Law Research

Privacy and Data Protection laws in South Africa

The South African Bill of Rights states that everyone has the right to privacy, which includes the right not to have their person, home or property searched, their possessions seized or the privacy of their communications infringed (South African Government, 2009).

The same Bill of Rights states that everyone has the right of access to any information held by the state and “any information that is held by another person and that is required for the exercise or protection of any rights” (South African Government, 2009).

South Africa also has the Electronic Communications and Transactions Act (the “ECT Act”), which covers personal information obtained through electronic transactions. It defines a set of rules between the person the information is about and the person or organisation holding that information (the “data controller”). The Act states that the data controller must abide by all of the following points:

“(1) A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.

(2) A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

(3) The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

(5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(6) A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

(7) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

(8) The data controller must delete or destroy all personal information which has become obsolete.

(9) A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.” (South African Government, 2002).

In contrast to the UK, South Africa does not specifically have a Data Protection Act. If we look at the Data Protection Act 1998 for the United Kingdom (United Kingdom Government), we see that its section on “Rights of access to personal data” is almost the same as South Africa’s but contains a much more comprehensive overview of the subject.

Interestingly enough, the U.S. does not have a specific Data Protection Act. It has the “Privacy Act of 1974” and the “Computer Matching and Privacy Act”, but both apply only to personal information held by the government and do not cover other entities. The U.S. has another act, “The Privacy Act”, which can be described as follows: “The act set forth some basic principles of “fair information practice,” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It requires that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The act also requires federal agencies to publish an annual list of systems maintained by the agency that contain personal information.” (Stratford & Stratford, 1998).


South African Government (2009) Chapter 2 – Bill of Rights [Online]. Available from: (Accessed: 14 November 2010).

South African Government (2002) Electronic Communications and Transactions Act, 2002, No. 25 of 2002 [Online]. Available from: (Accessed: 14 November 2010).

Stratford, J.S & Stratford, J (1998) ‘Data Protection and Privacy in the United States and Europe’, IASSIST Conference, 21 May, Yale University. New Haven, Connecticut: University of California.

United Kingdom Government (1998) Data Protection Act 1998 [Online]. Available from: (Accessed: 14 November 2010).

10 replies on “Privacy and Data Protection laws in South Africa”

Do you think South Africa needs a Data Protection Act in the same line as the UK? Is there any Bill in the making? What are the pros and cons of not having this form of legislation? What material or comprehensive scholarly articles can I read on this subject on South Africa?

Hi Zakhele, thanks for the comment.

I definitely think it’s something that South Africa needs to curb spam and telemarketers. I think our closest match would be the Protection of Personal Information Bill (see, as well as the ECT Act – which I would consider is something that could form a Data Protection Act. I must admit I have not extensively read through the Protection of Personal Info Bill.

I think the pros go without saying, but one could argue that anything that restricts access to data could also restrict progress; data mining activities and so forth (which aren’t necessarily a bad thing).

For research I would recommend taking a look at EBSCOhost, they have a wealth of scholarly journals which cover a wide range of subjects – unfortunately it is a premium service but they do have a trial.

Hi Michael

South Africa signed with the EU but it was not ratified, does the fact that it was not ratified have any effect on the Bills and Acts that are in place?

Hi Melaney,

Thanks for your comment! To my knowledge ratification would be required for a bill to be passed, so it is my assumption that this should make the bills and acts invalid. Do you have any references where the details of this signed agreement between EU and SA are – that mention it not being ratified?

Hi. I am currently doing research on the barriers of SA firms adopting Big Data. Do you think that firms may see these laws as a barrier?

Hi Anton

Thanks for the comment. I think it depends on the firm and its end goals as to what they want to do with the data. The laws will most likely make the undertaking quite a bit more expensive, but then if you are one of the companies managing this data and in complete compliance with the law you may have a competitive edge.

So to answer your question I do think it will be a barrier, but I do believe it is a necessary one.

Dear sir,

Please, I need information or to advise me whom to write. It is about South African Law about internet privacy.

I was working in Johannesburg for 12 years. After I left the job, the new people took the official computer, invited an IT expert and took out my personal e-mails… They were getting my e-mails even 4 months after I left South Africa, until I changed my address to Gmail.

Are these nonlegal activities breaking the law? If yes, what can I do about it, and is there any possibility to go to court with those people?

Please also send a response to my e-mail address.

Thanking in advance,

D. J.
