of personal information by the public and private sectors. An oversight body then ensures compliance. Industry develops rules for the protection of privacy that are enforced by the industry and overseen by the private agency. This model, adopted by the European Union to ensure compliance with its data protection regime, is the preferred model for most countries adopting data protection laws (SALC IP24 at 7.1.4, 7.2.1-7.2.36, EPIC Report 2002 p4).

b) Sectoral Laws Model

This model does not have a general law like the comprehensive model but has sectoral laws governing, for example, financial privacy. In such cases, enforcement is achieved through a range of mechanisms. It has been adopted by the United States but has been criticised on a number of grounds.
The first of these is that it requires new legislation to be introduced with each new technology, and consequently protections frequently lag behind technological advances and actual practice. An example of this shortcoming is the lack of legal protection for individual privacy on the Internet in the United States. The second major criticism is the lack of an oversight agency, which compromises the effectiveness of the laws. In many countries, sectoral laws are used to complement comprehensive legislation by providing more detailed protection for certain categories of information, such as telecommunications, police files or consumer credit records (SALC IP 24 at 7.1.5, 7.2.37 – 7.2.43; EPIC Report 2002 p4).

c) Self-Regulation Model

The essence of this model is the protection of data through various forms of self-regulation. Companies and industry bodies establish their own codes of practice and engage in self-policing. Within the United States, this model has not been very effective and there is little evidence that the aims of the codes are regularly fulfilled. Additionally, these codes are often inadequate and are not efficiently enforced (SALC IP24 at 7.1.6, 7.2.44 – 7.2.70; EPIC Report 2002 p4).

d) Technology Model

Under this approach, due to the recent development of commercially available technology-based systems, data protection is in the hands of individual users. Individual users of the Internet and of some physical applications can employ a range of programs and systems that provide varying degrees of privacy and security of communications, for example encryption, anonymous remailers, proxy servers and digital cash (SALC IP24 at 7.1.7, 7.2.71 – 7.2.81, EPIC Report 2002 p4).

Principles of Data Protection

The following international documents both contain clear basic principles of data protection and serve as influential models of national and international initiatives on data protection (Bygrave LA 2002 p30, SALC IP24 at 1.2.22):

a) The Council of Europe’s 1981 Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (<http://www.coe.fr/eng/legaltxt/108e.htm>);
b) The 1981 Organisation for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (<http://www.oecd.org/documentprint>);
c) The 1995 EU Data Protection Directive; and
d) The United Nations’ (UN) Guidelines Concerning Computerised Personal Data Files (<http://europa.eu.int/comm/internal_market/privacy/instruments/un_en.htm>).

The COE Convention (a) and the OECD Guidelines (b) have had a profound effect on the global enactment of data protection laws. Almost thirty countries have signed the COE convention and the OECD guidelines have been widely used in national legislation, even outside the OECD member countries (SALC IP24 at 1.2.14). The OECD Guidelines provide eight principles relating to the collection, purpose, use, quality, security and accountability of organisations in relation to personal information. The EU Directive was enacted to harmonise member states’ laws in providing consistent levels of protection for citizens and ensuring the free flow of personal data within the European Union (SALC IP24 at 1.2.16-17). The UN Guidelines are intended to encourage those UN Member States without data protection legislation in place to take steps to enact such legislation and to encourage governmental and nongovernmental international organisations to process personal data in a responsible, fair and privacy-friendly manner.
The Guidelines are not legally binding and seem to have had much less influence on data regimes than the other instruments (Bygrave LA 2002 p33, SALC IP24 at 1.2.19).

Although the expression of data protection in the above declarations and laws varies, they all set the common minimum standard that personal information must be:

• collected fairly and lawfully;
• used only for the specified purpose for which it was originally collected;
• adequate, relevant and not excessive to purpose;
• accurate and up to date;
• accessible to the subject;
• kept secure; and
• destroyed after its purpose is completed.

(SALC IP24 at 1.2.23).

These minimum standards together with the comprehensive laws model outlined above will comprise the ideal against which the data protection systems of South Africa and Zimbabwe will be compared.

4. The Constitutional Right to Privacy

4.1 South Africa and Its Socio-Political, Economic and Historical Background

The South African constitution provides that the country is a constitutional democracy and any law or conduct inconsistent with its constitution is invalid (section 2). Chapter 2 of the constitution, the Bill of Rights, provides for certain fundamental rights applicable to all law, including the common law relating to the right to privacy, and binds not only the State (section 8(1)) but also, if applicable, natural and juristic persons (section 8(2)).

For nearly all the latter half of the twentieth century the National Party governed South Africa. It was only in 1994 that the first democratic elections were held in the country under an Interim Constitution. The African National Congress (ANC) has since led the government and has been opposed by numerous political parties, including the New National Party (NNP), the Inkatha Freedom Party (IFP) and the Democratic Alliance (DA).
Together these parties have sought to move beyond the racial discrimination and political violence that characterized the period prior to 1994 and have for the last decade been engaged in the pursuit of democratisation, socio-economic change and reconciliation. The constitution-making process, local government elections and the establishment of the Truth and Reconciliation Commission have been vital components of their efforts.

