In April 2023, the Supreme Court of Appeal (“SCA”) handed down judgment in the case of Giftwrap Trading (Pty) Ltd v Vodacom (Pty) Ltd and Others[1] (Vodacom). The case set a consequential precedent for data privacy law but may also have the effect of stifling the ability of potential litigants to obtain information from internet and cellular service providers necessary to institute legal proceedings against third-party wrongdoers.

The case involved a company, Giftwrap, that had been the victim of ‘click fraud’: where a person or, more usually a bot, ‘clicks on’ an advertisement repeatedly with the intention of increasing the cost of that advertisement or limiting genuine access to the advertiser’s webpage. To identify the perpetrators of the fraud, Giftwrap required personal customer information pertaining to certain IP addresses that Giftwrap’s investigation had found to be involved in the fraud. Vodacom had a record of this information.

Giftwrap sought an order compelling Vodacom to hand over the customer information relating to those IP addresses, so that it could pursue legal proceedings against the third-party wrongdoers. In support of its application, Giftwrap initially relied on a previous judgment of the Johannesburg High Court, Nampak Glass (Pty) Ltd v Vodacom (Pty) Ltd & Others[2] (Nampak), in which the Court granted a similar application to compel cellular service providers to provide the applicant with third-party information necessary for the applicant to institute legal proceedings. The Court in Nampak had admitted that the application was “novel” but held that constitutional imperatives and the interests of justice required it to develop its own procedure to allow the applicant to obtain the information it needed from the service providers to seek legal redress against the third-party wrongdoers.

Giftwrap also placed reliance on section 42(1)(c) of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (“RICA”). As the name suggests, RICA regulates the interception of all “communications”, which is broadly defined to include essentially any form of communication (electronic or otherwise) between two or more persons.

In terms of sections 39 and 40 of RICA, internet and cellular service providers are required to obtain and keep certain personal information about their customers, such as their name, ID number and residential address. Section 42(1) however prohibits them from disclosing this information, except in certain limited circumstances:

  • “to any other person who of necessity requires it for the performance of his or her functions in terms of this Act;
  •  if he or she is a person who of necessity supplies it in the performance of his or her functions in terms of this Act;
  •  information which is required in terms of any law or as evidence in any court of law; or
  •  to any competent authority which requires it for the institution, or an investigation with a view to the institution, of any criminal proceedings or civil proceedings as contemplated in Chapter 5 or 6 of the Prevention of Organised Crime Act.” (Emphasis supplied).

Giftwrap argued that because it required the information held by Vodacom to institute legal proceedings against a third party, the information was therefore required as “evidence” in a “court of law” (for future legal proceedings) in terms of section 42(1)(c) and Vodacom was therefore obliged to provide Giftwrap with that information.

In dismissing Giftwrap’s application, the SCA overruled the Nampak decision, reasoning that the judgment was flawed since it failed to consider the limitations imposed by section 42(1) of RICA. In its interpretation of section 42(1)(c), a service provider could only be compelled to provide an applicant with customer information if legal proceedings had already been instituted and the information was required as evidence for trial. The SCA reasoned that information required “to investigate whether legal proceedings could be instituted” did not fall within the ambit of section 42(1)(c).[3]

The Court further reasoned that there were alternative remedies available to persons in the same position as Giftwrap, namely:

  • A preservation order in respect of the cellular service provider’s customer information pending the institution of legal proceedings in which it would be required as evidence; or
  • A criminal complaint, after which section 205 of the Criminal Procedure Act 51 of 1977 (“CPA”) or section 42(1)(d) of RICA may be used.[4]

The judgment can be lauded for strengthening consumers’ data privacy rights and for preventing possible “fishing expeditions” into personal consumer information by bad-faith actors. However, the Court’s decision places people such as Giftwrap – who have legitimate grievances that call out for justice to be done – in a helpless situation. A preservation order, as the SCA suggests, would do little to assist the applicant in identifying the wrongdoer against whom it intends to institute legal proceedings; the suggestion to refer the matter to the police also offers little comfort given its current backlogs, incapacities, and inefficiencies.

In Nampak, the Court considered the position of English law, where orders of the kind sought by Giftwrap have been recognized for over 50 years. However, given the SCA’s judgment, any legal development will have to be effected through Parliament, by means of an amendment to RICA.

The provisions of the Protection of Personal Information Act 4 of 2013 (“POPIA”) further limit the uses to which personal customer information held by internet and cellular service providers can be put, especially without the customer’s express consent. It is, however, unfortunate that the SCA did not consider the effect of section 11(1)(f) of POPIA, which allows, amongst others, internet and cellular service providers to use personal customer information if it is necessary “for pursuing the legitimate interests of […] a third party to whom the information is supplied”. This would seemingly allow persons such as Giftwrap to lawfully obtain the information required to pursue legal proceedings against a third-party wrongdoer. The SCA’s failure to consider section 11(1)(f) of POPIA and its interaction with section 42(1) of RICA is therefore unfortunate and creates some uncertainty in our data privacy law. The result is an unfavourable situation for victims of cyber fraud who require the information held by internet or cellular service providers to obtain legal redress.

If you have any queries regarding the recent Vodacom judgment and the effect it has on our data privacy laws, please give us a call and we will gladly assist you.

[1] (1009/2020) [2023] ZASCA 47 (4 April 2023).

[2] [2019] JOL 43631 (GJ).

[3] Supra note 1 at para 24.

[4] Ibid at para 26.