POPIA: RESPONSIBLE PARTIES AND OPERATORS

Our previous POPIA articles have examined various aspects of the Protection of Personal Information Act 4 of 2013 (“POPIA”) at length, most notably, the various conditions for processing personal information. In this post, we will examine the roles of “responsible party” and “operator” in terms of POPIA and what each of these roles entails, along with the rights and responsibilities of the roles.

The main purpose of POPIA is to regulate the use of personal information (as defined by POPIA and summarised below) and to provide for adequate security measures to protect personal information, and the different parties in a relationship will have to comply with these measures in certain ways. Therefore, these roles are important to consider as they have a profound impact on the relationships between responsible parties and operators and also affect the way in which information is processed and used.

What do these terms mean?

  • “responsible party” means the party who determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party.
  • “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, but does not come under the direct authority or control of the responsible party.
  • “processing” means any activity (including automatic means) concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, distribution by means of transmission, distribution or making available in any other form or merging, linking, and restriction, degradation, erasure or destruction of information.
  • “personal information” is information relating to an identifiable, living person and is not limited to information relating to race, gender, marital status, pregnancy, ethnicity, age, health, disability, religion, language, culture, education and employment, criminal history, identity number, contact details, biometric information, personal opinion, etc.

What is the difference between a responsible party and an operator?

As set out above, responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an operator is involved, the responsible party will still determine the purpose for processing etc, but will outsource the processing of the information to the operator. The responsible party therefore still makes all decisions in relation to the information and the operator acts in accordance with these decisions and on the instructions from the responsible party.

The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. The outsourcing or sub-contracting of any processing activities to operators does not absolve the responsible party from liability. If the operator contravenes POPIA, the responsible party will still be held liable by the Information Regulator.

The importance of contracts when appointing an operator

As with many other relationships, a contractual agreement between a responsible party and operator will prove very useful and is highly recommended in order to definitively address and govern the roles of each party and the boundaries of the relationship.

An agreement between the responsible party and operator should address, at the least, the following points:

  • That the operator only acts within the ambit of the agreement/mandate with the responsible party;
  • The purpose for processing of the information;
  • What information may be processed by the operator;
  • What the operator may or may not do with the information outside of the processing mandate;
  • A duty to protect the information received, not share it with third parties without consent, to keep the information received confidential and to otherwise act within the ambit of POPIA;
  • Limit the operator from appointing further operators without the responsible party’s knowledge or consent; and
  • Liability for the operator*.

Liability for the operator

As mentioned above, the responsible party will be held ultimately liable by the Information Regulator for a breach of POPIA by the operator. The Information Regulator will impose this liability on the responsible party where the breach occurred within the scope of the mandate agreement between the responsible party and the operator and will not be diverted to the operator where the breach is as a result of the operator’s failure to uphold the principles of POPIA.

Therefore, the agreement between the responsible party and the operator is extremely important for the responsible party as this agreement can result in the responsible party holding the operator liable for any claims that the Information Regulator and/or data subjects (the people whose personal information is being processed) bring against the responsible party as a result of a breach of POPIA by the operator. A liability clause will allow the responsible party to bring a claim for any loss suffered by the responsible party as a result of the operator’s negligence or breach of POPIA.

Some relief for a responsible party in this regard is where an operator breaches POPIA where the operator has exceeded its mandate. In these circumstances, the operator is seen to be acting as a responsible party in regard to the personal information as the operator is determining the purposes and means of processing.

Conclusion

We cannot emphasise the importance of an agreement between a responsible party and operator enough as such an agreement sets out the important details of the relationship between the operator and responsible party and aims to protect not only the responsible party, but also the operator by detailing the extent of the processing and other responsibilities that the operator undertakes.

Make sure that you know when you act as a responsible party and when you are acting as an operator as your responsibilities will differ along with your liability.

Conversations and agreements – when are they binding?

