EPIC --- Privacy and Human Rights Report
|Title Page Previous Next Contents | Country Reports >Republic of South Africa|
Section 14 of the South African Constitution of 1996 states, "Everyone has the right to privacy, which includes the right not to have – (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed." Section 32 states, "(1) Everyone has the right of access to – (a) any information held by the state, and; (b) any information that is held by another person and that is required for the exercise or protection of any rights; (2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state."
The South African Constitutional Court has delivered several judgments on the constitutional right to privacy. These deal with legislation prohibiting the possession of indecent or obscene photographs and child pornography, searches and seizures and the criminalization of prostitution. The court's interpretation of the right is a mixture of US and European jurisprudence. On the one hand, the court has emphasized that the roots of the right lie in the value of human dignity. On the other hand, the court has defined the right, along US lines, as protecting an actual (or subjective) expectation of privacy that society is prepared to recognize as reasonable.
The constitutional right to privacy also has application in private litigation. Recent decisions have considered the effect of the right in litigation seeking to prevent the publication of intimate photographs of a quasi-celebrity, an action for damages to compensate for publication of an inaccurate report that a person had been arrested for terrorism and the filming of the activities of members of a helicopter club by a competitor seeking evidence of contraventions of aviation safety regulations. There is currently no general statutory protection of privacy or general data protection legislation in South Africa.
In early 2000, the South African Law Reform Commission was requested by Parliament to investigate the introduction of privacy and data protection legislation. The request was made at the time that Parliament was considering the Promotion of Access to Information Act (the Act). Drafts of the Act contained a chapter proposing the regulation of access to, and dissemination of, personal information held in private and public "data banks." Parliament took the view that these matters would be better regulated by a comprehensive purpose-specific data protection statute and the chapter was removed from the Access to Information Act as finally enacted. The Law Reform Commission (the Commission), having researched the matter, then published an Issue Paper on Privacy and Data Protection in August 2003. The Issue Paper made a number of preliminary recommendations that closely tracked the provisions of the European Union (EU) Data Protection Directive. This is to be expected since the Directive, by requiring a basic level of data protection in countries doing business with the EU, is an important impetus for the law-reform initiative. The Commission recommended that legislation be enacted to govern the collection, use and dissemination of personal information in both the public and private sectors, and called for the creation of a specialized Commission.
The Commission then published draft legislation, the draft Protection of Personal Information Bill, for public comment in October 2005. The draft Bill proposes general legislation to regulate the processing of personal information by public and private bodies. The legislation centers on a set of “information protection principles” which flesh out a higher-level requirement that personal information must be processed “in order not to intrude upon the privacy of the data subject to an unreasonable extent.” The application and enforcement of the information protection principles will be the job of a data protection authority, to be called the Information Protection Commissioner, who will head an Information Protection Commission. In addition to its duties under the data protection legislation, it is proposed that the Commission should have oversight over the Promotion of Access to Information Act.
The final recommendations of the Law Reform Commission, made in response to a huge volume of comments received on its draft Bill, will be published in 2007 in the form of a Report to the Minister of Justice and Constitutional Development. Should the Commission’s recommendations be accepted, the Minister will then introduce the recommended legislation in Parliament. This is unlikely to take place before 2008 and the legislation is therefore unlikely to emerge from the Parliamentary process before the second half of that year.
The Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002 (the Interception Act) is the product of several proposals of the South African Law Reform Commission. In November 1998, the Commission recommended amendments to facilitate the monitoring of cellular phones and Internet service providers (ISPs). On July 18, 2001, a Bill was introduced into Parliament, proposing the repeal and replacement of the Interception and Monitoring Prohibition Act 127 of 1992. According to Johnny de Lange, Chairperson of the Parliament's Portfolio Committee on Justice and Constitutional Development, the Bill "aims to regulate the interception and monitoring of certain communications . . . to regulate authorized telecommunications monitoring," and "to prohibit the provision of certain telecommunication services which do not have the capacity to be monitored." Following 18 months of limited consultation with stakeholders, the Interception Act was enacted in December 2002. It entered into force on November 30, 2005.
