POPI is set to overhaul your business. Two of SA’s brightest legal minds explain the basics – part 1

POPI – Protection of Personal Information Act, 2013 – is the acronym for South Africa’s wide-ranging data protection and privacy act, which is to come into force this week. The law is aimed at bringing South Africa’s data laws into line with regulations in the UK and Europe. As two of South Africa’s smartest lawyers tell BizNews founder Alec Hogg in this webinar, the POPI rules affect every business – because all businesses hold data and personal information. Noncompliance can lead to huge fines of up to R10m and jail sentences of up to 10 years. – Editor

 



Welcome. I’m Alec Hogg and we have fantastic guests today; Okyerebea Ampofo-Anti and Emma Sadleir. I’ve looked at their CVs and gone through their backgrounds and I can tell you that they are the brightest minds that we have in the legal fraternity here in South Africa. What I like about you is that you run your own businesses, that’s a little different. Okyerebea, did you meet Emma at Webber Wentzel? I know you were both working there – did your time overlap? 

Indeed, that’s where our love affair began. We shared an office (against my will anyway). I like to have my own space and that’s where Emma forced herself on me to my eternal delight – and we’ve been friends ever since. 

Okay, I’m not going any further down that rabbit hole. Was it because you shared the same office that you were brought into a very similar speciality of law? 

So we both were in the media law team at Webber Wentzel – we were both candidate attorneys. Okyerebea was a year ahead of me and she and I worked on all manner of media matters. In those days, it was a lot of defamation law, a lot of privacy law, this – obviously being an extension of privacy law, this new act – which was signed in 2013. The fact that we’re talking about it now is absurd but it’s taken a hell of a long time to really become effective – we’ve been waiting for this effective date for so long, and President Ramaphosa has now announced the first of July – that’s it! We’re getting POPI – finally. 

Next week it comes in, and we’re going to unpack all of this. Let’s start off with a little bit of background. Okyerebea; what is POPI? Why was it brought at that time? And of course, the obvious reason is – why has it taken so long to finally become enacted?

Unfortunately, the question as to why it’s taken so long to get enacted is really down to bureaucracy that has been experienced by the government in getting, first of all, the new regulator – that’s the office of the Information Regulator – headed by Advocate Pansy Tlakula (the former head of the Independent Electoral Commission and the African Commissions and Freedom of Expression and access to Information Rapporteur). It took some time for the government to appoint the members of the Regulator and to get them properly resourced so that they could start doing their job. The thing about POPI is that it’s going to fundamentally change the way everyone – not just private entities – but the government handles personal information and because of that, it actually requires a huge mechanism to oversee this and to handle the complaints and to provide guidance and all of those types of things. It’s just been difficult to get that off the ground. That’s really the bottom line of why it’s taken so long. As to what it is that POPI actually does; it really is to indicate how we’re supposed to deal with personal private information. I’ll hand over to Emma to talk a little bit more about some of the details around that.

POPI is loosely based on the EU Data Protection Directive. On the 24th of May 2 years ago – suddenly – every company we’ve ever done business with abroad sent us emails saying; would you like to opt into our marketing, that kind of thing. It really is a fundamental change in the way that we deal with privacy. Up until this point, we do have the right to privacy in South Africa (Section 14 of the Constitution – a fundamental constitutional right), but up until this point, we haven’t had a specific piece of legislation which governs our rights to privacy. That’s what POPI does.

Up until this point, the common law right to privacy test is; do I have a reasonable expectation of privacy in a particular set of circumstances? It’s a little wishy-washy, it’s a bit subjective. What this does is provides an enormous amount of clarity about what can happen with our personal information. That’s why we call it the Protection of Personal Information Act – it is about everything to do with your personal information. We’re talking about your name, your race, your gender, your phone number, your identity number, all of that sort of personal information.

There’s a separate category in the act which deals with sensitive personal information. Which is information or under a trade union membership, your criminal behaviour, your sex life, religion, your philosophical views and that’s dealt with in an even stricter way. It basically gives us guidelines and rules about what we can do with people’s personal information. We’re talking about where you visit a friend at an estate, and you always used to sign in, but now you give them your driver’s licence and they scan – what happens to that information? Where do they keep it? How do they store it? How long are they allowed to keep it for? What are they allowed to do with that information? Can they give it to anybody else? Maybe they use operators in India and they need to send that information to somebody, somewhere to a different country.

This piece of legislation is lengthy and it’s very thorough in what you are allowed to do. We get these eight processing principles which basically say; this is what you are allowed to do with it, it’s all these rules around how we process information, how we collect, how it’s stored, and where we can distribute that kind of information. It really is a complete overhaul in our privacy law. It will be governed by this Information Regulator, which Okyerebea was just talking about. Much as in the same way as with all competition issues you have to go to the Competition Commission, anything around this will be overseen by the Information Regulator.

