POPI Series: Condition 2 – Lawful Processing

Introduction

In our March Newsletter we discussed the first Condition for lawful processing, namely “Accountability”. In this article, we continue our POPI series with a discussion of the second condition for lawful processing in terms of POPI, namely “Processing Limitation”. This may sound a bit vague…. Our aim is to explain to you in layman’s terms, how this condition should be considered and how it may impact on your business operations.

Condition 2: Processing limitation

This condition hinges on four key requirements: (i) lawfulness of processing; (ii) minimality (you may think this is a strange concept); (iii) consent, justification and objection; and (iv) collection of PI directly from Data Subjects.

Before we start, just a reminder that in our previous discussions, we have already dealt with the definition of the “data subject” (DS), but for ease of reference, note that the data subject is the person to whom PI relates – the one whose PI is being processed. And the “responsible party” (RP) is the one processing the PI.

Lawfulness of processing

Section 9 of POPI provides for the following in relation to lawfulness of processing:

“Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.”

What does it mean to process PI “lawfully”? And could a data subject not take a view that each time that PI is being processed there will be an infringement of privacy?

In essence, this requirement comes down to acting in a manner that is “reasonable”. When looking at “lawfulness”, the RP must conduct itself within the confines of the law. In terms of our law, one may not steal. Loosely speaking, this also applies to PI – one cannot “steal” another company’s database and hope not to breach the requirement of lawfulness. It should be obvious that “stealing” a database or information, will be “unlawful”. If one considers POPI as a whole, the responsible party should at all times be able to say that it conducted itself in a manner that would not (reasonably) infringe on the privacy of the DS.

Minimality

In most instances, the question of how much PI is “more than is necessary” will depend on the purpose for which the PI is processed. The default position is that the RP should only collect and/or process as little PI as is necessary to achieve its business objectives. Next month we will discuss “purpose” in more detail, but it is important to understand that the purpose for which PI is collected and processed must be considered at all times, and the amount of PI that can “lawfully” be processed will be considered against the reason why the PI is processed. It simply means that if you only need a name and telephone number, don’t ask for address and ID number just because…. POPI says you must only process what you need to!

Consent, justification and objection

And now we get to the big CONSENT question….

We have previously written on this topic in an article Is consent the beginning and the end? (http://dommisseattorneys.co.za/popi-is-consent-the-beginning-and-the-end/). There is still a lot of confusion in the market around consent. In essence, consent is one of 6 grounds on which a RP can rely to process PI. This means that without consent, a RP can still be seen to process PI lawfully – but only if it can rely on one of the other 5 grounds provided for in this section. (Note that for electronic direct marketing specific rules around consent apply and therefore our consent discussion below does not necessarily apply to electronic direct marketing.)

Section 11 provides the following:

“Consent, justification and objection.—(1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

It would often be easy to obtain or infer consent. If I am asked for certain information, and I know exactly what the RP is going to do with my information, and I continue to provide the information requested, surely one can take a view that I have “given consent” for that processing.

The more difficult question to answer would be when can the RP process my PI if I have NOT given consent? Let’s look at some examples when POPI allows processing without consent:

  • If processing is necessary to fulfil a contractual agreement in which the DS is involved [This refers to a situation where the RP has to process my PI in order to perform in terms of a contract with me];
  • If processing is in accordance with the law [This refers to a situation where the law requires from the RP to process my PI. It would be irrelevant whether I consented to it or not – the RP has an obligation in law to do certain things with my PI. Reporting my behaviour to authorities (where a law requires from the RP to report certain behaviour) may be an example of this.];
  • If processing is necessary to protect the legitimate interests of either the RP or third party [What does “legitimate interest” mean? POPI does not define it and reliance on this exception will need to be considered very carefully. In our view, an example could be the following: I enter into a credit agreement with company X for a credit facility to purchase clothing on credit. I do not honour my agreement and I am in arrears. Company X did not ask for my consent for them to trace me and collect on debt that I owe them. Even though they did not obtain my consent, company X can argue that they can (lawfully) trace me and collect debt from me, because it is in their “legitimate interest” to collect on debt that I owe to them.]

In the event of a data subject challenging the RP whether there was consent or not, the RP will bear the burden of proof, to prove consent. This could be very relevant – particularly for marketers.

So once the DS has given consent, can that consent be revoked? Yes, POPI provides for a mechanism in terms whereof a data subject can “object” to processing in certain circumstances. This means that even though (for example) a direct marketing consent was obtained when the DS entered into an agreement with the RP, that DS may at any time request that the marketing stop – basically “objecting” to the processing for the purpose of marketing.

