This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at firstname.lastname@example.org.
The first coronavirus death in South Africa was recorded on 27 March 2020, exactly three weeks after South Africa’s first confirmed case of coronavirus. The SA Coronavirus Statistics Report of 25 June 2020 states that a total of 1,460,012 Covid-19 tests have been conducted and 2,292 deaths have been recorded. The total number of confirmed cases currently stands at 118,375 people, with 59,974 people having recovered. The epicentre of the virus is Cape Town in the Western Cape Province. South Africa has been applauded by the World Health Organisation for its stringent, drastic and decisive measures to address the spread of the virus at an early stage.
Unfortunately, there are serious concerns that these drastic measures unfairly infringe on the rights enshrined in the Constitution of the Republic of South Africa Act, 1996 (“the Constitution”). Some of the constitutional rights which were seriously infringed relate to the right to freedom of movement (section 21), the right to freedom of trade (section 22), the right to assembly (section 17), the right to freedom of religion (section 15), as well as the right of privacy (section 14) and human dignity (section 10). Different people have approached our courts challenging the constitutionality of different restrictive measures adopted by the government. The Constitutional Court has clarified that the decision by the government to place South Africa under lockdown is constitutional in the case of Hola Bon Renaissance Foundation. Despite the lockdown itself being declared constitutional, a recent High Court decision in De Beer has held that the regulations accompanying the lockdown are unconstitutional, unlawful and invalid on the basis of being irrational. This paper briefly discusses whether some of the measures adopted in South Africa infringe on the right to privacy and data protection.
1. SOUTH AFRICA’S COVID-19 STATE OF PLAY
South Africa’s underlying law regulating the Covid-19 pandemic is the Disaster Management Act 57 of 2002 (“DMA”). This Act seeks to provide for an integrated and coordinated disaster management policy that focuses on preventing or reducing the risk of disasters, emergency preparedness, rapid and effective response to disasters and post-disaster recovery. Section 23 (1) of the DMA provides that when a disastrous event occurs or threatens to occur, the National Disaster Management Centre must assess the magnitude and severity of the disaster and classify it as a local, provincial or national disaster. On 15 March 2020, the South African government, through the Minister of Cooperative Governance and Traditional Affairs (“the Minister”), classified the Covid-19 pandemic as a national disaster (Classification of a National Disaster Regulations). Pursuant to the national state of disaster, on 18 March 2020 the Minister published Regulations relating to the regulation and combat of Covid-19. These regulations set out a list of prohibited activities and restrictions, such as gatherings, the limitation on the sale of alcohol and the closure of schools. From 18 March 2020 to date, the Minister has amended and updated the regulations. Some of the amendments include the following:
- Disaster Management Act: Amendment to Regulations of 25 March 2020 – which imposed restrictions on movement of people and goods and prohibited the operation of public transport services (alert level 5);
- Disaster Management Act: Amendment to Regulations of 26 March 2020 – which amended a few provisions of the 25 March 2020 regulations;
- Disaster Management Act: Amendment to Regulations of 2 April 2020 – which introduced regulations on contact tracing;
- Disaster Management Act: Amendment of Regulations: Coronavirus Covid-19 Lockdown of 16 April 2020 – which extended the lockdown period from 16 April 2020 to 30 April 2020;
- Disaster Management Act: Regulations Alert Level 4 of 29 April 2020 – which introduced eased regulations from alert level 5 to alert level 4 and permitted movement of persons but under strict conditions; and
- Disaster Management Act: Regulations: Alert Level 3 during Coronavirus Covid-19 lockdown of 28 May 2020 – which eased the regulations from alert level 4 to alert level 3 by imposing fewer restrictions on movement of persons, attendance of funerals and gatherings.
The social and economic impact of the virus, particularly of the lockdown, has proved catastrophic, as millions of people lost their jobs and means of trade. The government injected a total of 500 billion Rand into the economy to assist in the fight against Covid-19 and to provide financial support to millions of South Africans who have been impacted by the lockdown.
2. LOCKDOWN REGULATIONS, A THREAT TO PRIVACY AND DATA PROTECTION
Of particular relevance to privacy and data protection are the Regulations on Contact Tracing. Under the Contact Tracing Regulations, South Africa’s National Department of Health has been tasked with developing and maintaining a coronavirus Tracing Database. The purpose of the database is to enable the tracing of Covid-19 patients as well as persons who may have been in contact with Covid-19 patients. When a person is being tested for Covid-19, information such as first name and surname; identity number; passport number; residential address; any other address where such person could be located; and cell phone numbers is collected. The information collected during testing is immediately submitted to the Director General: Health (“DG”) for inclusion in the coronavirus Tracing Database. The type of information collected and contained in the Tracing Database falls within the definition of personal information and special personal information under the Protection of Personal Information Act, 4 of 2013 (POPIA). POPIA is South Africa’s law on data protection, which seeks to give effect to the constitutional right to privacy by putting in place conditions that must be complied with when responsible parties process personal information.
- Condition 1: Accountability – means that responsible parties must comply with the law and process personal information in a responsible manner during the management of Covid-19 and even after Covid-19.
- Condition 2: Processing Limitation – when processing personal information for Covid-19, responsible parties must ensure that they only collect information that is adequate, relevant and not excessive. Due to the nature of the virus, consent of the Covid-19 patient is not necessary and their personal information may be collected to comply with the law and public law duty of protecting public health.