The purpose of the Interception Act remains similar to previous versions. The Act prohibits wiretaps and surveillance, except for law enforcement purposes. It requires that all telecommunications services, including Internet Service Providers (ISPs), make their services capable of being intercepted before they could offer them to the public. There is a provision for the Minister to exempt ISPs from these provisions. However, while exemptions can be made from the requirement to enable a network for surveillance purposes, ISPs that are exempt will be required to contribute to a fund that will be used to purchase centrally held surveillance equipment. This equipment will be used on a rotational basis as needed by smaller ISPs that are required to comply with a surveillance request by law enforcement.
Generally, providers will be required to pay for the costs of making their systems wiretap-enabled. No model of cost sharing is proposed at this stage, and the state will be responsible for the costs of connecting central interception centers to telecommunications providers. Criminal penalties are also included should a service provider refuse to comply with the provisions of the Act or assist law enforcement. Repeat offenders might, in addition, face the revocation of their service license granted under the Telecommunications Act.
Several amendments made by Parliament during the consideration of the Interception Act widened the scope of the legislation. The definition of "communication" has been augmented to include all "direct" and "indirect" communications, which together cover all traffic, signaling and other call-related information, as well as the content of such communications. Amendments include: an expanded list of grounds for obtaining a wiretap order, including a wiretap to ascertain the location of a person in the case of an emergency; an expanded range of interception directions that can be granted, such as decryption orders; and an augmented list of offences under the Act, which includes being in possession of a stolen cellular phone and failure to report a stolen, lost or damaged SIM (Subscriber Identity Module) card.
Provisions on data retention require all telecommunication service providers (TSPs) to gather detailed personal data on individuals and companies (including photocopies of identity documents) before signing contracts or selling SIM cards for pre-paid mobile services. Provisions require that such data is made available to law enforcement agencies when requested. There is no limit specified for the length of time TSPs are required to retain personal data, but a requirement to store communication-related information is currently limited to 12 months.
The Minister has several broad powers in the Interception Act, including the discretion to stipulate in a directive all technical and security requirements for networks to be capable of surveillance, including capacity, the systems to be used, the facilities and devices to be acquired, the type of communication-related information to be stored, and the period for which such specified information must be stored. The first draft of the directive was released in August 2004 and addresses all of these issues. A consultation process has been initiated calling for opinions from interested persons in the telecommunications sector. The directive will become operational within six months of promulgation of the Interception Act.
While the various stakeholders prepared for the Interception Act to come into operation, several problems had begun to emerge. Various operational requirements appear impractical and hard to implement. An example is the requirement that before an Internet service contract can be concluded, ISPs are required to verify the identity of the subscriber. As many Internet users subscribe online, this creates many difficulties. Moreover, ISPs now have to verify identities and retain copies of identity documents. Another impediment to the Act's enforcement is the question of who will bear the great costs associated with the implementation and maintenance of the monitoring and storage equipment required for ISPs to fulfill their obligations under the new legislation.
The Interception Act has some impact on the privacy of communications in the workplace through some of the exceptions to the general prohibition of interception and monitoring, particularly Section 5 (interception with the prior consent of a party to the communication) and Section 6 (interception for business purposes, or as referred to in comparable foreign legislation – "the business exemption"). Before the enactment of Section 5 of the Interception Act, the interception of electronic communications in the workplace in South Africa was primarily regulated through electronic communications policies or employee consent agreements embedded in the employment contract. The business exemption (Section 6) appears to allow employers to intercept and store the e-mail messages of their employees, for transactional, record-keeping and network security purposes, that are sent in the course of company business over the company's telecommunications network and upon reasonable efforts to notify the parties of the communication of the possibility of interception.
South Africa does not have a data protection authority but has a Human Rights Commission (HRC), which was established under Chapter 9 of the Constitution. The HRC's mandate is to protect and investigate infringements of the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated. The Commission has limited powers to enforce the Promotion of Access to Information Act.
South Africa has a well-developed financial system and banking infrastructure. Despite the sophistication of the financial sector, the privacy of financial information was weakly regulated by a code of conduct for banks issued by the Banking Council. Adherence to the Code is voluntary and it is expressly declared to be not legally binding. Financial institutions subscribing to the Code undertook not to share personal information of their clients without consent except where the public’s or the banks' interests require disclosure. Information may be disclosed to third-party credit risk management services with prior consent, or after notice to the client.