Collection of PI directly from the DS

This requirement provides for a general rule, in terms whereof organisations should collect the PI relating to a particular DS, directly from that DS. As with many other provisions, again some exceptions will apply, meaning that even though PI was not collected directly from the DS as per the general rule, but it was rather collected from a third party, the RP would still be seen to have collected PI in a lawful manner. Let’s look at some examples where collection from another source would be lawful:

  • where PI was made deliberately public by the data subject [This could mean that if I make my PI publicly available to anyone on Facebook, without using any security and privacy settings, I should not have the expectation that no one will collect my PI from Facebook. (Note that processing of that PI must still comply with POPI, but RPs could collect from this source – rather than from me directly.)];
  • there has been a consent to collection from another party [Where I for example consent that company X may share my information with company Y for marketing purposes, company Y can “lawfully” collect my PI from company X (and not from me directly), because I consented to it];
  • where collection from other sources is necessary to protect the legitimate interests of the organisation [Again, one can look at the collections environment: If I owe money to a credit provider that is entitled to collect on the debt, and I have moved address, surely the credit provider can justify that he must collect my updated details from a tracing agency for example – in this case the credit provider should be able to justify that it was necessary to collect my updated details from a third party – in order to protect its legitimate interests.].

Conclusion

Do the right thing. Act in a reasonable manner and collect and process PI in a manner that could be “defended”. POPI is not stopping organisations from collecting and processing PI. But POPI is requiring from all to do the reasonable thing. If you can obtain consent, it is advisable to do so. If not, think about what you are doing and make sure you can justify your actions. Business needs to continue as usual – but within the prescribed rules.

Moral Rights In The Context Of Copyright Law In South Africa

INTRODUCTION

In simple terms, a “copyright” is a form of intellectual property right that grants the creator of an original work (“the author“), the legal and exclusive right to the use and distribution of the work (in return for compensation for the author’s intellectual efforts). In this sense, a copyright can be said to be an economic right.

A “moral right” in the context of copyright law, on the other hand, is rather a personal right which attaches to the author, allowing the author to receive the appropriate credit when his/her work is used and it also dictates, to an extent, the way in which an author’s work is treated by others.

In South Africa, copyright law is regulated in terms of the Copyright Act, No. 98 of 1978 (as amended) (“the Act“), and is administered by the Companies and Intellectual Property Commission, as a branch of the Department of Trade and Industry. In terms of the Act, nine classes of works are eligible for copyright protection and they include literary works, musical works, artistic works, cinematograph films, sound recordings, programme-carrying signals, broadcasts, published editions and computer programs.

 

THE CONCEPT OF MORAL RIGHTS

Section 20 of the Act creates a legal obligation to give credit to works of an author and not to treat it in a derogatory way, and further defines a moral right as a protected right that applies to literary, musical and artistic works, cinematograph films and computer programmes (but excludes sound recordings, broadcasts and published editions) (“work/s”). At its heart, a moral right consists of the right to paternity and the right to integrity of the author’s work. The right to paternity allows the author to claim authorship of the work, whereas the right to integrity allows the author to object to any distortion, mutilation or modification of the author’s work to the extent that any such distortion, mutilation or modification would be prejudicial to the author’s honour or reputation. In other words, if the author reasonably feels that making certain changes in or to his/her works would undermine his/her creative intent or “vision” embodied in those works, he/she can prevent that change from being made, regardless of any economic rights that another person may own in that same work by virtue of a license or copyright.

An author’s moral rights to his/her works are, however, qualified by the economic interests which a copyright seeks to protect, and section 20 of the Act further provides that an author may not object to modifications to his/her works which are absolutely necessary for the commercial exploitation of those works.

It is important to bear in mind that a moral right can only subsist in the above works if such works enjoy copyright in South Africa in the first place.

 

WAIVER AND TRANSFERABILITY OF MORAL RIGHTS

Just like many personal rights, moral rights can be waived by the author and the author can choose not to enforce them. No formalities are prescribed in the Act for the waiver of moral rights, although good practice dictates that any waivers of moral rights be reduced to writing.

Whereas copyrights are freely transferrable, a moral right attaches to the author throughout the author’s lifetime and terminates upon his/her death (or in the case of an author which is a corporate entity, the dissolution of that entity) and cannot be transferred. What is interesting in this regard is that an assignment of copyright leaves the author’s moral rights unaffected and in many instances, the holder of the copyright will still be required to obtain the necessary waivers from the author. In other words, no matter who gets to exploit the economic rights being the subject matter of the copyright, the author will still have the right to be named and given recognition for his/her work (unless he/she waives such right).

