Read this:

These are my personal notes. I make no representation that they are correct or studying them will help you pass
LCR409.
In fact, I make exactly the opposite representation: if you only use these notes to study, you will probably fail.
Make sure that you only use these notes as a staring point.

Defamation and the Internet

Definition
Defamation is the intentional infringement of another person's right to his good name. In other words, it is the
wrongful, intentional publication of words or behaviour concerning another person which has the effect of injuring his
status, good name or reputation.
Certain elements must be present:
1. the act (publication of words or behaviour)
2. an injury to personality (the defamatory effect of the words or behaviour)
3. wrongfulness (the infringement of the personality right to a good name)
a. Defences: privilege, truth and public interest, fair comment
4. intention (animus iniuriandi)
a. Defences excluding fault: mistake, jest
5. a causal connection between the act and the injury to personality.
Defamation on the Internet in South Africa
National Media v Bogoshi:
 strict liability of the media: rejected as incompatible with freedom of expression; replaced by liability based on
negligence.
 court will have to evaluate the defamatory allegation in view of the objective reasonableness of the publication

Three key questions i.t.o. law of defamation on the Internet is concerned:

1. When does publication occur?
2. Who is liable for the defamation?
3. Where does publication occur?
When does publication occur?
Publication: the objectionable statement or behaviour regarding the defamed person is made known to at least
one person other than the defamed individual.
As soon as the outsider becomes aware of the defamatory nature of the allegation or behaviour, the publication
requirement is fulfilled.
Who is liable for the defamation?
Once publication has taken place, plaintiff has to show that defendant was responsible for publication.
Defendant will be accountable for defamation if he was aware or could reasonably have expected that an outsider
would gain knowledge of the alleged defamation.
Not only the person from whom the defamatory allegation originated, but every person who repeats, confirms or
draws attention to it would in principle be responsible for its publication.
Thus: not only the author of a defamatory message or a defamatory allegation in, for example an online magazine,
will be held liable, but also the editor, printer, publisher and owner of that magazine.

There is a difference between an individual and the media in the degree of liability. Thus distinction:
1. mass media: online newspapers and magazines and other online news services
2. not mass media: senders of email messages and participants in real-time chat groups
3. bulletin boards and newsgroups:
a. no editorial control is exercised: postings probably not regarded as “mass media”.

Authors of defamatory email messages liable are liable, but possibly also employers.
Employers can be held vicariously liable for delicts committed by employees in course and scope of employment.
Whether employer will be held liable, will depend on surrounding circumstances. Important factor: whether
defamatory email was sufficiently connected to the employer's business or whether the employee was on a so-called “
frolic of his own”
Liability of ISPs for defamatory content
Liability of ISPs: to a large extent dependent on their function and role in the publication process and a distinction,
based on their respective functions is generally made between:
 authors, editors and publishers of the material , where some form of editorial control is usually exercised
  distributors linked to the distribution process such as hosts, and network and service providers
 common carriers who serve merely as conduits in the transmission and routing process (analogous to a post
office or telephone company), for example, access providers and possibly hosts, depending on their role in the
publication process

Position in the USA

History:
Cubby Inc v Compuserve: Cubby: complained that it had been defamed in a newsletter on a forum and instituted a
claim for defamation against CompuServe.
Court held: CompuServe qualified as a distributor of information and could therefore only be liable if they had
knowledge or ought to have had knowledge of the offending material.
Lack of evidence that CompuServe had any knowledge of the defamatory statements and the fact that it was not
feasible for the ISP to check every publication for potentially defamatory statements, the court held that the
defendant was not liable.

Stratton Oakmont Inc et al v Prodigy Services Company: Court held: Prodigy, should be held liable as a publisher,
rather than a distributor, for information published on the defendant’s bulletin boards.
Court argued that Prodigy was liable as a publisher of the defamatory content due to the following:
1. Prodigy held itself out to the public and its members as controlling the content of its bulletin board
2. Prodigy exerted editorial control over its content through the use of an automatic screening software program
and board leaders to enforce its content guidelines
Case was taken on appeal and overturned.

Current:
Lunney v Prodigy Services: ISPs could claim to be common carriers.
Liability of ISP was not decided by relying on the distinction between a publisher and a distributor and the
indemnity provided by section 230 of the CDA, but the court granted the ISP the common-law privilege usually given
to telephone and postal companies, namely, that of being a mere conduit or common carrier.
Court decided that Prodigy was not a publisher of messages but, rather, a passive conduit for the information,
similar to a telephone company and, therefore, not liable.

In USA a distinction is drawn between primary and secondary publishers: in the case of a secondary publisher
(mere distributor as in the case of an ISP), onus is on the claimant to prove fault by the secondary publisher.

The Communications Decency Act of 1996 section 230(c) of the Act: expressly provides that ISPs are not liable as
the publishers “of any information provided by another information content provider”.

Zeran v America Online: started trend of establishing broad immunity for ISPs from defamation liability under
Section 230(c) of the CDA.
Position in the UK
I.t.o. liability of ISPs in the UK, distinction is generally made between
1. publishers of defamatory material on, for example, bulletin boards
2. innocent disseminators of such material.

1. If considered to be publishers, i.t.o. principles of strict liability of publishers for defamation, may be found liable
for defamation without fault.
a. Will have to rely on the same defences available to an author, i.e. liability would depend on whether
alleged defamatory allegation was truthful, constituted fair comment, or was privileged.
2. If they can argue successfully that they do not take an active part in the actual process of communication, but
merely provide the means to make it possible, they may be able to rely on one of two defences, namely
a. The common-law defence of innocent dissemination, or
b. The statutory defence of innocent dissemination in terms of section 1 of the Defamation Act of 1996.

Common-law defence of innocent dissemination

Three elements of defence: Operator:
1. did not know that the network/bulletin board contained the libel in question
2. did not know that material on the network or bulletin board was of a nature likely to contain libellous material
3. did not lack knowledge of (1) and (2) above as the result of any negligence on the operator's part

Not a very useful defence:

1. ISP that becomes aware of the fact that, for example, a bulletin board is likely to contain defamatory
statements will not be able to rely on this defence
 2. ISP or operator that deliberately closes its eyes to the nature of the material on its bulletin boards or network
will probably not be able to escape liability
3. Decided in Laurence Godfrey v Demon Internet Limited that ISP that carries defamatory material on a
newsgroup or website is a publisher for the purposes of defamation law and is prima facie liable.