The interim constitution referred to above was itself the result of a volatile and protracted struggle between the NP-led apartheid government and its opponents. It came into force on 27 April 1994 and led to a number of revolutionary changes in South Africa. First, it ended racial discrimination by according all fundamental (human) rights to all citizens. Second, it converted South Africa from parliamentary sovereignty to constitutional sovereignty. Third, it replaced the central government system with a federal one. Additionally, the interim constitution provided for the drafting of a final constitution by the Constitutional Assembly in accordance with a number of democratic constitutional principles. Once drafted, the final constitution was to be certified by a Constitutional Court. Although the initial application for certification (1996) failed, a second application was formally approved in 1997, with the Bill of Rights in the Final Constitution substantially similar to the one included in the Interim Constitution (De Waal et al 2000 p1-7).

4.1.1 Content

The right to privacy is entrenched in Section 14 of the Bill of Rights, which reads:

    Everyone has the right to privacy, which includes the right not to have –
    (a) their person or home searched;
    (b) their property searched;
    (c) their possessions seized; or
    (d) the privacy of their communications infringed.

This section has two parts, the first of which guarantees a general right to privacy and the second of which protects against specific infringements of privacy, namely searches and seizures and infringements of the privacy of communications (De Waal et al 2000 p267, SALC IP24 at 3.2.6). Even though not explicitly mentioned within the language of the section, these protections extend to the breach of informational privacy (Mistry v Interim Medical and Dental Council of South Africa and others 1998 (7) BCLR 880 (CC) at para 14). Therefore, the list mentioned in section 14 is by no means exhaustive. It extends to any other unlawful method of obtaining information or making unauthorised disclosures (SALC IP24 at 3.2.8).

For convenience the constitutional right to privacy can be thought of as protecting privacy against the following (SALC IP24 at 3.2.11, De Waal et al 2000 p270):

(a) intrusions and interferences with private life;
(b) disclosures of private facts; and
(c) infringement of autonomy.

Informational privacy, the subject of data protection laws, is covered by both (a) and (b) above.

The right to privacy is not absolute, though; it can be limited in accordance with the limitation clause (Section 36) of the Bill (Neethling et al 2002 p19, SALC IP24 at 3.2.21), which requires a careful weighing up of the right to privacy and other opposing interests or rights. Data privacy legislation will therefore have to find a balance between the data subject’s fundamental right to privacy as set out in section 14 of the Constitution on the one hand, and on the other hand, the legitimate need of other persons to obtain information about the data subject (SALC IP24 at 3.2.22).
These needs may be based on the person or institution’s fundamental right to choose their trade, occupation or profession freely (section 22); their fundamental right to access to information (section 32); or their fundamental right to freedom of expression (section 16) as well as other legitimate interests or rights.

4.2 Zimbabwe and Its Socio-Political, Economic and Historical Background

Zimbabwe, like South Africa, is a constitutional democracy. Section 3 of the Zimbabwean Constitution mandates that the constitution is the supreme law and any law that is inconsistent with it is void to the extent of the inconsistency (<http://www.nca.org.zw/html/coz/coz_fs.htm>).

For much of the twentieth century Zimbabwe was known as Southern Rhodesia and was an official colony of Great Britain. This began to change in 1965, when the Prime Minister of Southern Rhodesia, Ian Smith, in an effort to thwart the British government’s call for black majority rule, unilaterally declared independence from Great Britain. Smith’s declaration angered the British, who considered the declaration illegal and unconstitutional and promptly cut all ties with the colony and coerced the United Nations into imposing sanctions on Smith’s government. At this time the black liberation movement led by the African nationalist Zapu and Zanu parties decided to take up arms against those in government opposed to majority rule in Southern Rhodesia. By the late 1960s they had become increasingly involved in violent clashes with official Rhodesian security forces and South African forces supporting the Smith regime’s counter-insurgency efforts (BBC News Zimbabwe’s History: Key Dates <http://news.bbc.co.uk/1/hi/special_report/1998/12/98/zimbabwe/226542.stm>). The government of Southern Rhodesia eventually declared itself a republic in 1970 and constitutional settlement talks between the warring parties began in earnest a few years later.
However, they were unsuccessful until 1979, when a settlement was finally reached, leading to the creation of a new constitution (the Lancaster House Constitution), transitional arrangements, a ceasefire, an election, and the eventual renaming of Southern Rhodesia to Zimbabwe in 1980 (Southern Rhodesia Constitutional Conference Held at Lancaster House, London September - December 1979 Report <http://home.wanadoo.nl/rhodesia/lanc1.html>).

Robert G. Mugabe has led the government of Zimbabwe since that time, first as Prime Minister (1980-1987) then as Executive President (1987 to the present). For most of the 1980s Zimbabwe was plagued by political violence and the deaths of thousands of people. Only the formation of a government of national unity in 1988 brought a cessation to the hostilities and opened the path to elections in 1990, 1995, 2002 and 2003 (Legal Resources Foundation (LRF), Catholic Commission for Justice and Peace (CCJP) Breaking the Silence, Building True Peace: A report on the disturbances in Matabeleland and the Midlands 1980 – 1989: Summary Report <http://www.zwnews.com/Breaking.doc>). In each instance, Mugabe’s ZANU party was triumphant. However, the last round of elections was widely condemned as unfair by both Zimbabweans and the international community (Helen Suzman Foundation ‘Political Opinion in Zimbabwe 2000’ <http://www.hsf.org.za/Zimsurvey/zimdoor.html>; World press review online ‘Zimbabwe: Press Spars over Election Results’ <http://www.worldpress.org/africa/0314zim.htm>).