Important new legislation, the National Credit Act 34 of 2005, has introduced sweeping changes in this area. The Act has a three-phase implementation process, coming partly into force June 1, 2006 and September 1, 2006. The Act came into force in its entirety on June 1, 2007.
The National Credit Act is consumer protection legislation aiming to regulate the market in consumer credit principally by improving access to credit and preventing unfair business practices. The Act’s reforms occur against a background of an unprecedented expansion in the provision of consumer credit in South Africa. But this success has brought attendant social ills. Occasionally reckless credit extension by credit providers has led to the over-indebtedness of consumers who are often poorly informed if not deliberately kept in the dark. In addition, there are historically deep-rooted divisions in the South African credit market. High-income groups (about 15% of the population) can obtain credit from a wide range of mainstream providers, including banks, at regulated interest rates. Low-income groups have little access to conventional credit products such as mortgages, credit cards or overdraft facilities. Instead they are relegated to non-bank credit, informal sector loans and other marginal providers. The data protection provisions of the National Credit Act are in Part B of Chapter 4. Most of the provisions of this Part commenced September 1, 2006.
Section 68 of the Act creates a right to confidential treatment of “confidential information” received, compiled, retained or reported in terms of the Act. Confidential information is defined in s. 1 as “personal information that belongs to a person and is not generally available to or known by others.” The confidentiality of such information must be protected by its holder and must be used only for a lawful purpose, must be disclosed only to the person to whom it relates or to a third party where required by law, by court order or order of the Consumer Affairs Tribunal created by the Act or “as directed by . . . the instructions of the consumer.”
The other privacy provisions of the Part provide specific regulation of credit bureau information. The particularly stringent regulation of the credit bureau industry by the Act is justified as follows by the DTI Policy Document. According to the DTI, “There is immense frustration with credit bureaus and with credit bureau information amongst black South Africans, and with the practice of so-called blacklisting.” The purpose of the regulation is therefore to tightly regulate the flow of credit bureau information, to improve its accuracy and reduce the scope for discrimination in decisions about credit. Sections 70—73 of the Act impose several duties on credit bureaus in relation to “consumer credit information” (consumers’ personal details, financial history, employment and educational history). Notably, bureaus are required to allow consumers free access to their credit information for purposes of verifying and challenging it. There is a duty to take “reasonable steps to verify the accuracy of consumer credit information (s 70(2)(c)).” Access to and use of credit bureau data is limited to persons requiring it for a “prescribed purpose or a purpose contemplated in this Act (s. 70(2)(g)).” Data retention is regulated by several provisions and by s. 73 of the Act which allows the Minister to prescribe maximum retention period for the holding of credit information by credit bureaus. The regulations, issued on May 31, 2006, prescribe varying periods ranging from 1 year (for adverse qualitative information on consumer behavior) to 10 years (unrehabilitated sequestrations) to indefinitely (corporate liquidations).
When compared to the draft data protection legislation of the South African Law Reform Commission described above, what is immediately evident about the data protection provisions of the National Credit Act is their stringency. By contrast, the Commission’s draft Protection of Personal Information Act is relatively easy-going, and turns on the principle of reasonable processing of personal information rather than on the consent of the data subject. There is nothing in the current draft of the general Act that compares to the detailed and specific provisions regulating credit bureau information in the National Credit Act. The effect of the general Act on sector-specific legislation like the National Credit Act is one of the considerations of the Law Reform Commission in its formulation of its final proposals. What may well emerge from these considerations in the final version of the general Privacy Act expected in 2007 is a special chapter on credit bureaus along the lines of s. 70—73 of the National Credit Act or a provision allowing for the continued operation of these sections of the Act.
The Financial Intelligence Centre Act 38 of 2001 (FICA) is aimed at preventing money laundering. It was passed by Parliament in 2001 and the bulk of its provisions came into effect in 2003. Along the lines of similar legislation in other jurisdictions, the Act creates the Financial Intelligence Centre, a supervisory and investigative body that receives and analyzes information regarding suspected money-laundering activities supplied to it by financial institutions, and disseminates reports to the criminal investigative authorities, the intelligence services and the revenue service. Banks and other financial institutions are required to verify the identity of their customers, to maintain a considerable body of information about customers and their transactions, and must report suspicious transactions to the Centre. The bulk of customers would have to provide FICA-related information until September 2005. Non-compliance will bring restrictions on clients' ability to transact on their accounts.
