Introduction
Klaus Schwab, founder and executive chairman of the World Economic Forum, has characterized the current phase of “digitalization” (involving a much more ubiquitous and mobile internet, smaller more powerful and cheaper sensors, artificial intelligence and machine learning) as a “fourth industrial revolution”.Footnote 1 This distinguishes this phase of rapid and disruptive technological change from earlier iterations.Footnote 2 For Schwab, the combination of information technology, artificial intelligence and biotechnology heralds the possibility of integrating the physical and virtual worlds, the biological body and machines in a post-human world. This change and its possibilities raise some fundamental questions about the way we understand ourselves and the way we organize our societies, economies and polities. The most basic commitments of constitutional democracy to individual agency and collective self-determination may now be threatened by disruptive technological change.Footnote 3
While the dominant narrative is “digitalization as progress”, there is another critical view, emerging especially in universities and civil society, which presents an alternative to this sunny perspective and sees “digitalization as progress” as being informed by an uncritical teleology that underestimates its potential costs. Evaluations of “digitalization as progress” are deeply rooted in the cultural and intellectual history of industrializing societies, which in the West is associated with the Enlightenment and the birth of modernity. The social, economic and political progress that took place in the 20th century is indeed strongly correlated with technological change of the first three industrial revolutions,Footnote 4 and so too the fourth iteration. However, in the authors’ view, the costs (which include, but are not limited to, privacy costs) must also be considered in fashioning a long-term regulatory and policy response to technological change. Recent incidents and trends (such as Edward Snowden's revelations about secret mass surveillance by the US National Security Agency, public disclosure that social networking platform Facebook had sold data to shape voter preferences and influence the outcome of ostensibly democratic elections, and the understanding of how technology platform companies track our online lives to attract advertising revenue and monetize personal data) call into question the simple association of digitalization with linear progress.
In addition, while Schwab's “digitalization as progress” story accurately presents digitalization as a global process, this process has differing impacts within states and is perhaps primarily responded to at the national level. This article focuses specifically on the response of the South African legal system to technological change. South Africa faces many socio-economic challenges arising from its apartheid legacy and its subordinate positioning in the global economy, yet, as a constitutional democracy, it must also face up to many contemporary “wicked problems”Footnote 5 including those associated with the fourth industrial revolution.
The critical perspective argues that South Africa is either in danger of becoming a surveillance state or has indeed already partially become one.Footnote 6 In 2018, Jane Duncan, a professor of journalism, commented that “[e]lements of a surveillance state are manifesting themselves most strongly in relation to the intelligence services, although there are signs that the police have been increasing their intelligence-gathering activities and have at the very least been attempting to develop their own capabilities”.Footnote 7 The UN Human Rights Committee has found South Africa's compliance with its international obligations inadequate to protect the right to privacy, observing:
“The Committee is concerned about the relatively low threshold for conducting surveillance … and the relatively weak safeguards, oversight and remedies against unlawful interference with the right to privacy contained in the Regulation of the Interception of Communications Act and Provision of Communications Related Information Act 70 of 2002. … The Committee is further concerned at reports of unlawful surveillance practices, including mass interception of communications carried out by the National Communications Centre and the delays in operationalizing the Protection of Personal information Act, 2003, due in particular to the delays in the establishment of an Information Regulator.”Footnote 8
With attention to the largely positive discourse on digitalization's potential impact on South African society and caution about its costs, the authors embark in this article on the development and illustration of their public law perspective on constitutional privacy. The article asks what legal resources, embodied in various legal instruments (such as the doctrines and concepts of constitutional rights, proportionality, horizontality and subsidiarity), are available in the South African legal system post-1994 to respond to the risks and benefits of digitalization. It explores this question from a “South African public law perspective”, focusing on the constitutional debates and case law regarding the right to privacy, adopting a method that is largely theoretical. The development of this perspective has been enabled by a “transformative constitution” with particular characteristics, including the component of horizontality, under which constitutional norms apply to both public and private actors. This contrasts sharply with the pre-1994 position in the South African polity where privacy was solely a private law, common law or delictual matter.
This perspective highlights questions of legal ordering that necessarily engage the normative foundations of constitutional democracies. What should be the limits of information stored by the government on its citizens? How can that information be appropriately shared with persons and firms in the private sector to unlock its economic value? Why does it seem as if the technology changes faster than the law can respond? What rights does an individual have in the information about him/herself?
This perspective does not ignore the benefits of digitalization, but is sceptical of the claims of the autonomous functioning of digital technologies and their supposedly benign transformative purposes. The article focuses attention on how the design of new generation technologies is being shaped by the interests and imperatives of states and private corporations, and on systemic harms to privacy and the functioning of constitutional democracies. As Jathan Sadowski has recently observed, “[b]y uncovering the technopolitics of smart tech, we … see how their impacts go far beyond the usual set of concerns about privacy intrusions and cybersecurity breaches”.Footnote 9
The authors therefore postulate the need for the development of a public law perspective on privacy, particularly one grounded in constitutional norms. It must: start with an examination of the internal logic and capabilities of digital technologies to identify the harms to which privacy law must now be responsive;Footnote 10 situate this reconsideration of privacy law in the context of the harms, risks and power dynamicsFootnote 11 generated by digitalization and the way these technologies are being used by governments and the private sector;Footnote 12 and examine the balances to be struck between the costs and benefits of digitalization in a constitutional democracy with its particular set of commitments to both individual and collective self-determination, and to the rule of law.
The first part of the article develops and articulates a theoretical perspective that informs a public law perspective on constitutional privacy in the era of digitalization, by discussing privacy law contextually in relation to state power, the logics of surveillance capitalism and the functioning of constitutional democracies. It then turns more explicitly to legal frameworks and considers the constitutional right to privacy in the context of South Africa's transformative constitutionalism and its potential to respond to the harms of digitalization. The authors argue that the South African Constitution of 1996 (the Constitution) instantiates a rights-orientated and rule-of-law-centred political theory that potentially facilitates the development of a privacy law for the digital age. This privacy law includes but goes beyond the regulatory domain of data protection. After surveying transformative constitutionalism, private power and constitutional privacy, the article discusses the case law of the Constitutional Court (the Court) on the right to constitutional privacy.