Introduction

A major cause of disputes occurs over the content of agreements. Sometimes these disputes are a result of poorly drafted contracts; content and deliverables not being adequately described; or as a result of variations to the original contract. Another source of dispute is verbal contracts and conversations where the parties dispute the content of what was agreed upon.

Both verbal and written contracts are, in general, legally binding. However, sometimes writing is unavoidable and is a formality for the contract to be valid, for example: the sale of immovable property, antenuptial contracts, wills and executory donations. Along with the preceding list, all documents that have to be submitted to and registered with the Deeds Office must also be set out in writing.

Written contracts have various advantages, among others, they:

  • ensure that both parties are fully aware of the contents of their agreement;
  • create transparency between the parties;
  • create and maintain trust between parties;
  • can stipulate formalities that must be met for validity; and
  • serve to avoid unnecessary disputes.

Electronic communication

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) recognises electronic messages (or “data messages”) as the functional equivalent of writing, meaning that data messages have the same legal validity as content written on paper. This results in any formality requiring writing to be met when the information is in the form of a data message. ECTA, however, imposes a requirement of accessibility to accompany data messages by requiring data messages to be easily accessible to the parties thereto.

The validity of electronic messages was confirmed by the Supreme Court of Appeal (“SCA”) in November 2014 in the case of Spring Forest Trading v Wilberry (Pty) Ltd. The court held that variations to an agreement between the parties made via email were binding – the arguments put forth were that the variation to the agreement was required to be made in writing and signed by both parties in order for it to be valid and that this requirement had not been met because the variations were only discussed and agreed to via email. The court stated that the email signatures at the bottom of the emails amount to signatures and that the email messages constituted writing in terms of ECTA.

Conclusion

Written contracts are always recommended. The rationale being that oral agreements offer no objective or clear record of the details of the agreement and the specific terms are often difficult to establish when a dispute arises. Well drafted agreements should include useful information and guidance to the parties to ensure a fair and smooth resolution of disputes or disagreements. The guidance information should address when parties may cancel the agreement, what constitutes breach and how the breach should be remedied.

Written agreements should also set out that any changes to the agreement are not valid if they are not in writing (and signed by both parties) – which prevents disputes over any amended terms of the agreement. This also prevents quarrels of a “he said, she said” nature as everything has been recorded. As set out above, this can be done via email or other electronic messages, including WhatsApp, for example; however, the name of the sender must be signed at the end of the message for it to be valid.

It is important to understand that following the abovementioned judgment, parties to a contract should specifically refer to an “advanced electronic signature” – which is a special signature provided for in ECTA – being required to amend the agreement if the intention is for the usual email type correspondence not to effect an amendment to the agreement.

Remember, you could be bound to a contract where you have willingly signed it even if you have not yet read it.

Important take-aways

  • electronic communication is legally binding and is the equivalent of writing;
  • some agreements can only be altered if the variation is in writing and signed by both parties;
  • some agreements must be in writing and signed (and sometimes commissioned or notarised) in order to be valid and binding; and
  • oral agreements are binding (but not advised!).

Website terms – purpose, importance and consequences

Nowadays, websites almost always contain policies and terms that govern your use of the site. Sometimes these policies will appear as banners on the site (which you have to “agree” to in order to make them disappear), links in the page footer (like we have on our website) or as a statement along with a tick box saying that you have “read and agree with” the terms (usually when transacting online).

The questions on people’s minds are, firstly, why do I need all these different sets of terms and, secondly, are these policies binding?

Why do we need all of these terms?

The website terms which we feel are important are browser terms, privacy policies and commercial/transactional terms. Each one of these deals with specific aspects of the website’s use, including, for example, the collection of personal information, social media integration, payment methods and your rights as a user of the website. Below we discuss each policy and its importance. These policies also protect your rights and interests in your website and can allow for you to have a claim in law against people who infringe your rights.

Browser terms

Although browser terms are not a legal requirement, they are useful to ensure that the “web surfer” understands and agrees to certain key points. Browser terms should be used to inform the surfer that:

  1. you, as the website owner, owe them no responsibilities;
  2. they get no rights to any services or IP merely by browsing;
  3. they are required to respect your website and the content thereof; and
  4. you comply with all necessary legal disclosure requirements.

