Journal of Information, Law and Technology

A Comparative Analysis of Zimbabwean and South African Data Protection Systems

Caroline Ncube

Lecturer, Department of Commercial Law, University of Cape Town

The author would like to thank the two reviewers for their insightful
comments and suggestions and Brent Hanks for his editorial work. The
author assumes responsibility for all errors within this work.

This is a refereed article published on: 30 November 2004.

Citation: Ncube, 'A Comparative Analysis of Zimbabwean and South African Data Protection Systems', 2004 (2) The Journal of Information, Law and Technology (JILT). <http://www2.warwick.ac.uk/fac/soc/law2/elj/jilt/2004_2/ncube/>.

Abstract

Data protection is a very important international trade issue and the lack of adequate data protection may be a barrier to trade. Data protection laws are also a vital part of the protection of an individual’s privacy.

This paper is a descriptive analysis of Zimbabwean and South African data protection systems. It compares these two common law systems in a holistic manner taking into account each nation’s peculiar cultural, social, economic and political environments. The most striking feature of both these systems is that they are underdeveloped; Zimbabwe only protects data held and used by the public sector whilst South Africa has no specific data protection legislation at all. There is currently a concerted effort to secure data protection in South Africa spearheaded by the South African Law Commission (SALC).

This paper is a contribution to this law reform process. Its objective is to give a synopsis of the two data protection systems, identify their weaknesses and make suggestions for reform drawn from stronger data protection systems. It proceeds by outlining the constitutional, common law and legislative frameworks regulating data protection in each country, and comparing these with each other and a common ideal. The paper also briefly discusses the current data protection law reform in South Africa and concludes with a forecast of probable developments in both countries.

Keywords: Data Protection, privacy, privacy legislation, Zimbabwean privacy law, South African privacy law, law reform, comparative law.

1.  Introduction

The need to establish and enforce effective data protection systems in both Zimbabwe and South Africa is a trade and development issue. The 1995 European Union Data Protection Directive (<http://www.bfd.bund.de/europa/EU_richtl_en.html>) imposes a standard of protection on any country in which the personal data of European citizens is processed. Such data can only be processed in countries that can guarantee adequate levels of protection (Articles 25-6).

Developing nations, especially those in Africa, as evidenced by their recent establishment of NEPAD,[1] intend to be full participants in the global economy. Such participation will only be enabled by conducive trade conditions. Zimbabwe and South Africa, like all other developing nations, therefore need to ensure that their data protection laws encourage rather than discourage international trade by providing adequate levels of data protection to enable the flow of data from European Union (EU) countries.

The adequacy of these systems will ultimately lie in their application and enforcement. This paper will accordingly also discuss enforcement structures and procedures.

The substantive part of this article is divided into five parts. The first part compares Zimbabwean and South African constitutional provisions relating to privacy. The second part discusses the common law protection of privacy in both jurisdictions. The third part analyses the legislative frameworks in each country. The fourth part examines oversight and enforcement of these laws. The fifth and final part concludes the paper with an overall assessment of each country and a forecast of probable future developments.

2. Zimbabwean and South African Constitutional Provisions Relating to Privacy

The right to privacy is widely considered a fundamental human right. It is provided for in Article 12 of the 1948 Universal Declaration of Human Rights and in other international instruments, such as Article 16 of the United Nations Convention on the Rights of the Child, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and Article 14 of the United Nations Convention on Migrant Workers. The American Convention on Human Rights (Art 11, 14) and the American Declaration of the Rights and Duties of Mankind (Art V, IX and X) contain provisions similar to those found in the Universal Declaration and International Covenant (SALC IP24 at 3.1.3 – 3.1.6).

A number of countries (like the United Kingdom) also protect the right to privacy under the rubric of general human rights legislation. Others such as South Africa (section 14 of the Constitution of South Africa Act 108 of 1996 (as amended)), the Kingdom of the Netherlands (Constitution of the Kingdom of the Netherlands, 1989), the Republic of the Philippines (art III, Constitution of the Republic of the Philippines, 1987), and the Russian Federation (art 23, Constitution of the Russian Federation, 1993) explicitly enshrine the right in their constitutions. The United States stands apart from these countries insofar as its Constitution does not contain an explicit right to privacy. Despite this, the Supreme Court of the United States has concluded that such a right is implicit in the Constitution (Hammit 1998) and most Americans consider privacy a core value (Lloyd L R 1995).