The statutory defence of innocent dissemination

Section 1 of the Defamation Act 1996:
1. In defamation proceedings a person has a defence if he shows that
a. he was not the author, editor or publisher of the statement complained of,
b. he took reasonable care in relation to its publication, and
c. he did not know, and had no reason to believe, that what he did caused or contributed to the
publication of a defamatory statement.
2. A person shall not be considered the author, editor or publisher of a statement if he is only involved
a. in processing, making copies of, distributing or selling any electronic medium in or on which the
statement is recorded, or in operating or providing any equipment, system or service by means of which
the statement is retrieved, copied, distributed or made available in electronic form;
b. as the operator of or provider of access to a communications system by means of which the statement
is transmitted, or made available, by a person over whom he has no effective control.
3. Employees or agents of an author, editor or publisher are in the same position as their employer or principal to
the extent that they are responsible for the content of the statement or the decision to publish it.

ISPs will thus escape liability if they can prove that:

1. they were only involved in operating or providing any equipment, system or service by means of which a
statement may be retrieved, copied, distributed or made available in electronic form, or
2. they were merely operators of, or providers of access to, communication systems by means of which
statements (made by persons over whom they have no effective control) are transmitted, or made available

Problem of relying on this defence: in order for it to succeed, ISPs also have to convince the court that
1. they took reasonable care in relation to publication of the statement complained of
2. they did not know, and had no reason to believe, that what they did caused or contributed to the publication of
a defamatory statement
Electronic Communications and Transactions Act of 2002
Chapter 11 of this Act provides for the limitation of liability of ISPs for transmitting, routing, temporarily storing,
caching and hosting of unlawful material & providing links to unlawful material in certain prescribed circumstances.
Definitions
Service provider: any person providing information system services.
Information system services: the provision of connections, the operation of facilities for information systems, the
provision of access to information systems, the transmission or routing of data messages between or among points
specified by a user and the processing and storage of data, at the individual request of the recipient of the service.
Sections
Section 72: limitation of liability will only apply to an ISP if ISP is a member of the industry representative body
and has adopted and implemented the official code of conduct of such a representative body.

Section 71: Minister will only recognise such an industry representative body if the Minister is satisfied that:
1. members are subject to a code of conduct;
2. membership is subject to adequate criteria;
3. the code of conduct requires continued adherence to adequate standards of conduct; and
4. the representative body is capable of monitoring and enforcing its code of conduct adequately.

Section 73: ISP acting as a mere conduit will be exempt from liability if certain requirements are fulfilled.
ISPs who store, transmit, route, or provide access to data through such activity will be exempt from liability if ISP:
1. does not initiate the transmission
2. does not select the addressee;
3. performs the functions in an automatic, technical manner without selection of the data; and
4. does not modify the data contained in the transmission.

Section 73(2): acts of transmission, routing and provision of access mentioned in this section must be performed
for the sole purpose of transmitting information.

Section 74(1): exempts ISP from liability if data is cached on the system of the ISP for the sole purpose of making
the onward transmission of the data more efficient as long as the ISP
 1. does not modify the data;
2. complies with conditions on access to the data;
3. complies with rules regarding updating of data;
4. does not interfere with the lawful use of technology to obtain information on the use of the data; and
5. removes or disables access to the data it has stored upon receiving a take-down notice referred to in section 77

Section 75(1): ISP that acts as a host of a website will be exempted from liability for damages arising from data
stored on the website:
1. as long as the ISP
a. does not have actual knowledge that the data message or an activity relating to the data message is
infringing the rights of a third party; or
b. is not aware of facts or circumstances from which the infringing activity or the infringing nature of the
data message is apparent; and
c. upon receipts of a take-down notification referred to in section 77, acts expeditiously to remove or to
disable access to the data.
2. Limitations on liability established by this section do not apply to a service provider unless it has designated an
agent to receive notifications of infringement and has provided through its services, including on its web sites in
location accessible to the public, the name, address, phone number and e-mail address of the agent.

Section 76: ISP will be exempted from liability for damages if the ISP refers or links users to a web page
containing an infringing data message “by using information location tools, including a directory, index, reference,
pointer or hyperlink, where the service provider:
1. does not have actual knowledge that the data message or an activity relating to the data message is infringing
the rights of that person;
2. is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data
message is apparent;
3. does not receive a financial benefit directly attributable to the infringing activity; and
4. removes or disables access to, the reference or link to the data message or activity within a reasonable time
after being informed that the data message or the activity relating to such data message, infringes the rights of
a person.

Section 77(1): Take-down notification. States that:

1. It must be in writing and addressed to the ISP (or his or her agent).
2. Complainant must include certain prescribed information, for example,
a. full particulars of the complainant,
b. the infringing material complained of and
c. the remedial action required to be taken by the ISP.
3. A person who lodges such a notification with an ISP while knowing that it materially misrepresents the facts,
will be liable for damages for wrongful take-down (s 77(2)).
4. An ISP will not be liable for wrongful take-down in response to a notification (s 77(3)).

No general obligation on ISPs who are members of the industry representative body and who provide the services
in terms of this Act to:
1. monitor the data they transmit or store
2. to actively seek facts or circumstances indicating an unlawful activity (s 78).