The Cabinet approved a plan in March 1998 to issue a multipurpose smart card that combines access to all government departments and services with banking facilities. In the long term, the smart card was intended to function as passport, driver's license, identity document and bankcard, and was to be linked to fingerprint information. In 2003, a commission recommended major changes to the project. In February 2004, the report of the transaction advisors on the feasibility of procuring the new identity document through a public/private partnership recommended against the partnership. In 2005, the Department of Home Affairs awarded a contract for the cleaning of its database as the next step towards the rollout of the Hanis identity card system. It is expected that the first smart ID cards will be issued by the end of 2006. The first recipients of the cards will be beneficiaries of the state social development grants. A similar project has already been started by the South African Post Office (wholly government-owned) in the North West Province where social pensioners are provided with a Postbank account for receiving their social services grant. The account is linked to a smart card containing the thumbprint and ID photo of the pensioner in encoded form.
In 2004, the Department of Home Affairs began a pilot program to issue 30,000 smart cards to refugees (persons granted political asylum). In the Department's view, this program is an initial step towards a planned rollout of six million smart cards per year over a five-year period. The full program entails the conversion of 30 million paper-based sets of records into the Department's electronic document management system. The government agency aims to eventually produce "an integrated biometric database of all people the Department deals with – citizens, residents, refugees, illegal foreigners."
The Promotion of Access to Information Act (PAIA) came into operation on March 9, 2001. The Act is a general freedom of information law, modeled on the FOI laws of the United States and Commonwealth jurisdictions. It is, however, unusual and groundbreaking in at least two respects. First, it is based on, and backed up by, a specific constitutional right of access to information, entrenched in the Bill of Rights. Second, this right and, as a consequence, the Act are applicable not only to information in government hands but also to information held in the private sector. There is no freedom of information commission to monitor the implementation of the Act or to provide dispute-resolution services. Instead, the South African Human Rights Commission is charged with monitoring the use of the Act, publicizing the rights that it creates, assisting members of the public to make requests, conducting research and publishing explanatory material about the Act. Disputes about alleged maladministration of the Act (e.g., requests for information not answered, indexes of records not submitted as required by the Act) can be heard by the Public Protector (the South Africa's Ombudsman). Disputes about the substance of a refusal of a request for information can be resolved by applying to the ordinary courts.
Concern has been expressed from various quarters (including the Human Rights Commission) about the ineffectiveness of the Act's dispute-resolution processes. Litigation is widely recognized as being too inaccessible and cumbersome to be an effective tool of to enforce the freedom of information rights in the Act and in the Constitution. Some amelioration of this situation has been proposed by the South African Law Reform Commission in its draft Protection of Personal Information Act (see above). The draft Act recommends that the regulatory commission that will enforce rights and duties in the field of data protection also be responsible for similar enforcement of the PAIA. This would create a “joined-up” Information Commission with oversight over both laws, along the lines of the UK’s ICO. This is an interesting proposal which ought to be supported. It has the prospect of curing one of the most obvious deficiencies in the current access to information regime, the absence of an authoritative dispute-resolution mechanism intermediate between a decision-maker and the courts.
On paper, the PAIA grants extensive freedom of information rights. However, these rights have not been particularly effective in practice. Research conducted by the Open Democracy Advice Centre showed that PAIA requests to both the public and private-sector were dealt with extremely slowly or, more troublingly, simply ignored. There appears to be widespread ignorance of the requirements of the Act, even of its existence, in the public sector.
There have been a number of high profile cases involving the use of PAIA. For example, the leader of the Opposition made a successful request to the Presidency and the Ministry of Justice for records relating to a number of controversial presidential pardons of prisoners who had been refused amnesty by the Truth and Reconciliation Commission. One of the most active users of the Act – the South African History Archive (SAHA), a NGO that collects and archives apartheid-era documentation – has retrieved large quantities of classified material from military archives and documents collected by the Truth and Reconciliation Commission. While SAHA has had some important victories, the organization suggests that use of the Act has been limited because the culture of freedom of information has not taken root yet and because PAIA has been poorly publicized. The Institute for Democracy in South Africa (IDASA) launched a campaign to use the access rights granted by the PAIA to require political parties to disclose the sources of their funding. Predictably enough, the requests for this information were not met with transparency by political parties, and the organization began a court process to test the principles at stake.