Despite the widespread protection it is offered in international instruments and constitutional provisions, ‘privacy’ is a term that is inherently difficult to define, and its definition varies widely (Electronic Privacy Information Center (EPIC) Report 2002 p2). Recognizing this, the South African Constitutional Court recently characterized the concept as both ‘amorphous and elusive’ (Bernstein and others v Bester and others NNO (Bernstein v Bester) 1996 (2) SA 751 at 787-788), but chose nonetheless to offer a definition of privacy as ‘an individual condition of life characterised by exclusion from the public and publicity. This condition embraces all those personal facts which the person concerned has determined himself to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private’ (Bernstein v Bester at 789).

The Supreme Court of Zimbabwe has not yet had occasion to define privacy in the context of the protection of personal information. Nor does the country’s constitution provide explicit provisions for the protection of an individual’s right to privacy.

3. Common Law Protection of Privacy in Zimbabwe and South Africa

In order to evaluate the common law protection offered to privacy in both countries, it is important to adopt an interdisciplinary, comparative law approach that takes into account the specific cultural, socio-political and economic factors that affect the manner in which law is applied and enforced in Zimbabwe and South Africa (Reitz, JC; 1998, Webb 2003). This paper therefore employs the methodology most recently utilized by Philippa Webb and originally formulated by legal analyst JC Reitz (1998, p. 622, 634) and compares each country’s data protection systems to one another before comparing them to a common ideal.

On the whole there is scant academic literature on the data protection laws of South Africa and Zimbabwe, although a detailed issue paper on South Africa’s data protection laws was recently released by the SALC (Issue Paper 24 ‘Privacy and data protection’ (IP 24)). There is an impressive body of literature on the historical, economic and socio-political climates of both countries online and in print. This paper will refer extensively to the online literature in order to enable readers to easily view the materials, should they wish to do so. This literature includes reports and articles by civic organisations, government information, media reports and survey and poll findings. There is also a large body of scholarship regarding matters of privacy in South Africa dating back as far as 1979. Of particular import are the materials dating from the mid 1990s onwards. However, much of this literature was originally produced in Afrikaans, so translations of the originals are relied on throughout this paper. The reader will also find that many Roman-Dutch phrases are used in the discussions of common law concepts, but every effort is made to concisely explain these terms.

The Ideal

This section outlines the ideal against which both data protection systems will be compared. The following four models of data protection were considered (EPIC Report 2002 p3; SALC IP24 at 7.1.3):

a) Comprehensive Laws Model

This model is characterised by a general law that governs the collection, use and dissemination of personal information by the public and private sectors. An oversight body then ensures compliance. Industry develops rules for the protection of privacy that are enforced by the industry and overseen by the private agency. This model, adopted by the European Union to ensure compliance with its data protection regime, is the preferred model for most countries adopting data protection laws (SALC IP24 at 7.1.4, 7.2.1-7.2.36; EPIC Report 2002 p4).

b) Sectoral Laws Model

This model does not have a general law like the comprehensive model but has sectoral laws governing, for example, financial privacy. In such cases, enforcement is achieved through a range of mechanisms. It has been adopted by the United States but has been criticised on a number of grounds. The first is that it requires new legislation to be introduced with each new technology, and consequently protections frequently lag behind technological advances and actual practice. An example of this shortcoming is the lack of legal protection for individual privacy on the Internet in the United States. The second major criticism is the lack of an oversight agency, which compromises the effectiveness of the laws. In many countries, sectoral laws are used to complement comprehensive legislation by providing more detailed protection for certain categories of information, such as telecommunications, police files or consumer credit records (SALC IP24 at 7.1.5, 7.2.37-7.2.43; EPIC Report 2002 p4).