 

INFRINGEMENT, ENFORCEMENT AND REMEDIES

A moral right could be infringed by, for example, not properly attributing the work of the author, or treating it in such a manner so as to lower the reputation or dignity of the author. Given the closely related nature of copyright and the moral rights that subsist in the copyright, the statutory remedies which apply to an infringement of copyright would also apply to an infringement of an author’s moral rights. The Act provides for a claim for damages or the imposition of an interdict. These statutory remedies are complemented by common law remedies to the extent that any conduct that violates the dignity and reputation of the author can give rise to a similar claim for damages or an interdict to curtail the infringement.

 

CONCLUSION

Authors in South Africa enjoy a reasonable measure of protection regarding the intellectual products of their labours. South Africans have, however, been slow to enforce these rights and to date, there have been very few reported cases dealing with this area of law. Perhaps the reasons why moral rights are so rarely asserted are, firstly, that it is a fairly unknown concept in South Africa, and secondly, that many commercial agreements governing the use of intellectual property will often include a waiver of the moral rights of the author.

Should you have any queries concerning your business and its use of its own intellectual property and that of others, please feel free to contact us – we would be glad to assist you.

New NCA regulations

The last year has certainly stirred the credit industry, with consumers and credit providers struggling to keep abreast of latest developments, dos and don’ts. Various credit providers have also been called upon to defend their credit practices, by the National Credit Regulator and consumers alike.

The National Credit Amendment Act was assented to on 19 May 2014, and new draft regulations were published on 1 August 2014, both of which contain significant changes to credit law as we know it, with new procedures, factors and requirements in general.

On Friday 13 March 2015, the mentioned Amendment Act and regulations were finally announced to be effective with immediate effect. The regulations, however, contain numerous changes to the draft that saw the light in August last year, but the spirit and intention thereof remain. These regulations, in contrast with previous (2013) guidelines, for example require consumers to provide credit providers with authentic documentation to perform affordability assessments. Affordability assessment processes are also regulated more strictly, with defined items to be included in the assessment of income and expenditure. The regulations also refer to obtaining proof of income, even if a consumer does not receive formal payslips.

It is expected that most credit providers’ business models will have to change in line with these new requirements on an urgent basis.

For a detailed discussion on how these amendments may impact on you or your business, kindly contact our offices.

Introduction To The Exchange Control Rules And Regulations In South Africa

By: Kirsten le Roux and Tanya Lok

As a point of departure, it is important to understand why the Exchange Control Regulations of 1961 (promulgated in terms of the Currencies and Exchanges Act, 9 of 1933) (“the Regulations”) exist and how they apply to any person or corporate entity in South Africa, who/which intends interacting or doing business with any other person or entity abroad. To define their existence in the simplest terms, the purpose of the Regulations is to regulate the flow of funds into South Africa from external or foreign sources (non-SA resident natural persons or body corporates), as well as the outflow of funds by SA residents from South Africa to non-SA residents, with the over-arching reason being for the South African Reserve Bank to maintain control over South Africa’s balance of payments (or BoP as it is more commonly known).

For the purposes of this article, we have addressed one of the more practical issues our clients frequently face in cross-border transactions and the related requirements which need to be adhered to when a non-resident acquires shares in a resident company (by way of a transfer or a subscription for those shares).

It is very important to note the consequences of not following the correct procedure and obtaining the correct endorsement, i.e. the non-resident shareholder will not be entitled to repatriate any distributions of any kind or dividends declared by the resident company, or any sale proceeds from the disposal by the non-resident of its shares. In the event that the endorsement is not properly attended to within the time frame below, a condonation application will need to be made to the South African Reserve Bank in order to allow for such repatriation of funds to the non-resident shareholder.

Where a non-resident acquires securities (in this particular instance, shares) in a resident company, either by way of –

  • a subscription for a new issue of shares in that resident company; or
  • a sale and transfer of existing shares,

the funds which are paid across by the non-resident for the acquisition will be held back by the resident company’s (or the selling shareholder’s) bank until such time as the required documents are provided by the resident company (and/or the selling shareholder) to the authorised dealer (normally the resident’s bank) for approval and release of those funds.

In addition to the approval required for the release of the inward flowing funds, in accordance with the Regulations, when a non-resident purchases shares in a resident entity, certain specific and additional documentary evidence will be required to be produced to an authorised dealer before the funds will be approved for release, as well as for purposes of facilitating identification of controlled shares (shares registered in the name of a non-resident).

