LEGAL BRIEF | SEPTEMBER 2013

The spy who went into the cold

By Tammy Bortz, director and Hilah Laskov, associate

The recent furore around the unfettered access by the US government to personal data of individuals has drawn data protection laws out of the cold and into the harsh light of day. Is the personal information of South African individuals safe?

Introduction

Well-publicised whistle-blower, Edward Snowden (an erstwhile US government contractor), made allegations that the US government regularly intercepts and accesses the personal information of individuals processed in the US. It was further alleged that organisations such as The Guardian, Google, Facebook, Apple and Microsoft have worked with the National Security Agency (“NSA”) to provide ‘direct access’ to the back ends of their communicating systems so as to be able to easily access such data. In certain circumstances the US government is entitled to access personal information for foreign intelligence purposes, which was not the case here, alleged Snowden.

Both the US and RSA have legislation that allows governmental authorities to access personal data. The central issue is this: under what circumstances can the authorities legally access personal data?

Can the US government access personal information of SA citizens that is stored or processed in the US?

The US has laws which entitle the US authorities to access personal data of individuals; the most notable being the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, commonly known as the Patriot Act, and the Cyber Intelligence Sharing and Protection Act (“CISPA”).

CISPA allows for voluntary information sharing between private companies and the government in the event of a cyber-attack. For example, if the US government detects a cyber-attack that might take down Facebook, it is allowed to notify Facebook of the impending cyber-attack. Similarly, Facebook could inform the US government if it notices unusual activity on its networks that might suggest a cyber-attack. It has been argued that CISPA allows companies to easily hand over private information to the US government as the threshold for unusual activity is set too low, thus having the effect of overriding US privacy laws.

The Patriot Act permits US enforcement agencies to apply for what is called a FISA Order in terms of the Foreign Intelligence Surveillance Act (“FISA”) from the FISA Court. The FISA Order requires “the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities”.

If the FISA Order is granted, personal information of individuals (“Targeted Individuals”) can then be obtained by the US Authorities by serving the FISA Order on the company (“Target Company”) that holds the Targeted Individual’s personal information.

FISA Orders include a “gag provision”¹ which prohibits the Target Company that receives a FISA Order from disclosing that fact to Targeted Individuals. The effect is that personal data of Targeted Individuals may be handed over to US enforcement agencies without that individual’s knowledge or consent.

Applications of the Patriot Act

The Patriot Act only applies in respect of personal data (of a Targeted Individual) required for foreign intelligence investigations or to protect against international terrorism or clandestine intelligence activities, when the FISA Order was legally and validly obtained and when it is served on:

• an entity subject to US jurisdiction. A company will be considered to be under US jurisdiction when it conducts systematic business in the US and when it has “activities within the borders of the US”; or

• an entity that is in “possession, custody, or control” of the data being requested (irrespective of whether such data is stored or processed within the US or another country).

The major criticism following the Snowden allegations is that the US Authorities’ conduct was in direct contravention of the Patriot Act. Personal data was obtained by the US government that was unrelated to foreign intelligence or international terrorism and, in certain circumstances, without obtaining a FISA Order.

The provisions of the Patriot Act and CISPA would arguably result in a conflict with SA’s common law, the Constitution and the Protection of Personal Information Bill (once promulgated). Both a FISA Order obtained in terms of the Patriot Act and the sharing of cyber threat information in terms of CISPA would result in the disclosure of personal data without a data subject’s consent or knowledge.

¹ There is a similar provision in CISPA.

That being so, the Patriot Act can, indeed, legally be used to access personal data of SA Target Individuals if the Target Company is linked to the US (in the manner described above). This would be common, for example, where personal data is placed in a cloud and this cloud is located within the US.


Examples of SA laws that entitle the SA government to access personal data:

Regulation and Interception of Communications Act (“RICA”)

RICA regulates the interception of private communications between individuals. A communication includes communications via email, phone calls, letters or private and personal conversations between individuals. RICA prohibits such interception unless the person intercepting the communication has obtained the necessary legal authorisation, or one of two people to a given communication consents to this.

In this regard, RICA provides for various mechanisms through which SA authorities can access communications. Authorities can apply for an Interception Direction or a Real-Time Communication-Related Direction.