Prior to 1999 much of the political violence in Zimbabwe stemmed from political feuds over the Lancaster House Constitution. So, beginning that year, a concerted effort was made to replace it with a new Constitution. A government-appointed Constitutional Commission eventually prepared a new draft Constitution that was submitted to the state president in December 1999 (<http://www.gta.gov.zw/Constitutional/Draft.Constitution.htm>).
A constitutional referendum followed on February 12-13, 2000. The National Constitutional Assembly (NCA) and other prominent civic organisations in Zimbabwe campaigned intensively and successfully against the new draft Constitution and in the end a majority of the people of Zimbabwe voted against it (Kambudzi 2000). The NCA then proceeded to draft its own constitution (<http://www.nca.org.zw/html/fdraft/fdraft_index.htm>), one that it argues is more suitable than the rejected draft. Suffice it to say, the government of Zimbabwe has not pursued any further constitutional reform since its draft was rejected, but civic organisations continue to agitate for reform. The most noteworthy aspect of the NCA’s draft constitution, for the purposes of this paper, is that it includes in its bill of rights an express right to privacy (section 20).

4.2.1 Content

Although there is no explicit constitutional ‘right to privacy’ in Zimbabwe, there are, however, various elements of the right to privacy that are found in different sections of the constitution. The first of these is found in section 17, which provides for protection against arbitrary search or entry. The second is found in section 16, which provides for protection against deprivation of property. The third of these elements is found in section 20(1), which provides for protection of freedom of expression and reads:

    Except with his own consent or by way of parental discipline, no person shall be hindered in the enjoyment of his freedom of expression, that is to say, freedom to hold opinions and to receive and impart ideas and information without interference, and freedom from interference with his correspondence (emphasis added).

The right to privacy can accordingly be inferred from these sections. Additionally, Section 24 of the constitution provides that when a person alleges that the Declaration of Rights is being, or is likely to be infringed, that person may apply to the Supreme Court for redress.
The Zimbabwean situation is then somewhat similar to that in the US where privacy, although not explicitly protected by the Constitution, can nonetheless be considered a core and constitutionally protected value. However, unlike in the United States, to date there is no case law on data protection in Zimbabwe.

4.3 Assessment

In both South Africa and Zimbabwe the constitution clearly lays a foundation for data protection laws by protecting a person’s right to privacy. Moreover, the rights enunciated in each Bill of Rights are fully justiciable and enforceable. Additionally, other fundamental rights have been enforced in the courts and one can justifiably argue that the right to informational privacy is likely also to be enforced in the near future. However, despite the fact that each Bill of Rights lays an adequate foundation for the protection of informational privacy, both need to be supplemented by specific legislation.

Having said that, of the two, South African constitutional provisions are clearly better suited to the task. The main reason for this is that from the time of independence Zimbabweans have been predominantly concerned with those rights pertaining to pressing political and economic issues such as the rising cost of living. Subsequently, issues such as data protection have been largely overlooked. The South African constitution was also drafted in the late 1990s as the Internet began maturing. Moreover, its drafting benefited from lengthy and informed citizen debate and was able to incorporate and draw extensively from the experiences and knowledge of other jurisdictions.

5. The Common Law Right to Privacy

Zimbabwean and South African common law is the same. Roman-Dutch Law has heavily influenced both countries.
Section 89 of the Zimbabwean constitution provides that:

    Subject to the provisions of any law for the time being in force in Zimbabwe relating to the application of African customary law, the law to be administered by the Supreme Court, the High Court and by any courts in Zimbabwe subordinate to the High Court shall be the law in force in the Colony of the Cape of Good Hope on 10th June, 1891, as modified by subsequent legislation having in Zimbabwe the force of law.

Clearly, the common law of Zimbabwe derives from the common law of South Africa. And under the common law every person has personality rights such as the rights to physical integrity, freedom, reputation, dignity, and privacy (SALC IP24 at 3.1.16, Neethling 1998 at 64, 103, 137, 157, 233, 265).

The leading case for the recognition of an independent right to privacy in South African law is O'Keeffe v Argus Printing and Publishing Co Ltd and others (1954 (3) SA 244 (C)) wherein dignitas was interpreted to include the whole legally protected personality, except bodily integrity and reputation (SALC IP24 at 3.1.17). Privacy is included in this genre, although the court did not expressly state this (SALC 3.1.18). Later Zimbabwean cases have reached similar conclusions (Mr. and Mrs. “X” v Rhodesia Printing and Publishing Co Ltd 1974 (4) SA 508 (R) at 511-512, Rhodesian Printing and Publishing Co Ltd v Duggan 1975 (1) SA 590 (RA) at 592). The South African Constitutional Court (Gosschalk v Rossouw at 490-49, Bernstein v Bester at 789) has itself endorsed such a contention and the express constitutional recognition of the right to privacy in Section 14 of the South African Constitution, independent of the right to dignity in Section 10, confirms the independent existence of the right to privacy. It bears repeating that only the legitimate interests of others and the public interest may limit the common law right to privacy (SALC IP 24 at 3.2.21, Neethling 1998 p288 ff).
South African common law has been developed by the enactment of the Constitution (section 39(2)). Therefore, any action resulting in the infringement of privacy in South Africa is now considered a hybrid action based on a mixture of common law and constitutional imperatives (McQuoid-Mason 2000 p261, SALC IP24 at 3.3.3). Under common law a single inquiry is required to assess whether or not there has been an unlawful infringement of privacy, whereas under the Constitution it is a twofold inquiry (SALC IP24 at 3.3.5).