Towards a public law perspective on constitutional privacy in the era of digitalization
This section considers: privacy law; the state and capital; and the interaction of democratic self-government and privacy.
Digitalization 2.0: Privacy law
Law is an adaptive resource that can and should respond to disruptive technological change by re-examining existing concepts and creating new, more adequate conceptions. This was the basic problematic of the famous and foundational article by Warren and BrandeisFootnote 13 in which they proposed that privacy should be recognized as a specific delictual right in light of the harms to individuals created by new technologies, like hand-held cameras.Footnote 14 In their articulation, this was a “right to be left alone”.Footnote 15
Digital technology today is more than a step beyond hand-held cameras. Today, privacy law should direct attention to the amplification of the privacy harms arising from “datafication” and “smartification” associated with mobile computing, cloud computing, the Internet of Things, machine learning, data mining and predictive analytics. An article of Daniel Solove's, although published some time ago, provides a useful starting point for assessing these enhanced risks and harms. There are four basic groups of potentially harmful activities under his taxonomy: information collection; information processing; information dissemination; and invasion.Footnote 16
Solove's taxonomy can, for the most part, accommodate an analysis of the risks to privacy in the current period of accelerated digitalization, but with some modifications. The amplified risk associated with digitalized “Big Data” of intentional and negligent data spills resulting from the failure of public and private record-keepers to secure their databases, for example, can be understood with reference to the risks inherent in the collection, aggregation and processing of increasing volumes of information across data sets by numerous public and private organizations.Footnote 17 Solove also anticipates the harms associated with decision-making concerning the “digital person” based on pooled data from many data sources. However, he does not specifically discuss the harms related to data mining and predictive analytics increasingly relied upon by public organizations to allocate public benefits and by private commercial organizations to monitor the preferences and behaviours of their customers. In this regard, Sandra Wachter and Brent Mittelstadt have recently usefully argued that the 2018 EU General Data Protection Regulation grants individuals little control over how their personal data is used to draw inferences that might damage their privacy and reputation, and that there is therefore a need for a new data protection right to “reasonable inferences”.Footnote 18
Soloves's taxonomy also usefully recognizes the structural impact of state surveillance (enabled by the new digital technologies) on power dynamics between states and individuals.Footnote 19 But his focus on the harms to the individual misses the systemic and collective nature of privacy harms that is now becoming evident. As Carissa Veliz notes, “[p]rivacy is not only about you … [p]rivacy is as collective as it is personal … privacy resembles ecological issues and other collective action problems”.Footnote 20 That your data is personal seems to imply that you are the only concerned party when it comes to sharing it, but this is not necessarily the caseFootnote 21 as, for example, the sharing of genetic information can impact on others in a family group.
These externalities and information asymmetries have important implications for how we think about the harms and risks to which privacy law must respond today. They call into question the framing of privacy as an exclusively individual and private right designed to remedy discreet, direct and immediate harms to individuals. Both the common law and statutory data processing law (focusing largely on notice and consent) are based on this conceptual edifice. However, this individualistic framing of the privacy right is no longer fully adequate when “we ourselves are utterly enmeshed in technological systems, which shape in turn how we act and how we think. We cannot stand outside them. We cannot think without them”.Footnote 22 Data protection itself may implicate other rights beyond privacy, such as equality and dignity.
The addition of a group of activities potentially harming our social and collective existence through their systemic impact (akin to Solove's item of “invasion” but without its individualistic conceptualization) would be a valuable modification to his typology of potentially harmful groups of activities. The following sections present arguments to support the idea that privacy should be reframed from a public law perspective as both a private and a public good, essential to the functioning of a constitutional democracy.
Digitalization 2.0: The state and capital
Solove's 2006 analysis of the privacy harms that arise from the information practices of public authorities also pays insufficient attention to the way digitalization augments the state's powers of surveillance and the contemporary accretions of private power associated with platform companies like Facebook, Amazon and Google. It has become increasingly clear that the analysis of the privacy harms associated with digitalization must be situated within the context of the political economy of what can be termed “surveillance capitalism”Footnote 23 or “digital capitalism”.Footnote 24
The modern bureaucratic state apparatus has always had to map its subjects and citizens systematically, by gathering and recording information in order to carry out its public functions.Footnote 25 Even those holding a restrictive view of the state's economic and social functions accepted the HobbesianFootnote 26 view that the state had to provide security and that its policing powers had to include powers of search and seizure.Footnote 27 Digitalization exponentially expands the contemporary state's bureaucratic powers of computation, controlFootnote 28 and surveillance, leading some scholars to turn to Foucaudian concepts such as biopower and disciplinary power to examine the way digitalization is fundamentally restructuring power relations between individuals and the state: “[t]he symbol of disciplinary power is the panopticon … The symbol of control is the computer network that invisibly, constantly and continuously records every action … control systems do not rely on mere threats of surveillance. They follow through on monitoring, judging and inhibiting your freedom”.Footnote 29
Law enforcement agencies in many countries are also increasingly relying on “big data” to investigate crime, as well as on dragnet surveillance technologies like CCTV cameras, GPS locational technologies and drones purchased from companies manufacturing the high-tech tools for “smart policing”.Footnote 30 Such technologies operate at a wholescale or systemic, rather than individual, level. These capabilities are of undoubted value in combatting sophisticated organized crime and transnational crimes such as money laundering. However, pervasive, systemic surveillance comes at a substantial cost to privacy and the freedoms that are essential to our ability to function and flourish as a community.
