Source: Paul Jacobson of Jacobson Attorneys
The primary law governing privacy law is the Bill of Rights and article 14 in particular:
14 Privacy
Everyone has the right to privacy, which includes the right not to have-
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized; or
(d) the privacy of their communications infringed.
The right to privacy is a general right to privacy first. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights:
- Has a law or a party’s conduct infringed the right, taking into account the right’s scope; and
- If there is an infringement, is it justified under the Limitations clause in the Bill of Rights?
The Limitations clause is article 36:
36 Limitation of rights
(1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including-
(a) the nature of the right;
(b) the importance of the purpose of the limitation;
(c) the nature and extent of the limitation;
(d) the relation between the limitation and its purpose; and
(e) less restrictive means to achieve the purpose.
(2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.
So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally.
The seminal case on the right to privacy is Bernstein and Others v Bester NO and Others. The Constitutional Court said that the right to privacy is informed largely by a legitimate expectation of privacy which, in turn, means that a person must establish that:
he or she has a subjective expectation of privacy and that the society has recognized that expectation as objectively reasonable.
The subjective component means that a person can’t have an expectation of privacy where that person has consented to have his or her privacy invaded. The objective component introduces a requirement for reasonableness when assessing an apparent privacy violation. There is a notion of a “continuum of privacy interests” which is a helpful application of this idea of a legitimate expectation of privacy. The Court in the Bernstein case said the following:
The truism that no right is to be considered absolute, implies that from the outset of interpretation each right is always already limited by every other right accruing to another citizen. In the context of privacy this would mean that it is only the inner sanctum of a person, such as his/her family life, sexual preference and home environment, which is shielded from erosion by conflicting rights of the community. This implies that community rights and the rights of fellow members place a corresponding obligation on a citizen, thereby shaping the abstract notion of individualism towards identifying a concrete member of civil society. Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly.
This is an explanation for why people in the public eye have a different legitimate expectation of privacy than people who are deeply private and secretive. A person’s legitimate expectation of privacy is determined by their level of publicity and the consents they have given to invasions of their privacy.
Without delving into the law further we can already see that an aspect of the legitimate expectation of privacy is this subjective expectation of privacy which is determined by factors like consent and so on. Bottom line here is that if you grant your consent to a company to collect and process your personal information in some way, you don’t have a legitimate expectation of privacy when it comes to the authorised use of that personal information.
The general right to privacy should protect another important interest called “informational self-determination“. This interest includes the ability to control what information is collected, how and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination).
So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn’t otherwise permissible but you have a say over what that information can be used for, not to mention the ability to find out what personal information authorised parties have collected and correct it if need be.
Chapter 8 of the Electronic Communications and Transactions Act contains a voluntary set of principles which go some way towards codifying this aspect of privacy law but it is limited to “electronic transactions” and, as we pointed out above, is voluntary. Notwithstanding these limitations, it is helpful in formulating a privacy policy which contains the necessary consents which a service may require from its users.
The proposed Protection of Personal Information Bill will take this process further and introduce a far more structured and mandatory regime to protect collection and processing of personal information but we are still some way away from that proposed law being passed. That being said, we recommend to our clients that they develop privacy policies in line with this proposed legislation because it is the likely shape of things to come (which is important when incorporating privacy considerations into a medium to long term project) and it provides sound principles for the collection and processing of personal information.