The latter purpose (being the identification of foreign-held shares as a regulatory requirement), is one of the most fundamental requirements for ownership by a non-resident of a resident company’s shares. The Regulations provide that within 30 days of a person acquiring ownership of shares in a resident company, that person must submit those shares to an authorised dealer, along with the following information / documentation –

  • the full name and country of residence of the non-resident who owns or is interested in the shares, together with a declaration as to non-residency;
  • the name of the resident company in which the shares are held;
  • the total number of shares held by the non-resident in the resident company; and
  • the full name and residential address of the non-resident in whose possession the shares are.

Practically, in addition to the above requirements set out in the Regulations, most authorised dealers will require the following information / documentation –

  • a declaration on an official letterhead of the resident company that the beneficial owner of the shares is permanently resident outside of the common monetary area, alternatively confirming emigrant status. The declaration should also confirm that the funds being introduced into South Africa do not form part of a resident’s foreign investment allowance, foreign earnings, foreign inheritances, or funds for which amnesty has been granted or in respect of a voluntary disclosure programme, and that there is no South African interest in the non-resident (this is to identify and prevent the so-called “loop structures”);
  • in the case of an individual non-resident, a copy of their passport and a written declaration confirming that they were never resident in South Africa or details of their emigration from South Africa would be required. If a non-resident entity, an organogram of that entity;
  • a resolution of the board of directors of the resident company authorising the equity investment transaction;
  • the agreement in terms of which the equity investment is being made, for example, a shareholders’ agreement, funding agreement, sale of shares agreement or subscription agreement;
  • an independent auditor’s written confirmation that the transaction was concluded at arm’s length and at a fair market related price, illustrating the basis upon which the value of the transaction was determined;
  • latest annual financial statements of the resident company;
  • organogram of the resident company (including the full names of the shareholders, domiciles and percentage shareholding);
  • in the case of a transfer of shares, the existing original share certificate as well as the new original share certificate;
  • in the case of a subscription for shares, the new original share certificate; and
  • a copy of the securities register, the share transfer forms (where applicable) and the resident company’s registration and incorporation documents.

Once the authorised dealer has received and assessed the above information and is satisfied with the findings, they will affix their stamp to the new share certificate, along with any endorsements determined by the Minister of Finance (this process is commonly referred to as “endorsing the share certificate as non-resident”).

While it may appear that the authorised dealers require a high level of documentary evidence for purposes of releasing funds and endorsing the related share certificates, we are dedicated to making a seemingly cumbersome process as painless and effortless as possible for you, should you require our assistance with this approvals process.

POPI Series: Condition 1 – Accountability

Introduction

In our February Newsletter we indicated that we have identified the need to provide our clients with a more detailed discussion on the requirements and Conditions of Lawful Processing as provided for in the Protection of Personal Information Act 4 of 2013 (POPI). Last month we introduced you to our POPI series.

This article is the second of the series and the first article to start specific discussions around the 8 Conditions for Lawful Processing in accordance with POPI requirements.

Accountability

Condition 1 relates to “accountability” of the organization.

In terms of section 8 of POPI:

Accountability

“Responsible party to ensure conditions for lawful processing.—The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself”.

In our view, Accountability is essentially the point of departure in that it provides for a general requirement to take the necessary steps to ensure that all other POPI conditions and requirements are met.

What does “accountability” mean?

“Accountability” is not defined in the Act. Some dictionary definitions include:

  • “The fact or condition of being accountable or responsible”
  • “To give an account or be answerable”
  • “The obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner.”
  • “Taking or being assigned responsibility for something that you have done or something you are supposed to do.”

From the above it is clear that accountability relates to accepting responsibility by taking ownership – to ensure that the organisation processes personal information in the manner intended by the Act.

Who is accountable in this regard?

In terms of POPI, this responsibility has been put squarely on the shoulders of the person (natural or juristic) whom the Act refers to as the “Responsible Party”. The Act defines “Responsible Party” as follows: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

What does it mean practically?

Condition 1 requires from the Responsible Party to ensure that all conditions are complied with from the time the PI is collected up to and including the time of destruction.

How will the RP achieve this?

We believe that although an Information Officer will be appointed for the organisation, it would be best to implement a strategy in terms whereof each department within the business takes responsibility for POPI compliance by that division – being accountable as a business unit.

We furthermore believe that organisations will need to implement measures to keep individuals accountable – meaning that there should be consequences for “not doing what you are supposed to be doing”. For example, if a policy exists (consider something like a clean desk policy for example), the business division will need to take responsibility to ensure (and monitor) that the division actually implements the policy.

Ongoing training will of course also assist with this challenging task to become and remain an organisation that processes personal information in accordance with the POPI principles.