Browser terms are “agreed” to through the surfer continuing to browse the website. These types of agreements are called “web-wrap” agreements. More on this below.

Privacy policies

Privacy policies are essential whenever the website collects or makes use of personal information. Personal information is often collected through cookies as well as when browsers become users of a website by creating an account or by integrating their social media accounts with the website.

The Protection of Personal Information Act 4 of 2013 (“POPI”) sets conditions for the lawful processing of personal information. Included in POPI’s ambit will be the mere storage of personal information when it is collected by cookies. POPI also requires that companies make certain information available to users when they collect their personal information. This can be achieved through a privacy policy. Privacy policies therefore also assist the website owner to comply with legal requirements.

Privacy policies usually include the following important aspects:

  1. the use of cookies to collect certain information;
  2. the purposes for the processing of the personal information;
  3. the sharing of personal information by the website owner with certain select third parties;
  4. the storage of personal information, including the security measures taken and whether cross-border storage will occur; and
  5. the user’s rights in relation to his/her personal information and the recourse that he/she has.

Privacy policies are, like browser terms, usually agreed to by browsing; however, a recent trend has been to display the fact that cookies are used as a banner on a website, requiring a “click-wrap” agreement to be entered into in order to remove the banner.

Commercial/transactional terms

As the name suggests, the commercial terms become applicable where the website enables users to transact with the website owner through the website. These terms serve as the terms of the contract which you conclude with the user when the user becomes a customer. The important aspects that this policy should govern include:

  1. a general explanation of the service or product being offered by the website;
  2. the fees that are payable, which may be a once off purchase price or a subscription fee, as well as the fees relating to delivery costs, insurance and VAT;
  3. the terms applicable to returns;
  4. limitation of liability, which will be subject to the Consumer Protection Act 68 of 2008 (if it applies);
  5. the applicability of promotional codes and vouchers; and
  6. acceptable use policies, however, this is more applicable where the website offers a service and not a product.

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) requires certain disclosures in terms of section 43 by the website owner when goods or services are offered for sale or hire through an electronic transaction. Some of the disclosures required include:

  1. company name, registration number and contact number;
  2. addresses, including physical, website and e-mail;
  3. a description of the main characteristics of the goods/services offered (which fulfils the requirement of informed consent);
  4. the full price of the goods, including transport costs, taxes and any other and all costs;
  5. the manners of payment accepted, such as EFT, cash on delivery or credit card, as well as alternative manners of payment such as loyalty points;
  6. the time within which delivery will take place;
  7. any terms of agreement, including guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers;
  8. all security procedures and privacy policy in respect of payment, payment information and personal information; and
  9. the rights of the consumer in terms of section 44 of ECTA.

ECTA also requires that the customer must have an opportunity to review the transaction, correct any mistakes and withdraw from the transaction without penalty before finally concluding the transaction. ECTA non-compliance gives the consumer the opportunity to cancel the order and demand a full refund.

Additional requirements are placed on suppliers transacting online regarding payment systems. The payment system used must be sufficiently secure in terms of current accepted technological standards. Failure to comply with these security standards can render the website owner liable for any damages suffered due to the payment system not being adequately secure.

Are these policies binding?

Essentially, yes, website terms will be binding based on the principles of contract law. Website users must be made aware of the terms that apply to their use of the website and you should always ensure that you include wording to the effect that by anyone continuing to use the website they agree to the terms.

To this effect, web-wrap and click-wrap agreements come into play.

Web-wrap agreements

Web-wrap agreements (also referred to as browse-wrap agreements) are used to acknowledge the terms of use of a website by continuing to use the website. The user indicates acceptance of the terms by using the website and does not expressly indicate acceptance of the terms. Such agreements are usually used in browser terms and privacy policies.

