There is a common perception that ISPs monitor subscribers’ online activities and collect personal information which they may hand over to third parties including the South African Police Service (SAPS). This is not, however, an accurate reflection of how ISPs in SA operate, according to the Internet Service Providers’ Association (ISPA).
Firstly, ISPs – like everyone else – are bound by the provisions of the Protection of Personal Information Act. They are required to ensure that any collection and processing of personal information is lawfully done in accordance with POPIA’s provisions.
Secondly, under the Cybercrimes Act and other legislation, ISPs are not required to actively monitor the data which they transmit or store or to actively seek facts or circumstances indicating an unlawful activity.
In other words, ISPs are not required by law to police their networks and services. Further, under interception and monitoring legislation ISPs are prohibited from monitoring and intercepting subscriber communications in the absence of a lawful justification.
A third consideration is that the interaction between ISPs and law enforcement agencies (LEAs) is heavily regulated and ISPA members receive training and support to ensure subscriber personal information is not released to a LEA other than where a lawful request has been made.
Importantly, ISPs are required by law to collect and store customer information (e.g. through the RICA customer registration process) and to make this available to LEAs where lawfully requested to do so.
This is very different from collecting and storing customer communications, which is not done: ISPs are generally not, in practice, required to assist LEAs with monitoring and intercepting client communications.
In the digital age people increasingly live their lives online and ISPs – which provide a gateway to the internet – are becoming more and more useful to government and LEAs in combating and prosecuting illegal and unlawful conduct in the real world.
An example is the role played by ISPs in addressing gender-based violence in SA. Recent amendments to the Domestic Violence Act require ISPs to take down online material forming part of the domestic violence and to provide information about alleged perpetrators.
Similarly ISPs are obliged to provide information to the courts about people alleged to be guilty of harassment or defaulting on maintenance payments.
One area of concern for ISPA is overlapping reporting requirements where some criminal conduct is required to be reported to both SAPS and the Film and Publication Board (FPB). This is being addressed with the Department of Justice and the FPB.