Under common law, to succeed, a plaintiff needs to prove the following:

(i) An invasion of his privacy in the form of disclosure or revelation of his personal information (SALC IP24 at 3.3.7 – 3.3.10);
(ii) Wrongfulness, which is determined using the criterion of reasonableness or the norm of boni mores (SALC IP 24 at 3.3.11 – 3.3.27); and
(iii) Intention (animus iniuriandi) (SALC IP24 at 3.3.5, 3.3.28 – 3.3.32).

In the case of a constitutional invasion of privacy the applicant must prove that:

(a) Invasive law or conduct has infringed his right to privacy in the Constitution (Woolman 1996); and
(b) Such infringement is not justifiable in terms of section 36 of the Constitution.

Defenses to the common law action are categorised into two main groups, namely those excluding wrongfulness and those excluding intention. Examples of defenses excluding wrongfulness include consent, necessity, private defense, impossibility, public interest and performance in a statutory or official capacity. Examples of defenses excluding intent include jest, mistake, insanity or intoxication (SALC IP24 at 3.3.42 – 3.3.60).

The generally accepted main remedies for common law invasions of privacy are (SALC 3.3.60, Neethling 1998 p304-305):

(i) The actio iniuriarum (recovery of sentimental damages or satisfaction (solatium) for injured feelings). The amount of compensation is in the discretion of the court and is assessed on what is fair and reasonable (Jansen van Vuuren and others NNO v Kruger 1993 (4) SA 842 at 857-858);
(ii) The actio legis Aquiliae (damages where the plaintiff has suffered actual monetary loss as a result of the violation of privacy);
(iii) The interdict where a person is confronted with a threatening or continuing infringement of his or her right (Rhodesian Printing and Publishing Co Ltd v Duggan and others 1975 (1) SA 590 (Rhodesian Appellate Court)); and
(iv) Retraction and apology (Mineworkers Investment Co (Pty) Ltd v Modibane 2002 (6) SA 512 (W)).

Section 38 of the Constitution provides that in the case of an infringement of or threat to the right to privacy as a fundamental right, the prejudiced or threatened person is entitled to approach a competent court for appropriate relief, including a declaration of rights.

Assessment

Effective common law data protection, based on general principles, can be achieved only through a two-pronged approach (Neethling 1998 p328, SALC IP24 at 3.4.1). The first rung of this approach, common law, as influenced by the Constitution, should be fully utilised. However, ‘the inherent conservatism of the courts’, and the fact that the protection of privacy is still very underdeveloped in South African law will mean that the courts will not adequately protect privacy. Consequently, the matter will have to be regulated by legislation (also Neethling 2002 p589). The second rung of this approach is that the individual himself should have and exercise a measure of active control over his personal data, otherwise the common law protection of data will be ineffective (Neethling 1998 p334-337).
This active control over personal information can be based on the common law and the Constitutional Court’s recognition of the fact that the right to privacy encompasses the competence of a person to control his private facts or the scope of his interest in his privacy (SALC IP24 at 3.4.3, Neethling 1998 p39; National Media Ltd and others v Jooste 1996 (3) SA 262 (A) at 271-272; Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd ao; In re Hyundai Motor Distributors (Pty) Ltd and others v Smit NO and others 2001 (1) SA 545 (CC) at 557). However, active control principles, or principles of data protection, differ completely from common law privacy protection as discussed above and accordingly are unique in the field of personality protection. Legislation is accordingly the best vehicle through which principles of data protection can be provided (SALC IP24 at 3.4.3).

6. Statutes

6.1 Zimbabwe: Access to Information and Protection of Privacy Act

The parliament of Zimbabwe recently enacted the ‘Access to Information and Protection of Privacy Act’ (AIPPA) (Chapter 10:27). This act came into operation on 15 March 2002, precisely at a time when public participation in the political process and incisive media reporting on government activities had reached unprecedented levels. The act was viewed in civil society circles largely as a weapon to be used against journalists and most legal analyses of the act have accordingly concentrated on the provisions of the act relating to the regulation of journalists and the mass media (Media Institute of Southern Africa (MISA) Action Alert 15/10/2003 <http://www.misa.org/node/view/58>; Amnesty International Canada ‘Zimbabwe Rights under siege’ <http://www.amnesty.ca/zimbabwe/actKarombo.htm>). Unsurprisingly, its provisions relating to informational privacy have attracted far less attention.
In a memorandum accompanying the bill, the Parliament of Zimbabwe provided the following justification for the passing of the act: information plays a “critical role…in a constitutional democracy and… can be used usefully or harmfully”. The AIPPA applies to all matters relating to access to information, protection of privacy and the mass media. It both complements existing laws relating to these matters and prevails over those that are found to be inconsistent with its provisions (Sections 3(1) and 3(2)). Furthermore, it applies to all records in the custody or under the control of public bodies in Zimbabwe. There are, however, exclusions listed in the First Schedule, which range from personal notes, communications or draft decisions of a person who is acting in a judicial or quasi-judicial capacity to records containing teaching materials or research information of employees of a post-secondary educational body (Section 4(1)).

