South African Data Privacy Legislation

Learning Outcomes

LO8: Data Privacy and Protection in South African Legislation

• Summarize relevant concepts and principles concerning data privacy and protection in the following South African legislations:
  • The Promotion of Access to Information Act (PAIA).
  • The Electronic Communications and Transactions Act (ECTA).
  • The National Credit Act (NCA).
  • The Consumer Protection Act (CPA).

LO9: Data Protection in POPIA

• Analyze various concepts and principles concerning data protection in the Protection of Personal Information Act (POPIA), with reference to the following:
  • Historical development of the Act.
  • Objectives of the Act.
  • Scope of the Act: application and interpretation provisions.
  • Conditions for processing personal information.
  • Grounds for lawful processing of personal information.
  • Data subject rights.
  • Responsible party and operator.
  • Special processing activities.
  • Supervision.
  • Codes of conduct.
  • Transborder information flows.
  • Enforcement.
  • Criminal offences, penalties, and administrative fines.

LO10: Application of Data Privacy and Protection Concepts

• Apply various concepts, principles, and requirements concerning data privacy and data protection from this theme to a given scenario.

PAIA (Promotion of Access to Information Act)

• Allows individuals access to records (manual and computer-based).
• Applies to records in both the public and private spheres, including mail, audio, video, files, notes, and documents.
• Information access is prohibited if it unreasonably infringes upon a third party's privacy.
• Destroying, damaging, altering, or concealing a record to deny access is an offense.

ECTA (Electronic Communications and Transactions Act)

• Main goal: to facilitate e-commerce by ensuring legal certainty and promoting trust in electronic transactions.

NCA (National Credit Act)

• Goal: to promote a fair and non-discriminatory marketplace, improve consumer information standards, and regulate credit information.
• Complemented by POPIA.
• Entities receiving, compiling, or storing confidential consumer information must protect its confidentiality.
• Information can only be used for permitted or required purposes and must be reported or released to the consumer.
• Credit bureaus have duties to verify information accuracy, retain information for a prescribed period, and maintain certain standards.
• If credit is refused, the provider must advise the consumer why and provide the contact information of the credit bureau if the refusal is based on a poor credit record.

CPA (Consumer Protection Act)

• Section 11 protects consumers' rights against unwanted direct marketing.
• POPIA supplements the CPA, and POPIA prevails when it offers better protection.
• CPA has more detailed provisions regarding non-electronic direct marketing, so it prevails in such cases.

POPIA (Protection of Personal Information Act)

• Implemented to conform to the General Data Protection Directive of 1995 and includes provisions of the amended GDPR of 2012.
• Objective: To protect the constitutional right to privacy while considering democracy, openness, and economic progress.
• Aims to regulate the processing of personal information in harmony with international standards.

POPIA Scope - Application

• Applies to any processing activity involving personal information where the responsible party is domiciled in South Africa or uses means within South Africa for processing.
• Applies to both the public and private spheres.
• Applies to all automated processing and manually processed information accessible according to specific criteria.
• Excludes certain information, such as crime, money laundering, and anti-terrorism information.

POPIA Scope - Interpretation Provisions

• Processing: Any operation or activity involving personal information, including collection, merging, receipt, and storing.
• Personal Information: Information relating to an identifiable, living, natural person and, where applicable, a juristic person (excluding the dead or previously existing juristic persons).
• Record: Any recorded information (in any medium) regardless of who created it.
• Data Subject: The person to whom the personal information relates (not limited to SA citizens or residents).
• Responsible Party: A public or private body that determines the purpose and means for processing personal information (similar to a data controller).

POPIA Scope - Exclusions

• Processing of de-identified data (e.g., blacking out patient identifying data).
• Processing for purely household activities (e.g., keeping telephone numbers).
• Processing by or on behalf of a public body for national security records.
• Processing activities by Cabinet (e.g., a committee processing information on schoolchildren).
• Processing activities by a court.
• Processing of personal information for journalistic, literary, or artistic expression, balancing the right to privacy with freedom of expression (naming someone in an article is allowed if public interest outweighs the right to privacy or if allowed by a code of ethics).

POPIA Scope - Exemptions

• Granted by the Regulator if in the public interest, the interest of a data subject, or a third party.
• Exemptions related to certain functions in the public interest.