The extent to which the South African Police Service is relying on these technologies is not publicly known because of inadequate oversight mechanisms and constraints on parliamentary reporting.Footnote 31 Also, under South African law, law enforcement agencies have not been required to observe the statutory processing rights of data subjects and so are not constrained by principles of data minimization when investigating actual crimes or even suspected criminal conduct.Footnote 32 Digitalized surveillance and crime investigation techniques based on data analytics obviously raise some important questions about the adequacy of search and seizure privacy laws, premised on a now-obsolete conception of a spatial boundary between public and private space.
To situate the threats to privacy (threats to the functioning of constitutional democracies in the digital age) properly, it is necessary to focus on these accretions of state power, as well as on the “logic of accumulation” in the age of surveillance capitalism:Footnote 33 ownership of the “means of behavioural modification eclipses ownership of the means of production as the fountainhead of capitalist wealth and power in the 21st century”.Footnote 34 Consciously invoking Marx, Shoshana Zuboff shows how an extractive economic logic has developed on the infrastructural backbone of smart computing, which instrumentalizes the most human and personal experiences to the commercial ends of platform companies and turns personal data into capital.Footnote 35 These network companies have morphed into behemoth monopolies whose competitive advantage is increasingly tied to their control of the “new oil” of personal data, which is sold to other businesses as a commercial asset. Protection of privacy rights is therefore now also a competition law issue.Footnote 36 Where required to do so, information collected and aggregated on the infrastructural backbone of these platform companies is also passed on to the surveillance state, creating a symbiotic relationship between the state and capital. In these circumstances, a conceptualization of privacy as a private harm threatened only by state action is an obstacle to the development of a privacy law for the digital age.Footnote 37 The harms associated with private commercial power must also be reckoned with.
Democratic self-government and privacy
Accretions of public and private power and surveillance, and monopolistic power associated with digital capitalism, have some important implications for the functioning of democracies as systems of democratic self-government, which requires us to think about the relationship between privacy and democracy. The harms to democracy arise from the processing capabilities of digital technologies, which have facilitated the dissemination of polarizing propaganda and false information. Reliable procedures for arriving at agreement on the facts by public deliberation are essential to the functioning of democratic societies that aim to structure conversation among a variety of opinions and interests. The capabilities enabled by digitalization have also weakened the mass media and political parties, and represent a real danger to the integrity of elections: the evidence is now clear that voter preferences can be manipulated through targeted advertising and psychological profiling.Footnote 38 The accretions of private power associated with digitalization and their intersection with public power are also accentuating underlying tendencies towards plutocracy and oligarchy in constitutional democracies today.Footnote 39 This undermines the claims of their systems of authority based on popular consent and political equality.
Therefore, the capabilities enabled by digital technologies and the power dynamics that have been unleashed require reinvigoration of a commitment to individual self-determination as well as to democratic self-government, and recognition of their interdependence. Under a public law paradigm, privacy today is much more than a negative individual rightFootnote 40 not to be interfered with by the state. It is also required as a defence against private power and a positive right essential to the functioning of a constitutional democracy based on the rule of law. In the digital era and the current pervasive system of surveillance, we need a richer concept of the constitutional value of privacy in constitutional democracies, instead of merely the right “to be left alone”. Privacy must be understood as being integrally related to individual autonomy and agency.Footnote 41 In Bernstein v Bester, the first privacy case in South Africa in the post-apartheid era, Ackermann J pointed in this direction in introducing a “communitarian” reading of the value of constitutional privacy. He said: “the scope of privacy has been closely related to the concept of identity and it has been stated that rights like the right to privacy are not based on the notion of the unencumbered self, but on the notion of what is necessary to have one's own autonomous identity”.Footnote 42
Understood in this way, privacy is not only a right to withdraw from society, but to be able to participate on respectful terms in a community of equals, without the constant external pressure of being watched, profiled and assessed by the state and commercial entities.Footnote 43
Transformative constitutionalism and the constitutional right to privacy
What textual and interpretive resources are there under the Constitution to develop a public law perspective on privacy law that is responsive to the harms associated with the current stage of digitalization? This article argues that the South African constitutional text instantiates a rights-orientated and rule-of-law-centred political theory that potentially facilitates the development of a constitutional law of privacy that is more suited to the digital age.
Judicial review, constitutional rights and the principle of proportionality
There are two important but unremarkable ways in which the text of the Constitution augments the conceptual resources available for judicial reasoning in the field of South African privacy law. The first is that it entrenches (as do many modern constitutions and human rights instruments)Footnote 44 a constitutional right to privacy. Section 14 of the constitutional Bill of Rights provides: “[e]veryone has the right to privacy, which includes the right not to have: (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed.”
It is important to note that the post-apartheid introduction of the Bill of Rights by no means extinguished the common law on the right to privacy, which continues as part of the South African legal system, albeit controlled by the Constitution as the supreme law. In addition, privacy legislation (which came fully into effect in mid-2021) created a statutory right to privacy and established a regulator for privacy rights, also with jurisdiction over the constitutional right of access to information.Footnote 45
Secondly, beyond the entrenchment of this fundamental right to privacy, various other provisions of the Constitution read together create a strong system of judicial review. Section 7(1) provides that the Bill of Rights “is the cornerstone of democracy”, which, under section 7(2), the state is required to “respect, protect, promote and fulfil”. The Bill of Rights applies to all law and conduct,Footnote 46 and binds the legislature, the executive and the judiciary.Footnote 47 Section 167 concentrates the power to decide questions of constitutionality in the Court. This includes parliamentary legislationFootnote 48 and “all law”, which must comply with the rights provisions of the Bill of Rights and the founding value of the rule of law.Footnote 49 The Constitution can therefore be understood to establish a system of constitutional dialogue between the judiciary and the elected branches, which enhances the capacity of the legal system to respond to disruptive technological change.
