The Government announced that it would be using mobile tracking technology and other methods as a way to combat SARS-CoV- 19 (the Virus) and COVID-19. The tracking and tracing of people with the Virus is vital in the fight against it’s spread. However, amaBhungane, have highlighted that the regulations allowing for the tracking of peoples mobile phones need stricter controls to ensure they are not abused. This article aims to briefly explore the regulations that have been imposed, criticised and more recently corrected and the effect these have on South African society and what business must do to ensure their activities remain within the bounds of what is considered lawful
Overview – Privacy and Prejudice
The goal of the recent regulations by the Department of Telecommunications and Postal Services, as amended, on 6 April 2020, is to assist in the management of COVID-19. The regulations provide clarity and a sense of stability to the industry and the public at large. All service providers must continue to meet demand and offer their services. Additionally, service providers must deploy emergency type infrastructure when requested to do so by the State. Of benefit to private individuals and business is that the telecommunications industry may not increase their prices for so long as the regulations are in place.
The plights of the consumer aside, the concern lies in the now state-sanctioned ability for state-authorities to demand that telecommunications service providers, including mobile network operators, and internet service providers, must provide location-based services to the State. Further, the Post Office must make any database it has available for use to the authorities. In addition, the private sector must allow for this database to be cross-referenced against its own. This highlights a recurring theme in these regulations: the private sector being called upon to divulge sensitive and private personal information of its customers to the State.
The regulations not only have an impact on the privacy of these individuals who have tested positive for being infected with the Virus but also apply to those who may have been in direct contact with an infected person. In other words, the State must draw up a database of the personal information of persons who are and were infected with the Virus, and all those people who may have been in direct contact with that person.
Impact on private companies and individuals
Private companies may be asked to submit the personal information of their employees, customers and clients to the State. This would, in effect, mean that companies would be asked to prejudice compliance with their internal privacy controls, the European Union’s General Data Protection Regulations (GDPR) or those proactively in compliance with the yet to be promulgated Protection of Personal Information Act (‘POPIA’).
The Information Regulator (‘the Regulator’), the regulatory authority in charge of the protection of personal information by virtue of POPIA, released its guidance notes. The Regulator provided that it viewed the new regulations as lawful, but provided for detailed provisions as to how the data could be lawfully acquired, processed and stored.
Private business must ensure that any private information must still be carefully guarded and only shared in circumstances where the necessary data protection methods have been put in place. The risk of merely sharing access to personal information is that the company doing so may face liability for causing any harm or liability to the data subject as a result of a breach of privacy.
As it relates to mass surveillance, the Regulator further condoned the use of information acquired by tracking and tracing of infected persons, as well as mass surveillance of data subjects. However, surveillance may only be conducted in a manner in which the personal information of data subjects is made suitably anonymous and is not capable of being reconstructed. With these measures in place, the Regulator has provided clarity as to how this personal information can be used.
These regulations are more worrying, however, when considered in tandem with other laws. More particularly the provisions which criminalise the publication of any statement, through any medium with the intention to deceive another person about any measure taken by the Government to address COVID-19 or to deceive a person about COVID-19 or the infection status of any person. The concern is how authorities will interpret the meaning of ‘deceive’ and what this might mean for companies required to disclose and share COVID-19 information and how this will impact on society in general.
Conclusion – Intersection of Public and Private Accountability
In Turkey and other countries, writers and journalists have noted that governments are in some instances pushing the boundaries of what is considered justified under the phantasm of a global pandemic. Already, local and international journalists have cautioned the State and civil society against allowing a temporary state of emergency and crisis to make permanent changes to what we consider acceptable infringement of our rights.
In uncertain times, the State is often called upon or sees an obligation to curtail individual civil liberties to resolve or mitigate against an unfolding crisis such as the one presented by the Virus and COVID-19. It is up to the members of that State, of that society to act with longanimity to stay the course and comply with what is demanded. As per the Regulators notice the sharing of private information must be done lawfully and within reason to protect society. Companies must ensure that they comply with all laws promulgated to combat the spread of the Virus and ensure they protect their own company from any additional liability.
If you have any questions or queries as it relates to this or any other topic, please feel free to contact SchoemanLaw Inc. for expert guidance. We are open for business and ready to help.
 Regulation 318 of Government Notice 43107 of 17 March 2020 as Amended (https://www.mylexisnexis.co.za/Index.aspx?permalink=emIvdmxheWEvaGV6a2cvaWV6a2cvbWV6a2cvaTl3bGckLTEkNyRMaWJyYXJ5JGRwYXRoJExpYnJhcnk ) (accessed 13 April 2020)