The AIPPA provides for the following:
1. Access to records and information held by public bodies (Sections 5 – 13);
2. Protected information (Sections 14 – 25);
3. Information pertaining to third parties (Sections 26 – 28);
4. Collection, protection and retention of personal information by public bodies (Sections 29 – 35);
5. Use and disclosure of personal information by public bodies (Sections 36 – 37);
6. Regulation of the mass media and journalists (Sections 38 – 90); and
7. Appeals to administrative court and other general matters (Sections 91 – 93).

This paper is specifically concerned with (4) and (5) above, and aspects of the sections they concern are discussed in more detail below.
Collection

Section 29 provides that a public body may only collect personal information if the following conditions are satisfied:
(a) The collection of that information is expressly authorized in terms of an enactment;
(b) The information is to be collected for the purposes of national security, public order and law enforcement;
(c) The information is to be collected for the purposes of public health;
(d) The information relates directly to and is necessary for an operating programme, function or activity of the public body; and/or
(e) The information will be used to formulate public policy.

Except in two specific circumstances, personal information must always be collected directly from the person to whom it relates. An exception can be made in the case that collection from another source is authorized by the individual concerned, the Media Commission (Commission) or another enactment (section 30 (1) (a)). Exceptions can also be made in the case that the collection of personal information is related in some way to the following activities: the enforcing of laws, the proceedings before courts or judicial/quasi-judicial tribunals, the granting of honours or awards (including an honorary degree, scholarship, prize or bursary), the collection of debts or fines, and the making of payments (Section 30 (1) (b)).

The public body collecting personal information must inform a person from whom it intends to collect personal information of the purpose for which the personal information is being collected and the legal authority for collecting it (Section 30(2)), except where the information relates to law enforcement and/or the Commission exempts it from making such notification. Such exemptions may be granted if the notification would result in the collection of inaccurate information, or defeat the purpose of, or prejudice the use for which, the information is to be collected (Section 30(3)).
Furthermore, under the act, any individual required to supply to a public body personal information or information relating to a third party who knowingly supplies information to that body which he or she knows to be false and/or does not have reasonable grounds for believing to be true shall be guilty of an offence and liable to a fine or to imprisonment for a period not exceeding six months or to both such fine and such imprisonment (Section 35).

Accuracy

Section 31 of AIPPA provides that a public body using an individual’s personal information must take every reasonable step to ensure that the information collected is both accurate and complete. A person may request the head of a public body to correct any information relating to him/herself that he/she reasonably believes contains an error or omission (Section 32 (1)). Upon receipt of such a request the head of the public body concerned must correct or annotate the personal information on the record pertaining to the person making the request (Section 32(2)). After such a correction, the head of the public body must then notify the correction to any other public body or any third party to whom that information has been disclosed during the last twelve months (Section 32(3)).

Security

Section 33 provides that the head of a public body should protect personal information that is under his custody or control by taking reasonable steps to ensure that there is adequate security and there is no unauthorised access, collection, use, disclosure or disposal of such personal information.

Use and Retention

If a public body uses an individual’s personal information to make a decision that directly affects the individual, the public body must retain that information for at least one year after using it so that the individual has a reasonable opportunity to have access to it (section 34).
A public body may only use personal information for the purpose for which that information was obtained or compiled, for a use consistent with that purpose, or if the person to whom the information relates has consented (section 36).

Disclosure for Archival or Historical Purposes

The National Archives, or the archives of a public body, may disclose personal information to a third party for the purpose of historical research or any other lawful purpose if such disclosure would not result in an unreasonable invasion of personal privacy in terms of the Act or the information being released pertains to a person who has been deceased for thirty or more years (section 37).

6.2 South Africa

Like Zimbabwe, South Africa does not have specific data protection legislation in force, although the Promotion of Access to Information Act and the Electronic Communications and Transactions Act do contain certain provisions relating to data protection. These provisions are, however, regarded as interim measures and will only stay in force until more specific data privacy laws are formulated and implemented (SALC IP24 at 1.2.25). South African commentators agree that the urgent creation of such measures through legislation is a pressing priority (SALC IP24 at 1.2.24) and a law reform process is now in full motion.

6.2.1 Interim Provisions

Electronic Communications and Transactions Act (ECTA) (25 of 2002)

The ECTA only applies to personal information that has been obtained through electronic transactions (section 50(1)). This act provides principles for collecting information, but these principles are not binding and may be voluntarily subscribed to by the data controller (defined in section 1 as the person collecting the information) by the noting of such subscription in any agreement with a data subject (defined by section 1 as the person to whom the information relates).
Once a data controller elects to subscribe to the principles listed in the act, (s)he must subscribe to them all (Section 50(3)). Listed in Section 51 of the Act, the principles include:

Fair and Lawful Collection

A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject, unless he or she is permitted or required to do so by law (section 51 (1)). A data controller may not electronically request, collect, collate, process or store personal information on a data subject that is not necessary for the lawful purpose for which the personal information is required (section 51 (2)). The data controller must also disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored (section 51 (3)).

