The Protection of Personal Information Act 4 of 2013 (“POPIA” or the “Act”) regulates the right to privacy in the specific context of data protection. It does not cover other aspects of privacy, like the privacy of communications.
The purpose of the Act is to:
“… give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information;
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing principles, in harmony with international standards, that prescribe the minimum threshold requirements for lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including an Information Protection Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act…”
Thus, POPIA sets conditions for how one can process the private information of persons that is in one's possession.
Personal information is defined in the Act as:
“…means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;….”
POPIA requires responsible parties to be open about their processing and allow the data subject to participate in how their personal information gets processed.
Consumers have various remedies, like complaining to the Information Regulator and suing for damages in a civil action. For the latter, damages will be determined on a case-by-case basis.
Over and above your obligations and those of your business, consumers should:
- Only give personal information to companies they trust;
- Put their name on the “Do Not Contact” register (in terms of the CPA);
- Read Privacy Policies;
- Ask organisations to tell them what personal information they have and ask for it to be deleted;
- Unsubscribe from newsletters;
- Complain to the organisation itself first.
In terms of the Consumer Protection Act 68 of 2008 (the “CPA”), as amended, anyone can currently send email marketing on an opt-out basis. In terms of POPIA, email marketing can only occur on an opt-in basis.
What could happen to you or your business if you do not comply? You could:
- Suffer reputational damage;
- