Module 4: Privacy and Security Online
Report of the UN Human Rights Committee regarding data retention in South Africa
The legally mandated retention of communications data in South Africa has been a contentious issue for courts, digital rights advocates, and human rights bodies.
- Section 30(2) of South Africa’s Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) obliges telecommunications service providers to retain all communications data for a period of three years. This means that all details of a person’s telecommunications from the past three years lie in wait for the state to pry into, if officials convince a judicial officer to authorise access.
- In 2016, in an assessment of South Africa’s compliance with the ICCPR, the UN Human Rights Committee raised concern “about the wide scope of the data retention regime under [RICA]”, and recommended that South Africa “should refrain from engaging in mass surveillance of private communications without prior judicial authorization and consider revoking or limiting the requirement for mandatory retention of data by third parties.”
- In 2022, South Africa’s Constitutional Court declared parts of RICA unconstitutional for failing to provide adequate safeguards for the collection of information for surveillance and ordered that it be reformed. While the applicants in AmaBhungane did not succeed in convincing the High Court, in an earlier stage of the case, to make a finding on the long period of storage of communication data, the judgment included an order for Parliament to amend the law to build new safeguards for data once it has been collected.(1)
Data retention is typically described as “the process through which governments and businesses (especially telecommunication and internet providers) record and store various data (usually related to individuals).”(2) As explained by Privacy International:(3)
“The practice of data retention involves the gathering and storing of communications data for extended periods for the purpose of future access. Metadata tells the story about your data and answers the who, when, what, and how of a specific communication.”
While the specific terms and definitions vary, most legal frameworks on data retention relating to communications provide for two categories of information – the ‘content’ of the communication itself, and information about the communication. This second category, often called communication data or communication metadata, includes a wide range of information which is often deeply revealing, such as the identities or identifiers of those involved, the times and durations of their interactions, locational information, and any technology or services involved. While data retention can be important for criminal investigations, it also gives governments more power to monitor the public and takes away the public’s rights to online privacy.(4) The practice of mandating the retention of communications data raises significant privacy, transparency and security concerns. In turn, this may affect the ways in which people exercise their rights online and risks leading to self-censorship.
It has been noted that: “Data retention laws are different from country to country, but they ultimately have the same goal: A better grip on the digital world at the expense of privacy and freedom of speech”.(5) Privacy International explains that the mass retention of individuals’ communications records, outside the context of any criminal investigation or business purpose, “amounts to the compilation of dossiers on each and every one of us, our friends, family and colleagues”.(6) Privacy International goes on to explain that:
“The potential harms associated with data retention and access are significant. In a context where the gathering and exploitation of data by private companies becomes increasingly privacy intrusive and widespread, data retention poses serious risks to individual privacy and data security. The data opens the door for governments and third parties to make intimate inferences about individuals, to engage in profiling and to otherwise intrude on people’s private lives. If the information is not properly protected there is the potential of unauthorised access to troves of information by third parties, including cyber-criminals.”
Most data protection frameworks provide that data should only be collected for specified, explicit and legitimate purposes and that such data should, in the ordinary course, be deleted when this is no longer the case. Additionally, data ought not to be kept for longer than it is needed. For example, article 5(1)(e) of the GDPR provides that personal data shall be–
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.
In general, there are two key factors that determine an appropriate data retention period: (i) the purpose for processing the data; and (ii) any legal or regulatory requirements for retaining it. In respect of the latter, various countries have mandatory data retention laws that require telecommunication and internet service providers to retain certain types of data – such as metadata – for stipulated periods of time.
Importantly, there have been at least two significant judgments of the CJEU — Digital Rights Ireland(7) and Tele2 Sverige AB(8) — that have reaffirmed the requirement that all data retention regimes must comply with the principles of legality, necessity and proportionality.(9) Appropriate safeguards are also needed to protect the data that has been retained.
Indefinite retention of DNA, fingerprints and photograph held to be in breach of privacy rights
The European Court of Human Rights’ (ECtHR) 2020 judgment of Gaughran v United Kingdom (application no. 45245/15) concerned a complaint about the indefinite retention of data (DNA profile, fingerprints and a photograph) of a man who had a spent conviction for driving with excess alcohol.
- The ECtHR held that there had been a violation of his privacy rights in terms of article 8 of the European Convention on Human Rights (European Convention).
- The ECtHR underlined that it was not the duration of the retention of data that had been decisive, but the absence of certain safeguards. In the applicant’s case, his personal data had been retained indefinitely without consideration of the seriousness of his offence or the need for indefinite retention, and without any real possibility of review.
- Noting that the technology being used had been shown to be more sophisticated than that considered by the domestic courts in this case, particularly regarding storage and analysis of photographs, the ECtHR considered that the retention of the applicant’s data had failed to strike a fair balance between the competing public and private interests.