Use and Retention

The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law (section 51 (4)). The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected (section 51 (5)). The data controller must also delete or destroy all personal information that has become obsolete (section 51 (8)). A data controller may, however, use personal information to compile profiles for statistical purposes and may freely trade such profiles and statistical data as long as the profiles or statistical data cannot be linked to any specific data subject by a third party (section 51 (9)).
Disclosure

A data controller may not disclose any of the personal information held by it to a third party unless required or permitted by law or specifically authorised to do so in writing by the data subject (section 51 (6)). Furthermore, for as long as the personal information is used and for a period of at least one year thereafter, the data controller must keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed (section 51 (7)).

Promotion of Access to Information Act (PAIA) (2 of 2000)

The bulk of this act is concerned with access to information held by both public and private bodies. The most notable provision regarding data protection is section 88, which provides:

If no provision for the correction of personal information in a record of a public or private body exists, that public or private body must take reasonable steps to establish adequate and appropriate internal measures providing for such correction until legislation providing for such correction takes effect.

6.2.2 Law reform

The SALC has recently embarked on a law reform process initiated by its report to the Ad Hoc Joint Committee on the Open Democracy Bill (dated 24 January 2000), subsequently re-named the Promotion of Access to Information Act. The report concluded that the Open Democracy Bill did not deal adequately with a number of crucial aspects of the right to privacy, such as the correction of and control over personal information. The report also noted that foreign jurisdictions often had separate privacy and data protection laws. The SALC therefore requested the Minister for Justice and Constitutional Development (the Minister) to introduce privacy and data protection legislation into Parliament, after thorough research of the matter, as soon as reasonably possible. The Minister, in turn, approached the SALC to consider the possible inclusion of such an investigation in its programme.
The investigation was eventually included in the programme of the SALC on the 17th of November 2000 and a Project Committee was appointed by the Minister to assist the SALC in its task (SALC IP24 at 1.1.1 - 1.1.5). The SALC then conducted its research and released an issue paper and questionnaire to the public in December 2003. The next stage will be the issuance of a discussion paper and draft bill (SALC <http://wwwserver.law.wits.ac.za/salc/salc.html>).

The preliminary proposals of the SALC can be summarised as follows:
a) Privacy and data protection should be regulated by legislation;
b) General principles of data protection should be developed and incorporated in that legislation;
c) A statutory regulatory agency should be established;
d) A flexible approach should be followed in which industries will develop their own codes of practice (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency.

6.3 Assessment

The legislative frameworks of both Zimbabwe and South Africa are on the whole inadequate. The Zimbabwean legislation is deficient due to its failure to regulate personal information held by private persons and bodies. However, the AIPPA does contain all the data protection principles that constitute the ideal. The South African legislation is inadequate on two main grounds. Firstly, the ECTA only regulates information collected electronically, makes the subscription to data protection principles voluntary, leaves the enforcement of the principles to the law of contract, and omits the very significant right to request correction and the duty of data controllers to ensure the accuracy of information (Smith A 2003). The inadequacies of this enforcement mechanism are discussed below.
Secondly, the PAIA merely recognises the right of a data subject to have only accurate records about themselves used and retained by both private and public bodies, but does not provide for a procedure through which a data subject may request correction or amendment of records; instead, it shifts the onus onto public and private bodies to establish such procedures.

7. Law in action

7.1 Zimbabwe

The AIPPA establishes a Commission (section 38) which, among other roles, is charged with commenting on the implications of proposed legislation, the programmes of public bodies regarding access to information and protection of privacy, and implications of automated systems for the collection and storage and analysis or transfer of information. It is also tasked with informing the public about the Act itself (Section 39). To date, the Commission has dealt with no matters relating to informational privacy. The AIPPA also provides for review by the Commission of a decision or act pertaining to an application for access to a record or for correction of personal information held by a public body (other than itself). A third party notified of a decision to give access may also request the Commission to review any decision made by the head of the public body (sections 53 - 57). Applications for review of decisions or acts of the Commission are to be made to the Administrative Court (section 90A).

7.2 South Africa

As mentioned above, any disputes arising under the ECTA are to be dealt with under the law of contract. This is unfortunate and inadequate. Firstly, the data subject may not have read the (online) contract and will subsequently be unable to enforce the principles protecting him or her. Secondly, the remedies available may be inadequate. These remedies include an interdict where the breach is continuing or threatening, specific performance and damages. The inadequacy of these remedies lies, for example, in the quantification of damages (Smith A 2003 p10).
The PAIA provides for internal appeals against decisions of private and public bodies (sections 74 – 77) and, after internal remedies have been exhausted, for applications to court regarding decisions of information officers or relevant authorities of public bodies or heads of private bodies (sections 78 – 82). It also empowers the Human Rights Commission to carry out certain duties in relation to the Act (sections 83 – 85). In particular, the Human Rights Commission may, among other things, monitor the implementation of the Act and, if reasonably possible, on request, assist any person wishing to exercise the rights contemplated in the Act (section 83 (3)). The Human Rights Commission therefore has a limited oversight function.

7.3 Assessment

The oversight mechanisms of both countries are underdeveloped and the courts will have to enforce the data protection laws until such a time that proper oversight bodies are established.