Implication of this legislation: if ISPs implement certain measures and notify their subscribers about these
measures, they will put themselves in a position to enter a so-called “safe harbour” where they will be exempted from
liability for damages arising from that objectionable material.
ISPs can be called to identify users
Defamed persons look to hold Internet intermediaries liable for material hosted, cached or carried by them.
Intermediary may:
1. offer the best hope of having the offending material removed from the Internet.
2. be the only deep pocket worth suing
3. be the only available and viable defendant
Position in the UK:
Compelling ISPs to disclose the identity of their subscribers:
Totalise v Motley Fool: stands as authority for the proposition that internet intermediaries can be ordered to
disclose the identity of their subscribers, where those subscribers have published material which is plainly defamatory.
Internet intermediaries may not in cases where the offending material gives rise to a strong prima facie case in
defamation refuse to respond to a request from a defamed person for access to information which would identify the
author of the offending material.
 Other means of ascertaining the author of a defamatory Internet publication
Takenaka Ltd v Frankl: parties agreed to submit a computer to an expert for examination. The expert produced a
lengthy report which concluded that, on the balance of probabilities, the defendant had sent the offending e-mail
messages.
John Doe: commencement of proceedings against a John Doe defendant, followed by issuing a subpoena against
the relevant intermediary to obtain material which uncovers John Doe’s identity.
Position in the USA
Melvin v. Doe: Court held that if the plaintiff could prove the identity of defendant was
1. material, relevant, and necessary,
2. cannot be obtained by alternative means, and
3. is crucial to plaintiff’s case
the First Amendment would not protect the anonymity of the defendant
Ampex case: Court ruled that plaintiffs in libel actions must prove that the allegedly libellous statement is in fact
libellous before the identity of the speaker will be revealed (practically problematic, if not impossible).
Position in SA:
Rath v Rees: court held:
1. Anton Piller procedure should not have been used in order to obtain evidence to disclose the identity of the
anonymous user.
2. Firm pressure on ISPs to assist a potential plaintiff by identifying names & addresses of users who have posted
defamatory allegations
3. If they do not cooperate: may find themselves being joined to an action for defamation as publishers of matter.
4. According to general principles of defamation law: publication = the repeating of defamatory allegations.
Where does publication take place on the internet?
General rule: publication takes place where the defamatory content is read, seen or heard, and is completed when
the receiver understands the content.
Precedent: Dow Jones & Co Inc v Gutnick: material on the Internet is deemed to have been published wherever it
is viewed online, rather than the country of origin. (Also view of the Court in Tsichlas v Touch Line Media (Pty) Ltd)
Governments have been negotiating to draft Hague Convention on Jurisdiction and Foreign Judgments in Civil and
Commercial Matters. Aim: to harmonise rules for cross-border litigation between private parties. Would require
signatory countries to agree to enforce legal judgments handed down in other countries.
Defamatory material en email
Defamation will probably occur at the place where the offending material is accessed.
Employer can be held liable for a delict committed by its employee, if it is proved that
1. the employee is in fact liable for the delict,
2. that an employer/employee relationship existed at the time the delict was committed and
3. that the delict was committed by the employee “in the course and scope of his or her employment”
Whether an employer will be held liable for e-mail messages sent by its employees will depend on all the facts and
the surrounding circumstances.
Most important point: determine whether the offending act was committed in pursuance of the execution of the
employer's business or whether the employee can be said to have engaged in a “frolic of his own”.
Remedies
1. If the plaintiff is successful in proving that the words referring to the plaintiff are defamatory, plaintiff can claim
satisfaction from the defendant.
2. Plaintiff who can prove financial loss as a result of the defamatory statement: entitled to an award for damages
3. Person who is confronted with a threatening infringement of the right to his good name can apply for an
interdict to restrain publication

Privacy
Interests that are threatened by the processing of personal information
Private law concerns itself with two interests that are jeopardised when personal information is processed:
1. a person's privacy and
2. a person’s identity.
Definitions
Personal information: Information is regarded as personal when it can be associated with a person.
Private information: if a person wants to keep it from the knowledge of outsiders, i.e. he or she does not want
other people to know about it)
All private information will be personal information, but not all personal information is necessarily private.
 Anonymous information: information that is collected about people in such a way that the information cannot be
linked to a specific person (cannot amount to a breach of privacy).
Sensitive personal information: refers to information that relates to the person's race or ethnic descent, political
convictions, religious beliefs and convictions, membership of a trade union, health and sex life.
Processing of data: includes any operation performed upon personal data, such as the collection, recording,
organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination,
alignment or combination, blocking, erasure or destruction of such data.
Data controller: the natural or juristic person, public authority, agency or other body that determines the purposes
for which and the means by which the data are processed.
Data user: a person who receives data and applies them for various purposes.
Data subject: a person whose personal data are processed, i.e. the person to whom the data relates.

Protection of the right to privacy and identity in the law of delict

Privacy
Definition
An individual condition of life characterised by exclusion from publicity. This condition includes all those personal
facts which the person himself or herself at the relevant time determines to be excluded from the knowledge of
outsiders and in respect of which he or she evidences a will for privacy.
When personal information on a person is processed, the person’s right to privacy is at stake.
Infringement of privacy
Since privacy implies an absence of acquaintance with a person or the person's personal affairs, privacy can be
infringed only by unauthorised acquaintance by outsiders with the person or his or her affairs.
Two ways in which such acquaintance may occur, namely:
1. Acquaintance/intrusion: if the outsider himself or herself becomes acquainted with the person or his affairs
a. Examples : entry into a private residence, secretly watching a person in closed quarters, reading private
documents, listening to private conversations, shadowing a person, taking unauthorised blood tests, and
the improper interrogation of a person by the police
b. Surfing the Internet and personal information is captured: we have to do with intrusion
2. Disclosure/revelation: if the outsider acquaints third parties with the individual or his or her personal affairs
which, although known to the outsider, remain private
a. Examples: the disclosure of private facts that have been acquired by a wrongful act of intrusion, the
disclosure of private facts contrary to the existence of a confidential relationship, and the publication of
private facts by the mass media
b. When personal data or information that has been captured are distributed/made known to other people
Grounds of justification
Presence of a ground of justification excludes the wrongfulness of an invasion of privacy.
Following grounds of justification are relevant in cases of infringement of privacy:
1. necessity
2. private defence
3. public interest (especially the public interest in information)
4. consent
a. If a legally competent person voluntarily gives his or her consent to a particular action, any subsequent
damage is justified and, therefore, lawful
b. can be unilaterally revoked at any stage before the action that has been agreed to takes place
c. can be given expressly (in words) or implicitly (by conduct)
d. passive acquiescence does not necessarily amount to consent
e. should be given voluntarily. Forced = invalid
f. only valid if that person fully understands and knows exactly what he is agreeing to.
g. must be given in advance
h. the actual individual concerned must grant this consent.
5. fair comment
6. privilege
7. protection of justifiable or legitimate private interests
a. justified for a person or institution to process personal information to protect a legitimate justifiable
private interest of the person or institution, for instance, a business interest
b. data processing must remain within limits, otherwise it is unreasonable and therefore wrongful.
c. unnecessary or irrelevant information may not be collected.
d. business should not retain information longer than necessary/longer than any legal provision requires
e. information may not be used for any other purpose than that for which it was collected
8. protection of justifiable or legitimate public interests.
 a. may be done by either private individuals or the state, i.e.
i. press may process personal information to promote the public interest in information.
ii. bank may reveal personal information about a client to promote the public interest in the
prevention of crime.
b. when state processes personal information to protect the public interest, authority to do so is usually
provided by a law
c. processing of
d. personal information by the state is essential for the proper functioning of the state administration

Any law that authorises the processing of information can be tested against the Constitution: the processing of the
data may not exceed the extent that the law authorises, otherwise the processing will be wrongful.
Intention
1. When wrongfulness of the privacy infringement has been established, a presumption of animus iniuriandi
arises, which may be rebutted by the defendant
2. Presumption of animus iniuriandi may be rebutted by defences such as rixa, jest or mistake.
Remedies
1. actio iniuriarum (mend injury to his or her personality)
2. actio legis Aquiliae (patrimonial loss)
3. interdict (prevent (further) damage)

