RICA, as a tool to fight crime, can also infringe on a person's right to privacy if their communications are intercepted unlawfully. This issue came up in a case involving Vodacom and a victim of "click fraud", who sought customer information on the suspected culprits from the mobile company.
- For more financial news, go to the News24 Business front page.
Since the enactment of the Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002 - commonly known as RICA - more than 20 years ago, electronic communications technology has rapidly evolved and communication tools have changed and advanced.
The object of RICA is, firstly, to prohibit the interception of communications and, secondly, to regulate the exceptional circumstances under which communications may be intercepted.
This being the case, RICA, as a tool to fight crime, can also infringe on a person's right to privacy if their communications are intercepted unlawfully.
The Supreme Court of Appeal (SCA) recently had occasion to consider the extent to which RICA can seemingly protect the privacy of customers of mobile network operators in Giftwrap Trading (Pty) Ltd v Vodacom (Pty) Ltd and Others.
Facts
As a cellular phone and internet service provider, the first respondent, Vodacom, was required by law to obtain and keep specified information in respect of their customers.
The appellant, Giftwrap, as the victim of “click fraud”, managed to obtain the local internet protocol (IP) addresses of devices from which the click fraud had emanated and also identified the service provider that each of the IP addresses used to gain access to the internet.
Seeking disclosure of the customer information in respect of each of the IP addresses, Giftwrap launched an application against the respondents (as the relevant service providers) in the High Court. The purpose of this application was to identify the wrongdoers in order to take legal action against them.
Vodacom submitted that the provisions of RICA precluded the disclosure that Giftwrap sought. The court agreed and held that section 42(1)(c) of RICA does not permit disclosure of customer information for the purpose of identifying wrongdoers.
Giftwrap brought an appeal to the SCA.
The issue
The salient issue on appeal was whether the provisions of RICA, particularly section 42, allow for the disclosure of customer information for the purpose of identifying wrongdoers.
The relevant provisions of RICA and arguments
Sections 39 and 40 of RICA are concerned with customer information and specifies the type of customer information that must be obtained and verified before a service provider enters into a contract with any person for the provision of electronic communication service. This includes information of both natural and juristic persons and includes, amongst others, physical addresses, full names and identification numbers or registration numbers as the case may be.
Insofar as the disclosure of customer information (as mentioned above) is concerned, section 42(2) provides that no service provider may disclose any information obtained in the exercise of its powers or the performance of its duties in terms of RICA, except for the purposes mentioned in section 42(1). To this end, section 42(1) provides for the disclosure of customer information -
- to any other person who of necessity requires it for the performance of his or her functions in terms of RICA
- if he or she is a person who of necessity supplies it in the performance of his or her functions in terms of RICA; or
- information which is required in terms of any law or as evidence in any court of law
It was argued by Giftwrap that it was entitled to the customer information behind the IP addresses in terms of RICA as it wished to identify the wrongdoers of click fraud in order to take legal action against them.
Vodacom did not dispute Giftwrap's factual averments nor that the information in question could be useful for the purpose for which it was required. It said that were the decision solely up to it, Vodacom would have provided the information to Giftwrap.
In its view, however, the provisions of RICA precluded the disclosure that Giftwrap sought, hence the opposition to the application.
Findings of the SCA
The SCA held that Giftwrap required the customer information as part of an investigation (to identify perpetrators of click fraud) with a view to taking appropriate legal action. Therefore, it goes without saying that disclosure of the customer information in respect of the listed IP addresses would not necessarily lead to legal action against a person so identified.
The question then is whether section 42(1)(c) of RICA permitted this or, put differently, whether section 42(1)(c) permitted disclosure for this purpose.
The SCA held that the answer to this question lays in the interpretation of section 42(1)(c) of RICA by a holistic consideration of its text, context and apparent purpose.
The SCA held that according to its text, section 42(1)(c) conveyed that the information must at the time of its disclosure be required as evidence in a court of law. It therefore envisaged disclosure of information which was required as evidence in proceedings that were pending in a court of law.
On that basis, information that is required to investigate whether legal proceedings could be instituted falls outside the ambit of section 42(1)(c). Reverting to the reason for which Giftwrap required the customer information, the court found that RICA did not permit the disclosure of customer information of a service provider for purposes of investigation or identifying wrongdoers.
Conclusion
In light of the SCA's decision, the crux issue conclusion clarifies that Giftwrap did not fit the criteria per section 42(1)(c) of RICA that allowed it to obtain customer information for its own "investigation" and not for "evidence" in court for a pending matter. This was detrimental to Giftwrap's case.
The SCA did not make reference to the relevant provision of the Protection of Personal Information Act 4 of 2013 ("POPIA"), yet the privacy of customers is relevant from a POPIA perspective.
There are competing interests in this regard:
- On one hand, section 14 of the Constitution guarantees the right to privacy. In particular, section 14(4) of the Constitution specifically protects an individual's right not to have the privacy of his communications infringed.
- On the other hand, the interception of a communication or access to customer information pursuant to RICA is, on the face of it, an infringement on a person's right to privacy.
However, it should be borne in mind that section 6(1)(c) of POPIA provides that POPIA does not apply to the processing of personal information when it relates to the judicial functions of a court.
Ahmore Burger-Smidt and Dale Adams, Director and Associate, Werksmans Attorneys. News24 encourages freedom of speech and the expression of diverse views. The views of columnists published on News24 are therefore their own and do not necessarily represent the views of News24.