 

Conclusion

Essentially, appointed individuals within an organisation will be required to take initiative to implement POPI requirements, and ensure that business units comply with requirements through implementing business processes and policies to assist with POPI compliance. As the “person” (responsible party) who makes the decisions around the use of and means for processing personal information, you need to accept accountability to ensure that your organisation processes personal information in a responsible manner and in compliance with the Act.

Launching Your Corporate Expansion Into Africa

At a certain point in a business’ corporate lifecycle, the question arises as to whether expansion opportunities into new territories should be explored. This is often an exciting question to ask internally, as the prospects for the growth of your business then increase exponentially. However, we recommend (whenever possible) asking ‘the tough questions’ before jumping into your expansion plans – this (boring) exploratory work is all too often overlooked, but may ultimately save you time and money.

Our firm has prepared a basic guidance note for African Expansion (available to any client on request), which is intended to provide an introductory list of questions and considerations for your expansion plans. These considerations are included in this article in a simplified form, and we would encourage you to engage with these before even meeting with the legal and/or accounting professionals who will assist you with your corporate expansion:

  1. General Considerations

Political, financial, economic and socio-economic considerations, communications, electricity and road infrastructure, language, culture, labour force – these considerations are all too often overlooked when investors and companies scope out opportunities in new territories. These factors may have a massive initial impact on your budget and forecast for expansion spending, and an ongoing impact on your ability to do business in an efficient and cost-effective way. In our experience, these factors are very rarely prohibitive, but we do recommend taking them into account, particularly if specifically relevant for your industry.

  2. Regulatory Considerations

Consider arranging a meeting with the in-country regulator specific to your industry before commencing your expansion plans, and scope out the regulations which apply to your industry so that you can address these early. Consider visa and work permit requirements, competition law implications, consumer protection laws, and any bilateral and multilateral relationships between countries which might affect you.

  3. Financial Considerations

These considerations can be broadly lumped into three essential categories: profit extraction, taxes, and exchange control. We have yet to meet a for-profit business which is not ultimately interested in making a profit in a new territory, although of course many businesses have a comfortable buffer in place which enables new territory operations to operate at a loss for an extended period of time. Profit extraction, taxes and exchange control will inevitably have an impact on the best way in which to invest in a new territory, and we recommend obtaining this advice as one of your first expansion steps, in a way which addresses all the relevant considerations of your business type and group structure.

  4. Corporate Structure and Secretarial Considerations

In general, there are 4 ways in which investors and companies can expand into a new territory for the purpose of commencing business in that territory:

(i) Incorporating a new subsidiary in the local market

(ii) Partnering with an existing local entity or person for a joint enterprise or partnership

(iii) Licensing a product or service to an existing local entity or person

(iv) Acquiring shares in, or merging with an existing local business entity

We recommend carefully considering the costs, implications, benefits and pitfalls of each of these expansion structures before launching your expansion. Some businesses may also want to expand into a new territory to open a branch office or to set up a billing entity without the need for employees and on-the-ground operations: this is often a worthwhile group structuring goal and a less intensive investigation of the above considerations would then apply.

Ultimately, we believe that asking the necessary questions above so as to choose your new market and plan your next steps carefully, will assist your successful expansion. If and when your business finds itself asking itself expansion questions, please feel free to contact our offices to discuss the considerations addressed above in a way that is specifically relevant to your industry.

 

POPI Series: Introduction

  1. INTRODUCTION

In previous newsletters we have touched on some general considerations relating to the Protection of Personal Information Act 4 of 2013 (POPI). We have however identified the need to discuss the POPI requirements in more detail. All clients, whether they be start-ups, medium-sized or big corporates and listed companies, will need to comply with POPI. This article is therefore the first in a series of POPI articles that will assist you with your POPI compliance project (or if you have not started a project, to get you thinking about what lies ahead).

In this article we will include information on how POPI differentiates between different “types” of personal information (PI), who the different “role players” are and what responsibilities each will have.

  2. DIFFERENT TYPES OF PERSONAL INFORMATION

POPI requires that all businesses that “process” “personal information” must comply with the requirements prescribed in the Act. What is meant by the two terms “processing” and “personal information”? In terms of the Act, “processing” refers to any use of information by an organization. This could, for example, include any sharing of a record, storing it, destroying it, etc. In essence, whatever form of use of the record, is likely to fall within the umbrella of the term “processing” in terms of the Act.

Another important definition is of course that of “personal information”. This term refers to any information pertaining to any identifiable person or business, and includes a long list of items that should be considered. You can read the definition yourself, but a few interesting and challenging terms have been included. By way of example: views or opinions expressed by someone about a person could form part of the personal information record of that person.

The Act differentiates between the following types of PI:

  • “normal or ordinary personal information”, for example:
      • Identity Document number or registration number (if it’s a business),
      • cell or telephone number,
      • email address,
      • physical address.

