The Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002 (RICA) was enacted more than twenty (20) years ago. Since the enactment of RICA, electronic communications technology has rapidly evolved and communication tools have changed and advanced. In 2019, Sutherland J remarked that –

“[28] RICA was enacted 2002, self-evidently, composed to address what was understood to be the character of the telecommunications environment of that time. Seventeen years later, that environment has evolved.”

The object of RICA is, in the first instance, to prohibit the interception of communications and, in the second instance, to regulate the exceptional circumstances under which communications may be intercepted.

This being the case, RICA, as a tool to fight crime, can also infringe on a person’s right to privacy if their communications are intercepted unlawfully. The Supreme Court of Appeal (“SCA“) recently had occasion to consider the extent to which RICA can seemingly protect the privacy of customers of mobile network operators in Giftwrap Trading (Pty) Ltd v Vodacom (Pty) Ltd and Others (1009/2020) [2023] ZASCA 47.

Facts

As a cellular phone and internet service provider, the first respondent (Vodacom) was required by law to obtain and keep specified information in respect of their customers. The appellant (Giftwrap) as the victim of “click fraud”, managed to obtain the local internet protocol (IP) addresses of devices from which the click fraud had emanated and also identified the service provider that each of the IP addresses used to gain access to the internet.

Seeking disclosure of the customer information in respect of each of the IP addresses, Giftwrap launched an application against the respondents (as the relevant service providers) in the High Court. The purpose of this application was to identify the wrongdoers in order to take legal action against them.

Vodacom submitted that the provisions of RICA precluded the disclosure that Giftwrap sought. The court agreed and held that section 42(1)(c) of RICA does not permit disclosure of customer information for the purpose of identifying wrongdoers.

Giftwrap brought an appeal to the SCA.

The issue

The salient issue on appeal was whether the provisions of RICA, particularly section 42, allow for the disclosure of customer information for the purpose of identifying wrongdoers.

The relevant provisions of RICA and arguments

Sections 39 and 40 of RICA are concerned with customer information and specifies the type of customer information that must be obtained and verified before a service provider enters into a contract with any person for the provision of electronic communication service. This includes information of both natural and juristic persons and includes, amongst others, physical addresses, full names and identification numbers or registration numbers as the case may be.

Insofar as the disclosure of customer information (as mentioned above) is concerned, section 42(2) provides that no service provider may disclose any information obtained in the exercise of its powers or the performance of its duties in terms of RICA, except for the purposes mentioned in section 42(1). To this end, section 42(1) provides for the disclosure of customer information –

• to any other person who of necessity requires it for the performance of his or her functions in terms of RICA (section 42(1)(a));
• if he or she is a person who of necessity supplies it in the performance of his or her functions in terms of RICA (section 42(1)(b)); or
• information which is required in terms of any law or as evidence in any court of law (section 42(1)(c));
• to any competent authority which requires it for the institution or an investigation with a view to the institution of any criminal or civil proceedings (section 42(1)(d)).

It was argued by Giftwrap that it was entitled to the customer information behind the IP addresses in terms of section 42(1)(c) of RICA as it wished to identify the wrongdoers of click fraud in order to take legal action against them.

Vodacom did not dispute Giftwrap’s factual averments nor that the information in question could be useful for the purpose for which it was required. It said that were the decision solely up to it, Vodacom would have provided the information to Giftwrap. In its view, however, the provisions of RICA precluded the disclosure that Giftwrap sought, hence the opposition to the application.

Findings of the SCA

The SCA held that Giftwrap required the customer information as part of an investigation (to identify perpetrators of click fraud) with a view to taking appropriate legal action. Therefore, it goes without saying that disclosure of the customer information in respect of the listed IP addresses would not necessarily lead to legal action against a person so identified.

The question then is whether section 42(1)(c) of RICA permitted this or, put differently, whether section 42(1)(c) permitted disclosure for this purpose.

The SCA held that the answer to this question lays in the interpretation of section 42(1)(c) of RICA by a holistic consideration of its text, context and apparent purpose. The SCA held that according to its text, section 42(1)(c) conveyed that the information must at the time of its disclosure be required as evidence in a court of law. It therefore envisaged disclosure of information which was required as evidence in proceedings that were pending in a court of law.

On that basis, information that is required to investigate whether legal proceedings could be instituted falls outside the ambit of section 42(1)(c). Reverting to the reason for which Giftwrap required the customer information, the court found that RICA did not permit the disclosure of customer information of a service provider for purposes of investigation or identifying wrongdoers.

Conclusion

In light of the SCA’s decision, the crux issue conclusion clarifies that Giftwrap did not fit the criteria per section 42(1)(c) of RICA that allowed it to obtain customer information for its own “investigation” and not for “evidence” in court for a pending matter. This was detrimental to Giftwrap’s case.

The SCA did not make reference to the relevant provision of the Protection of Personal Information Act 4 of 2013 (“POPIA“), yet the privacy of customers is relevant from a POPIA perspective.

There are competing interests in this regard:

• On one hand, section 14 of the Constitution guarantees the right to privacy. In particular, section 14(4) of the Constitution specifically protects an individual’s right not to have the privacy of his communications infringed.
• On the other hand, the interception of a communication or access to customer information pursuant to RICA is, on the face of it, an infringement on a person’s right to privacy.

However, it should be borne in mind that section 6(1)(c) of POPIA provides that POPIA does not apply to the processing of personal information when it relates to the judicial functions of a court.

Written by Ahmore Burger-Smidt, Head of Regulatory and Dale Adams, Associate; Werksmans