Overview of the South African Protection of Information Bill

The methods used to collect and store information and data have evolved over time.

In the past personal information was collected primarily through direct means by companies that people did business with. The collected information would be stored to enable the company to provide a service to the customer and to bill the customer after service delivery. The high cost of storing information typically meant that a company would only store information that was strictly necessary for these purposes and that the information would be stored for a limited time once it was no longer needed.

In the last two decades new technologies, including the internet and mobile devices, have dramatically changed the way in which people interact with each other and with companies, multiplying the ways in which companies can collect personal information about data subjects: a cell phone application with access to your precise GPS coordinates, phone book and text messages; a website tracking its visitors; an in-store loyalty card which records shopping habits; a search engine which logs and stores each of your queries; a social network application for your tablet which routes your personal and business email through its own servers.

In many cases people are either unaware that data collection is happening or are unaware of the scope of the data collection. The falling cost to store information electronically now means that this personal information which is collected can be stored for longer periods of time, perhaps indefinitely.

Once this personal information has been collected, which could include an individual's name, gender, phone number, home address, email address, or shopping and internet browsing habits, the question has often been whether this information still belongs to the private individual or whether it now belongs to the company that collected it, and what the company may use the collected information for.

In South Africa a person’s right to privacy has been entrenched in section 14 of the South African Constitution 1996, which provides that “[e]veryone has the right to privacy”, before going further to cater for specific circumstances. The South African Protection of Personal Information Bill, or POPI, which may become law soon takes further steps to entrench the right to privacy and to protect personal information which is collected and stored.

The Protection of Personal Information Bill draws on years of research and contains many of the broad principles developed in and incorporated into the European Union's data protection rules. It seeks to introduce measures to ensure that personal information is protected, but aims to balance this objective against the right of access to information and the principle of the free flow of information.

The bill accomplishes its objectives by codifying the rights that persons have in their own personal information and specifying eight conditions, or principles, that must be complied with by persons when collecting, storing and processing the personal information.

The Protection of Personal Information Bill may have far reaching consequences on some businesses operating in South Africa. Businesses should evaluate the information which is currently being collected to determine whether the bill will apply to the activities of the business. If the bill does apply a business will have to evaluate and determine what technical and organisational measures need to be taken to ensure that the legislation can be complied with once it is enacted.

Application of the Protection of Personal Information Bill

In terms of section 3, the Protection of Personal Information Bill applies to any processing of personal information which is either conducted in South Africa, or which is conducted outside South Africa by a responsible party which is domiciled in South Africa.

The bill binds both public and private bodies, extending to any South African state department or administration, state functionary, state institution, private companies, private partnerships, sole proprietors and any other individual.

The activities relating to personal information which are regulated in terms of the bill include:

  • collection;
  • receipt;
  • recording;
  • storage;
  • retrieval;
  • dissemination; and
  • use.

The definition given to “personal information” ensures that the legislation will have a wide application.

Personal information is defined as any information relating to an identifiable, living natural person or existing juristic person, including a person’s:

  • name;
  • gender;
  • sexual orientation;
  • religion;
  • education;
  • identifying number;
  • e-mail address;
  • telephone number;
  • personal opinions; and
  • correspondence.

There are, however, some exclusions, such as the exclusion of data relating to a purely personal or household activity, data which has been de-identified and data collected by a public body involving national security and the investigation or proof of criminal offences.

Rights Granted in Terms of the Protection of Personal Information Bill

Section 5 of the Protection of Personal Information Bill briefly sets out the rights granted by the bill, which are elaborated and expanded on in later chapters. The rights granted in terms of the bill include:

  • the right to be notified that personal information is being collected;
  • the right to be notified of any security compromise in which personal information has been unlawfully accessed or acquired;
  • the right to establish if a person or entity holds any personal information and if so request access to the personal information;
  • the right to know the identity of third parties who have had access to the personal information;
  • the right to request the correction, destruction or deletion of personal information;
  • the right to object to the processing of personal information;
  • the right to submit a complaint to the Information Regulator, which is to be established in terms of the bill; and
  • the right to institute civil law suits to claim damages suffered as a result of a contravention of the bill.

Conditions for the Lawful Processing of Personal Information

Chapter 3 of the Protection of Personal Information Bill sets out eight conditions, or principles, which must be complied with when processing personal information.

Failure to comply with these conditions when collecting and processing information protected by the bill would constitute an interference with the rights of the individual in terms of section 73 and may result in civil liability in terms of section 93 for damages suffered by the individual.

Contravention of other chapters of the bill can also result in administrative penalties or a criminal conviction punishable by fines or imprisonment of up to ten years for some offences.

These conditions for the lawful processing of personal information are:

Condition 1: Accountability

The first condition provides that the responsible party, namely the public or private body which determines the purpose and means of processing personal information, must ensure that personal information is processed lawfully and that the conditions are complied with both at the time when the purpose and means of processing are determined and during the processing itself.

Condition 2: Processing Limitation

The second condition sets limits on the methods which may be used when collecting personal information and on the scope of processing the information. Focus is placed on the protection of privacy and prevention of excessive collection and processing.

This condition provides that personal information may generally only be collected directly from the data subject and not from third-party sources.

It also provides that personal information may only be collected and processed if:

  • the individual has consented;
  • it is necessary for the performance of a contract to which the individual is a party;
  • it protects a legitimate interest of the individual or the person collecting or processing the information; or
  • it is necessary for the proper performance of a public law duty by a public body.

Data subjects are also granted the right to object to the collection and processing of personal information, including the specific right to object to direct marketing from companies of which they are not already customers.

Condition 3: Purpose Specification

The third condition sets limits on the reasons for the collection of personal information and limits the duration that the records may be retained.

This condition specifies that personal information may only be collected for specific and explicitly defined purposes and that data subjects must be informed of the purpose for collecting the information.

Once the personal information has been collected it may not be retained any longer than what is necessary for achieving the defined purpose. After the personal information is no longer required it must be either destroyed or “de-identified” in a manner which would make identification of the individual impossible either on its own or if combined with other information.

Condition 4: Further Processing Limitation

The fourth condition limits the use of personal information once collected, providing that all processing must only be in accordance with, or compatible with, the purpose for which the information was originally collected.

Condition 5: Information Quality

The fifth condition requires the responsible party to take reasonable steps to ensure that all personal information which is collected or processed is complete, accurate, not misleading and updated where necessary.

Condition 6: Openness

The sixth condition ensures openness of records relating to the processing of personal information by requiring responsible parties who collect and process personal information to maintain documentation of their processing operations in terms of the Promotion of Access to Information Act.

This condition also requires that data subjects are notified of their rights in terms of the bill. Steps must be taken before the actual collection of personal information to ensure that an individual is aware of:

  • what information is being collected;
  • the name and address of the responsible party collecting or processing the information;
  • the purpose of collecting the information;
  • the consequences of not providing the personal information; and
  • if the information is to be transferred to another country, the level of protection afforded to the information in that country.

Condition 7: Security Safeguards

The seventh condition introduces safeguards to protect the integrity and confidentiality of personal information once it has been collected.

In terms of this condition any person collecting or processing personal information must take appropriate and reasonable technical and organisational measures to ensure that personal information is not lost, damaged or unlawfully accessed or processed. This requires the responsible party to take measures to identify internal and external risks, establish and maintain safeguards and continually update procedures and safeguards in response to new risks or deficiencies.

The Information Regulator and the affected data subjects must also be informed of any security compromise as soon as reasonably possible after it is discovered.

Condition 8: Data Subject Participation

The final condition applicable to the lawful processing of personal information provides data subjects with the right to participate in the collection and processing of their personal information.

This condition provides data subjects with the right to:

  • request confirmation of whether or not a responsible party holds personal information about the data subject;
  • request a record of the personal information held;
  • request information regarding all third parties who have had access to the personal information;
  • request the correction or deletion of inaccurate personal information; and
  • request the deletion or destruction of personal information.

Simple Steps to Increase Online Privacy

Since Edward Snowden's revelations about the surveillance programmes of the United States government, the current state of online privacy has been thrust into public attention, in particular how much information is willingly, and more often unknowingly, given away by internet users.

Your online activities are tracked by every internet service you use, by every website you visit and by the advertisers and content providers embedded in each page you view. These companies track web users invisibly as they browse, recording what is searched for, each link that is clicked and each page that is visited. The list of parties acquiring information that can personally identify you is longer than you might expect.

Regardless of the reasons provided for tracking your online activities, which include the ability to serve you with targeted adverts and improved customized search results “for your benefit”, the fact remains that large troves of personally identifiable information often unknowingly falls into the hands of third parties.

For an illustration of the information collected by search engines, look at the database of user searches that America Online released to the public in 2006. It contains the searches of more than 650,000 AOL users over a three-month period and illustrates the privacy nightmare that arises when even a small amount of search data becomes publicly available. Users were identified only by a number, yet you can browse the database and see the queries each user entered and which links they followed.

For instance, user #2258946 searched for boat motors, golf club grips and sport back braces; user #98280 searched for pregnancy calculators, whether bipolar disorder is hereditary and spiritual beliefs on abortion; and user #110602 searched for Star Wars music, sex games and pornography. Several users were subsequently identified by name using nothing but the released search data.

If you have a Google Account and use Google’s services you can take a trip down memory lane and look at some of your own past search queries by logging into your Google account and going to www.google.com/history

Methods used to track internet users

The most common and simple methods used to keep track of internet users are through tracking cookies, internet browser referrers and IP addresses.

Cookies are small pieces of data which a web server sends to your browser when you access a website, and which the browser stores and sends back on every later request to that server. Cookies set by the site you are visiting are referred to as "first-party cookies". Each website visited may also link to and request content from third parties which deliver services to the website, for instance advertisements or analytics. These third parties may also set tracking cookies on the visiting computer. These are referred to as "third-party cookies", and because the same third party is embedded in many sites, its cookie is sent back from all of them.

Cookies are a way for a website to identify and store information about each visitor. They are used to recognise a visitor across page loads and across separate visits, to store a visitor's personal preferences, and, in conjunction with the computer's IP address and the browser's referrer field, to track a visitor's browsing.

An IP address is the numerical address assigned to a device, or to the router in front of it, when it connects to the internet. Because addresses are allocated to internet service providers by region, an address can usually be mapped to the country and city from which a device is connecting. The address can also be used to recognise recurring visitors to the same site, or the same visitor across different sites, since requests from the same address over a short period generally come from the same person or from devices sharing one internet connection. That caveat matters: all the devices behind a home or office router typically present a single public address, so an address alone conflates them, while a dynamically assigned address may change between sessions. To see the IP address and location information of the device you are currently reading this article on you can visit https://www.dnsleaktest.com/

A referrer is the address of the page from which your request originated, which the browser sends to the web server in the Referer header [8]. When you follow a link from a search results page or from another website, the site you arrive at learns which page directed you to it, and in the case of a search results page the referrer may include the query itself.

By analysing stored tracking cookies, IP addresses, referrers and other information made available it is possible to discover the pages the user has visited, in what sequence, and for how long.

How to increase online privacy?

There are some easy tactics that can be used to limit the amount of information that is gathered about your online activities, which will be discussed.

A word of caution: None of these methods will give you anonymity on the internet. Your internet service provider and any local law enforcement will still be able to use methods to track your movements across the internet and record the websites that you visit.

The methods presented here will only minimise the amount of personally identifiable information that can be gathered by private companies across the internet.

Replace Your Internet Browser

The first thing to consider is replacing your proprietary internet browser (such as Microsoft's Internet Explorer or Google's Chrome, which adds proprietary components on top of the open source Chromium project) with one that is Free and Open Source Software. With a free and open source browser the source code is open to inspection by the community, which makes intentional back doors harder to hide and makes it possible to verify what the browser sends and to whom.

Install Mozilla Firefox, the recommended Free and Open Source internet browser.

Change Your Browser Cookie and Tracking Settings

It is possible to easily minimise the information collected by means of cookies by simply changing some settings in your internet browser. Settings that you should consider changing are:

  • Disable third party cookies, which will immediately reduce the amount of cookies received from third parties and advertisers, reducing the amount of information that these companies can collect. A guide on how to do this in Mozilla Firefox is found at https://support.mozilla.org/en-US/kb/disable-third-party-cookies
  • Set your browser so all cookies are deleted when the browser is closed. This setting is found on the same setting page as third party cookies settings, so after deselecting “Accept third-party cookies”, right below it select “Keep until I close Firefox”. This will ensure that all cookies are deleted when you close your browser and are not stored for years.
  • The browser plugin "Self Destructing Cookies" destroys a site's cookies as soon as its last tab is closed. It was available from https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/ but is a legacy add-on that no longer works in current Firefox versions, so look for a maintained equivalent.
  • Turn on your browser's "do not track" feature. This sends a header asking websites not to track you, but it is up to each website whether it honours the request. A guide on how to do this in Firefox is found at https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature

Install a browser plugin to eliminate all online advertising

Install Adblock Edge to get rid of advertising on websites and to make sure that you do not accidentally click on any of these unwanted links. Adblock Edge is a fork of Adblock Plus. Both plugins are popular advertising blockers, but by default Adblock Plus allows adverts that it classifies as "acceptable ads". It may be noble to want to support websites and advertisers whose advertising does not destroy your viewing experience, but this runs contrary to the objective of increasing privacy. The business model of Adblock Plus, under which advertisers can pay the company to have their adverts whitelisted, has also raised some concerns.

Adblock Edge can be found at https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/

EDIT: The most recommended ad-blocker in August 2018 is “uBlock Origin”. 

Install a browser plugin to prevent social networks from being sent data by websites visited

Facebook, Twitter and other social networks have buttons which websites can incorporate to make sharing content easier for visitors. An example is Facebook’s “Like” button which is now found on many internet websites and not only on facebook.com. One feature that most internet users are unaware of is that these buttons collect and send information about your browsing back to the company (Facebook, Google or Twitter) regardless of whether or not you use or click the button. The process used is described in detail in this research paper.

Each time you visit a website incorporating a Facebook "Like" button, your browser sends a request to Facebook's servers to retrieve the button, and that request carries the address of the page you are on (the referrer) along with any cookie your browser already holds for facebook.com. If you are logged into Facebook at the time, or have visited Facebook and still have a Facebook cookie on your computer, that cookie contains your unique Facebook user ID. This allows Facebook to record every website you visit that embeds its button, whether you are logged in or not and whether you click the button or not.

Even if you do not have a Facebook account Facebook collects and stores this information about your browsing, creating what it calls “shadow accounts”.
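The tracking mechanism described above, and the earlier point that cookies, referrers and IP addresses together reveal which pages a visitor viewed and in what order, can be modelled from the widget host's side. The following Node.js example is added here and is not code from the article or from Facebook; the widget host, the cookie name `uid`, and the request records are all constructed for illustration. It parses the Cookie and Referer headers of requests that browsers make when loading an embedded button, keys each visitor by the host's own cookie when one is present and by client IP otherwise, and rebuilds a cross-site browsing history per visitor.

```javascript
'use strict';
// Added example: a model of a third-party widget server reconstructing
// visitors' browsing across unrelated sites. The widget host, the "uid"
// cookie and the request records below are constructed, not real data.

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;                 // malformed fragment, ignore
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Host of the page that embedded the widget, taken from the Referer header.
// Returns null when the header is missing or not a valid URL.
function refererSite(referer) {
  if (!referer) return null;
  try { return new URL(referer).host; } catch (e) { return null; }
}

// Build a history per visitor. Identity comes from the widget host's own
// cookie when the browser sent one; otherwise the server falls back to the
// client IP, a weaker key that merges everyone behind the same router.
function buildProfiles(requests) {
  const profiles = new Map();
  for (const req of requests) {
    const cookies = parseCookies(req.headers.cookie);
    const key = cookies.uid ? `uid:${cookies.uid}` : `ip:${req.ip}`;
    const site = refererSite(req.headers.referer);
    if (!profiles.has(key)) profiles.set(key, []);
    if (site) profiles.get(key).push({ site, t: req.time });
  }
  for (const history of profiles.values()) history.sort((a, b) => a.t - b.t);
  return profiles;
}

// Hosts a visitor was seen on, in the order the pages were loaded.
function visitedSites(profiles, key) {
  return (profiles.get(key) || []).map((v) => v.site);
}

// Seconds between consecutive page loads: an estimate of time spent per page.
function dwellSeconds(profiles, key) {
  const h = profiles.get(key) || [];
  return h.slice(1).map((v, i) => v.t - h[i].t);
}

// Constructed sample traffic hitting the widget endpoint. The first visitor
// logs out of the widget host between requests (session cookie gone) but the
// long-lived uid cookie still identifies them. The second visitor blocks
// third-party cookies, so the host keys on IP instead; a second device
// behind the same router is merged into the same profile.
const sampleRequests = [
  { time: 1000, ip: '203.0.113.5', headers: {
      cookie: 'uid=u7f3a; session=abc', referer: 'https://news.example/article/1' } },
  { time: 1030, ip: '203.0.113.5', headers: {
      cookie: 'uid=u7f3a', referer: 'https://shop.example/cart' } },
  { time: 1045, ip: '198.51.100.9', headers: {
      referer: 'https://news.example/article/1' } },
  { time: 1100, ip: '198.51.100.9', headers: {
      referer: 'https://health.example/symptoms' } },
  { time: 1200, ip: '203.0.113.5', headers: {
      cookie: 'uid=u7f3a', referer: 'not a url' } },   // unusable Referer, dropped
];

const profiles = buildProfiles(sampleRequests);
for (const [key, history] of profiles) {
  console.log(key, '->', history.map((v) => v.site).join(' > '));
}

module.exports = { parseCookies, refererSite, buildProfiles, visitedSites, dwellSeconds, sampleRequests };
```

Disabling third-party cookies removes the strong key (the `uid` cookie) but, as the second visitor shows, the host can still fall back on IP address plus referrer; blocking the request to the widget host altogether, which is what the Disconnect and RequestPolicy plugins described next do, is what actually stops the record from being written.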

You can prevent this by installing the Disconnect browser plugin, which blocks these requests and information sent to social networks. Disconnect can be downloaded from https://disconnect.me/

One criticism of Disconnect is that it does not go far enough because it only blocks cross-site requests from the largest known social networks and advertisers. To prevent all cross-site requests you can install the Request Policy plugin. This plugin does, however, break most websites but if you are willing to make the effort to configure it properly for the websites that you visit often it will greatly increase your privacy and security.

Install the HTTPS everywhere browser plugin

The HTTPS Everywhere browser plugin maximises your use of encrypted HTTPS connections by rewriting requests so that your browser uses an encrypted connection to a web server whenever one is available. The EFF retired the extension in 2023 because current versions of Firefox and Chrome include a built-in HTTPS-only mode that does the same job; turn that on instead if your browser offers it.

HTTPS Everywhere is found at https://www.eff.org/https-everywhere

Use a search engine that does not track you

The major search engines, Google, Yahoo and Bing, record each query entered along with the links followed. Combined with your computer's IP address and any cookie the search engine has set, this lets them build a database of your interests, browsing habits and approximate location. That database is then used by the companies and their partners to increase their own revenue by serving you personalised, targeted adverts.

Your search results can contain very personal and intimate details about you as highlighted in the released AOL database of user searches, and will likely contain personally identifiable information.

To prevent a company from building up a detailed database like this, avoid search engines whose business depends on profiling their users, and instead use an alternative search engine which takes its users' privacy seriously. Two search engines to consider are:

I personally use startpage.com because it provides search results as if you are using Google. When you search with Startpage the web results are generated by Google and not by Startpage itself. Startpage takes your search query and sends it to Google without providing Google with any identifying information about you. Startpage then delivers the Google search results to you. Startpage does not collect or store any personal information, including your IP address, and has been awarded the European Privacy Seal.

Set Startpage as your homepage, add Startpage search to your browser, and configure your internet browser so you can search Startpage from your URL bar.

Other privacy improvements to consider

There are many other methods that can be considered to improve privacy and security online, but each of these topics would require a separate guide on their own. These include:

  • turning off your internet browser's referrers, so websites are not sent information about the links you followed to arrive on their page; I have, however, found that this breaks some websites which require a login;
  • increasing the strength and uniqueness of your online passwords;
  • using services to hide your IP address, such as through a virtual private network (VPN) or Tor (the Onion Router);
  • taking steps to change and protect your internet browsers fingerprint;
  • installing browser plugins to prevent websites from loading java script; this has the benefit of increasing both privacy as well as security; and
  • encrypting emails.

Farewell to Facebook

I no longer have a Facebook account. I started my account in 2008, and gathered friends both old and new, but I found myself slowly neglecting the account more and more as time moved on.

I finally decided to close my Facebook account so it doesn't contribute to the database linkage accumulation slowdown "which is a major looming problem for web infrastructure and definitely not a thing I just made up".

Free Software and its Security Advantages

Everyone loves free software, but not all free software is Free. With software there is a substantial difference between “free”, “Free”, and “open source”.

As an end user Free Software can in some cases offer advantages over closed and proprietary software, especially in the case of software which is relied on for security.

The definition of “free”

The Free Software Foundation defines Free Software as “software that respects users’ freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.”

Free Software is not about price, but about protecting users freedom to use, modify and distribute software. The four fundamental freedoms that are applicable to Free Software are:

  • The freedom to run the program, for any purpose (freedom 0). Does the software do what it purports to do? Does the software only do what it purports to do, free from any nefarious other uses or intentional back doors that are unknown to you? Is the software secure from attackers?
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1);
  • The freedom to redistribute copies so you can help your neighbour (freedom 2);
  • The freedom to distribute copies of your modified versions to others (freedom 3). Access to the source code of the software is a precondition for the practical exercise of these freedoms. This access is the largest difference between proprietary software and Free Software.

Free Software, and its accompanying freedoms, should not be equated or confused with software that does not have a price; it is possible for a company to charge a price for Free Software, just as it is possible for a company to give away its own proprietary software at no cost. Also, just because software is Free, does not necessarily mean it is not subject to copyright; one method used to protect Free Software is to make it subject to a “copyleft” license, such as the GNU GPL License, which requires modifications to the software to be distributed under the same license, preventing persons from modifying Free Software and re-releasing it as proprietary code.

Free Software is about liberty, not price. As the FSF puts it, “[t]o understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.”

The term “open source software” is often incorrectly used interchangeably with the term “Free Software”. With open source software you can usually view and modify source code, but open source software does not necessarily grant all the freedoms associated with Free Software.

Security advantages offered by free software

When selecting a software to use there are often various programs available, some proprietary and others Free Software. When using any software it is essential to be able to ensure that:

  • the software indeed does what it says it does;
  • the software does not do anything malicious or contain “back doors”; and
  • the software does not contain any exploitable bugs or security flaws.

These concerns are amplified if the software is being used to perform a critical function, to protect systems, or to store and safeguard confidential information.

Proprietary software is developed in a closed fashion by a limited development team. Outsiders generally have neither the right nor the ability to examine the source code. This means that you are putting your trust in the software's development team, and trust can be placed in the wrong people.

How certain can you be that your encryption software does indeed encrypt your data using the algorithm that it says it does? Does the encryption program implement the algorithm correctly? Does your software phone home or otherwise send requests or information to an unknown server? Does your software contain intentional back doors to allow third parties or law enforcement to circumvent security? Is your software free from security vulnerabilities that can be exploited?

These concerns are addressed by Free Software.

First, with Free Software you can verify that the software does what it purports to do. The source code is available and users are able to examine exactly what the software does and how it aims to do it. Note that this only holds for the binary you actually run if you build it from the inspected source yourself or the project offers reproducible builds that let you confirm a downloaded binary matches the published source.

Secondly, because users are able to examine the source code, any intentional back doors built into the software are more easily discerned and anything malicious in the software can be identified.

Thirdly, serious security flaws can be quickly identified and addressed. Linus's Law, coined by Eric Raymond and named in honour of Linus Torvalds, states that "given enough eyeballs, all bugs are shallow". Free Software is often developed by very large groups of people; for example the latest Linux kernel development report states that more than ten thousand people have contributed to the Free operating system. Arguably the large number of people actively combing through, improving and adding to the source code weed out many of the exploitable bugs and security flaws, although this only holds for code that people actually review, not merely code that is available.

Some opponents of Free Software argue that having code open for inspection makes software less secure, because it lets people study the code to find and exploit flaws. This is an argument for "security through obscurity", the position that a security flaw in code is acceptable as long as it is hidden and nobody can easily see it. Security through obscurity is never a sound basis for security, as it rests on the premise that attackers are not looking for the vulnerabilities that exist in the proprietary software, when attackers routinely find flaws in closed binaries without any source at all.

Unfortunately no software can ever provide a guarantee that it is one hundred percent secure, but it should not be necessary to place your trust in a group of developers who may not have your best interests in mind. With Free Software you don’t have to trust so blindly.

Edit: A fascinating perspective on the topic of trusting code is given in Ken Thompson's Turing Award lecture "Reflections on Trusting Trust", whose abstract asks: "To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software."

“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect …”

Ken Thompson, Communications of the ACM, August 1984 Volume 27 Number 8.
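The attack Thompson describes is easier to grasp when it is run. What follows is an added illustration, not code from this page or from Thompson's paper: a toy “compiler” in Python that merely executes source text, and a trojan that recognises a login program (by the constructed function name check_password) and the compiler itself (by its exec line). The sample login program, the clean compiler source, the master password “letmein” and all function names are assumptions made for this example.

```python
"""Toy model of Thompson's "Trusting Trust" compiler attack (added example).

A "compiler" here is a function compile(src) that turns Python source text
into a namespace of runnable definitions (via exec).  The trojan recognises
two kinds of input:
  1. a login program -> it adds a master password;
  2. a compiler      -> it re-inserts itself into the output, so a compiler
                        built from clean source is still trojaned.
All program names and sample sources below are constructed for this example.
"""

# Constructed target: a login program.  The trojan keys on the function name
# check_password (an assumption of this toy, not something from the paper).
LOGIN_SRC = '''
USERS = {"alice": "correct horse"}

def check_password(user, password):
    return USERS.get(user) == password
'''

# Constructed target: an honest compiler.  Its source contains no backdoor.
CLEAN_COMPILER_SRC = '''
def compile(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The trojan, kept as text so that it can reproduce itself (a quine trick):
# before injection the marker "@@" is replaced with the repr of this text,
# so the injected copy carries its own source in TEMPLATE.
TROJAN_TEMPLATE = r'''
def trojan(src):
    # Hack 1: any login program also accepts the master password "letmein".
    if "def check_password(" in src:
        src += (
            "\n_honest_check = check_password\n"
            "def check_password(user, password):\n"
            "    return password == 'letmein' or _honest_check(user, password)\n"
        )
    # Hack 2: any compiler gets this trojan compiled in, even from clean source.
    if "def compile(" in src and "exec(src, ns)" in src:
        src = (TEMPLATE.replace("@" + "@", repr(TEMPLATE))
               + src.replace("exec(src, ns)", "exec(trojan(src), ns)"))
    return src
TEMPLATE = @@
'''


def honest_compiler():
    """Build a compiler directly from the clean source, with no trojan anywhere."""
    ns = {}
    exec(CLEAN_COMPILER_SRC, ns)
    return ns["compile"]


def bootstrap_trojaned_compiler():
    """Stage 0: the attacker compiles the trojan into the compiler "binary" once."""
    ns = {}
    exec(TROJAN_TEMPLATE.replace("@" + "@", repr(TROJAN_TEMPLATE)), ns)
    out = {}
    exec(ns["trojan"](CLEAN_COMPILER_SRC), out)   # trojaned compiler "binary"
    return out["compile"]


def rebuild(compiler):
    """Rebuild the compiler from its *clean* source using an existing compiler.

    This is the step where the attacker removes the hack from the source tree;
    a trojaned compiler re-inserts it anyway.
    """
    return compiler(CLEAN_COMPILER_SRC)["compile"]


def build_login(compiler):
    """Compile the login program and return its check_password function."""
    return compiler(LOGIN_SRC)["check_password"]


def source_is_clean():
    """Source-level review finds nothing: the master password is in no source."""
    return "letmein" not in CLEAN_COMPILER_SRC and "letmein" not in LOGIN_SRC


if __name__ == "__main__":
    honest_login = build_login(honest_compiler())
    print("honest compiler accepts master password:", honest_login("alice", "letmein"))

    compiler = bootstrap_trojaned_compiler()
    for _ in range(3):            # three generations rebuilt from clean source
        compiler = rebuild(compiler)
    trojaned_login = build_login(compiler)
    print("trojaned lineage accepts master password:", trojaned_login("alice", "letmein"))
    print("sources look clean:", source_is_clean())
```

The point of the exercise is the second hack: once the trojan has been compiled in a single time, every later compiler built from the clean source by that lineage inherits it, so reading CLEAN_COMPILER_SRC and LOGIN_SRC tells the reviewer nothing. The practical defence is not source review but an independent bootstrap, for instance compiling the same compiler source with a second, unrelated compiler and comparing the outputs (Wheeler's diverse double-compiling).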

How Existing Human Rights Law Applies to Modern Digital Surveillance

A group of privacy organizations and advocates from around the world have adopted and released a document entitled “International Principles on the Application of Human Rights to Communications Surveillance”.

The document sets out how existing international human rights law applies in the digital environment and details thirteen principles to which any government must adhere in order to comply with current international law.

Importantly, the document addresses the distinction between collection of the content of a communication and collection of the “communications metadata”, and concludes that the distinction between the two is no longer appropriate: metadata and other non-content data deserve equal protection because they may reveal even more about an individual than the content of the communication itself.

The thirteen principles outlined in the document, each grounded in current international law, are summarized below.

Legality

Any limitation of the right to privacy must be prescribed by a publicly available legislative act, and be subject to periodic review.

Legitimate aim

Laws should only permit surveillance by specified state authorities.

Any surveillance must be conducted to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.

Necessity

Surveillance should not be widespread, but must be restricted to what is necessary to achieve the legitimate aim.

Surveillance should only be conducted when it is the only method of achieving the legitimate aim, or is the method least likely to infringe the person's human rights.

Adequacy

The surveillance must be capable of fulfilling the legitimate aim.

Proportionality

Before any state engages in surveillance for the purposes of a criminal investigation it must establish before an independent court that:

  • there is a high degree of probability that a serious crime has been or will be committed;
  • evidence of that crime will be obtained by the surveillance;
  • other less invasive techniques have been exhausted;
  • the information gathered will be limited to that which is relevant to the alleged crime; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

If the surveillance will not put the person at risk of criminal prosecution the state must establish before an independent court that:

  • less invasive investigative techniques have been considered;
  • the information accessed will be confined to what is reasonably relevant and any excess information will be destroyed or returned; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

Competent judicial authority

All determinations relating to surveillance should be made by a competent, impartial and independent court which is separate from the authority conducting the surveillance.

Due process

In the determination of human rights everyone is entitled to a fair and public hearing. The mere risk of flight or destruction of evidence shall never be considered sufficient to justify retroactive authorization.

User Notification

Users must be notified of a decision authorizing surveillance, with enough time and information to enable them to appeal the decision. Delay in notification is justifiable only if:

  • notification would seriously jeopardize the purpose of the surveillance; or
  • authorization to delay is granted by the judicial authority; and
  • the individual is notified as soon as the risk is lifted, or within a reasonably practical time period.

Transparency

States must be transparent about the use and scope of surveillance techniques used. States should publish transparency reports detailing the type and nature of surveillance, including the number of surveillance requests approved or rejected, in order for individuals to fully comprehend the scope, nature and application of the laws permitting surveillance.

Public oversight

Independent oversight mechanisms, which have access to all potentially relevant state information including secret and classified information, must be established to ensure that the state is acting within its lawful authority.

Integrity of communications and systems

States should not compel service providers or hardware or software vendors to build surveillance capabilities into their systems. A capability built in for the state weakens the system for everyone: the same access path that serves the state is available to any unauthorized third party who finds it.

Service providers should not be compelled to collect information purely for state surveillance purposes.

Individuals have the right to express themselves anonymously, and states should not require service providers to identify their users as a precondition for providing services.

Safeguards for international cooperation

When concluding multinational mutual legal assistance treaties, states must ensure that where the laws of more than one state apply to the communication, the law which provides the greatest protection to the individual is applied. This prevents states from circumventing their own domestic legal restrictions.

Safeguards against illegitimate access

Legislation criminalizing illegal surveillance by public and private persons, and providing for significant criminal and civil penalties if contravened, must be enacted.

Legal protection must be provided to whistleblowers.

Information obtained in contravention of the principles must be inadmissible as evidence in any proceedings.

Private Companies, Share Transactions and Regulated Affected Transactions

Are you unknowingly a director or shareholder of a regulated private company? If so, what effect does this have on transactions involving the company’s shares?

The Companies Act, No 71 of 2008 (the new Companies Act) expanded the circumstances in which a private company may be regarded as a regulated company, having the effect that certain provisions of the new Companies Act and the takeover regulations, which would otherwise not be applicable to a private company, are unknowingly applicable to numerous private companies in South Africa. The application of these provisions may have adverse and unforeseen consequences in transactions involving the company’s shares.

In short, a shareholder increasing their shareholding in a regulated company is required to notify the company with each multiple of five percent of the shareholding that it acquires, is required to make a mandatory offer to purchase all remaining shares once its shareholding crosses the prescribed threshold, and may acquire the right to force minorities to sell their shares.

Having a share transaction reversed because the regulatory procedure was not followed, being unknowingly obliged to make a mandatory offer to all shareholders to acquire their shares, or unknowingly becoming a minority shareholder who can be squeezed out of a company, are situations which shareholders may best be advised to avoid. These risks can be amplified in long term share acquisition transactions, such as joint ventures which make use of shareholder earn-in provisions.

Regulated private companies in terms of the Companies Act

A private company becomes a regulated company in terms of the new Companies Act if the company expressly elects to be regarded as a regulated company in the company’s memorandum of incorporation, alternatively, if more than ten percent of the company’s issued securities have been transferred within the previous twenty four months other than by transfer between related or inter related persons.

Therefore, where share transactions have taken place within the previous twenty four months, a private company may potentially be classified as a regulated company. Once it is regarded as a regulated company the takeover regulations become applicable and the Takeover Regulation Panel (TRP) becomes responsible for regulating all affected transactions, including any offer to enter into an affected transaction.

Share transactions as affected transactions

The definition of affected transactions, insofar as it relates to share transactions, includes: compulsory disclosures on the acquisition of shares amounting to five percent, ten percent, fifteen percent or any further multiple of five percent of the company's issued shares; mandatory offers, requiring any shareholder who acquires enough shares to take its shareholding to thirty five percent or more of the shares in the company to make an offer to the remaining shareholders to purchase their shares; and the compulsory acquisition and squeeze-out of minority shareholders.

Affected transactions are further governed by the takeover regulations and regulated by the TRP, meaning that the parties cannot give effect to the share transaction unless the procedures set out in the takeover regulations have been complied with and the TRP has either issued a compliance certificate or granted an exemption for the transaction.

The compulsory disclosure provisions apply to any person who sells or purchases shares in a regulated company and as a result of that acquisition the person holds a beneficial interest amounting to five percent, ten percent, fifteen percent or any further multiple of five percent. The seller or purchaser must notify the company within three business days after the disposal or acquisition of the shares. Once the company has received the disclosure notice the company must file the notice with the TRP.

In addition to the compulsory disclosures, a fundamental provision of the new Companies Act is the requirement of a mandatory offer to all shareholders to acquire their shares if a person acquires shares in a regulated company and, as a result of that acquisition, the person's shareholding increases from less than thirty five percent to thirty five percent or more.

Once this threshold is reached the shareholder is required to give notice to the remaining shareholders offering to acquire any remaining shares and must comply with the takeover regulations.

The mandatory offer provisions are designed to protect minority shareholders, however, the squeeze out provisions may work to the detriment of minority shareholders.

In terms of the squeeze out provisions, minorities holding less than ten percent of the issued share capital of a company may be forced to sell their shareholding, or be “squeezed out”, where an offer for the acquisition of the entire class of shares of a regulated company has been made and that offer has been accepted by holders of at least ninety percent of that class of securities.

These provisions allow an offeror to acquire the shares of a minority holding less than ten percent of the issued share capital on the same terms and conditions as the shareholders who had accepted the original offer.

A word of caution in share transactions involving private companies

Before shares in a private company are sold or purchased it is imperative to determine whether the company has elected to be a regulated company in its memorandum of incorporation and whether more than ten percent of its shares have been transferred in the previous twenty four months. If either is the case, the company may be classified as a regulated company, requiring compulsory disclosures to be made with each five percent of the shares acquired and, once the threshold of thirty five percent shareholding is reached, a mandatory offer to acquire the remaining shares.

Caution must be taken to ensure that share transactions are structured in such a way to account for the company being classified as a regulated company.

In long term share acquisition transactions, such as joint ventures which make use of shareholder earn-in provisions, care must be taken in the drafting of the applicable contracts, and the transaction should be structured to ensure that the intentions of the parties are not eroded should the company become a regulated company after the conclusion of the contracts, that the rights of the acquiring shareholder are protected with each share tranche acquired, and that the rights of minorities which may hold less than ten percent of the shares after implementation of the transaction are likewise protected.

Notes on the Jurisdiction of UK Courts under the Brussels I Regulation

Note: Much of what is laid out below has been superseded by later events. In particular:

  • the Brussels I Regulation (44/2001) has been replaced (recast) by Regulation 1215/2012, which applies to proceedings instituted on or after 10 January 2015;
  • the interpretation of article 60, and the meaning of “central administration”, was directly considered in subsequent cases, including:
    • Young v Anglo American South Africa Limited and Others [2014] EWCA Civ 1130; and
    • Vava and Others v Anglo American South Africa Limited and Others  [2013] EWHC 2131 (QB).

I’m leaving the rest of this note as is, as a summary of some of the applicable cases leading up to these developments.


When will a court in the United Kingdom hear a case where the action or liability didn’t arise in the UK?

The issue of jurisdiction is largely determined by Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (“Brussels I”).

Jurisdiction as Determined in terms of the Brussels I Regulation

The scope of Brussels I is largely defined in articles 1, 2, 3 and 4, as read with article 59 and 60.

Article 1 of the regulation states:

1) This regulation shall apply in all civil and commercial matters whatever the nature of the court or tribunal.  It shall not extend, in particular, to revenue, customs or administrative matters.

2) The regulation shall not apply to:

a) the status or legal capacity of natural persons, rights in property arising out of a matrimonial relationship, wills and succession;

b) bankruptcy, proceedings relating to the winding up of insolvent companies or other legal persons, judicial arrangements, compositions and analogous proceedings;

c) social security;

d) arbitration.

To determine if a court has jurisdiction over a foreign (peregrinus) company, article 2 and article 60 must be applied. These articles read:

2.1   Subject to this Regulation, persons domiciled in a Member State shall, whatever their nationality, be sued in the courts of that Member State.

2.2   Persons who are not nationals of the Member State in which they are domiciled shall be governed by the rules of jurisdiction applicable to nationals of that State.

60.1   For the purposes of this regulation, a company… is domiciled at the place where it has its:

a) statutory seat; or

b) central administration; or

c) principal place of business …

In terms of these provisions, the decisive consideration regarding jurisdiction in the courts of an EU member state, such as the UK, is whether the defendant is domiciled in that member state, irrespective of the nationality of the parties to the lawsuit and irrespective of the domicile of the plaintiff.

It is therefore critical to determine the legal definition of “domicile” as interpreted by the UK Courts.

Definition of “central administration” and “principal place of business”

A UK court will have jurisdiction over a company if it is domiciled in the UK, that is, if the company has its statutory seat, central administration or principal place of business in the UK.

The definitions of central administration and principal place of business have received considerable judicial consideration within the UK, and are best illustrated with reference to some of the applicable decisions.

The Rewia decision

In The Rewia [1991] 2 Lloyd's Rep 325 (“Rewia”) the court considered the meaning of the term “the principal place of business” of a corporation. The defendant contested jurisdiction and argued that it was domiciled in Germany and not in the UK.

It was common cause that the defendant was domiciled in West Germany because the company’s central management and control existed there.  The court a quo came to that conclusion, which was not subject to appeal, on account of the following facts:

  • all the directors were German and resident in West Germany;
  • the shares in the Defendant were all beneficially owned or controlled by German companies;
  • major policy decisions were made in Germany;
  • meetings of the directors were held in Germany; and
  • the management agreement concluded between the defendant and the managing company of the vessel, which operated from Hong Kong, reserved major policy decisions for the board of directors of the defendant.

A matter to be decided on appeal was the location of the defendant's principal place of business and, in particular, whether the principal place of business was located in Hong Kong, where the management company carried out the day-to-day management, or in West Germany.

Leggatt LJ cited various precedents with approval. The decision in De Beers Consolidated Mines Limited v Howe [1906] AC 455 stated that “while it is accepted that for the purposes of income tax a company resides where its real business is carried on, the true rule would be where the central management and control of the company actually abides”.

In Daimler Co. v Continental Tyre and Rubber (Great Britain) [1916] 2 AC 307, it was held that the test of residence was “the place where the real business centre from which the governing and directing minds of the company operated, regulating and controlling its important affairs”.

Similarly, in The Polzeath [1916] P 241 the court had to decide whether a company's principal place of business was in the UK. The court considered the shareholding and directors of the company, the company's financial control and banking, the chartering and insurance of the vessel, and the day-to-day management of the company, all of which were conducted in England. The court nevertheless held that the control and management of the company was in Hamburg. It was held:

…in considering what is the principal place of business of the company, one has to consider the centre from which instructions are given, and from which control is exercised on behalf of the company over the employees of the business of the company, and where control is exercised, and the centre from which the company is managed without any further control, except such control as every company or the directors of the company which they represent, the shareholders of the company in general meetings.

The court held that irrespective of the fact that the manager had exercised full control over the day to day management of the company, he had always acted under the direction of the company chairman located in Hamburg.

In determining the principal place of business in the Rewia case, the court stated that “principal” in this context does not mean “main”; it means “chief” or “most important”. The principal place of business is not necessarily the place where most of the business is carried out. It was stated:

… the principal place of business was not necessarily the place where most of the business was carried out; there was nothing uncommercial or inapposite about the conclusion that the principal place of business was in Hamburg or the company registered in Liberia owning a ship, the means of which will ultimately be remitted to Germany, and about which the most important decisions would be taken in Germany; although in practice, [the management company] had a free hand in the day to day management of the vessel from Hong Kong. All that they did was subject to the control of the directors in Hamburg; that was the centre from which instructions were given when necessary and ultimate control exercised; the reference to “principal place” did not require identification of a particular building…

Douglas King v Crown Energy Trading A.G

In Douglas King v Crown Energy Trading A.G. and Another [2003] EWHC 163 (Comm) (“Crown Energy”) the court considered the definitions of both “central administration” and “principal place of business”.

The company had two offices, in London and Zug. The court considered various factors to determine where the company's place of central administration and principal place of business were. These included the size of the London office, which was larger than any of the other offices operated by the company, and the fact that the principal executives and all operational staff were employed in London, including the chairman, chief executive officer, chief operating officer and the head of each of the firm's main departments.

The court did not place any emphasis on the location at which the board members met or where resolutions were tabled and passed when determining the location of the company's central administration or principal place of business. The court held that:

Administration is clearly an aspect of the conduct of business. Administration ensures that all runs smoothly; moneys are got in, debts are paid, leases and transport are arranged, personnel are looked after. But what of central administration?…The larger the organisation, the easier it should be to discern a division of responsibilities. The location of the company's secretary's office in a major organisation might provide a good clue…I think that in this case a simple listing of those with important responsibilities…will be enough to show where the central administration is to be found.  Also it seems to me that the same approach shows where one may find the company's principal place of business.

Based on the fact that ultimate control rested with the board members located in the company's London office, the court held that the central administration and principal place of business were located in London, and that the court therefore had jurisdiction.

Ministry of Defence and Support of the Armed Forces for the Islamic Republic of Iran v Faz Aviation Limited

In Ministry of Defence and Support of the Armed Forces for the Islamic Republic of Iran v Faz Aviation Limited [2007] EWHC 1042 (Comm) (“Faz”) the court considered the meaning of “the principal place of business” of a company.

The court applied the judgment of the Rewia case, and stated that the Rewia decision supports a number of obvious propositions, namely:

(i)   the central administration and principal place of business of a company may be, and I would add, frequently will be, in the same country;

(ii) the focus, in matters of jurisdiction, is on the country rather than any one particular location;

(iii) the principal place of business (if there is one) is likely to be the place where the corporate authority is to be found (shareholders and directors), and it is to be the place where the company is controlled and managed;

(iv) the place where the day to day activities of the company are carried out may not be the principal place of business if those activities are subject to the control of senior management located elsewhere.

The company gave evidence that it had at all times been emphasised that, for UK tax reasons, all decisions relating to its business must be taken outside the UK. Evidence was also presented that all decisions taken by Faz were made under the direct supervision and with the express authority of a certain shareholder located in Cyprus.

The court held that notwithstanding that the day to day management of the company was conducted in England, in a real sense the business of the company was controlled largely from Cyprus.

Further, the court held, based on facts and evidence, that no business was administered from London. The court therefore held that the court did not have jurisdiction in the matter.

Alberta Inc v Katanga Mining Limited

In Alberta Inc v Katanga Mining Limited [2008] EWHC 2679 (Comm) the court considered the definition of “central administration”.

The company was incorporated in Bermuda and resident in Canada for tax purposes.  The company had ten directors, three based in London. The key decision making for the company’s business took place by way of board meetings which were held predominantly in Canada with only two of the thirty two board meetings taking place within England.

The company also had a UK service company that provided consultancy services to the entire group, which included not only the company but also the mining operations carried on by its subsidiaries in the Democratic Republic of Congo (“DRC”).

The court held that the central administration of the company was located within England and that the court held jurisdiction. The court stated:

Whilst it can plausibly be said that [the Defendant] has a real connection with Canada, to my mind the connection with England is much more real. It is where the entirety of the administration takes place and where all known management resides – the sole executive director, the president, the chief executive officer, the senior vice president and the chief financial officer, albeit that it is only two people. London must be the centre from which management instructions are given when necessary. Whilst key decisions may be made in board meetings, co-ordinated from Canada and sometimes taking place in Canada, everyone active on [the Defendant's] behalf operates in London.

Central administration and principal place of business may well and will frequently be found in the same country… but that is not always so. Although I am not attracted to it, there may be a case for saying that the principal place of business is here in Canada because that is where the corporate authority ultimately resides, even if only for the most part by reason of a conference call being facilitated through a Canadian telephone connection. I cannot, however, conclude that central administration is to be found in Canada. No administration is found in Canada, and it is not shown that the day to day activities in London are subject to the control of senior management located elsewhere…One approach to central administration in the Regulation may be to examine where those who have the serious responsibilities in the company have their place of work, and this may also indicate the principal place of business. I agree that this is a helpful approach…I find that the central administration is here in London. I do not need to decide where is the principal place of business…

Distinction Between “central administration” and “principal place of business”

A company's principal place of business is found at the location where instructions to the company are given and where ultimate control of the business is exercised, without any further control. Emphasis is placed on the persons or entities controlling the affairs of the company, which may include shareholders, and not on the location where the board of directors is based, where board decisions are formally taken, or where the day to day activities and/or management of the company occur.

The place where the board of directors resides, and/or holds office will be considered when determining the location of a company’s central administration.

It can therefore be said that the principal place of business of a company is the location from which the company is controlled and policy decided, while central administration is the location from which the policy is executed.

Shadow directors, and “control” of a company

If it is found that a peregrinus company is controlled from the UK, the UK courts will have jurisdiction over a matter instituted against it.

To determine ultimate control of a company, and where such control vests, it is useful to examine “directors” as well as “shadow directors” under UK law and under the South African position. While these definitions and provisions may not be the only way of determining control within a company, they serve a useful purpose for this discussion, because the presence in the UK of a shadow director who has control over a peregrinus company would mean that the UK courts may have jurisdiction.

A shadow director is defined in section 251(1) of the UK Companies Act, 2006 (“UK Companies Act”) as “a person in accordance with whose directions or instructions the directors of [a] company are accustomed to act”.

Section 251(2) states that “a person shall not be considered a shadow director by reason only that the directors act on advice given by him in a professional capacity.”

Further, section 251(3) provides that, for the purposes of the general duties of directors, transactions requiring members' approval and contracts with a sole member who is also a director, a body corporate is not regarded as a shadow director of its subsidiary merely because the subsidiary's directors are accustomed to act in accordance with its directions or instructions.

The pre-eminent English case on shadow directors is Secretary of State for Trade and Industry v Deverell [2001] Ch 340. Morritt LJ provides a comprehensive explanation of the requirements for a shadow director:

  • the purpose of the legislation is to identify those, other than professional advisors, with real influence in the corporate affairs of the company;
  • it is not necessary that such influence should be exercised over the whole field of the company’s corporate activities;
  • the concepts of “direction” and “instruction” do not exclude the concept of “advice” for all three share the common feature of “guidance”;
  • it is not necessary to show that in the face of “directions” or “instructions” from the alleged shadow director that the directors cast themselves in a sub-servient role or surrendered their discretion, it is only necessary to prove that the communication was given and that the directors were accustomed to act on such directions; there must be a pattern of compliance;
  • instructions need not extend over all or most of the corporate activities of the company, nor is it necessary to demonstrate a degree of compulsion in excess of that implicit in the fact that the board are accustomed to act in accordance with them.

Morritt LJ adds that the director need not lurk in the shadows and can openly direct the company. An example which Morritt LJ believes is likely to qualify as a shadow director is:

a person resident abroad who owns all the shares in the company but chooses to operate it through a local board of directors. From time to time, the owner to the knowledge of all to whom it may be of concern, gives directions to the local board what to do but takes no part in the management of the company himself.

The South African Companies Act, No 71 of 2008 (“SA Companies Act”) does not include a definition of “shadow director”. It has, however, been submitted that the definition of a director in section 1 of the SA Companies Act is wide enough to include shadow directors, because the definition is not limited to persons who are formally appointed as directors. The wide, open-ended definition ensures that most persons who have control over the management of a company fall within its ambit.

Although the South African legislation does not expressly address the position of shadow directors, the principle has been addressed judicially. In Robinson v Randfontein Estates Gold Mining Co Ltd 1921 AD 168, the court had to decide a matter in which the directors of a subsidiary company were accustomed to act in accordance with the wishes of the chairman of the holding company.

In this case, the directors of the subsidiary company administered the separate mining activities of the subsidiary companies. The directors denied the allegation that they did not use their own discretion, claiming that only matters of finance and policy were dictated by Robinson, the chairman of the holding company. The directors testified that they left all decisions on policy and finances to Robinson because he was a respected businessman and they trusted his judgment.

The court did not decide the matter on the basis that Robinson was a shadow director, but found that Robinson had an implied mandate, alternatively that he had put himself in a position of trust and owed the same fiduciary duties as a director towards the subsidiary companies. It has been stated that the decision in the Robinson case is authority that South African law recognises shadow directors, and that shadow directors owe the company the same fiduciary duties as any other director.

With regard to the holding company and subsidiary company relationship, it has been held in terms of UK law in Re Hydrodam (Corby) Limited [1994] 2 BCLC 180 (ChD) that a holding company can be a shadow director of its subsidiaries, but only if it acts outside the scope of the activities of a shareholder.

Therefore, where the directors of a holding company, or the holding company itself, take part in the activities of a subsidiary company outside of general meetings of shareholders, the holding company, or the directors of the holding company, may be found to be shadow directors of the subsidiary company.

The Companies Act 2008 and Pre-Existing Shareholders Agreements

On 1 May 2013, will your company’s shareholders agreement still be worth the paper it is written on? After this date, most of what is contained in current shareholders agreements could automatically be rendered void.

This is an important corporate law consideration which must be addressed by all South African companies and their shareholders which rely on shareholders agreements concluded prior to the commencement of the Companies Act, No 71 of 2008 (the new Companies Act).

Historical use of shareholders agreements

In terms of the previous Companies Act, No 61 of 1973 (old Companies Act) a company’s constitutional documents consisted of its memorandum of association and articles of association. In addition to these statutory documents, shareholders often concluded an additional shareholders agreement to regulate the internal affairs of the company.

A shareholders agreement typically provided that in the event of any conflict between the company’s articles of association and the shareholders agreement, the shareholders agreement would be the document that takes precedence. Shareholders therefore regularly used shareholders agreements to regulate important aspects of the company without the need to amend its articles of association and, by doing so, make the provisions public.

Shareholders agreements under the new Companies Act

The new Companies Act has, however, dramatically changed the possible scope and effectiveness of not only the new shareholders agreements concluded in terms of the new Companies Act, but also shareholders agreements which were concluded prior to the new Companies Act’s commencement date on 1 May 2011.

In terms of the new Companies Act, all shareholders agreements must be consistent not only with the provisions of the act itself, but also with the company’s constitutional document, namely the memorandum of incorporation. Should there be any inconsistency between the shareholders agreement and a provision of the new Companies Act or the memorandum of incorporation, the provision contained within the shareholders agreement shall be void.

A provision in a shareholders agreement which provides that the shareholders agreement will take precedence over the act or memorandum of incorporation shall itself be void and shall not provide any assistance to the shareholders.

Transitional period

Companies which were incorporated under the old Companies Act and which had pre-existing shareholders agreements are, however, provided with a two-year transitional period which ends on 30 April 2013.

During the transitional period, pre-existing companies may update their constitutional documents to comply with the provisions of the new Companies Act, and during such time should a shareholders agreement conflict with the provisions of the new Companies Act, or the company’s articles of association, the provisions of the shareholders agreement shall take precedence.

On 1 May 2013, any provision in a pre-existing shareholders agreement which directly conflicts with the new Companies Act or the company’s memorandum of incorporation will be void.

A company which takes no steps to align its current articles of association and shareholders agreement with the provisions of the new Companies Act may find itself in a situation where most, if not all, provisions contained within the shareholders agreement are void because they conflict with the company’s articles of association, which are automatically deemed to be its new memorandum of incorporation for the purposes of the new Companies Act.

Important provisions ordinarily contained within a shareholders agreement which may be void include provisions restricting or allowing the alteration or conversion of share capital, provisions regulating company meetings, provisions granting minority shareholders or specified shareholders the right to appoint directors to the company’s board, minority protection provisions (including provisions which limit the board of directors’ powers), and provisions regulating borrowing powers and the determination and payment of dividends to shareholders.

Where to from here?

What can be done to ensure that essential provisions contained within a shareholders’ agreement are not rendered void?

It will be necessary to determine where conflicts currently exist between the new Companies Act, articles of association and shareholders agreement. Once conflicts have been identified, it will be necessary to determine which matters are now classified as alterable or non-alterable provisions in terms of the Companies Act.

Should any of these matters be classified as alterable or non-alterable provisions within the new Companies Act, it will not be possible for the shareholders to regulate these matters in a shareholders agreement, as non-alterable provisions cannot be altered at all, and alterable provisions can only be altered in the company’s memorandum of incorporation and not in a shareholders agreement.

Once this analysis has been done it will then be necessary to update the company’s memorandum of incorporation to deal with all alterable provisions which can only be altered in the memorandum of incorporation, and then draft an amended shareholders agreement relating to the remaining company matters.