The fines are hectic – up to R10 million fine if you get it wrong, up to 10 years in prison. It gives the requirements around having to appoint the information officer within the organisation, raising awareness amongst all the employees. What do you do if there’s a data breach? If you’re hacked or if somebody has arrived at OR Tambo and they take the Gautrain into Sandton and they leave their laptop on the train, and then that laptop contains personal information of clients, you’ve got to go to notify the Regulator. It’s all these new rules. It affects everybody because we all deal with information. Every time I get an email from a prospective client, they’re sending me personal information and so all need to know what this act is. We’ve got to think quite carefully about how it’s going to affect each of our individual organisations. 

I’m not surprised that it’s taken this long – 6 years, 7 months. Is this the usual period that it takes for big laws or big commercial laws like this to go through?

Not necessarily, Alec. I think that it really depends. Different pieces of legislation have taken different lengths of time. Undoubtedly, this has been one of the longest. I think that the reason why it’s taken so long is a combination of the bureaucracy surrounding the attempt to set up the office of the Information Regulator and to capacitate that office at a time when, as we all know, South Africa has been going through financial challenges and setting up a new regulatory body has massive financial implications – if you want it to be effective.

Some would argue that there’s still a question about whether the government has sufficient capacity at the office of the Information Regulator to deal with the deluge that might come once people start getting to grips with what this information, this Act, really means for them. Also, one of the things we’ve seen is that even once a piece of legislation is in force – it takes years for the Regulator to really get to grips with what it is supposed to do for the public. We think of the National Credit Act and how fundamentally it changed the way in which credit providers do business. It took years to get off the ground. And some would argue that the National Credit Regulator is still not as fully functional as many members of the public and consumers would like it to be.

Would there have been any vested interests that would have tried to have held this up? Is there anybody who’s going to lose, either their business or lose part of their business, or have to change the way that they do business in such a way that it’s going to wipe out the profits?

Basically, what this new data protection law says is that historically – we have what we call an opt-out mechanism for direct marketing. So, emails that you get advertising something say unsubscribe at the bottom. Going forward, you’re going to have to opt into that communication, which is a big change, and it’s going to affect the way that businesses operate. Not just that; for a lot of companies to become compliant with this onerous law (which I do think should have come into force years and years ago – I feel like I’ve been writing opinions for the last 10 years) have a year for compliance.

It’s an important point, but even though it comes into force next week, there is one year for companies to get themselves in order to start complying properly – which is crucial. Okyerebea, I’m sure, will tell us what a big job it is, because she does a lot more of this data protection audit type work, but it’s not something that we can wait until June next year and then a couple of weeks before say, ‘okay well – we better just do something’. It really is going to require a huge overhaul. Direct marketing, there’s been a huge issue, a big push from the industry, because, as I say, it’s going to change everything. You have to opt in and the only time that there is an exception is if that person is an existing customer – then you can contact them. If they ever tell you not to – you can never contact them again, and you can only contact them once to ask them. You can never ask them again. 

Before the Credit Act came in, many of the credit granters went wild and just offered lots and lots of credit because they knew that was going to change. On the point that you made a moment ago, if they’re already an existing client, in other words, if I’m on some spam list at the moment, which I’ve never opted into, does it mean that I’m going to stay on that spam list because it’s there, or is there any kind of a clause that is going to prevent the spammers from doing that?

So a spam list is a tricky thing, because they shouldn’t be contacting you anyway. A spam list is something that almost gets distributed between companies. If you’re an existing client of that specific company, then that company is allowed to directly market to you. Again, you have to have this option where you can unsubscribe or stop to opt-out or whatever it is. That’s crucial.

I should just say, this data protection law governs electronic direct marketing where you’re dealing with telemarketing. We all get these irritating phone calls all day. There are 2 tips that I’d like to tell you about; the first is that you should go to the national direct marketing opt-out database. If you go to the website – nationaloptout.org – and register yourself as a do not contact person, that’s a highly, highly useful tool – which a lot of people don’t know about. It sometimes takes a little time to filter through the system, but then any members of the Direct Marketing Association of South Africa cannot contact you if you’ve listed yourself on nationaloptout.org. Then there’s an app called Truecaller, which I’m sure a lot of the viewers today have downloaded. It’s a really important one; download it and then you get a notification that something is spam before you answer, which can be useful.

Are you going to cover POPI and data colonialism?

I’m not sure exactly what she is referring to around data colonialism. She might be talking about the fact that what has been going on with many, especially if you look at some of the bigger social media players, is that there’s been a dumping of the ugly side of dealing with that sort of thing in jurisdictions which do not have good enough laws to deal with that. So, you see situations where, for example, you’ve got massive call centres based in places like India and some places like South Africa and other places where the laws aren’t as great; where people then have to deal with, for example, your vetting and flagging of inappropriate content that is coming out of social media platforms all over the world. I’ve heard of the sort of tech dumped – tech nuclear waste colonialism in that sense. But I’m not sure what she’s referring to as data colonialism. 