Click-wrap agreements

Click-wrap agreements require the user of a website to indicate their agreement with the terms through positive action – usually by clicking “I accept” before proceeding with their activity on the website. These agreements are usually used for more important agreements, such as when installing new software on your computer or when entering into online transactions.

Conclusion

Even though all of these policies may seem excessive, they are worth having. Yes, copying and pasting clauses from other policies will get the job done, but you may leave yourself vulnerable to certain consequences that you haven’t thought about. These consequences may be even worse when it comes to commercial terms. Contact us for a free quote and ensure that your online business is fully protected!

Pyramid schemes and other related practices: what you need to know.

Introduction

In terms of our law, a pyramid scheme is an unlawful practice in terms whereof the newest members fund the “investments” of the existing members. The return on “investment” is usually too good to be true and not at all market related. As soon as new members stop joining the scheme, it falls apart resulting in the newest members losing the most.

The law

The Consumer Protection Act 68 of 2008 (“CPA” or the “Act”) defines a pyramid scheme along with the other related schemes falling within the ambit of the CPA. The general prohibition on these schemes is found in section 43(2) of the Act, and includes multiplication schemes and chain letter schemes.

“(2)      A person must not directly or indirectly promote, or knowingly join, enter or participate in—

  (a) a multiplication scheme, as described in subsection (3);
  (b) a pyramid scheme, as described in subsection (4);
  (c) a chain letter scheme, as described in subsection (5); or
  (d) any other scheme declared by the Minister in terms of subsection (6), or cause any other person to do so.”

Let’s look at these schemes in more detail:

Pyramid scheme

A pyramid scheme is a system into which people buy in exchange for a pay-out at a later stage when new members are introduced into the system. One normally pays a “joining” or “admin” fee to become a member of the scheme. The people who recruit the new members are paid out from the new members’ joining and admin fees. In some instances the scheme will involve the new members purchasing a product; however the product is of very low value and is a distraction from the main objective of the scheme.

The new money coming into the scheme is not used to derive profits but is merely used in order to pay out the existing members of the scheme: repayments are paid from new capital and not from profits generated. As soon as people stop joining the scheme it will start to fail and eventually collapse.

In terms of the CPA a pyramid scheme is defined as follows:

“(4)      An arrangement, agreement, practice or scheme is a pyramid scheme if—

  (a) participants in the scheme receive compensation derived primarily from their respective recruitment of other persons as participants, rather than from the sale of any goods or services; or
  (b) the emphasis in the promotion of the scheme indicates an arrangement or practice contemplated in paragraph (a).”

Multiplication scheme

A multiplication scheme is different to a pyramid scheme in that the CPA clearly states that it will only occur when the return on investment is 20% above the REPO rate at the date when the person invested into the scheme. A multiplication scheme occurs as soon as the investor is offered, promised or guaranteed returns that are 20% above the repo rate. Multiplication schemes do not have a hierarchical structure like pyramid schemes but generate revenue through repeated or once-off investments of varying amounts by members. The investments are then used to finance the interest pay-outs owed on investments made at an earlier date.

In terms of the CPA a multiplication scheme is defined as follows:

“(3)      A multiplication scheme exists when a person offers, promises or guarantees to any consumer, investor or participant an effective annual interest rate, as calculated in the prescribed manner, that is at least 20 per cent above the REPO Rate determined by the South African Reserve Bank as at the date of investment or commencement of participation, irrespective of whether the consumer, investor or participant becomes a member of the lending party.”

Chain letter scheme

Chain letter schemes require participants to continually recruit more participants in order to start receiving pay-outs from their investment. The investment made is a joining fee of sorts. Each new participant joins at the lowest level in the scheme and “moves up” by recruiting new members below them. Once a participant reaches the highest level of the scheme they are removed from the scheme.