In this fashion, the constitutional text already creates rich normative and interpretive resources for the judiciary to attribute meaning to the constitutional right to privacy as the centrepiece of privacy law in light of the harms associated with digitalization. Furthermore, the Bill of Rights also includes other fundamental rights, such as the rights to equalityFootnote 50 and dignity,Footnote 51 which can support the development of a public law perspective. In a case concerning an action for defamation against a media company under common law, Kate O'Regan J said the following about the symbiotic relationship between the constitutional right to privacy and another constitutional right, the right to dignity:
“The value of human dignity in our constitution therefore values both the personal sense of self-worth as well as the public's estimation of the worth or value of an individual. It should also be noted that there is a close link between human dignity and privacy in our constitutional order. The right to privacy, entrenched in section 14 of the Constitution, recognizes human beings have a right to a sphere of intimacy and autonomy that should be protected from invasion. This right serves to foster human dignity. No sharp lines then can be drawn between reputation, dignitas and privacy in giving effect to human dignity in our constitution.”Footnote 52
The core constitutional value of dignity works in two ways: reinforcing privacy as a liberty that protects intimacy and individual choice from interference by the state or third parties; and recognizing and protecting an individual's interest in public estimations of an individual's worth. This conception has the potential to reach the harms associated with digitalization that are much less plausibly conceptualized as intrusions in protected spaces or individual decisions, including the right to control information about oneself that may be published or disseminated on digital platforms. Some jurisdictions, including South Africa, have therefore given recognition to a specific right to informational privacy.Footnote 53
Constitutional rights to privacy and dignity in the Constitution are “strong” rights that cannot simply be weighed against some supposed public benefit.Footnote 54 They can only be limited in accordance with principles of proportionality expressly set out in section 36 of the Constitution itself. This limitation clause provides:
“The rights in the Bill of Rights may be limited only in terms of a law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking in to account all relevant factors, including:
(a) the nature of the right;
(b) the importance and purpose of the limitation;
(c) the relation between the limitation and the purpose; and
(d) less restrictive means to achieve the purpose.”
Section 36 embeds the limitations analysis in the normative framework of a constitutional democracy. It therefore enables the court to undertake a broader harm analysis (which can include systemic harms) when assessing the constitutional adequacy of legal rules of general application, and to examine carefully both the ends and means of legislative decisions in light of the constitutional commitment to privacy and dignity. Mere utilitarian balancing of costs and benefits is obviously excluded.
Constitutional supremacy, subsidiarity and horizontality
The Constitution has distinctive features of subsidiarity and horizontality that further enhance the potential for constitutional law to respond to technological change. In its continued development of these doctrines in the “digitalization plus” age, the Court will have to stay abreast of rapidly changing technologies and shoulder much of the responsibility for the constitutional response.
The doctrine of subsidiarity consists in South Africa of the founding principle of constitutional supremacy,Footnote 55 read with its correlate, the judge-made rule of subsidiarity. Parliamentary legislation must comply with constitutional norms to be valid. The legal norms created by legislation are therefore subsidiary ones. Where the wording of a constitutional right requires that the legislature give effect to the constitutional right,Footnote 56 litigants are usually required to proceed in the first instance on the basis of the more concrete statutory right and not directly on the basis of the constitutional right.Footnote 57 However, the Court has effectively embellished the statutory right with a constitutional gloss by insisting that a statutory right has to be interpreted in light of the norms of the more abstract constitutional right.Footnote 58 So, the constitutional right provides the governing norm, even after the legislature has enacted legislation giving effect to a constitutional right.
In other places, the Constitution does not expressly require a legislative enactment; this is the case with the constitutional right to privacy (at least if that right is assumed to be sourced entirely in section 14). In any case and as noted above, giving at least partial effect to the constitutional right to privacy, Parliament enacted a privacy law in the form of data protection legislation, the Protection of Personal Information Act 2013 (POPIA).Footnote 59
In a fascinating and significant case in January 2021, the Court grappled with the doctrine of subsidiarity precisely at the interface between common law and a statute giving effect to a constitutional right, the right to equality. In King NO and Others v De Jager and Others,Footnote 60 the Court had to decide whether to develop the common law or to depend on the Equality Act to counter the effects of gender discrimination while enforcing the freedom of testation. The common law provided at least as clear an option to counter gender discrimination as the statutory framework did. Seeing the issue through the indirect lens of the common law, the court minority would have developed the common law while the majority opinion instead opted not to do so, achieving the desired result via direct application of either the constitutional right of equality or the law giving effect to that right. Most interestingly for our purposes here, Victor AJ, concurring with the majority, wrote separately to argue for a more direct and robust application of the Equality Act on the basis of subsidiarity:
“Evidently, this case requires direct application as opposed to indirect application. The direct application of the Bill of Rights, however, must be consonant with the principle of constitutional subsidiarity. Therefore, in applying the Bill of Rights directly in this case, reliance must be placed on the Equality Act because its definition of unfair discrimination ‘covers the field’”.Footnote 61
While the authors’ public law perspective aligns with that of Victor AJ, there is one crucial difference between that equality question and the privacy-centred topic: the scope of the legislation enforcing the constitutional right or at least some part of it. In the authors’ view, Parliament's recently enacted privacy legislation does not cover the whole field of the constitutional right to privacy.Footnote 62 POPIA is an important statute with a significant role, but it does not even claim to treat the full scope of questions of interest exhaustively. While it is not the purpose of this article to answer them, clearly questions about the relationship between the constitutional right to privacy and the statutory rights and structures created by POPIA will arise. Although POPIA defines “personal information” and “processing” very broadly, it does not cover all the privacy harms associated with digitalization, particularly surveillance and dissemination harms, as identified above.Footnote 63 The authors thus argue that section 14 of the Constitution will therefore continue to occupy a (if not the) central place in the development of South Africa's privacy jurisprudence in response to technological change.Footnote 64
The Constitution also explicitly confers law-making powers on the Court by empowering it to develop the common law in light of the Constitution's normative commitments. Section 7(2) provides for the horizontal application of a right to bind a natural or a juristic person, depending on the nature of the right and any duty imposed by the right. The question of whether the constitutional right to privacy applies horizontally (against private actors) or only vertically (against public actors) will certainly arise as privately owned companies are an integral part of the political economy of capitalism. Where a right applies horizontally, the courts are empowered by section 8(3) to “develop the common law to the extent that legislation does not give effect to that right” and may also develop common law rules to limit the right in accordance with the constitutional limitation clause. We have already seen that no legislation covers the field of privacy harms in their entirety and can be said to give full effect to the constitutional right. Further, section 39(2) of the Constitution provides that, when developing the common law, every court must promote the spirit, purport and objects of the Bill of Rights.