Conditions for Processing Personal Information

• Similar to GDPR with slight differences.
  • Accountability
  • Processing limitation
  • Purpose specification
  • Further-processing limitation
  • Information quality
  • Openness
  • Security safeguards
  • Data subject participation

Grounds for Lawful Processing of Personal Information

• Non-sensitive personal information:

  • Consent
  • Contract
  • Legal obligation
  • Legitimate interest of data subject
  • Public law duty
  • Legitimate interest of the responsible party or 3rd party

• Special/sensitive personal information:

  • List similar to special categories in GDPR.
  • Subject to heightened protection unless an exemption applies.
    • General Exemptions:
      • Consent
      • Exercise of or defending a right or obligation in law
      • Necessary for international public law
      • Historical/statistical research
      • Information is made public deliberately
      • One of the specific grounds for processing is present

Specific Exemptions (Special Info)

• Religious or philosophical beliefs processed by religious organizations for their aims/principles or if data subjects belong to that institution.
• Race/ethnic origin when processing is essential to identify the person or comply with laws protecting disadvantaged groups and unfair discrimination.
• Trade-union membership.
• Political persuasion by a political party if the data subject belongs and it's required to achieve its aims.
• Health/sex life processed by medical professionals, healthcare facilities, insurance companies, schools for care or proper administration.
• Criminal behavior/biometric info by bodies charged with applying criminal law.

Data Subject Rights

• Right to be informed
• Right of access
• Right of rectification
• Right to erasure (to be forgotten)
• Right to restriction of processing
• Right to object to processing
• Right not to have info processed for direct marketing by unsolicited electronic communications
• Right not to be subject to automated decision-making
• Right to submit a complaint to the Regulator
• Right to institute a civil claim

Responsible Party vs. Operator

• Responsible party: Determines the purpose and means for processing personal information (like a data controller).
• Operator: Processes personal information for a responsible party under a contract or mandate, without direct authority and does not determine the purpose of the processing. They may not use the data for its own purposes.

Duties of Responsible Party vs. Operator

• Responsible party: Must protect personal information. They may outsource processing activities.

• Operator: Must treat personal information as confidential, maintain security measures, and notify the responsible party of breaches.

• Responsible party Duties (Continued):

  • Maintain documentation
  • Ensure conditions for lawful processing
  • Collect information directly from the data subject (with exceptions)
  • Inform the data subject and/or Regulator of purpose, intended recipients, and planned processing
  • Give the data subject access to their information
  • Keep personal information up to date
  • Correct information
  • Delete records
  • Obtain prior authorization for certain sensitive activities
  • Ensure confidentiality and security of processing
  • Get prior consent for direct marketing by unsolicited communications
  • Comply with Information and Enforcement notices

Special Processing Activities

• Processing requiring prior authorization from the Regulator:
  • Linking personal information from different sources for a different purpose than originally collected.
  • Processing data subject’s criminal behavior, unlawful or objectionable conduct on behalf of 3rd parties.
  • Process information for the purpose of credit reporting
  • Transferring special personal information (or information of children) to 3rd countries without adequate levels of protection

Direct Marketing by Unsolicited Electronic Communications

• Data subject has the right to object, and the responsible party must cease processing.
• Prohibited unless prior consent is given.
• Opt-in: Required if the data subject is not a customer of the responsible party.
• Opt-out: Followed if the data subject is a customer of the responsible party.

Supervision

• The Information Regulator oversees compliance with POPIA and PAIA, reports to the national assembly, and is an independent administrative body.
• Composed of a chairperson and four ordinary members (usually attorneys or advocates).
• The regulator must:
  • Provide education promoting understanding of rights.
  • Monitor and enforce compliance by public and private bodies.
  • Consult with parties.
  • Handle complaints and conduct research and report to parliament.
  • Issue, amend, and retract codes of conduct.
  • Facilitate cross-border cooperation and enforcement of privacy laws.
  • Have due regard for certain matters.

Criminal Offences & Fines

• Less serious offences: Fine and/or prison time not exceeding 12 months (e.g., failure to notify the Regulator, breach of confidentiality, obstruction of a warrant).
• Serious offences: Period not exceeding 10 years (or fine and prison time) for serious offences like hindering, obstruction or unlawful influencing of the Regulator, failure to comply with an enforcement notice, giving false evidence, unlawful act wrt an account number.
• Criminal prosecution.
• Maximum fine is R10,000,000.
• The regulator may offer the option to pay a fine instead of pursuing criminal charges, payable within 30 days.

Regional initiatives

• This Act sets out what needs to be included in your data privacy laws should a member State enact a law. = Supplementary Act on Personal Data Protection.
• The ECOWAS (Economic Community of West African States) was the 1st sub-regional body in Africa to develop concrete data privacy laws in 2010.