In terms of the CPA a chain letter scheme is defined as follows:

“(5)      An arrangement, agreement, practice or scheme is a chain letter scheme if—

  (a) it has various levels of participation;
  (b) existing participants canvass and recruit new participants; or
  (c) each successive newly recruited participant—
    (i) upon joining—
      (aa) is required to pay certain consideration, which is distributed to one, some or all of the previously existing participants, irrespective of whether the new participant receives any goods or services in exchange for that consideration; and
      (bb) is assigned to the lowest level of participation in the scheme; and
    (ii) upon recruiting further new participants, or upon those new participants recruiting further new participants, and so on in continual succession—
      (aa) may participate in the distribution of the consideration paid by any such new recruit; and
      (bb) moves to a higher level within the scheme, until being removed from the scheme after reaching the highest level.”

Characteristics of these schemes

The characteristics of these schemes include:

  • No product or product of little value being purchased by new participants.
  • A hierarchical, pyramid shaped structure where the members at the top benefit the most and the members nearer the bottom only benefit after the “top dogs” have been paid.
  • The incentive to recruit members is to ensure a pay-out to the existing member doing the recruiting, and not to sell the new members a product of value.
  • The main source of income generated is from the introduction of new members and not through investment or other forms of wealth creation.

Outcomes of these schemes

  • The possible outcomes of these schemes:
    • The founding member or principal of the scheme gathers as much money from the scheme as possible and disappears with the funds.
    • The scheme collapses due to its “weight”. The scheme starts to lose speed as fewer members join, resulting in a lack of funds available for existing members.
    • The scheme is unveiled as a pyramid or other prohibited scheme and authorities put a stop to the scheme.

Can members claim money back?

It is possible for the investors in pyramid schemes to attempt to claim their money back once the scheme collapses, however, chances of successfully retrieving all the funds you have invested are slim. Once the schemes collapse they are liquidated, as the scheme is declared insolvent. The liquidators will ensure that they receive their fee along with as many creditors of the scheme getting paid at least a portion of their outstanding debts leaving little to nothing for the victims of the scheme.

Prosecuting pyramid and related schemes along with their founding members is a major concern and problem faced by the South African Reserve Bank. Investigations into the schemes can take years to complete, depending on the complexity of the scheme. Another catalyst to the extended investigation period is the fact that the initiators of the schemes tend to disappear with investor funds as soon as the scheme starts showing signs of collapsing or gains too much attention from authorities.

The Companies Act, 2008, provides a mechanism for placing financially distressed businesses under “business rescue proceedings”. These proceedings are also often a barrier to investigation by the Reserve Bank and further prosecution.

Consequences for the person starting the scheme

Charges that could be laid against the founders of such schemes, as well as any persons involved in the schemes who should have noticed that fraudulent schemes were taking place include: theft, fraud, reckless trading, forgery and uttering, tax evasion, contravention of the Gambling Act, contravention of the Companies Act and contravention of the Banking Act.

Things to look out for

  • Interest rates that are “too good to be true” and much higher than interest rates offered by established institutions, such as banks and investment portfolios.
  • Promises of a guaranteed return on investment in a short amount of time.
  • The requirement to recruit additional members.
  • No link to established organisations.
  • When the investment does not disclose how returns are made.
  • The institution running the scheme is not licensed as a financial services provider with the Financial Services Board.
  • Where there is little or no information or an official mandate or documentation relating to the scheme.

Recent developments

The National Consumer Commission (NCC) has over the last 6 months launched investigations into the business practices of various companies, based on suspected pyramid scheme practices and other prohibited practices in terms of the CPA.

One example is the DiPESA scheme that was investigated earlier this year, but the investigation indicated that the business was in fact legitimate as it did not meet all the characteristics of any of the prohibited schemes in terms of the CPA.

Conclusion

In economically distressed times, companies may consider and initiate different kinds of business opportunities. It is important to understand that when considering your business model, prohibited practice in terms of consumer laws like the CPA, should be considered as a first step.

When considering pyramid and other related schemes it is also important to take into account section 38 of the CPA, which regulates referral selling. The prohibited referral selling model aims to protect consumers against “unfair” marketing practices in terms whereof the consumer would agree to enter into an agreement (and pay for) goods or services on the basis that the consumer could possibly receive a benefit after entering into the agreement.