- Condition 3: Purpose Specification – the only purpose of processing Covid-19 related personal information must be to detect, contain and prevent the spread of Covid-19. Once the purpose has been achieved, records of personal information must be destroyed. In the case of Covid-19, the records must be destroyed within 6 weeks after the lapse of the national state of disaster.
- Condition 4: Further Processing – further processing of personal information must be in line with the original purpose for which it was collected. A responsible party may further process personal information without complying with this condition if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of a data subject or another individual.
- Condition 5: Information Quality – this condition requires that a responsible party must keep complete, accurate and updated records of personal information.
- Condition 6: Openness – it is expected of a responsible party to maintain documentation of all processing operations which relate to detecting, containing and preventing the spread of Covid-19.
- Condition 7: Security Safeguards – to secure the integrity and confidentiality of personal information collected in relation to Covid-19, a responsible party must take appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised access to personal information.
- Condition 8: Data Subject Participation – a responsible party must, upon request, confirm whether it holds personal information about a data subject.
After years of waiting for the full implementation of POPIA, the Office of the Presidency announced that the substantive provisions of POPIA came into effect on 1 July 2020. This new development in South African law means that any responsible party processing personal information must comply with POPIA’s eight conditions. Commenting on the DMA regulations, the Information Regulator (South Africa’s data protection supervisory authority) published a Guidance Note on Covid-19. The Guidance Note clarified that government departments fall within the definition of responsible party (data controller) and operators (processors). This means that the Department of Health and the DG, as responsible parties, are expected to comply with the data protection conditions set out under POPIA when managing the Tracing Database.
Another privacy-threatening provision of the Contact Tracing Regulations relates to the powers bestowed on the DG. Regulation 11H (10) of the Contact Tracing Regulations permits the DG to direct any electronic communications service provider to provide information relating to the location or movements of any person known or reasonably suspected to have contracted Covid-19 or persons who may have come into contact with Covid-19 patients. There are concerns and fears that contact tracing can lead to surveillance during the pandemic. Some have also raised concerns that journalists must be afforded special protection under the Contact Tracing Regulations. It is my submission that the Contact Tracing Regulations do not provide for surveillance by government. Not every government department has been given the authorisation to conduct the tracing. Tracing is limited to the Director General of Health. If other government departments such as law enforcement bodies seek to obtain location data and movement data, they have to rely on other laws such as the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (“RICA”) and the Criminal Procedure Act 51 of 1977. Further, the wording of the regulations is that the Director General “may” request such information. This wording means that it is not mandatory for the DG to request location data of every Covid-19 patient or any person suspected to have been in contact with a Covid-19 patient.
The Contact Tracing Regulations also place a limitation on service providers. Service providers cannot unilaterally trace Covid-19 patients without receiving a request from the Director General. With POPIA coming into effect, the Information Regulator will be able to exercise its regulatory powers and take action against any responsible parties who do not comply with POPIA conditions.
3. WHAT IS SOUTH AFRICA’S POSITION ON CONTACT TRACING MOBILE APPS?
South Africa is still in the early stages of developing mobile app technologies (mobile Apps) to be used as part of the contact tracing process. The South African government, together with the University of Cape Town, recently developed a mobile App called Covi-ID. Use of the App is by voluntary consent and there are not yet any state-mandated mobile Apps that people are expected to download and use. The government operates a WhatsApp platform that provides people with information on coronavirus as well as information on symptoms of Covid-19. The WhatsApp platform has been criticised for a lack of transparency in the terms and conditions regarding the processing of personal information collected via the platform.
The Contact Tracing Regulations specifically refer to tracing by service providers who hold electronic communications network service licenses. The regulations do not provide for the use of mobile Apps for the tracing of people. It is not clear whether the DG can rely on the Contact Tracing Regulations to approach a mobile App provider to disclose location data of its users. Considering that the objective of contact tracing is to prevent the spread of Covid-19, it can be argued that the DG should be able to request such information from the mobile App provider. POPIA provides a justification for such processing of personal information collected via the mobile App if it is to comply with a law such as the DMA and the Regulations.
The African Union (“AU”) also published its Guidance Note on Contact Tracing for Covid-19 Pandemic. The AU Guidance Note provides an overview of the steps to be followed when tracing a contact, how to identify a contact and the best practice to manage contacts. However, the AU Guidance Note does not speak to the use of technologies as a tool to trace Covid-19 contacts. This might be because most people in African states do not have access to cellular phones and smartphones. This might also be because some areas still do not have proper infrastructure for telecommunication services and emphasis on mobile tracing might become futile. For informed guidance on the use of mobile Apps for contact tracing, it is my recommendation that South Africa should consider the European Data Protection Board Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the Covid-19 outbreak.
The coming into force of POPIA is a welcome development in our law. When the regulations on the DMA were passed, no due consideration was given to the limitation that each regulation had on human rights and privacy. The objective of the regulations was to save lives and stop the spread of the virus. From a privacy perspective, the Contact Tracing Regulations contained gaps on the processing of personal information. POPIA makes it mandatory that any processing of personal data, whether for a Covid-19 related purpose or otherwise, must comply with the conditions for lawful processing of personal information.
Melody Musoni is a PhD Student at the University of Witwatersrand and Legal Consultant at Phukubje Pierce Masithela Attorneys Inc in South Africa. Melody is passionate about the interplay between law and technological innovations, cybersecurity and data protection (email@example.com).