  • “special personal information”, for example:
      • religious or philosophical beliefs,
      • race or ethnic origin,
      • trade union membership,
      • political persuasion,
      • health or sex life,
      • criminal behaviour, or
      • biometric information.

  • “children’s personal information”:
      • This information refers to any information relating to any natural person under the age of 18 years.

What is the reason for the distinction and why is it important to know whether you process “normal”, “special” or “children’s” PI? It is indeed very important to identify the type of PI that you process, because different requirements may apply. With special and children’s PI, specific limitations have been imposed that would not necessarily apply to other PI.

  3. THE DIFFERENT ROLE PLAYERS

POPI talks about a “data subject”, a “responsible party” and an “operator”. These are terms that we don’t often use. So who are they?

The data subject is the one whose PI is being processed. So this could be a candidate or employee; a customer or prospect; a vendor or applying vendor; or any other person whose PI is being processed by your organisation. Legal entities’ PI is also included within the ambit of POPI, meaning that if you process information relating to an identifiable legal entity, that legal entity would also be a data subject.

The responsible party is the one who decides what to do with the information. We often find that clients refer to responsible parties as the ones who “own” the information. On the other hand, an operator is someone who processes the PI on behalf of the responsible party.

Practical examples would include the following:

  • An employer recruiting employees: The employer who receives CVs of candidates would be the responsible party (the candidate is obviously the data subject). If the employer makes use of a third party’s software during this process and the third party service provider (or its system) processes the information on behalf of the responsible party, that service provider will be the operator. The operator cannot take those CVs and do with them whatever it wants. It may merely process them on behalf of the employer.
  • A retailer sending marketing material to its customers: The retailer will be the responsible party (deciding to process its customers’ details for marketing purposes) and the customer will be the data subject. If the retailer as part of this process makes use of a third party to send the actual SMS messages or emails to the customers on behalf of the retailer, the third party would be the operator. The third party cannot take the customers’ details and use them for any other purposes.

Conclusion

The POPI terminology will not always be easy to understand. We can assist you with the interpretation of the difficult terms and requirements. In previous articles we have referred to the “8 Conditions for lawful processing”. Our next article in this POPI series will include a discussion on the first of the eight Conditions, namely Accountability. Look out for this in our March Newsletter.

Protection Of Personal Information Act: Effective Date

The Protection of Personal Information Act has been a long time coming. And since its promulgation in 2013, various organisations have embarked on projects to bring their operations, and the way in which they handle personal information, in line with POPI’s requirements and conditions.

Once this seemingly daunting task has been started, we have seen that many organisations realise that POPI is not that “unfair” to responsible parties (organisations or persons who collect, process (read “use”) and store personal information) after all – it actually comes down to good business practices that can have a very positive overall effect on the controls and processes of the company.

Tackling a compliance project like a POPI compliance project can however take a significant amount of time, require dedicated resources and will also require the necessary guidance to fully understand the POPI impact on the organisations – especially with regards to obligations that can pose large risks if neglected. In newsletters to follow, we will unpack these in more detail. So watch this space for the first information sheet of our “POPI series” next month.

There have been some rumours in different industries that POPI’s effective date is imminent, which have caused anxiety for many organisations that suddenly realised that their current non-compliance needs to be addressed. Although we believe that it is unlikely that the commencement date will be published in the near future (please note that we have been wrong before, and this is merely our view, based on all the steps that we believe should probably take place first – to ensure effective enforcement), we seriously advise organisations who have not started their projects to commence without any further delay. Companies who started their projects but somehow lost a bit of steam (granted, it is rather difficult to keep the momentum going without a fixed date) should pick them up again and finish the good work that they started!

Remember that there is NO quick fix for POPI compliance. Any project will also require training to really be successful. Depending on the size of your organisation, it may take years to complete a successful project.

Currently the only POPI sections already in force are those relating to the administrative side and that allow for the Information Regulator to be set up. The Information Regulator will comprise 4 members and 1 chairperson. After the Information Regulator has been appointed, it will first need to create its administration and staff, in order to give effect to and enforce POPI rights.

Lastly, the Regulations will also need to be created.

To conclude – there is no real indication as to when the commencement date will be published. Organisations will have a one year period from the commencement date to become compliant. If you have not started your project, we suggest that you start without any further delay.

