"Open any newspaper or news website, and the chances are that you will find a report on someone’s right to personal privacy being infringed, or yet another intrusion through an organisation’s security systems with credit card or other financial information being stolen. With the rise of free flow of information over the internet, the popularity of social media, increasing ID theft and other intrusions...governments worldwide have become increasingly concerned with the purposes for which organisations collect personal information, why they keep it, and how they protect it. The position in SA is no different, and consumers in SA should be welcoming the impending Protection of Personal Information Bill.”
I am quoting from the findings of a study undertaken by Pricewaterhouse Coopers of the Bill we bring to the House today. The Bill has been a long time in the making. This House requested the Law Reform Commission at the conclusion of the writing of the PAIA in 2000 to undertake work on privacy. Their work was long since done but many factors have delayed the completion of this Bill. We were fortunate in having the advice of two people who have travelled the entire road from the Law Commission Report through to our tenth and final version of this Bill, that is Ms Ananda Louw and Mr Mark Heyink, and the Bill has greatly benefited from the expertise and drafting skill of Mr Henk du Preez. We believe we have produced a law that will serve South Africans well. I quote Pricewaterhouse Coopers again:
“Although there are some disadvantages in lagging behind other countries in adopting privacy legislation, one major advantage is that the SA legislators have been able to draw on the models developed and experience acquired in other countries, selecting the best of the best for our privacy legislation. The challenge for organisations, however, is that complying with the requirements of the PPI is going to have a significant impact on the way they do business”.
I am afraid that a significant impact is what is called for, on businesses both big and small. Our e-mail addresses, cellphone numbers, transactional history and financial details are constantly offered for sale. One seller of lists told prospective buyers: “remember you own the data once purchased, so you can even resell it to get your money back once you have used it”. That is why we constantly receive unsolicited calls and electronic messages which someone, somewhere has matched to a profile which should only be created on the basis of information given with your knowledge and consent.
This Bill will be welcomed by everyone who is drowning in the daily tide of spam that washes into our inboxes. We have finally done what internet service providers and e-commerce entities encouraged us to do even in 2002, when the Electronic Communication and Transaction Act was written: we have moved away from the opt-out position under which you have to refuse a direct marketing offer, or suffer the incoming spam, to an opt-in regime. That means that unless you are already a customer of an enterprise, you specifically have to say yes before a direct marketer can send you its offers. That marketer can approach you only once, and has to identify itself with contact details.
We have seen just one consumer case too many, covered by journalists like Independent’s Wendy Knowler, where unsuspecting consumers, often poor ones, suddenly find debit orders running off the bank accounts whose details they never supplied, for services or products which they did not order, or were duped into signing up for. Knowler’s readers were frequently told when they managed to track down the source that banking details had been obtained from the “national consumer database”, a thing which, as she says, does not exist. Account details are stolen. We have therefore criminalised the obtaining, procurement, disclosure and sale of account numbers, an offence that will carry a maximum ten years or commensurate fine.
We want all the benefits of computerisation to be realised in South Africa, including e-commerce. Trust is the ingredient that makes it work. That is why a company like Deloitte has spelled out the business benefits, including return on investment, that adherence to privacy rules hold out. PPI value for a brand is incalculable, just as its opposite incurs reputational and monetary loss (as when R41 million was stolen from the Postbank by infiltrating an insecure database).
It is important to note that the Bill gives effect to the Constitutional right to privacy while giving copious recognition to all other rights and social interests that compete with privacy, such as the free flow of information. It sets minimum conditions for the processing of information. Each condition is qualified by exceptions. So for example, personal information may only be processed if you consent or if it is necessary to carry out a contract OR processing complies with an obligation imposed by law on the processor OR it protects a legitimate interest of either the data subject or the processor, and so forth. Over and above the exceptions, there are exclusions and scope for exceptions.
The Information Regulator which we create under the Bill will help consumers by taking their complaints and, failing resolution, helping them sue for damages when the conditions for processing have been infringed. The independent Regulator will also assist, assess and if necessary investigate and adjudicate upon information processors in both the public and private sector. An enforcement notice will tell a processor to take certain steps or stop processing. Offences occur only when processors obstruct the Regulator or ignore an enforcement notice. The emphasis is on helping them comply, but there are also eventual sanctions.
The Regulator will have functions, and dedicated regulators, under both the PPI and PAIA. We hope that the failure of access to information to date will be cured. The Regulator will be able to assess PAIA practices, take complaints for conciliation – and also for action. Appeals against refusals will be able to be taken to the Regulator.
To quote Trevor Manuel in the NDP:
The PPI that is being discussed in Parliament seeks to establish an information regulator covering certain aspects of information and personal data. This body should be equipped with the necessary resources to do its job properly and independently. The body should strike the right balance between its responsibilities to protect personal data, while providing recourse to those claiming their right of access to information”.