Information Technology & Cyber Law 

Business & Legal Documents

a) the consumer must return the performance of the supplier or, where applicable cease using the services performed; and
b) the supplier must refund all payments made by the consumer minus the direct cost of returning the goods.
Section 43 (5) states that the supplier must utilise a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.
In terms of section 43 (6) the supplier is liable for any damage suffered by a consumer due to a failure by the supplier to comply with subsection (5).
ECTA does not however deal with labour issues such as privacy of e-mails sent and received by an employee. This topic is dealt with by the controversial Regulation of Interception of Communications and Provision of Communication-Related Information Act No. 70 of 2002 (RICA), which came into operation in September 2005, and which states that on pain of a maximum fine of R2 million or imprisonment of a maximum period for 10 years, an electronic communication cannot be intercepted except in the following three circumstances: –
1. A party to the communication has consented to the other intercepting it;
2. The interceptor is a party to the communication;
3. A court order.
However, Section 6 of RICA provides that any person (including an employer) may in the course of carrying on any business intercept any indirect communication relating to that business if:
1. The interception is effected with the consent of the system controller; and
2. The telecommunication system concerned is provided for use in connection with that business; and
3. The system controller has made reasonable efforts to inform in advance the person concerned, that indirect communications may be intercepted with the express or implied consent of that person.
The interception may be made only for the purposes of:
1. Keeping a record for investigation of the unauthorised use of the system or to establish existing facts; or for
2. Monitoring indirect communications made to a confidential support service.
(Form 8.1 deals inter alia (amongst other things) with the interception of e-mails for employees and abuse by them of the internet.)
Section 51 of ECTA deals with the collection and dissemination of personal information of a data subject and provides that such information can only be collected with the written permission of the data subject. The data controller, i.e. the person or entity that electronically requests or collates the personal information must subscribe to all of the principles outlined in Section 51 if the parties enter into such an agreement. The rights and obligations of the parties are governed by the agreement entered into between them. However, Section 50 states it is not obligatory for the parties to have such an agreement. It follows that the provisions of Section 51 are not compulsory upon website operators. They are therefore of limited value. Whilst privacy rights of Europeans are protected in the EU Data Protection Directive and the privacy rights of the British by the Data Protection Act in the UK, the USA favours self-regulation of privacy rights in the Internet industry.
It is prudent that a website informs site visitors that it uses a cookie which is a potential invader of the privacy of a visitor to a website. A cookie is a computer storage data programme which enables a website server to record a visitor’s activities from the visitor’s computer hard drive. The information in the cookie is then available to the website server and is used by it to analyse the viewing habits of the visitor. The cookie facilitates interaction between the visitor and the server. It does not scan the visitor’s hard drive and extract such information as credit card details or passwords.
Rather it obtains such information as the visitor’s internet protocol (IP) address i.e. the website numerical address, his operating system, web pages visited on the site, length of visit, the expiry date of the cookie, the date when it was created and the visitor’s browsing habits. There are two types of cookies: Memory cookies and persistent cookies. The memory cookie exists only in the internet user’s computer memory and disappears when the user closes his web browser. The persistent cookie has an expiration date and is stored by the website server in the internet user’s hard disk without the latter’s consent until that date. Unless the website server links the visitor’s details with personal identifiable information, it is considered that monitoring website activity is not a violation of the visitor’s right to privacy, or at the most, not a serious violation. The website server will also fall foul of the unfair Business Practices Act 71 of 1988 if it uses persistent cookies to compile user preferences and combines such information with personal identifiable information such as a postal address or e-mail address without the visitor’s consent.

It is a growing trend for website owners to post privacy policies on their websites, stating what kind of information will be collected and how it will be used e.g. non-disclosure of personal information to third parties. It is important to display the policy at the beginning of the website to ensure the visitor sees it and reads it and to ensure compliance with Section 6 of RICA.
In the European Union the Directive on Privacy and Electronic Communications came into force on 31 July 2002. With regard to cookies it provides that cookies be used by website operators provided that:
1. The internet user is provided with clear and comprehensive information about the purpose for which the cookie will be used; and
2. The internet user is given the opportunity to refuse the acceptance of a cookie.
In any event, Section 14 of the Constitution of South Africa states that “Everyone has the right to privacy, which includes the right not to have … (d) the privacy of their communications infringed”. Consumer protection is dealt with in Chapter 7 of ECTA but it does not extend to privacy protection. Internet users place a high premium on their online privacy.
Where persistent cookies are employed it is suggested that a privacy policy be displayed on the website operator’s home page.
From the viewpoint of the visitor, the following methods of self-help measures against the infiltration of cookies are available: –
1. Click on the opt-out option (if any) provided by the website operator;
2. Adjusting the computer to reject cookies, if possible;
3. Installing anti-cookie software;
4. Adjusting the hard drive files.
(Form 8.2 sets out a privacy policy dealing with cookies for display on the website.)
Spamming is defined as unsolicited bulk and/or commercial electronic communications. Even a single unsolicited commercial communication is regarded as spam. In terms of the Electronic Communications and Transactions Act No. 25 of 2002 (ECTA) spam excludes unsolicited telephone calls, post and faxes but includes e-mail and SMS.
In terms of Section 45(1) of ECTA: “Any person who sends unsolicited commercial communications to consumers, must provide the consumer:
a) with the option to cancel his or her subscription to the mailing list of that person; and
b) with the identifying particulars of the source from which that person obtained the
consumer’s personal information, on request of the consumer.”
ECTA therefore does not outlaw spamming but it does provide the consumer with opt-out rights that may be enforced against the sender. The spammer should provide a link from the e-mail message to an opt-out page on the spammer’s website.
A spammer could be liable to a fine or imprisonment for up to 12 months in terms of Section 89(1) of ECTA for failure to provide the recipient with the requested information in terms of Section 45(1). The recipient may initiate civil or criminal proceedings if his/her personal information was obtained through illegal or unconstitutional means..