The political party funding litigation ended in 2005 with a decision of the Cape High Court holding in effect that IDASA could not cross the ‘need to know’ threshold for private-body requests under PAIA. PAIA grants an unqualified right to request information from a public-sector holder, but for “private bodies” the Act requires a requester to show that the information requested is “required for the exercise or protection of any rights.” In the IDASA case it was held that, first, political parties were private bodies under the Act. That being so, IDASA was non-suited to request the information it had sought from them (essentially, details of their funders and the extent of the funding) because it could not show that there was a link between the information and the exercise or protection of the organization’s rights.
Outside occasional high-profile litigation, there appears to have been little use by requesters of the private-sector provisions of the Act, but the extent to which the Act has had an impact on the private sector is almost impossible to measure. Certainly, the Act's requirements that private bodies publish indexes of their records have widely been ignored.
 The Constitution of the Republic of South Africa, Act 108 of 1996, available at <http://www.info.gov.za/documents/constitution/index.htm>.
 Case v.
Minister of Safety and Security 1996 (3) SA 617 (CC) (wide and vague
apartheid-era prohibition on possession of pornography a violation of right to
privacy). All judgments of the South African Constitutional Court are available
 De Reuck v. Director of Public Prosecutions (Witwatersrand Local Division) 2004 (1) SA 406 (CC) (justifiable to limit the right to privacy to protect children from the exploitation and degradation inherent in child pornography).
 Bernstein v. Bester NO 1996 (2) SA 751 (CC); Mistry v. Interim National Medical and Dental Council of South Africa 1998 (4) SA 1127 (CC).
 S v. Jordan 2002 (6) SA 642 (CC) (no significant privacy interests in the act of prostitution).
 Id. at paragraph 81.
 Bernstein v. Bester NO 1996 (2) SA 751 (CC) paragraph 67. Judgments of the South African Constitutional Court are available at <http://www.concourt.gov.za>.
 The South
African Bill of Rights has both direct and indirect application in so-called
"horizontal" disputes (disputes not involving state actors or legislation).
 Prinsloo v. RCP Media Ltd t/a Rapport 2003 (4) SA 456 (T) (injunction available to prevent publication of purloined photographs of notorious surgically-improved Pretoria lawyer).
 Independent Newspapers Holdings Ltd v. Suliman 2005 (7) BCLR 641 (SCA) (no privacy interests in information and photographs of person publicly arrested at airport), available at <http://wwwserver.law.wits.ac.za/sca/summary.php?case_id=12818>.
 Huey Extreme Club v. McDonald t/a Sport Helicopters 2005 (1) SA 485 (C), (extensive, continuous filming an invasion of privacy that is not justified by the need to promote aviation safety).
 Issue Paper 24 (Project 124), Privacy and Data Protection, available at <http://www.doj.gov.za/salrc/ipapers.htm>. An Issue Paper is the first stage in the Law Reform Commission's research process. It consists of a document identifying the broad issues for consideration in the development of new legislation and requesting public comment on these issues.
Paper 109 (Project 124), Privacy and Data Protection, available at
<http://www.doj.gov.za/salrc/dpapers.htm>. The Draft Bill is in Annexure B
of the Discussion Paper. A Discussion Paper is the second stage of the Law
Reform Commission’s investigation process, usually containing draft
legislation. This is published to seek comment and the process is then completed
by the publication of a Report which contains the Commission's recommendations
to the Cabinet on the form of draft
 Clause 7 of the draft Bill.
 See Chapters 5, 7 and 8 of the draft Protection of Personal Information Bill.
Paper 78 (Project 105), Review of Security Legislation, The Interception and
Monitoring Prohibition Act 127 of 1992 (November 1998), available at
 Adv. Johnny de Lange, Press statement, available at <http://www.sfu.ca/cprost/prepaid/relateddocs/SouthAfrica/Interception%20and%20Monitoring%20Bill%20PR%20July%202001.htm>.
 Act No. 103 of 1996, as amended.