Identity
Definition
A person's uniqueness or individuality which identifies or individualises him or her as a particular person and thus
distinguishes him or her from others. Identity is manifested in various indicia by which that particular person can be
recognised, in other words facets of personality which are characteristic of or unique to that person, such as his or
her life history, character, name, creditworthiness, voice, handwriting, appearance (physical image), et cetera.
Recognised as an independent personality right by SCA in Grutter v Lombard.
Ways of infringing identity
Identity is infringed if indicia are used in a way that does not reflect the person's true (own) personality image.
Following two forms of wrongful identity infringement may serve as guidelines for the development of
infringement of identity as an iniuria:
1. the public falsification of the personality image (described as “publicity which places the plaintiff in a false light
in the public eye”, or “false-light tort”)
2. the economic misappropriation of identity indicia, especially for advertising purposes (described as
“appropriation, for the defendant's advantage, of the plaintiff's name or likeness”, or “appropriation tort”)
Infringement by data processing: The processing of personal information will be an infringement of a person’s
right to identity when false information is processed about a person.
Difference between infringement of privacy and infringement of identity
Privacy:
True facts about the person are made known against his or her will: privacy is infringed
True private information re a person is processed/transmitted on the Internet: person's right to privacy is at stake
Identity
False use is made of the person's indicia: identity is infringed.
False or untrue information about him or her is processed or transmitted: person's right to identity is infringed
Wrongfulness and grounds of justification
Wrongfulness:
Wrongfulness of an infringement identity: determined by means of the boni mores / reasonableness criterion.
Wrongful in principle:
1. fixation of false information
2. the mass publication of false facts about a person
Grounds of justification:
Ground of justification excludes wrongfulness of an invasion of the right to identity.
Justifications:
1. Appropriation situation:
a. Consent
2. Identity infringement
a. necessity
b. self-defence
 c. privilege
d. public interest (especially the public interest in information)
False or misleading data are not reasonably required to protect a justifiable interest. Therefore, for this reason, it
should not be permissible to save or use false or misleading data.
Intention
1. When wrongfulness of the identity infringement has been established, a presumption of animus iniuriandi
arises, which may be rebutted by the defendant
2. Presumption of animus iniuriandi may be rebutted by defences such as rixa, jest or mistake.

Juristic persons and personality rights

1. Dhlomo v Natal Newspapers: confirms that juristic persons / legal persons are entitled to personality rights.
2. Financial Mail v Sage Holdings: Appellate Division decided: a juristic person is entitled to a right to privacy.
3. Neethling: a juristic person can have a right to identity too.
4. Reason why personality rights can be extended to juristic persons: injured feelings do not constitute a
requirement for the infringement of these personality rights.
5. When a juristic person's personal information is collected wrongfully, the juristic person can institute an action
for infringement of personality.

Data Protection
Data protection: refers to: a group of policies designed to regulate the collection, storage, use and transmission of
personal information.
SA does not have data-protection legislation, though most developed countries do.
History:
1981 COE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
(the Convention)
1981 OECD Guidelines governing the protection of privacy and transborder flows of personal data
(OECD Guidelines)
1990 UN Guidelines concerning computerized personal data files
1995 EU Directive on the protection of individuals with regard to the processing of personal data and on the
free movement of such data
(the Directive)

The Directive:
1. the most prominent document in the data protection arena.
2. binding on all EU member states
3. prescribes that member states must prohibit the transfer of personal data to non-member countries that do not
ensure an adequate level of data protection.
4. all the circumstances surrounding data transfer to non-member countries must be taken into account when
assessing the adequacy of the level of protection afforded by a third country.
5. Factors that must be taken into account:
a. the nature of the data
b. the purpose and duration of the proposed processing operation or operations
c. the country of origin and the country of final destination
d. the rules of law in force in the third country in question
e. the professional rules and security measures that are complied with in that country
6. Derogations from the prohibition on transfer of data to third countries without adequate protection for privacy
in the following circumstances:
a. data subject has unambiguously consented to the proposed transfer
b. transfer is necessary for the performance of a contract between the data subject and the controller or
the implementation of precontractual measures taken in response to the data subject's request
c. transfer is necessary for the conclusion or performance of a contract, concluded in the interest of the
data subject, between the controller and a third party
d. transfer is necessary or legally required on important public interest grounds, or for the establishment,
exercise or defence of legal claims
e. transfer is necessary in order to protect the vital interests of the data subject
f. transfer has been made from a register established by law and intended for consultation by the public
or persons having a legitimate interest
g. where the controller provides adequate safeguards for the protection of the privacy and fundamental
rights and freedoms of individuals. This might be done by means of appropriate contractual clauses.
Principles of data protection
All data-protection laws have certain basic rules or principles in common (referred to as “data-protection
principles” or “fair-information principles”).
OECD Guidelines spell out the following data-protection principles:
1. Openness (or transparency) principle
a. Requires: a general policy of openness about developments, practices & policies regarding personal data
b. Means should be readily available to establish the existence and nature of personal data, the main
purposes for which it is used, as well as the identity and usual residence of the data controller.
2. Purpose-specification principle
a. Linchpin of two other principles: the collection-limitation and the use-limitation principles.
b. Requires: purpose for which personal data is being collected should be specified no later than at the
time of data collection.
c. Subsequent use of data: limited to the fulfilment of that purpose / another compatible with it
d. Data no longer serves the purpose for which collected: should be erased / given in anonymous form.
3. Limitation of collection principle
a. Requires: there should be limits to the collection of personal data and that any such data should be
obtained by lawful and fair means and, if appropriate, with knowledge or consent of the data subject.
b. Special provisions should be made in case of information which is regarded as being especially sensitive
in nature. E.g. information relating to race, gender, sex, health or religion.
4. Limitation-of-use principle
a. Requires: personal data should not be disclosed, made available or otherwise used for purposes other
than those specified in accordance with the purpose-specification principle, except with the consent of
the data subject or by the authority of law.
5. Data-quality principle
a. Requires: personal data should be relevant to the purposes for which it is to be used, and, to the extent
necessary for those purposes, and should be accurate, complete and kept up to date.
6. Individual-participation principle
a. Individuals should have the right to:
i. obtain from a data controller confirmation of whether or not data controller has data relating to
them, and to have such data communicated to them
ii. be given reasons if a request is denied, and to be able to challenge such denial.
iii. challenge data relating to them and, if challenge is successful, have the data erased, rectified,
completed or amended. Thus entails: right to access, right to reasons and right to challenge
7. Security-safeguards principle
a. Personal data should be protected by reasonable security safeguards against such risks as loss or
unauthorised access, destruction, use, notification or disclosure of data.
8. Accountability principle
a. Data controller should be accountable for complying with measures that give effect to the principles
stated above.
Draft Bill on the Protection of Personal Information
Proposed Bill:
1. protects privacy of data subjects by prohibiting the processing of their personal information other than in
accordance with the conditions set out in the proposed Bill.
2. is a comprehensive, general law that governs the processing of personal information by both the public and the
private sectors with an oversight body that ensures compliance with the provisions of the proposed Bill.
3. makes provision for information protection officers to assist the oversight body
4. general provisions of the Bill can be made more specific for a particular profession by drawing up a code of
conduct for that particular industry, profession etc.
5. penalises any activity that is considered to be an interference of the protection of personal information in
addition to providing for civil remedies.
6. will also apply to the processing of personal information on the Internet
7. will in due course replace the provisions of the Electronic Communications and Transactions Act 25 of 2002
Objects of Bill
1. To give effect to the constitutional right to privacy by safeguarding a person's personal information when
processed by public and private bodies
2. To establish voluntary and mandatory mechanisms or procedures which will be in harmony with international
prescripts and which will, while upholding the right to privacy of personal information, at the same time
contribute to economic and social development in an era in which technology increasingly facilitates the
circulation and exchange of information
3. To promote transparency, accountability and effective governance of all public and private bodies by
empowering and educating all persons to understand their rights in terms of the Act in order to exercise their
rights in relation to public and private bodies
Scope
Determined by its definitional framework and its application provisions.
Bill applies to the
1. processing of
2. personal information
3. on a data subject
4. by
a. a data controller or
b. a data processor on behalf of the data controller