c) Self-Regulation Model

The essence of this model is the protection of data through various forms of self-regulation. Companies and industry bodies establish their own codes of practice and engage in self-policing. Within the United States, this model has not been very effective and there is little evidence that the aims of the codes are regularly fulfilled. Additionally, these codes are often inadequate and are not efficiently enforced (SALC IP24 at 7.1.6, 7.2.44-7.2.70; EPIC Report 2002 p4).

d) Technology Model

Under this approach, due to the recent development of commercially available technology-based systems, data protection is in the hands of individual users. Individual users of the Internet and of some physical applications can employ a range of programs and systems that provide varying degrees of privacy and security of communications, for example encryption, anonymous remailers, proxy servers and digital cash (SALC IP24 at 7.1.7, 7.2.71 – 7.2.81, EPIC Report 2002 p4).

Principles of Data Protection

The following international documents both contain clear basic principles of data protection and serve as influential models for national and international initiatives on data protection (Bygrave LA 2002 p30, SALC IP24 at 1.2.22):

a) The Council of Europe’s 1981 Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (<http://www.coe.fr/eng/legaltxt/108e.htm>);

b) The 1981 Organisation for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (<http://www.oecd.org/documentprint>);

c) The 1995 EU Data Protection Directive; and

d) The United Nations’ (UN) Guidelines Concerning Computerised Personal Data Files (<http://europa.eu.int/comm/internal_market/privacy/instruments/un_en.htm>).

The COE Convention (a) and the OECD Guidelines (b) have had a profound effect on the global enactment of data protection laws. Almost thirty countries have signed the COE Convention, and the OECD Guidelines have been widely used in national legislation, even outside the OECD member countries (SALC IP24 at 1.2.14). The OECD Guidelines provide eight principles relating to the collection, purpose, use, quality, security and accountability of organisations in relation to personal information.

The EU Directive was enacted to harmonise member states’ laws in providing consistent levels of protection for citizens and ensuring the free flow of personal data within the European Union (SALC IP24 at 1.2.16-17). The UN Guidelines are intended to encourage those UN Member States without data protection legislation in place to take steps to enact such legislation and to encourage governmental and non-governmental international organisations to process personal data in a responsible, fair and privacy-friendly manner. The Guidelines are not legally binding and seem to have had much less influence on data regimes than the other instruments (Bygrave LA 2002 p33, SALC IP24 at 1.2.19).

Although the expression of data protection in the above declarations and laws varies, they all set the common minimum standard that personal information must be:

• collected fairly and lawfully;

• used only for the specified purpose for which it was originally collected;

• adequate, relevant and not excessive to purpose;

• accurate and up to date;

• accessible to the subject;

• kept secure; and

• destroyed after its purpose is completed (SALC IP24 at 1.2.23).

These minimum standards together with the comprehensive laws model outlined above will comprise the ideal against which the data protection systems of South Africa and Zimbabwe will be compared.

4. The Constitutional Right to Privacy

4.1 South Africa and Its Socio-Political, Economic and Historical Background

The South African constitution provides that the country is a constitutional democracy and any law or conduct inconsistent with its constitution is invalid (section 2). Chapter 2 of the constitution, the Bill of Rights, provides for certain fundamental rights applicable to all law, including the common law relating to the right to privacy, and binds not only the State (section 8(1)) but also, if applicable, natural and juristic persons (section 8(2)).

For nearly all of the latter half of the twentieth century the National Party governed South Africa. It was only in 1994 that the first democratic elections were held in the country under an Interim Constitution. The African National Congress (ANC) has since led the government and has been opposed by numerous political parties, including the New National Party (NNP), the Inkatha Freedom Party (IFP) and the Democratic Alliance (DA). Together these parties have sought to move beyond the racial discrimination and political violence that characterized the period prior to 1994 and have for the last decade been engaged in the pursuit of democratisation, socio-economic change and reconciliation. The constitution-making process, local government elections and the establishment of the Truth and Reconciliation Commission have been vital components of their efforts.