The spy who went into the cold
By Tammy Bortz, director and Hilah Laskov, associate
The recent furore around the unfettered access by the US government to personal data of individuals has drawn data protection laws out of the cold and into the harsh light of day. Is the personal information of South African individuals safe?
Introduction
Well-publicised whistle-blower, Edward
Snowden (an erstwhile US government
contractor), made allegations that the US
government regularly intercepts and accesses
the personal information of individuals
processed in the US. It was further alleged
that organisations such as The Guardian,
Google, Facebook, Apple and Microsoft have
worked with the National Security Agency
(“NSA”) to provide ‘direct access’ to the back
ends of their communicating systems so as to
be able to easily access such data. In certain
circumstances the US government is entitled
to access personal information for foreign
intelligence purposes, which was not the case
here, alleged Snowden.
Both the US and RSA have legislation that
allows governmental authorities to access
personal data. The central issue is this: under
what circumstances can the authorities legally
access personal data?
Can the US government access personal information of SA citizens that is stored or processed in the US?
The US has laws which entitle the US
authorities to access personal data of
individuals; the most notable being the
Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act,
commonly known as the Patriot Act, and the
Cyber Intelligence Sharing and Protection Act
(“CISPA”).
CISPA allows for voluntary information
sharing between private companies and the
government in the event of a cyber-attack.
For example, if the US government detects a
cyber-attack that might take down Facebook,
it is allowed to notify Facebook of the
impending cyber-attack. Similarly, Facebook
could inform the US government if it notices
unusual activity on its networks that might
suggest a cyber-attack. It has been argued
that CISPA allows companies to easily hand
over private information to the US government
as the threshold for unusual activity is set too
low, thus having the effect of overriding US
privacy laws.
LEGAL BRIEF | SEPTEMBER 2013
The Patriot Act permits US enforcement
agencies to apply for what is called a FISA
Order in terms of the Foreign Intelligence
Surveillance Act (“FISA”) from the FISA Court.
The FISA Order requires “the production of
any tangible thing for an investigation to
obtain foreign intelligence information not
concerning a United States person or to
protect against international terrorism or
clandestine intelligence activities”.
If the FISA Order is granted, personal
information of individuals (“Targeted
Individuals”) can then be obtained by the US
Authorities by serving the FISA Order on the
company (“Target Company”) that holds the
Targeted Individual’s personal information.
FISA Orders include a “gag provision”1 which
prohibits the Target Company that receives
a FISA Order from disclosing that fact to
Targeted Individuals. The effect is that personal
data of Targeted Individuals may be handed
over to US enforcement agencies without that
individual’s knowledge or consent.
Applications of the Patriot Act
The Patriot Act only applies in respect of
personal data (of a Targeted Individual)
required for foreign intelligence investigations
or to protect against international terrorism
or clandestine intelligence activities, when the
FISA Order was legally and validly obtained
and when it is served on:
• an entity subject to US jurisdiction. A
  company will be considered to be under
  US jurisdiction when it conducts
  systematic business in the US and when
  it has “activities within the borders of
  the US”; or
• an entity that is in “possession, custody,
  or control” of the data being requested
  (irrespective of whether such data is
  stored or processed within the US or
  another country).
The major criticism following the Snowden
allegations is that the US Authorities’ conduct
was in direct contravention of the Patriot
Act. Personal data was obtained by the US
government that was unrelated to foreign
intelligence or international terrorism and, in
certain circumstances, without obtaining a
FISA Order.
The provisions of the Patriot Act and CISPA
would arguably result in a conflict with
SA’s common law, the Constitution and the
Protection of Personal Information Bill (once
promulgated). Both a FISA Order obtained in
terms of the Patriot Act and the sharing of
cyber threat information in terms of CISPA
would result in the disclosure of personal
data without a data subject’s consent or
knowledge.
1 There is a similar provision in CISPA.
That being so, the Patriot Act can, indeed,
legally be used to access personal data of
SA Target Individuals if the Target Company
is linked to the US (in the manner described
above). This would be common, for example,
where personal data is placed in a cloud and
this cloud is located within the US.
Examples of SA laws that entitle the SA government to access personal data:
Regulation and Interception of Communications Act (“RICA”)
RICA regulates the interception of private
communications between individuals. A
communication includes communications
via email, phone calls, letters or private and
personal conversations between individuals.
RICA prohibits such interception unless the
person intercepting the communication has
obtained the necessary legal authorisation, or
one of two people to a given communication
consents to this.
In this regard, RICA provides for various
mechanisms through which SA authorities can
access communications. Authorities can apply
for an Interception Direction or a Real-Time
Communication-Related Direction.
If granted, an Interception Direction would
allow authorities to intercept at any place
in SA, any communication in the course of
its occurrence or transmission. If granted,
a Real-Time Communication-Related Direction
would order that a telecommunication service
provider (which includes all network providers)
provide real-time communication-related
information in respect of any of its customers
on an ongoing basis and as it becomes
available. Real-time communication-related
information means communication-related
information which is immediately available
to a telecommunication service provider (a)
before, during, or for a period of 90 days after
the transmission of an indirect communication;
and (b) in a manner that allows the
communication-related information to be
associated with the indirect communication to
which it relates.
Electronic Communications and Transactions Act (“ECT Act”)
The ECT Act allows employees of the
Department of Communications (referred
to as “cyber inspectors”), upon obtaining a
warrant, to access an information system
that has a bearing on an investigation to,
for example:
• search such information system;
• access and inspect the operation of any
  computer or equipment forming part of
  an information system and any associated
  apparatus or material which the cyber
  inspector has reasonable cause to suspect
  is or has been used in connection with any
  offence; or
• use or cause to be used any information
  system or any part of a system to search
  any data contained in, or available to, such
  information system.
The ECT Act defines an “information system”
as a system for generating, sending, receiving,
storing, displaying or otherwise processing
data messages and includes the internet.
Conclusion
While the provisions of the Patriot Act and
the Snowden allegations have raised quite a
stir about privacy laws, the SA government
(and other foreign governments) have had the
power to access personal information through
various legislative avenues for a long time.
It is important for companies to understand
how foreign and local legislation impacts
on personal information they may process and
to take all necessary steps to ensure data is
protected as much as is legally permissible.
Meet the Authors