Bill's definition of “personal information”: information about an identifiable, natural person, and in so far as it is
applicable, an identifiable, juristic person.

Personal information:
1. the person must be “identifiable”
2. personal information of both natural and juristic persons is protected
3. PAI Act and the proposed Bill's definitions of personal information correspond, since the two pieces of
legislation are closely related
Data subject: the person to whom the personal information relates.
Responsible party: the natural/juristic person/administrative body/any other entity which, alone/in conjunction with
others, determines the purpose of and means for processing personal information. Synonymous with “data controller”.

Processing types exclusions:

1. Processing of personal information
a. in the course of a purely personal or household activity;
b. that has been de-identified to the extent that it cannot be re-identified again;
c. that has been exempted from the application of the information principles in terms of sec 33.
Information Protection Commission may exempt processing operations if the Commission is satisfied
that, in the special circumstances of the case
i. the public interest in that processing outweighs, to a substantial degree, any interference with
the privacy of the data subject that could result from that processing; or
ii. processing involves a clear benefit to the data subject/a third party that outweighs any
interference with the privacy of the data subject/third party that could result from processing
Conditions for processing personal information
Processing of personal information can only be done lawfully if the responsible party complies with eight
information protection principles:
1. Processing limitation
a. should be a ground of justification for the processing (such as consent)
b. limits are imposed by
i. the requirement of minimality (personal info is adequate, relevant, and not excessive)
ii. the requirement that personal information should be collected directly from the data subject
2. Purpose specification
a. personal information can only be processed lawfully if the personal information is collected for a specific,
explicitly defined and legitimate purpose
c. data subject should be made aware both of the purpose and the intended recipients of the information
d. records of personal information may not be kept in a form which allows the data subject to be identified
for any longer than is necessary for achieving the original purpose
3. Further processing limitation
a. Personal information must not be further processed in a way incompatible with a purpose for which it
has been collected in terms of principle 2
b. Responsible party must determine the compatibility of the further processing with the original purpose
by looking at the following aspects:
i. relationship between the purpose of the intended further processing and the purpose for which
the information has been obtained;
ii. the nature of the information concerned;
iii. the consequences of the intended further processing for the data subject;
iv. the manner in which the information has been obtained
v. any contractual rights and obligations existing between the parties.
4. Information quality
a. responsible party must take reasonably practicable steps to ensure that the personal information is
complete, not misleading, up to date and accurate
 b. the image created by the information should not be misleading and should give a complete picture of
the person's situation
c. The responsible party should only have taken “reasonably practical steps to ensure accuracy
5. Openness
a. Requires of the responsible party to notify the Commission and the data subject of the planned
processing of personal information, if reasonably possible before such processing takes place
6. Security safeguards
a. Requires the responsible party to implement appropriate technical & organisational measures to secure
vi. the integrity of personal information and
vii. against the unauthorised or unlawful access to or processing of personal information
e. Following measures should be taken by responsible party to comply with the safeguards principle:
i. identify all reasonably foreseeable internal and external threats to personal information in its
possession or under its control;
ii. establish and maintain appropriate safeguards against the risk identified;
iii. regularly verify that the safeguards are effectively implemented; and
iv. ensure that the safeguards are continually updated in response to new risks or deficiencies in
previously implemented safeguards
7. Individual participation
a. Right of access to personal information in the proposed Bill gives the data subject three entitlements:
v. to obtain (free of charge) confirmation of whether or not the responsible party holds personal
information about him/her/it
vi. to have communicated to him/her/it, after having provided adequate proof of identity, the
particulars of the personal information held, including information as to the identity of all
persons who have had access to the personal record (this should be done within a reasonable
time and in a reasonable manner and in a generally understandable form; if a charge is made, it
should not be excessive)
vii. to be advised that the data subject may request the correction of information.
8. Accountability
a. Responsible party must ensure that the measures that give effect to the information protection
principles set out in this Act are complied with
Sensitive information
Sensitive personal information may in general be processed where
1. this is carried out with the express consent of the data subject;
2. the information has manifestly been made public by the data subject;
3. this is necessary for the establishment, exercise or defence of a right in law;
4. this is necessary to comply with an obligation of international public law, or
5. this is necessary with a view to an important public interest (in this case appropriate guarantees must have
been put in place to protect individual privacy and the processing is provided for by law or else the Commission
has granted an exemption).