One of the other points that I thought was quite important to make (that Emma did touch on, I just wanted to flesh it out) is that the whole issue of compliance with POPI is going to fundamentally change the way your organisation does business. That’s a really important starting point to the conversation as we go into all the questions that people are going to ask. It’s not about, oh, if I get this right or if I sort that out or if I do this tick box, then I can be sure that my business is protected and that I’ve done what I need to do. It’s actually a complete overhaul of the way you do business. It’s not just about your external stakeholders, your customers.

It’s also internal facing because you need to think about your HR processes as well. How you deal with recruitment, how you deal with your existing employees, etc. It’s really important for organisations to understand POPI compliance as a journey. It’s not a journey where there’s a final destination. It’s an ongoing, permanent journey of how you become more and more compliant and more effective. As a lawyer, we’ve got to say, please, please, POPI compliance is not something that you just shift onto legal or regulatory or that you just bring in a consultant like myself or Emma to sort it out and then it’s over for the rest of your life because it has to become part of the DNA of your organisation. You do need people to help you to get on top of the technicalities. Your organisation, your employees; they need to get to understand the basic aspects of this themselves, how it changes the day to day ways in which they deal with your customers and so forth. Otherwise, you’re heading for a fine. 

It’s like GDPR in Europe, which changed the world for companies over there. Similarly, we’ve got a year to really get our acts together. What are the risks and benefits of the new legislation?

The risk, I think, is that people leave trying to become compliant too late. That is going to be a very big risk that the corporations face. That it’s going to feel like it’s been such an airy-fairy thing, this POPI act. People have been talking about POPI for years and years, even now, just talking about it today – we can’t give a line by line analysis of the Act in a one hour webinar, but it’s so important that everybody gets to grips with it. I’ll give you an illustration, Alec.

There was just a case in the Netherlands where a grandmother was forced by her daughter to delete pictures of her grandchild from her Facebook account. It was dealt with there under the GDPR legislation, by the equivalent of our information regulator. The grandmother who said that she didn’t want to delete these photos of her own grandchildren and has been fined for every day that those photos are on after the date of the ruling, has to pay 50 euros a day as a fine. We’re not just dealing with huge multinational organisations here and what they’re doing with data. It’s absolutely everybody.

From my point of view, I like to try and make law as digestible as possible, the easiest way of doing that is to give illustrations. Now, until we start getting a huge body of case law in South Africa, that’s gonna be tricky. So we are going to have to take our lead, in education particularly in the European Union, because our law is so closely based on the GDPR. That is the biggest risk is just the fact that this is going to affect everyone. As you know my focus is on social media and I always used to say, when I was a media lawyer before social media erupted, that I was so happy I was a media lawyer because you go to a dinner party and people ask you, what do you do? Then unless they were journalists responsible for writing the front page of the Sunday Times, the conversation stopped.

I always said I felt so sorry for my friends who were either divorce lawyers or labour lawyers. They just get abused at dinner parties and everybody wants free advice. Then with social media, the media law became so mainstream and absolutely everybody needs to know what the risks are on social media. That’s the same thing with data protection. It’s all about processing. When I give webinars at the moment and the school kids are saying to me, can I refuse to turn on my webcam while I’m in a class? Now, that’s something that’s going to be affected by POPI. Absolutely everything is going to be affected by POPI. Now, what it looks like and how strict the Information Regulator is going to be, we don’t really know until it starts. Is it going to be as effective as the Competition Commission or is it going to be yet another ineffective government organisation? Because of how serious the sanctions are when people mess up, I think it’s going to be a fairly fearsome body and I hope that they do a good job at it because it’s going to affect everybody so significantly. I would imagine they’re going to be completely overwhelmed.

On the benefits. It’s important to not just see this as a burden. I’m glad that someone did ask about the benefits of it. The benefits are actually to you and I as an individual. If you take your business hat off and stop thinking about how awful the compliance obligation is. For you and I as individuals, the benefit of this is that you’re going to see a fundamental shift in our ability to control the destination of our own data. Our ability to ensure that if you do not want your personal information used in a particular way, then it basically can’t be used in that way for the most part. That’s really important for where we are going. I really don’t like the term 4IR, because it’s abused all the time but the reality is that we are going into a new era of the world where data is power and your ability to control your data is going to be key in the future we’re all going to live in. So this type of legislation is absolutely necessary to give you the rights that you need to have. What we’re going to understand eventually, as we all get on board with this, is that data protection is part of human rights. Actually, it’s operationalising your rights to privacy in the new digital world. It has that kind of benefit.

  • This transcription is part one of a series. Look out for the next instalments here on BizNews premium.