8. Current Data Flows From Europe and Their Economic Significance

The Council and the European Parliament, through the EU Directive, have given the European Commission the power to:
1. Determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into (Article 25(6)); and
2. Decide that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2), in that they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights (Article 26 (4)).
A declaration that a country offers adequate levels of protection means that personal data can flow from EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary (EUROPA EU – Internal market – Data Protection – Adequacy <http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm>). The Commission has so far recognized Switzerland, Hungary, the US Department of Commerce's Safe Harbor Privacy Principles, Canada and Argentina as providing adequate protection (Rapid Press Release Reference: IP/03/932 of 02/07/2003).

Similarly, if the Commission finds that the incorporation of certain standard clauses into a contract will offer sufficient safeguards, personal data can flow from a Data Controller established in any of the EU member states and the three EEA member countries to a Data Controller established in a country not ensuring an adequate level of data protection. The Commission is in the process of approving standard contractual clauses for transfers of personal data to data processors (EUROPA EU – Internal market – Data Protection – Model Contracts <http://europa.eu.int/comm/internal_market/privacy/modelcontracts_en.htm>). Data will accordingly only flow to a country outside Europe if the country has been declared as having adequate levels of protection or where the Commission has found that adequate safeguards for information can be secured through contracts.

The procedure for the adoption of a (comitology) Commission decision based on Articles 25 (6) and 26 (4) of the Directive involves:
1. A proposal from the Commission;
2. An opinion of the group of the national data protection commissioners (Article 29 working party);
3. An opinion of the Article 31 Management committee delivered by a qualified majority of Member States;
4. A thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executing powers correctly, which may, if it considers it appropriate, issue a recommendation; and
5. The adoption of the decision by the College of Commissioners.

Even if the country of destination does not offer an adequate level of protection or no finding has been made as to the adequacy of contractual clauses, data may be transferred in the following specific circumstances provided for by Article 26 (1):
1. The data subject has given his consent unambiguously to the proposed transfer; or
2. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; or
3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
5. The transfer is necessary in order to protect the vital interests of the data subject; or
6. The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

Also, under Article 26 (2) national authorities may authorise on a case by case basis specific transfers to a country not classified as offering an adequate protection where the exporter in the EU cites adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.
This could be done, for example, by contractual arrangements between the exporter and the importer of data, subject to the prior approval of national authorities (MEMO/01/228 Brussels, 18th June 2001).

Zimbabwe and South Africa have not been declared as having adequate levels of protection for personal data nor has a determination been made regarding the adequacy of contractual clauses. Data may be flowing to these countries in terms of article 26(1). However, specific information on the levels of such data flows is difficult to gather as EU member states do not always report such transfers. Indeed the Commission has expressed concern about this in its first report on the implementation of the Data Protection Directive (<http://europa.eu.int/comm/internal_market/privacy/lawreport/datadirective_en.htm>). The report specifically states that certain indicators, such as the very limited number of notifications received from Member States pursuant to Article 26 (3) of the Directive, clearly suggest that ‘many unauthorised and possibly illegal transfers are being made to destinations or recipients not guaranteeing adequate protection’. The Commission further noted that ‘although there are other legal transfer routes apart from Article 26 (2), this number is derisory by comparison with what might reasonably be expected’ (p19). In view of the Commission’s strongly worded displeasure about illegal transfers and inadequate reporting, it is unlikely that substantial personal data will be transferred to Zimbabwe and South Africa. The Commission has also established a work programme to rectify this and has sent a note to member states laying out common criteria for carrying out these notifications in a pragmatic way that puts into place mechanisms that guarantee the exchange of best practices between Member States.
The note also deals with notification arrangements concerning standard contractual clauses adopted by the Commission, other model contracts or authorisations and binding corporate rules.

‘Europe is the largest source of investment for South Africa and accounts for almost half of South Africa's total foreign trade. Seven of South Africa's top 10 trading partners are European countries. Relations with Europe, with the EU as the pivot, are crucial economically’ (South Africa Yearbook 2003/4 <http://www.info.gov.za/yearbook/2004/economy.htm>). Any decrease in the flow of personal data from Europe is likely to impact significantly on South Africa’s economy. The same is true of Zimbabwe as her economy is closely linked to, and indeed largely dependent on, South Africa. It is thus imperative that both countries move swiftly to enact adequate data protection laws.

9. Conclusion

In their current form the data protection systems of both Zimbabwe and South Africa are wholly inadequate. Not only do both jurisdictions fail to conform to the comprehensive laws model of data protection, their current laws also fall far short of internationally accepted data protection principles. However, given the current process of legal reform underway in South Africa, it at least appears as though some of these inadequacies will be rectified there in the near future.

Notes and References

[1] See NEPAD website < http://www.touchtech.biz/nepad/files/en.html.>.

Books

Bygrave LA (2002). Data protection: Approaching Its Rationale, Logic and Limits (Kluwer Law International: The Hague).
De Waal J, Currie I & Erasmus G (2000) The Bill of Rights Handbook 3ed (Juta: Kenwyn).
Neethling J (1998) Persoonlikheidsreg (Butterworths: Durban).
Neethling J, Potgieter JM & Visser PJ (1996) Neethling’s Law of Personality (Butterworths: Durban).
Neethling J, Potgieter JM & Visser PJ (2002) Law of Delict (Butterworths: Durban).

