Compartmentalised data protection in South Africa: The right to privacy in the Protection of Personal Information Act

Abstract

In European Union (‘EU’) law, the entrenched right to data protection is an independent fundamental right. EU case law has gradually disconnected the right to data protection from the right to a private life. South Africa’s first exclusive data protection legislation, the Protection of Personal Information Act 4 of 2013 (‘POPIA’), is redolent of EU data protection legislation. However, the stated purpose of the POPIA is to give effect to the right to privacy. This article examines whether the laws of data protection can be wholly encapsulated within s 14 of the Constitution. To this end, this article considers two main conceptions of privacy in our law. The first is Neethling’s informational privacy and the reasonable expectation of privacy. The second is Rautenbach’s theory of informational control over personal matters in relation to other rights. On either approach, I argue that the substantive provisions of the POPIA are irreducible to privacy protection alone. Ultimately, framing the POPIA exclusively within the domain of privacy will either (i) unduly restrict legislative interpretation; or (ii) the true meaning of privacy will be diluted, leading to legal uncertainty. To avoid this, I suggest distinguishing between the value of privacy in the POPIA and the actual loss of privacy.