Tammy Bortz
Title: Director
Office: Cape Town
Direct line: +27 (0)21 405 5171
Fax: +27 (0)86 511 1343
Switchboard: +27 (0)21 405 5100

Tammy Bortz is a director of Werksmans Attorneys and heads up the firm’s Technology Law Practice. Tammy is a commercial lawyer who specialises in information technology (IT) law. Her expertise extends to drafting and negotiating all types of IT from complex outsourcing transactions and cloud agreements to simple terms and conditions; electronic data issues including cross border data transfer considerations; social media, preparing IT-related policies and procedures; preparing legal opinions on all aspects of IT Law and advising on regulatory compliance with numerous pieces of legislation.
She has represented technology vendors and their customers and has an excellent understanding of both perspectives. In addition, Tammy regularly presents at conferences on all aspects of Technology Law.
She has a BA LLB from the University of the Witwatersrand.

Hilah Laskov
Title: Associate
Office: Cape Town
Direct line: +27 (0)21 405 5174
Fax: +27 (0)11 535 8526
Switchboard: +27 (0)21 405 5100
Nothing in this publication should be construed as legal advice from any lawyer or this firm. Werksmans’ legal briefs should be seen as general summaries of developments or principles of interest that may not apply directly to specific circumstances. Professional advice should therefore be sought before any action is taken.
Hilah Laskov is an associate in the Banking & Finance practice of Werksmans. She is a member of the Association of Certified Fraud Examiners (South African Chapter) and sits on the Executive Committee of the Cape Town Candidate Attorneys Association.
In 2013 Hilah was awarded the Rodman Ward prize for the best essay written on an aspect of Corporate Governance (University of Cape Town).
She holds a BA and an LLB, both from the University of Cape Town.