The cumulative effect of these provisions is that all privacy law in South Africa is effectively constitutional law. As the late Chaskalson J observed: “[t]here is only one system of law. It is shaped by the Constitution, which is the supreme law, and all law, including the common law, derives its force from the Constitution and is subject to constitutional control”.Footnote 65 Therefore, the meaning attributed to the constitutional right to privacy by the judiciary and the effect of that right on other existing legal frameworks (ranging from statute to subordinate legislation to agreements to common law doctrines) will be the central question in the digital age in South African privacy jurisprudence. It is a question that has received little attention until recently.Footnote 66
Transformative constitutionalism, private power and constitutional privacy
The text of the Constitution has certain unique provisions that distinguish South Africa's version of the constitutionalist ideal from the “classical” version in the balance it strikes between “conservation” and social change. One particularity is the fact that it reaches both public and private power. This was Karl Klare's central point in his influential 1998 article in which he argued that the Constitution's transformative potential could be unlocked if the judiciary abandoned formalist interpretive practices and recognized the imperative to contribute to the realization of the political project instantiated in the text by adopting a “post liberal” theory of adjudication.Footnote 67 By “transformative constitutionalism”, Klare meant “a long term project of judicial enactment, interpretation and enforcement committed … to transforming the country's political and social institutions and power relations in a democratic, participatory and egalitarian direction”.Footnote 68
The main focus of the work of the generation of scholars who enthusiastically embraced Klare's work was on expansive readings of equalityFootnote 69 and socio-economic rights,Footnote 70 not constitutional privacy. However, the two sets of provisions that Klare identified in making his case for transformative constitutionalism will certainly be relevant to the development of South Africa's law of privacy in the digital age: section 7(2), which imposes affirmative duties on the state; and section 8(2) and (3), which extends the application of the Constitution's rights provisions to private relationships regulated by common law and thus potentially directly to private power.
Klare's characterization of the Constitution as transformative is broadly accepted in the legal community. Such scepticism as there has been has concerned the limits of constitutional law as an instrument of progressive social changeFootnote 71 and whether transformative constitutionalism requires judicial interpretive practices informed by critical legal theory. Theunis RouxFootnote 72 has argued that the progressive purposes of the Constitution (for which he agrees there is ample textual evidence) can just as easily be realized by conventional adjudicative practices informed by a DworkinianFootnote 73 conception of the political morality that should inform constitutional reasoning. In this context, the authors agree with Roux to this extent: rights and rule-of-law constitutionalism provide rich resources for the development of privacy rights protection. However, for the Court to develop a harm principle in the field of privacy rights, the authors think judges might have to “step outside the text” and the universe of legal norms to examine not only how technologies work (the Brandeis paradigm) but also the power relations associated with the surveillance state and digital capitalism. Klare's understanding of adjudication as inevitably political lends itself more naturally than does Dworkin's to judicial interpretive practices that incorporate consideration of the implications of power relations, which a public law perspective on constitutional privacy must take account. This raises questions about the boundaries of constitutional law as an interpretive practice. For example, can constitutional law not function more like competition law,Footnote 74 a field of law in which it is necessary to analyse how digital markets actually work and that also examines a range of formal and informal legal frameworks?Footnote 75 Judges of the Court will understandably be reluctant to stray into uncharted waters, especially those that threaten to erode the distinction between law and politics. However, an overanxious regard for existing boundaries will limit the court's ability to respond to the harms to constitutional democracy associated with digitalization.
The South African Constitutional Court's privacy jurisprudence
The right to constitutional privacy has been invoked in only a handful of cases in the democratic era as, before 2021, the Court had not had to engage explicitly with the implications of digitalization for privacy rights. Nonetheless, the existing body of case law will probably frame the court's reasoning in future cases. Some departures and new formulations will be necessary if the court is to respond to the harms associated with digital surveillance by the state and its law enforcement agencies, as well as harms that come from the increasing aggregation and dissemination of data by private companies and especially by platform companies for commercial purposes. This section examines two types of cases: those concerning the state's coercive powers of search and surveillance (comprising four cases of the Court); and those concerning constitutional control of the publication of private facts under the common law, as yet made up of cases decided by lower courts.
Search, seizure and surveillance
The first and leading Constitutional Court case in South African privacy law is Bernstein v Bester (Bernstein),Footnote 76 a “search” case in which Ackermann J provided an extended exposition of the philosophical underpinnings of the right to privacy and comparative jurisprudence. Although this case was decided under section 13 of South Africa's Interim Constitution (Interim Constitution),Footnote 77 all subsequent cases have invoked the core elements of his reasoning, sometimes somewhat formulaically, and generally avoided any further reflections on the content and scope of constitutional privacy. The case involved a challenge to the constitutionality of sections of the Companies Act 1973 that provided for the directors, officers and persons known or suspected to be in possession of any property of a company in a winding-up to be summoned and to be required to answer questions. The attack was based on the section 13 right to personal privacy and the right not to be subject to the seizure of private possessions or the violation of private communications.Footnote 78
The Court, distinguishing place, relationship and person-oriented conceptions of privacy, came to the conclusion on the facts that it could not be said that there had been an invasion of private living space, of any specified relationship or that the information within the knowledge of a director, officer or auditor of a limited liability company regulated by law fell within that person's personal privacy. Regarding the determination of the scope of the right, Ackermann J adopted the “reasonable expectation” test. Under this test, there is an inviolable inner sanctum, such as family life, sexual preference and the home, which becomes progressively more attenuated as individuals enter public spaces and communal relationships with others.Footnote 79 The test has found an enduring place in the Court's privacy jurisprudence and will be important in future cases concerning the impact of digitalization on constitutional privacy.