Amending Your Agreements Through An Exchange Of Emails

If you have ever received a formally drafted contract, it will almost inevitably contain a ‘non-variation clause’ along the lines of “no amendment or variation of this Agreement shall be valid unless in writing and signed by or on behalf of each of the Parties”. These clauses have a long history in South Africa of being strictly interpreted, with the rationale being that this prevents uncertainty on the actual terms of the contract, and prevents ‘informal amendments’ which one party may not consider to be a true amendment. A recent judgment of the Supreme Court of Appeal (“SCA”) delivered in November 2014 has opened up the non-variation clause to a new and intriguing challenge by providing for an exchange of emails to have effectively cancelled an agreement between two parties, on the basis of certain provisions in the Electronic Communications and Transactions Act (“the Act”), and in particular the Act’s recognition and definition of ‘electronic signatures’.

Use of ‘signatures’ as proof of an individual’s identity or intent is a well-established global practice, and the notion of what constitutes a “proper” signature has evolved over the course of history – from the use of a personalised seal (still a strict company law requirement in several South East African countries), to handwritten signatures, to modern day’s digital signatures in email or other electronic communication.

In recent history, South African courts have placed emphasis on the importance of handwritten signatures (often requiring ‘wet signatures’ on original documents) to prove identity and approval in commercial agreements – it was generally accepted that these ‘signatures’ would be the most difficult to falsify. However, business reality has evolved so that more and more people are concluding agreements through emails (with name and address footnote ‘email signatures’), over web-based platforms (with ‘click to accept’ signatures), and other faster, more efficient methods. The question inevitably arises as to whether or not, and in what circumstances, these new types of signatures could validly amount to proof of an author’s identity and agreement, and whether the law could keep pace with technology and commercial reality by recognising them as such.

In 2002, the legislature finally tackled this problem head-on, when it enacted the Electronic Communications and Transactions Act. The Act recognises and regulates electronic communications and transactions at large (broadly recognising the ability of two parties to conclude a valid agreement via email, for example). The relevant sections of the Act for our purposes are as follows –

Section 13(1): “Where the signature of a person is required by law and such law does not specify the type of signature, that requirement in relation to a data message is met only if an advanced electronic signature is used.”

Section 13(3): “Where an electronic signature is required by the parties to an electronic transaction and the parties have not agreed on the type of electronic signature to be used, that requirement is met in relation to a data message if –

(a)    a method is used to identify the person and to indicate the person’s approval of the information communicated; and

(b)   having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated.”

The Act therefore essentially distinguishes and recognises two categories of signatures, namely an advanced electronic signature (section 13(1)) and an ordinary electronic signature (section 13(3)):

An ordinary “electronic signature” is defined in the Act as follows: “data attached to, incorporated in or logically associated with other data and which is intended by the user to serve as a signature”. This may for example include a scanned signature, or your name and details at the bottom of an email, provided the ‘signatory’ intended it to serve as a signature.

An “advanced electronic signature” is defined in the Act as follows: “an electronic signature which results from a process which has been accredited by the authority as provided for”. This essentially means a secure type of digital signature purchased from a third party who has been accredited by the Department of Communication (Law Trust was the first such authentication service provider to be accredited).

This brings us to the recent judgment delivered by the SCA in Spring Forest Trading CC v Wilberry:

Two parties, Spring Forest and Eco Wash respectively, had entered into an agreement in terms of which Spring Forest was appointed as operating agent for Eco Wash, and would be entitled to promote, operate and rent out the latter’s “Mobile Dispensing Units” (Eco Wash’s car wash equipment) to third parties. The parties’ agreement (“the Agreement”) contained a standard non-variation clause which required that any consensual cancellation or variation of the Agreement be in writing and signed by both parties.

Spring Forest eventually began to struggle to meet its rental commitments. Following a meeting between the parties to discuss how they would proceed, a string of emails was sent between the parties. Based on the content of this string of emails, Spring Forest believed that the Agreement had been validly cancelled by both parties’ agreement expressed through these emails. When Spring Forest began competing with Eco Wash, Eco Wash applied to the KwaZulu-Natal High Court for an interdict restraining Spring Forest from doing so on the basis of the competition being in breach of the Agreement. Eco Wash alleged in its court papers that its representatives viewed the emails as negotiations only, and not as a consensual agreement to cancel their previous Agreement. Eco Wash was granted its interdict by the KwaZulu-Natal High Court, and Spring Forest appealed to the SCA.