May also be processed for the purpose of scientific research or statistics where:
1. the research serves a public interest,
2. the processing is necessary for the research or statistics concerned,
3. it appears to be impossible or would involve a disproportionate effort to ask for express consent, and
4. sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy
of the data subject to a disproportionate extent
Supervision of proposed Bill by Information Protection Commission
Commission must:
1. promote an understanding & acceptance of information privacy principles and of the objects of those principles
2. monitor
a. compliance by public and private bodies of the provisions of this Act,
b. developments in information processing and computer technology to ensure that any adverse effects of
such developments on the protection of the personal information of persons are minimised
c. the use of unique identifiers of data subjects
3. consult with persons and bodies concerned with the protection of information privacy
4. act as mediator between opposing parties on any matter that concerns the need for action by one person in the
interests of the protection of the personal information of another person
5. provide advice to a Minister or a public or private body on their obligations under the provisions of the Act
6. receive and investigate complaints about alleged violations of the protection of personal information and make
reports to complainants
7. attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation
8. serve notices in terms of the Act to further promote the resolution of disputes
 9. report to the Minister on the desirability of the acceptance, by South Africa, of any international instrument
relating to the protection of the personal information of a person, and draw the Minister's attention to other
matters the Commission deemed necessary.
10.maintain an up-to-date register of the information processing notified to it
11.investigate troublesome planned processing activities before the processing starts

Commission may from time to time issue codes of conduct:

1. Flexible approach should be followed in which industries will develop their own codes of conduct which will be
overseen by the regulatory agency.
2. Individual codes of conduct for specific sectors may be drawn up on the initiative of the specific sector or of the
Commission itself.
3. Includes the possibility of making provision for an adjudicator to be responsible for the supervision of
information protection activities in the sector.
4. Commission will retain oversight authority
Civil remedies
Data subject may institute a civil action against a responsible party who has contravened any provision of the
proposed Act.
Commission may also institute the action on behalf of the data subject if the data subject requests this
Data subject/Commission) may claim compensation for patrimonial and non-patrimonial damages suffered by the
data subject in consequence of the contravention.
Punitive damages may also be claimed
Criminal offences and penalties
Bill creates several offences:
1. Failure to notify the Commission of processing
2. Failure to comply with an information notice or an enforcement notice
3. Obstruction of the Commission in the performance of its duties and functions
4. the obstruction of the execution of a warrant
Penalties
1. Obstructing the Commission in its functions:
a. Fine or imprisonment for a period not exceeding 10 years / to both a fine and imprisonment.
2. Any other case:
a. Fine or imprisonment for a period not exceeding 12 mo. / both a fine & imprisonment may be imposed
Automated decision making or profiling
Profiling: the inference of a set of characteristics, (profile) about an individual person or collective entity and the
subsequent treatment of that person/entity or other persons/entities in the light of these characteristics. The set of
characteristics will typically relate to the behaviour (actual or expected) of a person/entity.
Bill: No one may be subject to a decision to which are attached legal consequences for him, or which affects him
or her to a substantial degree, where this decision has been taken solely on the basis of the automated processing of
personal information intended to provide a profile of certain aspects of his or her personality or personal habits .

Exceptions: Provisions of subsection (1) do not apply where the decision referred to therein:
1. has been taken in connection with the conclusion or execution of a contract, and
a. the request of the data subject in terms of the contract has been met; or
b. appropriate measures have been taken to protect the data subject's lawful interests; or
2. is based on a law or code of conduct in which measures are laid down for protecting the lawful interests of data
subjects.

Transborder information flows

A responsible party in South Africa may transfer personal information about a data subject to someone (other than
the responsible party or the data subject) who is in a foreign country only if:
1. the recipient of the information is subject to a law, binding scheme or contract which effectively upholds
principles for fair handling of the information that are substantially similar to the Information Protection
Principles set out in Chapter 3 of this Act; or
2. the data subject consents to the transfer; or
3. the transfer is necessary for the performance of a contract between the individual and the organisation, or for
the implementation of pre-contractual measures taken in response to the data subject's request; or
4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the
individual between the organisation and a third party; or
5. all of the following apply:
a. the transfer is for the benefit of the individual;
 b. it is reasonably impracticable to obtain the consent of the data subject to that transfer;
c. if it were reasonably practicable to obtain such consent, the individual would be likely to give it.

National Credit Act

Contains provisions regulating information privacy in the consumer credit sector in South Africa.
Act was introduced to:
1. promote a fair and non-discriminatory marketplace for access to consumer credit and for that purpose to
provide for the general regulation of consumer credit
2. improve standards of consumer information
3. regulate credit information

Act provides that:

1. a person, who receives, compiles, retains or reports confidential information pertaining to a consumer or
prospective consumer, must protect the confidentiality of that information
2. In order to protect such confidentiality, the Act provides that the person must in particular do two things:
a. use the information only for a purpose permitted or required by the Act or other legislation
b. report or release the information only to the consumer him- or herself.
3. information may be released to a third party only if
a. such third party is permitted by legislation to receive it, or
b. if the consumer has instructed the release, or
c. if the Court or the Tribunal established in terms of the NCA orders the release
4. failure to comply with a compliance notice issued to enforce these provisions, amounts to an offence

Act does not specifically require that the purpose for which the information is collected should be spelled out
before the collection takes place, but it is clear that the scope of the Act itself limits the purposes for which consumer
credit information can be used to consumer credit purposes

National register
1. National Credit Regulator must establish and maintain single national register of outstanding credit agreements
2. Whenever a credit provider enters into a credit agreement with a consumer, the credit provider must supply
certain information to either a credit bureau, or to the national register. Includes information about
a. the credit provider
b. the consumer, such as the name, address, identifying number
c. the credit provided, such as the credit limit, the principal debt involved and date on which the
agreement will come to an end
3. The termination or satisfaction of any credit agreement must also be reported
4. Any information reported to a credit bureau, must be given on by the credit bureau to the national register
5. National register of credit agreements will assist in making data processing in credit industry more transparent

Credit bureaus
CBs have certain duties in respect of consumer credit information:
1. take reasonable steps to verify the accuracy of such information reported to them
2. retain such information for prescribed periods
3. maintain consumer credit records in accordance with prescribed standards
4. expunge information that is not permitted to be stored
5. report to any person who requires it for a prescribed purpose or a purpose contemplated in the Act
6. may not knowingly or negligently provide a report containing inaccurate information.

Every person has the right to be advised of the fact that a credit provider is going to report adverse information on
him or her to a credit bureau, and to be given a copy of the information upon request.