The test is drawn from the Fourth Amendment to the US Constitution. Under this test, a party seeking to establish an unconstitutional invasion of the right to privacy by the government must have “a subjective expectation of privacy that the society has recognized as objectively reasonable”.Footnote 80 Announcing this test of an unconstitutional search, Katz v US significantly reversed the US Supreme Court's earlier decision in Olmstead v US,Footnote 81 which had held, over an eloquent dissent by Brandeis J, that wiretapping did not amount to “trespass” as there was no physical entry and so there was no unconstitutional “search”. The formulation of the new Katz test was an attempt to preserve an original conception of freedom that technological change had erased. The aspiration, says Lawrence Lessig “was to draw a line around private spaces that reflected our … understanding of privacy, in the light of the current potential of technology”.Footnote 82
However, in the age of “digital surveillance”, these original understandings of the boundary between the private and public domains, and accordingly of the application of the Katz test, are obsolete. Digital technologies, as Lessig has observed elsewhere: “change … radically. They not only make more behavior monitorable; they also make more behavior searchable. The same technologies that gather data now gather it in a way that makes it searchable. Thus increasingly life becomes a village composed of parallel processors, accessible at any time to reconstruct events or track behavior”.Footnote 83 Lessig thus asks, the authors believe appropriately, whether we need a second kind of privacy: “privacy in public”.Footnote 84
Langa J, appeared to open the door to reconsideration of the application of the reasonable expectations test in South Africa in light of technological change in Investigating Directorate, Serious Economic Offences v Hyundai Motor Distributors,Footnote 85decided some years after Bernstein. This matter concerned the constitutionality of legislation that did not specifically require the prosecuting authorities to show reasonable suspicion as a condition precedent when applying for a judicial warrant authorizing a search. In an incidental but important dictum, Langa DP, for the Court, added the following gloss to the reasonable expectation test of the scope of constitutional privacy:
“The right … does not relate solely to the individual within his or her intimate space. Ackermann J did not state …. that when we moved from this established ‘intimate core’, we no longer retain a right to privacy in the social capacities in which we act. Thus, when people are in their offices, in their cars or on mobile phones, they still retain a right to be left alone by the state unless certain conditions are satisfied. Wherever a person has the ability to decide what he or she wishes to disclose to the public the expectation that such a decision will be respected is reasonable, the right to privacy will come into play.”Footnote 86
When a court reconsiders this language in a future case where the specific question before it concerns constitutional privacy in the time of digitalization, it will have to consider when and whether individuals are able to decide effectively what information to reveal publicly. Much of the collecting, permanent recording and transfer of data today occurs without the knowledge or even awareness of data subjects. Consent under these circumstances is no more than a fiction. What the courts will demand to enable a meaningful exercise of choice will be a critical constitutional question, as will the nature of the constitutional enquiry into both subjective and objective reasonableness.
The relevant case subsequent to Bernstein was also a physical search case under the Interim Constitution. In Mistry v Interim National Medical and Dental Council (Mistry),Footnote 87 legislative powers were broad enough to allow inspectors to “enter any home where aspirins, ointments or analgesics happen to be and once there … [to] inspect not only medicine cabinets or bedside drawers, but also files that might contain a person's last will and testament, private letters and business papers”.Footnote 88 In finding that the statutory authority to enter private homes without a warrant and to rifle through intimate possessions intruded the inner sanctum of persons in breach of their privacy rights, the Court held that it was not necessary to decide threshold questions such as what constituted a search and seizure.Footnote 89 While leaving open other textual sources, including the right of access to information, the Court effectively recognized for the first time in South African law that a constitutional right to informational privacy is “covered under the broad protection of privacy guaranteed by section 13”.Footnote 90 Mistry went on to say that whether this privacy right is violated depends on the intrusiveness of the manner in which the information is obtained, whether it is about intimate aspects of personal life, whether it involves data provided for one purpose that was then used for another and whether it was disseminated to the press or general public, or to persons from whom there was a reasonable expectation that it would be withheld.Footnote 91
Although the matter did not examine the implications of digitalization for data collection, processing and dissemination, the influence on Mistry of a case of the German Constitutional Court,Footnote 92 the case that first recognized a personal right to control private information, is clear. In this 1983 case, the German Constitutional Court engaged the digitalization question directly: “[t]he individual's decisional authority needs special protection in view of the present and prospective conditions of automatic data processing. It is particularly endangered because … the technical means of storing highly personal information about particular persons is practically unlimited, and information can be retrieved in a matter of seconds with the aid of automatic data processing, irrespective of distance”. As the German court correctly observed, “[t]he possibilities of acquiring information and exerting influence have increased to a degree hitherto unknown and may affect an individual's behaviour because of the psychological pressure that public awareness may place upon the individual”.Footnote 93
The fourth case is AmaBhungane v Minister of Justice and Correctional Services,Footnote 94 which concerned the constitutionality of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002 (RICA) under the general right of constitutional privacy in section 14 of the Constitution, despite the fact that the section also specifically prohibits “searches of one's person and home”Footnote 95 and protects the privacy of communications.Footnote 96 A 2021 decision, it is the most recent and most important case in this context, because the Court dealt explicitly with the impact of digital technologies on the functioning of the coercive apparatus of the state from a privacy perspective for the first time
In the Court's telling, the adoption of RICA was “informed by considerable technological developments in electronic communications”,Footnote 97 as the legislation authorizes “the interception of both direct and indirect communications, which are defined broadly to include oral conversations, email and mobile phone communications (including data, text and visual images) that are transmitted through a postal service or telecommunications system”.Footnote 98 We do not yet know how a court will deal with “digital searches” by agencies of law enforcement under section 14(a) and (b), but of some considerable significance is the fact that the Court introduced the concept of “state surveillance” into its lexicon and analysis. This includes searches by technology. The opening paragraph of the judgment states:
