Authored By: Nkosinathi Msibi
University of Johannesburg
ABSTRACT
The exponential growth of the digital economy has transformed personal information into one of the most valuable resources of the modern age. As data-driven technologies increasingly shape social, economic, and political life, questions surrounding control, protection, and entitlement to personal information have become more pressing. While data protection regimes grant individuals extensive rights over their personal information, they consistently avoid framing such rights in proprietary terms.¹ This article examines whether personal information can coherently be regarded as an object of ownership under South African law, with particular reference to the Protection of Personal Information Act 4 of 2013 (POPIA). Drawing on South African property law principles, constitutional jurisprudence, and comparative insights from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the article argues that South African law deliberately adopts a regulatory and personality-based model of protection rather than ownership.
- INTRODUCTION
Personal information has become central to the functioning of the contemporary digital economy.² From targeted advertising and algorithmic decision-making to artificial intelligence and biometric identification systems, vast quantities of personal data are routinely collected, processed, and exchanged. These practices have generated significant economic value, but they have also heightened concerns regarding privacy, surveillance, and the exploitation of personal information.
South Africa’s primary legislative response to these developments is the Protection of Personal Information Act 4 of 2013 (POPIA).³ POPIA regulates the processing of personal information and confers enforceable rights on data subjects. Notably, however, the Act does not recognise personal information as property, nor does it describe data subjects as owners of their data.
- INFORMATIONAL PRIVACY IN SOUTH AFRICAN LAW
Informational privacy refers to an individual’s interest in controlling the collection, use, disclosure, and dissemination of personal information relating to them.⁴ Section 14 of the Constitution of the Republic of South Africa, 1996 guarantees the right to privacy. The Constitutional Court confirmed in NM v Smith that the unauthorised disclosure of personal information may constitute a violation of both privacy and dignity.⁵
POPIA gives statutory effect to informational privacy by establishing conditions for the lawful processing of personal information, including lawfulness, purpose specification, and security safeguards.⁶
- PROPERTY LAW AND THE NATURE OF INFORMATION
Ownership in South African law traditionally refers to the most comprehensive real right in respect of an object.⁷ Information presents conceptual difficulties for property law due to its non-rivalrous and replicable nature.⁸ Legal protection of information does not necessarily imply ownership.⁹
- POPIA AND DATA SUBJECT RIGHTS
POPIA grants data subjects rights of access, correction, objection, and consent withdrawal.¹⁰ While these rights resemble incidents of ownership, POPIA avoids proprietary language.¹¹ This indicates a deliberate legislative choice to regulate rather than commodify personal information.
- COMPARATIVE INSIGHTS: GDPR AND CCPA
The GDPR treats data protection as a fundamental right rather than a proprietary entitlement.¹² Similarly, the CCPA enhances consumer control without recognising ownership of personal information.¹³ These regimes support a regulatory rather than ownership-based approach.
- SHOULD PERSONAL INFORMATION BE OWNED?
Recognising ownership of personal information risks commodification and inequality.¹⁴ A personality-based model better aligns with constitutional values of dignity and autonomy.¹⁵
- CONCLUSION
South African law adopts a model of control without ownership. POPIA, constitutional jurisprudence, and comparative frameworks confirm that personal information is protected through regulation and personality rights rather than proprietary entitlement.
OSCOLA FOOTNOTE(S):
1 Thaldar ‘The Conceptual Incoherence of Data Ownership’ (2018) 135 SALJ 123.
2 Van der Merwe et al Information and Communications Technology Law (2 edn Juta 2020) 3.
3 Protection of Personal Information Act 4 of 2013.
4 Neethling et al Law of Personality (2 edn LexisNexis 2016) 211.
5 NM v Smith 2007 (5) SA 250 (CC) para 33.
6 POPIA ss 8–25.
7 Van der Walt and Pienaar Introduction to the Law of Property (7 edn Juta 2019) 5.
8 Njotini ‘Evaluating the Position of Information or Data in the Law of Property’ (2019) 22 PER/PELJ 1.
9 Smidt and Burns ‘The Legal Status of Information’ (2015) 132 SALJ 568.
10 POPIA ss 23–25.
11 POPIA s 3.
12 GDPR art 1(2).
13 California Consumer Privacy Act of 2018 s 1798.100.
14 Erlank ‘NFTs: Buyer’s Remorse and a Flash in the Pan?’ (2022) 25 PER/PELJ 14.
15 De Stadler and Papadopoulos Information Privacy Law in South Africa (Juta 2021) 67.