If granted, an Interception Direction would allow authorities to intercept at any place in SA, any communication in the course of its occurrence or transmission. If granted, a Real-Time Communication-Related Direction would order that a telecommunication service provider (which includes all network providers) provide real-time communication-related information in respect of any of its customers on an ongoing basis and as it becomes available. Real-time communication-related information means communication-related information which is immediately available to a telecommunication service provider (a) before, during, or for a period of 90 days after the transmission of an indirect communication; and (b) in a manner that allows the communication-related information to be associated with the indirect communication to which it relates.

Electronic Communications and Transactions Act (“ECT Act”)

The ECT Act allows employees of the Department of Communications (referred to as “cyber inspectors”), upon obtaining a warrant, to access an information system that has a bearing on an investigation to, for example:

• search such information system;

• access and inspect the operation of any computer or equipment forming part of an information system and any associated apparatus or material which the cyber inspector has reasonable cause to suspect is or has been used in connection with any offence; or

• use or cause to be used any information system or any part of a system to search any data contained in, or available to, such information system.

The ECT Act defines an “information system” as a system for generating, sending, receiving, storing, displaying or otherwise processing data messages and includes the internet.

Conclusion

While the provisions of the Patriot Act and the Snowden allegations have raised quite a stir about privacy laws, the SA government (and other foreign governments) have had the power to access personal information through various legislative avenues for a long time.

It is important for companies to understand how foreign and local legislation impacts on personal information it may process and to take all necessary steps to ensure data is protected as much as is legally permissible.

Meet the Authors

Tammy Bortz

Title: Director
Office: Cape Town
Direct line: +27 (0)21 405 5171
Fax: +27 (0)86 511 1343
Switchboard: +27 (0)21 405 5100

Tammy Bortz is a director of Werksmans Attorneys and heads up the firm’s Technology Law Practice. Tammy is a commercial lawyer who specialises in information technology (IT) law. Her expertise extends to drafting and negotiating all types of IT from complex outsourcing transactions and cloud agreements to simple terms and conditions; electronic data issues including cross border data transfer considerations; social media, preparing IT-related policies and procedures; preparing legal opinions on all aspects of IT Law and advising on regulatory compliance with numerous pieces of legislation.

She has represented technology vendors and their customers and has an excellent understanding of both perspectives. In addition, Tammy regularly presents at conferences on all aspects of Technology Law.

She has a BA LLB from the University of the Witwatersrand.

Hilah Laskov

Title: Associate
Office: Cape Town
Direct line: +27 (0)21 405 5174
Fax: +27 (0)11 535 8526
Switchboard: +27 (0)21 405 5100

Hilah Laskov is an associate in the Banking & Finance practice of Werksmans. She is a member of the Association of Certified Fraud Examiners (South African Chapter) and sits on the Executive Committee of the Cape Town Candidate Attorneys Association.

In 2013 Hilah was awarded the Rodman Ward prize for the best essay written on an aspect of Corporate Governance (University of Cape Town).

She holds a BA and an LLB, both from the University of Cape Town.

About Werksmans Attorneys

Established in the early 1900s, Werksmans Attorneys is a leading South African corporate and commercial law firm serving multinationals, listed companies, financial institutions, entrepreneurs and government.

Connected to an extensive African legal network through LEX Africa, the firm’s reputation is built on the combined experience of Werksmans and Jan S. de Villiers, which merged in 2009.

With a formidable track record in mergers and acquisitions, banking and finance, and commercial litigation and dispute resolution, Werksmans is distinguished by the people, clients and work that it attracts and retains.

Werksmans’ lawyers are a powerful team of independent-minded individuals who share a common service ethos. The firm’s success is built on a solid foundation of insightful and innovative deal structuring and legal advice, a keen ability to understand business and economic imperatives and a strong focus on achieving the best legal outcome for clients.

Go to www.werksmans.com for more information.

Follow us on Twitter (www.twitter.com/werksmans) and on Facebook (www.facebook.com/werksmans).

A member of the Lex Africa legal network

Keep us close

The Corporate & Commercial Law Firm
www.werksmans.com

Nothing in this publication should be construed as legal advice from any lawyer or this firm. Werksmans’ legal briefs should be seen as general summaries of developments or principles of interest that may not apply directly to specific circumstances. Professional advice should therefore be sought before any action is taken.