Access & challenge

1. Act extends rights to access and challenge credit records and credit information to all persons
2. Person also has the right to inspect any credit bureau file or information concerning that person once a year
without being charged for such access.
3. Additional access opportunity exists if person is following up after successful challenge of accuracy of the info
4. Person may also have further access to records upon paying an access fee
5. Person may challenge the accuracy of any information concerning that person in a proposed report or in the
records of a credit bureau or national credit register
a. Once a challenge is made, the credit provider, credit bureau or national credit register must take
reasonable steps to seek evidence in support of the challenged information.
b. If credible evidence is not found, the information and all record of it must be removed from its files
 c. If such information is found and the challenge does not succeed, the person may apply to the NCR to
investigate the disputed information
d. Challenged information may not be reported until the challenge has been resolved

Refusal
Credit provider, who refuses credit to a consumer, must
1. advise the consumer of the dominant reason for refusing credit.
2. if decision is based on an adverse credit record received from a credit bureau, the consumer must be supplied
with the name and contact details of the credit bureau
3. provision will enable a consumer to request access to the records of the particular credit bureau and to
challenge inaccurate information in its records.

Data protection principles and the Internet

Data-protection principles that are most likely to be infringed in the Internet environment are:
1. the principles that require the specification of the purpose of the data for collection
2. the consent of individuals in connection with the treatment of their personal information
3. the transparency of data practices for individuals, including awareness of data collection and access to stored
personal information
4. special protection for sensitive data
5. the establishment of enforcement remedies and mechanisms
SA position: Electronic Communications and Transactions Act 25 van 2002 (ECTA)
Section 50: determines the scope of the protection
Section 51: provides for principles that should be adhered to when personal information is collected electronically.
Scope: applies to personal information on natural persons that has been obtained through electronic transactions
after the introduction of the Act.
ECTA enumerates principles that a data controller who electronically collects personal information can comply with
voluntarily by stipulating this in an agreement with the data subject
Principles for electronic processing of personal information
Section 51 lists 9 principles that data controllers should adhere to when collecting personal information
electronically:
1. Express written consent of data subject must be given before data controller may collect, collate, process or
disclose personal information on data subject, unless data controller is permitted/required by law to process
data
2. data controller may not:
a. electronically request, collect, collate, process or store personal information on a data subject that is not
necessary for the lawful purpose for which the personal information is required
b. data controller may not use the personal information for any other purpose than the disclosed purpose
without the express written permission of the data subject, unless he or she is permitted or required to
do so by law
c. disclose to a third party any of the personal information it held, unless required or permitted by law or
specifically authorised to do so in writing by the data subject
3. data controller must:
a. disclose in writing to the data subject the specific purpose(s) for which any personal information is
being requested, collected, collated, processed or stored.
b. keep a record of the personal information and the specific purpose for which the personal information
was collected, for as long as the personal information is used and for a period of at least one year
thereafter
c. for as long as the personal information is used and for a period of at least one year thereafter, keep a
record of any third party to whom the personal information was disclosed and of the date on which and
the purpose for which it was disclosed
d. delete or destroy all personal information that has become obsolete
4. data controller may:
a. use the personal information to compile profiles for statistical purposes and to trade freely with such
profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific
data subject by a third party

Examples of privacy infringement in cyberspace

Collection of personal information
After personal information has been collected, it can be put to different uses, i.e. spam / building user profiles.
Spam
1. When one receives junk e-mail that is disturbing to one's peace of mind, the iniuria that is committed is an
infringement of one's right to feelings.
2. Bulk sending of unsolicited e-mail poses a threat to privacy because an e-mail address contains personal info.
3. An individual's privacy is infringed when his or her e-mail address is freely circulated in countless directories.

ECTA does not prohibit spam, but contains provisions to regulate it:
1. Section 45(1)(a): provides that a person who sends unsolicited commercial communications to consumers must
provide the consumer with the option of cancelling his or her subscription to the mailing list of that person.
2. Section 45(1)(b): provides further that such person must provide the consumer with the identifying particulars
of the source from which the person obtained the consumer's personal information, on request of the
consumer.
a. Once the recipient of the spam has received the identifying particulars of the source, he or she can
institute a civil claim for privacy infringement if the elements of the delict can be proven.
3. If a “spammer” fails to comply with the provisions of section 45(1), he or she is guilty of an offence and liable
to a fine or imprisonment not exceeding 12 months.
Cookies
Used for tracking personal information on the web: a small file containing an ID number that is placed on the
user's hard drive by a website and which helps websites to track users over a session.
Informs website if a user returns to a website & can allow the site to track user’s activities across many websites.
Use of a “cookie” can infringe on the individual's privacy:
1. The information in the “cookie” (i.e. IP address) combined with other information that is provided by the ISP,
can identify an individual user.
2. Consequently, this information can be typified as personal information. If personal information is collected, it
must comply with the data-protection principles.
3. Where the user of the Internet is not aware that “cookies” of information about him or her are being collected,
this does not comply with the principles of data protection, which require that the data subject must be
informed that his or her personal information is being gathered, the reason for this and what it will be used for
Interception of electronic communications
Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002
(RICPCIA)
RICPCIA prohibits the interception of any communication, unless allowed by the Act.
Definitions:
Communication: includes both a direct communication and an indirect communication (email).
Indirect communication: is defined as the transfer of information in the form of speech, data or text, signals, et
cetera, that is transmitted in whole or in part by means of a postal service or a telecommunication system.
Direct communication: communication between two or more persons that occurs face to face.
The Act allows the interception of communication in the following situations:
1. under an interception direction
2. by a party to the communication
3. to prevent serious bodily harm
4. for purposes of determining location in case of an emergency
5. where authorised by certain other Acts
6. with the consent of a party to the communication
7. interception of indirect communication in connection with carrying on of a business
a. be used to enter into a transaction in the course of that business;
b. otherwise relate to that business; or
c. otherwise take place in the course of the carrying on of that business.

A person may only intercept an indirect communication in terms of section 6(1) if

1. the system controller consents to such interception;
2. the interception is for certain purposes (i.e., monitor/keep a record in order to establish the existence of facts)
3. the telecommunication system concerned is provided for use wholly or partly in connection with that business
4. the system controller has made all reasonable efforts to inform in advance a person who intends to use the
telecommunication system concerned that indirect communications transmitted by means thereof may be
intercepted, or if such indirect communication is intercepted with the express or implied consent of the person
who uses that telecommunication system
Cybercrime
Electronic Communications and Transactions Act
Chapter XIII of the ECT Act establishes the following cyber crimes.
Unauthorised access to, interception of or interference with data
Section 86 of the Act provides that
1. ... a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty
of an offence.
2. A person who intentionally and without authority to do so, interferes with data in a way which causes such data
to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
3. A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or
possesses any device, including a computer program or a component, which is designed primarily to overcome
security measures for the protection of data, or performs any of those acts with regard to a password, access
code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section,
is guilty of an offence.
4. A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully
overcome security measures designed to protect such data or access thereto, is guilty of an offence.
5. A person who commits any act described in this section with the intent to interfere with access to an
information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty
of an offence.
Computer-related extortion, fraud and forgery
Section 87 of the Act provides that:
1. A person who performs or threatens to perform any of the acts described in section 86, for the purpose of
obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by
undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
2. A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful
advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were
authentic, is guilty of an offence.