“The Constitution proclaims that ‘national security must reflect the resolve of South Africans, as individuals and as a nation, to live as equals, to live in peace and harmony, free from fear and want and to seek a better life’. It does so against the historical backdrop in which the pursuit of a skewed notion of national security was weaponised and calculated to subvert the dignity of the majority of South Africans. As part of the pursuit, law enforcement involved searches of people, their homes and belongings. Over the years, law enforcement evolved to include surveillance of people, their home, their movements, and their communications. Today technology enables law enforcement agencies to not only physically - as opposed to electronically - invade the ‘intimate personal sphere’ of people's lives, but also to maintain and cement its presence there, continuously gathering, retaining and - where deemed necessary - using the information.”Footnote 99
The first point to be made about the Court's rights analysis in terms of the constitutional right to privacy is that it attached particular importance to constitutional privacy in the light of South Africa's experience under a “police state”.Footnote 100 It said the privacy right is “axiomatically … singularly important in South Africa's constitutional democracy”.Footnote 101 The Court added that invasion of an individual's privacy rights infringes the “cognate right to dignity”,Footnote 102 which the Court has termed elsewhere the “cornerstone of South African democracy”.Footnote 103 The effect of this reasoning is to strengthen privacy protection and to require persuasive justification for state action that invades the right.
It is a short step from here to recognize the particular threats posed by digital policing to constitutional privacy, which are evident in the paragraph quoted above. Yet the Court also continues to rely on the Bernstein privacy paradigm, which affords strong protection for intimacy but works less well as a framework for identifying the threats posed by digital policing to constitutional privacy. The Court reasoned as follows: “[i]magine how an individual in that situation would feel if she or he were to know that throughout those intimate communications someone was listening in or reading them”.Footnote 104 The clandestine interception and surveillance of an individual's communications is therefore “violative of an individual's inner sanctum” and “a highly and disturbingly invasive violation of privacy”.Footnote 105 However, is surveillance and monitoring, with our knowledge, of communications that are not intimate less disturbing and invasive? The Court appears to recognize potential problems with its reasoning, which arise from the impact of digitalization on the boundary between the private and the public or, as Lessig would term it, “privacy in public”.Footnote 106 It acknowledges that the legislation “allows interception of all communications. The sanctioned interception does not discriminate between intimate personal communications and communications … privacy is breached along the entire length and breadth of the ‘continuum’. And this intrusion applies equally to third parties who are not themselves subject to surveillance”.Footnote 107
After finding that there can be no question that “surveillance of private communications limits the right to privacy”,Footnote 108 the Court then considered whether the limitation is “reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”.Footnote 109 It is at this second stage that some of the main elements emerge of the Court's reasoning in upholding the High Court's declaration that the basic structural elements of RICA are unconstitutional. In essence it said that RICA did not pass the test of constitutionality because its design features fell short of what the rule of law requires, in that it failed to provide safeguards for independent judicial supervision and for the notification of subjects of surveillance; it allowed the police to seek permission to intercept on an ex parte application without adequate safeguards; it failed to provide adequate procedures to ensure that data obtained through surveillance is managed lawfully; and it failed to provide adequate safeguards where the subject of surveillance is a practising lawyer or journalist.Footnote 110 The rule of law also informed the Court's conclusion that unregulated, untargeted bulk surveillance of all information is “an extreme violation of privacy … in violation of comparative and international law”.Footnote 111 It is clear therefore that the Court in this case relied on its proportionality analysis to impose strong rule-of-law constraints on state surveillance, thereby subjecting systemic aspects of the system of surveillance to constitutional standards.
Of these four cases, only the 2021 matter, AmaBhungane, engages with the consequences of digitalization. On a superficial reading, the earlier cases of Bernstein, Hyundai Motor Distributors and Mistry would not appear to offer much to those concerned with the dangers posed to privacy by digitalization. However, a reading of them based on dignity rather than narrowly on liberty has emphasized the links and the potential these types of cases have in safeguarding the concept of privacy in public and the right of information privacy. However, taken as a whole, South Africa's decided privacy jurisprudence demonstrates how the constitutional elements of rights and proportionality analysis, as well as constitutional supremacy, have laid a good foundation for continued engagement with future state surveillance practices.
Publication, dissemination and use
Before the adoption of the Constitution and the right to privacy, and before the Interim Constitution was introduced, the South African legal system recognized the right to privacy as an independent personal right under the common law of delict, the actio iniuriarum. In this context, the main importance of the actio has been in affording some protection to individuals against the excesses of the mass media. In Financial Mail (Pty) (Ltd) v Sage Holdings Ltd Footnote 112 the Appellate Division, the country's highest court at the time, clarified that a breach of privacy under common law could occur either by unlawful intrusion upon the personal privacy of another or the unwanted disclosure of private facts that a person has a right to conceal. In his taxonomy of the common law right to privacy, Professor David McQuoid-Mason adds placing a person in a false light by publishing non-defamatory but false statements, and the misappropriation of a person's image or likeness without consent or permission.Footnote 113 It has been suggested that the latter is more properly considered as a breach of the separate right to an identity.Footnote 114 However, in Bernstein, Justice Ackermann pointed to the close relationship between privacy and “what is necessary to have one's own autonomous identity”.Footnote 115 In agreement with McQuoid-Mason, the post-1994 Supreme Court of Appeal extended protection to features of a person's identity in Grutter v Lombard Footnote 116 under the actio iniuriarum. Appropriation of an individual's image or likeness for the benefit of another, or for commercial purposes and without consent, therefore constitutes an actionable breach of privacy rights under both South African common law and the Constitution,Footnote 117 on which further below.
