https://www.polity.org.za
Deepening Democracy through Access to Information

The spy who went into the cold

13th September 2013

The recent furore around the unfettered access by the US government to personal data of individuals has drawn data protection laws out of the cold and into the harsh light of day. Is the personal information of South African individuals safe?

Introduction

Well-publicised whistle-blower, Edward Snowden (an erstwhile US government contractor), made allegations that the US government regularly intercepts and accesses the personal information of individuals processed in the US. It was further alleged that organisations such as The Guardian, Google, Facebook, Apple and Microsoft have worked with the National Security Agency (“NSA”) to provide ‘direct access’ to the back ends of their communicating systems so as to be able to easily access such data. In certain circumstances the US government is entitled to access personal information for foreign intelligence purposes, which was not the case here, alleged Snowden.

Both the US and RSA have legislation that allows governmental authorities to access personal data. The central issue is this: under what circumstances can the authorities legally access personal data?

Can the US government access personal information of SA citizens that is stored or processed in the US?

The US has laws which entitle the US authorities to access personal data of individuals; the most notable being the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, commonly known as the Patriot Act, and the Cyber Intelligence Sharing and Protection Act (“CISPA”).

CISPA allows for voluntary information sharing between private companies and the government in the event of a cyber-attack. For example, if the US government detects a cyber-attack that might take down Facebook, it is allowed to notify Facebook of the impending cyber-attack. Similarly, Facebook could inform the US government if it notices unusual activity on its networks that might suggest a cyber-attack. It has been argued that CISPA allows companies to easily hand over private information to the US government as the threshold for unusual activity is set too low, thus having the effect of overriding US privacy laws.

The Patriot Act permits US enforcement agencies to apply for what is called a FISA Order in terms of the Foreign Intelligence Surveillance Act (“FISA”) from the FISA Court. The FISA Order requires “the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities”.

If the FISA Order is granted, personal information of individuals (“Targeted Individuals”) can then be obtained by the US Authorities by serving the FISA Order on the company (“Target Company”) that holds the Targeted Individual’s personal information. FISA Orders include a “gag provision”[1] which prohibits the Target Company that receives a FISA Order from disclosing that fact to Targeted Individuals. The effect is that personal data of Targeted Individuals may be handed over to US enforcement agencies without that individual’s knowledge or consent.

Applications of the Patriot Act

The Patriot Act only applies in respect of personal data (of a Targeted Individual) required for foreign intelligence investigations or to protect against international terrorism or clandestine intelligence activities, when the FISA Order was legally and validly obtained and when it is served on:

  • an entity subject to US jurisdiction. A company will be considered to be under US jurisdiction when it conducts systematic business in the US and when it has “activities within the borders of the US”; or
  • an entity that is in “possession, custody, or control” of the data being requested (irrespective of whether such data is stored or processed within the US or another country).

The major criticism following the Snowden allegations is that the US Authorities’ conduct was in direct contravention of the Patriot Act. Personal data was obtained by the US government that was unrelated to foreign intelligence or international terrorism and, in certain circumstances, without obtaining a FISA Order.

The provisions of the Patriot Act and CISPA would arguably result in a conflict with SA’s common law, the Constitution and the Protection of Personal Information Bill (once it has been promulgated). Both a FISA Order obtained in terms of the Patriot Act and the sharing of cyber threat information in terms of CISPA would result in the disclosure of personal data without a data subject’s consent or knowledge.

That being so, the Patriot Act can, indeed, legally be used to access personal data of SA Target Individuals if the Target Company is linked to the US (in the manner described above). This would be common, for example, where personal data is placed in a cloud and this cloud is located within the US.

Examples of SA laws that entitle the SA government to access personal data

Regulation and Interception of Communications Act (“RICA”)

RICA regulates the interception of private communications between individuals. A communication includes communications via email, phone calls, letters or private and personal conversations between individuals. RICA prohibits such interception unless the person intercepting the communication has obtained the necessary legal authorisation, or one of the two people party to a given communication consents to this.

In this regard, RICA provides for various mechanisms through which SA authorities can access communications. Authorities can apply for an Interception Direction or a Real-Time Communication-Related Direction.

If granted, an Interception Direction would allow Authorities to intercept at any place in SA, any communication in the course of its occurrence or transmission.

If granted, a Real-Time Communication-Related Direction would order that a telecommunication service provider (which includes all network providers) provide real-time communication-related information in respect of any of its customers on an ongoing basis and as it becomes available. Real-time communication-related information means communication-related information which is immediately available to a telecommunication service provider (a) before, during, or for a period of 90 days after the transmission of an indirect communication; and (b) in a manner that allows the communication-related information to be associated with the indirect communication to which it relates.

Electronic Communications and Transactions Act (“ECT Act”)

The ECT Act allows employees of the Department of Communications (referred to as “cyber inspectors”), upon obtaining a warrant, to access an information system[2] that has a bearing on an investigation, for example, to:

  • search such information system;
  • access and inspect the operation of any computer or equipment forming part of an information system and any associated apparatus or material which the cyber inspector has reasonable cause to suspect is or has been used in connection with any offence; or
  • use or cause to be used any information system or any part of a system to search any data contained in, or available to, such information system.

The ECT Act defines an “information system” as a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the internet.

Conclusion

While the provisions of the Patriot Act and the Snowden allegations have raised quite a stir about privacy laws, the SA government (and other foreign governments) have had the power to access personal information through various legislative avenues for a long time. It is important for companies to understand how foreign and local legislation impacts on personal information they may process and to take all necessary steps to ensure data is protected as much as is legally permissible.

Written by Hilah Laskov, Associate and Tammy Bortz, Director at Werksmans Attorneys

[1] There is a similar provision in CISPA.