Attempt, and aiding and abetting

Section 88 of the Act provides
1. a person who attempts to commit, or who aids and abets someone to commit an offence, as detailed in
Sections 86 and 87, is guilty of an offence.

The penalties range from a fine to imprisonment for a period not exceeding five years, depending on the offence
committed. Intent is the form of culpability required in respect of the unauthorised access to, interception of or
interference with data.

Search & seizure

Cyber inspector's power to inspect, search and seize is derived from Section 82 of the Act:
1. A cyber inspector may ... on the authority of a warrant ... enter any premises or access any information system
that has a bearing on an investigation and -
a. search those premises or that information system;
b. search any person on those premises if there are reasonable grounds for believing that the person has
personal possession of an article, document or record that has a bearing on the investigation;
c. take extracts from, or make copies of any book, document or record that is on or in the premises or in
the information system and that has a bearing on the investigation;
d. demand the production of and inspect relevant licences and registration certificates as provided for in
any law;
e. inspect any facilities on the premises ... which have a bearing on the investigation;
f. have access to and inspect the operation of any computer or equipment forming part of an information
system ... which the cyber inspector has reasonable cause to suspect is or has be en used in connection
with any offence;
g. use or cause to be used any information system ... to search any data ...;
h. require ... any person in control of, or otherwise involved with the operation of the computer ...to
provide ... reasonable technical ... assistance
Evidence
ECT Act repeals the Computer Evidence Act.
Regulates in respect of the admissibility and evidential weight of data messages in all legal proceedings.
Act provides that the rules of evidence must not be applied to deny the admissibility of a data message purely
because it is constituted by a data message; or on the grounds that it is not in its original form if it is the best
evidence that the person adducing it can obtain.
 Information in the form of a data message must be given due evidential weight, having regard to
1. the reliability of the manner in which the data message was generated, stored or communicated;
2. the reliability of the manner in which the integrity of the data message was maintained;
3. the manner in which its originator was identified; and
4. any other relevant factor.

A data message made in the ordinary course of business, or a copy or printout correctly certified to be correct is
on its mere production admissible in evidence and is rebuttable proof of the facts contained in such record, copy,
printout or extract.

Jurisdiction
Court in the Republic trying an offence in terms of the Act has jurisdiction where
1. the offence was committed in the Republic;
2. any act of preparation towards the offence or any part of the offence was committed in the Republic, or where
any result of the offence has had an effect in the Republic;
3. the offence was committed by a South African citizen ... or a person carrying on business in the Republic; or
4. the offence was committed on board any ship or aircraft registered in the Republic

Evidential matters
Electronic signatures and related concepts
Advanced electronic signature: an electronic signature which results from a process which has been accredited by
the Authority as provided for in section 37.
1. Accreditation Authority
a. Means the Director-General of the Department of Communications: acts as accreditation authority
b. An application for accreditation must
i. be made to the Accreditation Authority in the prescribed manner supported by the prescribed
information;
ii. be accompanied by a non-refundable prescribed fee, and
iii. a person falsely holding out its products or services to have been accredited by the
Accreditation Authority is guilty of an offence.
2. Process
a. Accreditation Authority may not accredit authentication products or services unless the Authority is
satisfied that an electronic signature to which such authentication products or services relate
i. is uniquely linked to the user;
ii. is capable of identifying that user;
iii. is created using means that can be maintained under the sole control of that user; and
iv. will be linked to the data or data message to which it relates in such a manner that any
subsequent change of the data or data message is detectible;
v. is based on the face-to-face identification of the user.
3. Electronic signature
a. means data attached to, incorporated in, or logically associated with other data and which is intended
by the user to serve as a signature;

Cryptography service: any service which is provided to a sender or recipient of a data message or to anyone
storing a data message, and is designed to facilitate the use of cryptographic techniques for the purpose of ensuring:
1. that such data or data message can be accessed or can be put into an intelligible form only by certain persons;
2. that the authenticity or integrity of such data or data message is capable of being ascertained;
3. the integrity of the data or data message; or
4. that the source of the data or data message can be correctly ascertained.

Data message: data generated, sent, received or stored by electronic means and includes:
1. voice, where the voice is used in an automated transaction;
2. a web page; and
3. a stored record.

Automated transaction: an electronic transaction conducted or performed, in whole or in part, by means of data
messages in which the conduct or messages of one or both of the parties are not reviewed by a natural person in the
ordinary course of such natural person's business or employment.
Substantive evidential provisions
1. Section 11: determines that information shall not be without legal force and effect merely on the grounds that
it is wholly or partly in the form of a “data message” or is referred to in a data message.
2. Section 12: determines that the requirement that a document or information be in writing will be complied with
if the information is in the form of a data message and accessible in a manner usable for subsequent reference.
3. Section 13: provides that a data message will only comply with the legal requirement of a signature if an
advanced electronic signature has been used. An electronic signature will not be deprived of legal force and
effect merely on the grounds that it is in an electronic format. The onus of proof is placed on the party who
alleges that an advanced electronic signature is not valid.
4. Section 14: addresses the question of the original form of information. If this is a legal requirement, a data
message will comply, provided that the information is capable of being displayed or produced for the person to
whom it is to be presented and if the integrity of the message complies with the following test:
a. considering whether the information has remained complete and unaltered, except for the addition of
any endorsement and any change which arises in the normal course of communication, storage and
display;
b. in the light of the purpose for which the information was generated; and
c. having regard to all other relevant circumstances.
5. Section 15: provides for the admissibility in evidence of a data message and that it be given due evidential
weight. The assessment of its weight should be carried out according to the following criteria:
a. the reliability of the manner in which the data message was generated, stored or communicated;
b. the reliability of the manner in which the integrity of the data message was maintained;
c. the manner in which the originator was identified; and
d. any other relevant factor
e. Messages generated n the ordinary course of business are admissible and shifts the onus of proof
6. Section 16: provides for the legal retention of information in the form of data messages, applying the same test
laid down for writing in section 13, coupled with additional guarantees of authenticity, as well as the fact that
the origin and destination of that data message and the date and time that it was sent or received can be
determined.
7. Section 17: deals with the production of documents and information (especially in civil procedure) and provides
that data messages may also fulfil this role, provided that certain conditions have been met.