A full specification of the public law perspective on privacy should identify the potential of the four privacy delicts (intrusion, disclosure, false light and appropriation) recognized under common law to provide protection against the specific harms associated with digitalization. As noted above, digitalization magnifies the risks of data spillages and uses and abuses of personal information harmful to the privacy of individuals in ways that could not have been imagined in Brandeis's world of the hand-held camera.Footnote 118 While the detail must await further research, we can offer a high-level answer here to the question of what relief the law of delict provides. The answer is some protection, but that the conceptual structure of the law of delict as designed to remedy specific, discreet and quantifiable harms does not reach the systemic issue of power or Solove's aggregation problem.Footnote 119 The delicts are all furthermore currently cast in the paradigm of concealment and secrecy.Footnote 120 The delict of intrusion, for instance, can provide only limited protection in the face of the consolidation of public records in centralized databases, and the collection and dissemination of information in cyberspace, which is a public space. Of course, we do not yet know how the Court will use its powers to develop the common law in response to digitalization and we do not yet know whether it will recognize a new “constitutional delict” for the breach of privacy rights as proposed by McQuoid-Mason. The authors’ view, which aligns with McQuoid-Mason's and is open to exploring the possibilities of developing the common law of delict within a constitutional framework, also finds some support in the argument recently made by Emile Zitzke, reflecting on the award for damages for egregious failures by the Gauteng Department of Health for the care of mental health patients. Zitzke asks whether constitutional damages as opposed to the “old” version of the common law was the appropriate vehicle to consider what remedy would be “just and equitable” in this case.Footnote 121
The two delicts with the greatest potential, in the authors’ view, are the appropriation delict and disclosure of private facts delict. Under a public law paradigm and a transformative constitution, it is difficult to see why the sale of personal information collected from users or purchased as a commodity cannot potentially give rise to liability, at least where there is a “spillage”. The disclosure of private facts delict has thus far primarily been invoked against traditional mass media. But who are the media today? And what constitutes “publication” in the time of digitalization? We increasingly rely on social media companies to communicate and on Big Tech platform companies that aggregate and sell our personal data for information and news. This is why Jack Balkin has suggested that they should be regarded as “information fiduciaries” that should be held to higher legal and ethical standards than they are at present under US law.Footnote 122
It is becoming clear that these monopolies can (and do) exercise control over content and therefore effectively act as custodians of the virtual public square. However, under South African law, it is not clear whether they can attract liability as other media companies do for the publication or inadvertent disclosure of private facts or defamatory statements under the actio iniuriarum. Section 73 of the Electronic Communications and Transactions Act 2002 immunizes internet service providers that are “mere conduits” from liability for “providing access to, or for operating facilities for information systems, or for information systems or transmitting, routing or storage of data messages”. So far as the authors are aware, there is as yet no South African case in which monopolistic platform companies or other web-based publishers have been sued under common law. However, individuals who post material are treated as publishers and can be held liable under common law. This is what happened in a recent case, Economic Freedom Fighters and Others v Trevor Manuel,Footnote 123 in which a former minister successfully sued members of a political party under common law for delictual damages for posting defamatory statements about him on Twitter. The corporation owning the digital platform was not cited as a respondent. However, what about other kinds of harms to privacy that result from digital processing of personal information or result from the publication of such information on digital platforms? Or from the “spillage” of personal information? And can the platforms themselves be held liable? This question, in turn, implicates the issue of the design of intermediary liability rules in South Africa. Indeed, to what constitutional standards can and should they be held? These questions have not yet been answered. However, the authors think that within our system of constitutional democracy exist considerable normative and institutional resources to develop a “public law paradigm” that is responsive to the risks to privacy and other rights in our age of digitalization.
Conclusion
Intervening in a set of rapidly evolving debates occurring at both global and national levels, this article has asked what legal resources are available in the South African legal system to respond to the risk and benefits posed by digitalization.
First, the article argued that this question is best answered through the lens of a South African public law perspective. In the authors’ view, while any particular legal system may often lag behind, the law constitutes an adaptive resource that can and should respond to disruptive technological change by re-examining existing concepts and creating new, more adequate conceptions. In particular, our public law perspective would reframe privacy law as both a private and a public good essential to the functioning of a constitutional democracy in the era of digitalization.
Secondly, it argued that the South African constitutional text instantiates a rights-orientated and rule-of-law-centred political theory that potentially facilitates the development of a privacy law adequate for the digital age. This view takes into account South Africa's transformative Constitution, with particular characteristics, including the components of horizontality and subsidiarity.
The third and final argument was built on a discussion of the Constitutional Court's case law on the right of constitutional privacy, dividing that discussion into the recent cases addressing surveillance harms and those resolving disputes addressing the harms associated with publication, dissemination and use. The article argued that constitutional privacy jurisprudence in South Africa has not explicitly confronted the implications of impacts of disruptive technological change (until recently). Nonetheless, it has demonstrated the potential to do so. The authors acknowledged the creative potential of proportionality / rule-of-law analyses simultaneously to focus on the need for systemic controls of harms to privacy and democracy, and to recognize the need to incorporate an assessment of the benefits for sectors such as law enforcement and social rights in the constitutional analysis.
Delving into and drawing from one particular national context, in developing our public law perspective, this article has argued that the South African constitutional framework provides rich resources for developing a constitutional right of privacy at least roughly adequate for the challenges posed by the current era of digitalization.
Competing interests
None