 These include: broad interception direction; an archived communications direction (any communication related information in the possession of a telecommunications service provider (TSP) and which is being stored by that TSP for up to one year, regarding the transmission of the indirect communication) and real time (real time information on an ongoing basis without interception) or supplementary direction, or a combination thereof. Also on application are entry warrants (to rig premises and intercept postal articles) and decryption directions. All can be obtained as oral directions when urgent circumstances prevail.
 Section 21.
 Chapter 9.
 See Notice 1601, Government Gazette, Vol. 470, 4 August 2004, available at <http://www.info.gov.za/gazette/notices/2004/26644.pdf>. See also "Draft Directive for Telecommunication Service Providers who have not been issued with the Directive for mobile cellular operators, fixed line operators or Internet Service Providers" available at <http://www.internet.org.za/draft-directive-ptnv.html> and "Draft Directive for value added Network (VAN) Licence holders providing Internet Services," available at <http://www.internet.org.za/draft-directive-vans.html>.
 This trend can be observed in the growing number of cases concerning interception of e-mail in the workplace, e.g., Bamford & Others v. Energizer (SA) Ltd  12 BALR 1251 (P) (employees suspended for forwarding e-mails with pornographic, sexist and racist nature) and Cronje v. Toyota Manufacturing  3 BALR 213 (CCMA) (an employee was suspended for circulating a racist e-mail).
 Act 25 of
2002. Available at <http://www.info.gov.za/gazette/acts/2002/a25-02.pdf>.
 Chapter III.
 Chapter XIII.
 By incorporating notice and take down procedures; mere conduit recognition and safe harbor provisions. Liability will only attach where an ISP has direct knowledge of illegal or objectionable material and fails to take effective action as required by law.
 Act No. 2 of 2000.
 The background to the Act’s reforms are set out in a useful policy document of the South African Department of Trade and Industry (Consumer Credit Law Reform (August 2004), available at <http://www.dti.gov.za/ccrdlawreview/policyjune2005.pdf>. The Act is available at <http://www.dti.gov.za/ccrdlawreview/creditact2006.htm>.
 See para 3.12 of the policy document above.
Cards to Replace ID Books in SA in 2001," Africa News, February 1,
 "Joint leader in portfolio management," Financial Mail, November 25, 2005, available at <http://free.financialmail.co.za/innovations/05/1125/linn.htm>.
 Deputy Minister of Home Affairs, Malusi Gigaba: Home Affairs Department Budget Vote 2004/2005.
 Act 2 of
 Section 32 of the 1996 Constitution. The section grants a right of access to "any information held by the state" and to "any information . . . held by another person and that is required for the exercise or protection of any rights."
 "Concerns Raised over Access to Information Act," Mail & Guardian, May 10, 2001.
 Application can be made either to the High Court or to a magistrates' court. The courts have wide powers to inspect the disputed records and to order disclosure of records.
 "Information Law not Accessible to Public – HRC," Business Day, February 3, 2004.
Democracy Advice Centre ‘Southern Africa Summary Country Report: Open
Society Institute Justice Initiative: 2004 Monitoring Study’, available at
 A earlier survey conducted by the Open Democracy Advice Centre revealed that 54 percent of the public bodies contacted by the Centre were unaware of the Act, 16 percent were aware of the Act but did not implement it and only 30 percent were aware of it and implementing it. "Few Groups Aware of Act on Access to Information," Business Day, October 14, 2002.
 "Leon Set
to Get Data on Pardons," Business Day, October 15,
 Descriptions of the collection, and some digitized material are available at <http://www.saha.org.za/collections.htm>.
 See <http://www.saha.org.za/overview.htm>.
 Political party funding is currently unregulated in South Africa. There are no limits on the amounts of funding a party can receive, nor are there any disclosure requirements.
 See <http://www.idasa.org.za/>.
 Institute for Democracy in SA v African National Congress 2005 (5) SA 39 (C), available at <http://www.constitutionalcourt.org.za/Archimages/4397.PDF>.
 The Human
Rights Commission's duty to compile statistics on the use of the Act applies
only with respect to requests made to public bodies.
 Widespread failure by both public and private bodies to comply with the Act's publication requirements resulted in the Minister of Justice granting a six-month extension on the Act's deadline for compliance until February 2003, a second extension until August 2003 and a third (ostensibly "final") extension until August 2005.