In the course of the SCA’s judgment, the court found Eco Wash’s contentions that the emails merely record a negotiation and do not amount to an agreement to cancel to be “utterly without merit”, based on a reading of this exchange of emails. The court acknowledged the history and efficacy of the non-variation clause, which has been consistently upheld in previous judgments. The court then determined that the legal question at hand was the proper interpretation of ss 13(1) and (3) of the Act. Referring to the aims of the Act and the wording of the sections, the SCA found that it was clear the Act distinguishes between situations where the law requires the signature, and situations where the parties to a transaction impose this obligation upon themselves:

  1. Where a signature is required by law and the terms of the Act do not specify the type of signature required, then s 13(1) of the Act requires that an advanced electronic signature be used. An example of this would be the National Credit Act that specifically provides in the “Interpretation” section, for an advanced electronic signature to be used if the Act requires any document to be “signed”.
  2. Where, however, an agreement between two parties requires signature and does not specify the type of signature, then an ordinary electronic signature will suffice in terms of s 13(3) of the Act.

The court found that the email signatures used by each party constituted ordinary electronic signatures within the definition of the Act, and accordingly found the Agreement to be validly cancelled by way of the parties’ email correspondence agreeing to the cancellation (which satisfied the requirements of the non-variation clause in that the emails were ‘in writing’ and ‘signed’ by way of ordinary electronic signatures).

We believe that there are a few very interesting lessons to be learnt from the Spring Forest judgment. The first is of course to be careful what you put in your emails to commercial partners, clients and third parties with whom you have concluded written agreements. The second is that, if you would prefer amendments only through more “formal” means, we recommend requesting your legal representatives to strengthen the non-variation clause to require (for example) only handwritten or advanced electronic signatures for amendment or cancellation of an existing agreement. The judgment is ultimately a triumph of pragmatism over formalism; however, it does open up the possibility of parties perhaps unwittingly amending or cancelling important agreements. It should be borne in mind that ultimately the question of when email correspondence will amount to an amendment or cancellation will depend on the content of those emails, which should be relatively clear and unequivocal on the part of both parties. Which brings us back to our first point – be mindful of what you put in writing.

 

 

POPI in a Nutshell

Introduction

The new Protection of Personal Information Act (POPI) was signed into law in November 2013. POPI is legislation similar to the UK’s Data Protection Act and aims to give effect to the constitutional right to privacy as enshrined in section 14 of our Constitution. POPI therefore prescribes some “rules” in terms of which businesses will need to process all personal information (that qualifies as “personal information” in terms of POPI) in future.

POPI is not a bad thing. If you read about POPI on the internet, the picture may seem a bit gloomy. There is unfortunately also a lot of wrong information available on POPI on the internet. We therefore urge you to speak to someone with the relevant knowledge to assist you with interpreting the way in which POPI will apply to your particular business.

Implementation

It is important to understand that while POPI has been “signed into law”, meaning that it is an Act (and no longer a Bill that may still change), the majority of provisions are not yet in force. This means that the majority of provisions cannot yet be enforced.

A commencement date will be published in the government gazette and after a one year period from the commencement date, all businesses will need to comply with the POPI requirements (unless the one year period is extended). In effect this means that there will be a “one year compliance period” for businesses to get their ducks in a row. Don’t be fooled by this… There is no quick fix for POPI and businesses should consider this as a “longer term” project. Therefore, the time is most definitely right to start your compliance project (if you have not done so).

POPI conditions

POPI is principles-based. This means that POPI does not necessarily lay down hard and fast rules in all circumstances. Rather, POPI prescribes certain principles (similar to “good business practices” but with the intention to compel businesses to implement these practices) that all businesses will need to adhere to.

In further articles we will discuss the different conditions in more detail, but by way of summary you can consider the following:

  • In terms of POPI you need to identify the reason why you want to use the personal information and then only use it for those specific reasons. POPI refers to this as the “purpose of use”. The reason for this rule is that a person should be able to know for what reason you will use his or her information.
  • In certain circumstances you may only use (the Act talks about “process”) personal information if you have consent to do so. But note that you will still be able to use information in some instances even if you do not have consent.
  • You need to implement measures to ensure that you do not lose personal information or share it with other businesses not entitled to have it.
  • People have the right to ask you what information about them you hold.
  • When you market products or services to people, they always have the right to opt out. In some instances you will not even be able to market to people at all without their consent.
  • POPI has implications for transborder flow of information (this will be important if you store information cross border or make use of cloud service providers for example).
  • POPI very specifically requires certain measures from you when you use service providers that will process personal information on your behalf.
  • POPI requires from you to deal with children’s information and “special information” (as defined in POPI) in a very specific manner.

Conclusion

POPI should not be a threat to your business. You can rather embrace this and use it as a differentiating factor, considering that your competitors may not yet be compliant.

Yes, penalties of up to R 10 000 000 could be imposed, but our view remains that reputational risk is a real factor that should also be considered. If you have not started your compliance project, the time is now. You can contact Jana van Zyl at jana@dommisseattorneys.co.za for more information.