Articles

Bygrave (2001). ‘The Place of Privacy in Data Protection Law’, University of New South Wales Law Journal (6). Available online at: <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html>.
Crisis in Zimbabwe Coalition (2004). ‘Comments on the selective application of AIPPA’. Available online at: <http://www.kubatana.net/html/archive/cact/040121ciz.asp?sector=LEGISL&range_start=1>.
Gross (1967). ‘The Concept of Privacy,’ 1967 NYULR 34.
Hammitt (1998). ‘A Constitutional Right of Informational Privacy’. Available online at: <http://www.govtech.net/magazine/gt/1998/june/access/access.phtml>.
Kamduzi (2000). ‘Review of the Constitutional Process,’ Agenda, Vol.3, No.3, November 2000.
McQuoid-Mason (2001). ‘Invasion of Privacy: Common Law v Constitutional Delict - Does it Make a Difference?,’ Acta Juridica, 227-261.
Neethling (2002). ‘Aanspreeklikheid vir ’Nuwe’ Risiko’s: Moontlikhede en Beperkinge van die Suid-Afrikaanse Deliktereg,’ 2002 65 THRHR.
Petras (2002). ‘The legal implications of accreditation or non-accreditation of journalists under the Access to Information and Protection of Privacy Act’. Available online at: <http://www.kubatana.net/docs/media/021019accredmisazip.rtf>.
Reitz (1998). ‘How to Do Comparative Law,’ American Journal of Comparative Law, Volume 46, (617).
Rich (1995). ‘Right to Privacy in the Workplace in the Information Age’. Available online at: <http://www.publaw.com/privacy.html>.
Webb (2003). ‘A Comparative Analysis of Data Protection Laws in Australia and Germany,’ 2003 (2) The Journal of Information, Law and Technology (JILT). Available online at: <http://elj.warwick.ac.uk/jilt/03-2/webb.html>.

Conference Proceedings

Smith A (2003). ‘Privacy and the sale of customer lists in South African Insolvency Law: some issues reconnoitred,’ University of South Africa, Centre for Business Law, e-Commerce and Current Commercial Law Workshop, 28 August 2003.

Reports

BBC News (No Date). ‘Zimbabwe’s History: Key Dates’. Available online at: <http://news.bbc.co.uk/1/hi/special_report/1998/12/98/zimbabwe/226542.stm>.
Electronic Privacy Information Center (EPIC) and Privacy International. Privacy and Human Rights Report (2002). ‘An International Survey of Privacy Laws and Developments,’ United States of America. Available online at: <http://www.privacyinternational.org/>.
Helen Suzman Foundation (2000). ‘Political Opinion in Zimbabwe 2000’. Available online at: <http://www.hsf.org.za/Zimsurvey/zimdoor.html>.
Legal Resources Foundation (LRF), Catholic Commission for Justice and Peace (CCJP) (1997). ‘Breaking the Silence, Building True Peace: A report on the disturbances in Matabeleland and the Midlands 1980 – 1989: Summary Report’. Available online at: <http://www.zwnews.com/Breaking.doc>.
Report of the Southern Rhodesia Constitutional Conference (1979). Available online at: <http://home.wanadoo.nl/rhodesia/lanc1.html>.
R.W. Johnson (2000). ‘Zimbabwe's Hard Road to Democracy: Report of an exit poll during the election of June 24-25, 2000’. Available online at: <http://www.hsf.org.za/Zimexit/exitconts.html>.
World Press Review Online (2002). ‘Zimbabwe: Press Spars over Election Results’. Available online at: <http://www.worldpress.org/africa/0314zim.htm>.

Links

Organizations

Constitutional Court, South Africa <http://www.concourt.gov.za>.
South African Government <http://www.gov.za>.
The National Constitutional Assembly <http://www.nca.org.zw>.
South African Law Reform Commission <http://wwwserver.law.wits.ac.za/salc/salc.html>.
Zimbabwean Government <http://www.gta.gov.zw>.

Materials

Constitution of South Africa Act 108 of 1996 (as amended). Available online at: <http://www.gov.za/structure/constitution.htm>.
Constitution of Zimbabwe. Available online at: <http://www.nca.org.zw/html/coz/coz_fs.htm>.
Council of Europe’s Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (COE Convention) (1981). Available online at: <http://www.coe.fr/eng/legaltxt/108e.htm>.
NCA Draft Constitution. Available online at: <http://www.nca.org.zw/html/fdraft/fdraft_index.htm>.
The European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and On the Free Movement of Such Data (1995). Available online at: <http://www.cdt.org/privacy/eudirective/EU_Directive_.html>.
The Organisation for Economic Cooperation and Development’s Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1981). Available online at: <http://www.oecd.org/documentprint>.
The UN Guidelines Concerning Computerised Personal Data Files, adopted by the UN General Assembly on 14 December 1990, Doc E/CN.4/1990/72 20.2.1990. Available online at: <http://europa.eu.int/comm/internal_market/privacy/instruments/un_en.htm>.
Zimbabwe Constitutional Commission Draft Constitution (December 1999). Available online at: <http://www.gta.gov.zw/Constitutional/Draft.Constitution.htm>.

Legislation

Access to Information and Protection of Privacy Act (AIPPA) (Chapter 10:27).
Electronic Communications and Transactions Act (ECTA) (25 of 2002).
Promotion of Access to Information Act (PAIA) (2 of 2000).