Module 4: Privacy and Security Online
Report of the UN Human Rights Committee regarding data retention in South Africa
Section 30(2) of the South African Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) obliges telecommunications service providers to retain all data for a period prescribed by the relevant executive authority, which may be between a period of three years and five years. The current prescription is three years. This means that all of a person’s personal telecommunications, up to three years past, lie in wait for the state to pry into, if the officials convince a judicial officer to authorise access.
In 2016, in the Human Rights Committee’s concluding observations regarding South Africa’s compliance with the ICCPR, the Human Rights Committee raised concern “about the wide scope of the data retention regime under [RICA]”. The Human Rights Committee therefore recommended that South Africa “should refrain from engaging in mass surveillance of private communications without prior judicial authorization and consider revoking or limiting the requirement for mandatory retention of data by third parties.”
Data retention is typically described as “the process through which governments and businesses (especially telecommunication and internet providers) record and store various data (usually related to individuals).”(1) As explained by Privacy International:(2)
“The practice of data retention involves the gathering and storing of communications data for extended periods for the purpose of future access. Metadata tells the story about your data and answers the who, when, what, and how of a specific communication. Data collected will likely cover a mixture of personally identifiable and non-identifiable information, including traffic data (data about how a communication was transmitted including source, destination, means of transmission, time and location of transmission), subscriber data (data identifying subscribers as provided to the communications service provider) and data specific to the use of the communications service in question (time of use, billing information, amount of data downloaded, redirection services). Data retention serves multiple uses, some of which are commercial and others not. Retention can similarly be voluntary, for instance where the data is kept by a company for its internal uses, or it can be mandated by law for potential access by third parties, in particular by governmental agencies.”
While, on the one hand, data retention can be important for crime prevention or criminal investigations, it also gives more power to governments to monitor the public and takes away their rights to online privacy.(3) The practice of mandating the retention of communications data (or metadata) raises significant privacy, transparency and security concerns. In turn, this may affect the ways in which people exercise their rights online, and poses a risk of leading to self-censorship.
It has been noted that: “Data retention laws are different from country to country, but they ultimately have the same goal: A better grip on the digital world at the expense of privacy and freedom of speech”.(4) Privacy International explains that the mass retention of individuals’ communications records, outside the context of any criminal investigation or business purpose, “amounts to the compilation of dossiers on each and every one of us, our friends, family and colleagues”.(5) Privacy International goes on to explain that:
“The potential harms associated with data retention and access are significant. In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses serious risks to individual privacy and data security. The data opens the door for governments and third parties to make intimate inferences about individuals, to engage in profiling and to otherwise intrude on people’s private lives. If the information is not properly protected there is the potential of unauthorised access to troves of information by third parties, including cyber-criminals.”
Most data protection frameworks provide that data should only be collected for specified, explicit and legitimate purposes and that such data should, in the ordinary course, be deleted when this is no longer the case. Additionally, data ought not to be kept for longer than it is needed. For example, article 5(1)(e) of the GDPR provides that personal data shall be—
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.
In general, there are two key factors that determine an appropriate data retention period: (i) the purpose for processing the data; and (ii) any legal or regulatory requirements for retaining it. In respect of the latter, various countries have mandatory data retention laws that require telecommunication and internet service providers to retain certain types of data – such as metadata – for stipulated periods of time.
Importantly, there have been at least two significant judgments of the CJEU — Digital Rights Ireland(6) and Tele2 Sverige AB(7) — that have reaffirmed the requirement that all data retention regimes must comply with the principles of legality, necessity and proportionality.(8) Appropriate safeguards are also needed to protect the data that has been retained.
Indefinite retention of DNA, fingerprints and photograph held to be in breach of privacy rights
In the February 2020 judgment of Gaughran v United Kingdom (application no. 45245/15), the matter concerned a complaint about the indefinite retention of data (DNA profile, fingerprints and a photograph) of a man who had a spent conviction for driving with excess alcohol. The European Court of Human Rights (ECtHR) held that there had been a violation of his privacy rights in terms of article 8 of the European Convention on Human Rights (European Convention). The ECtHR underlined that it was not the duration of the retention of data that had been decisive, but the absence of certain safeguards. In the applicant’s case, his personal data had been retained indefinitely without consideration of the seriousness of his offence, the need for indefinite retention, and without any real possibility of review. Noting that the technology being used had been shown to be more sophisticated than that considered by the domestic courts in this case, particularly regarding storage and analysis of photographs, the ECtHR considered that the retention of the applicant’s data had failed to strike a fair balance between the competing public and private interests.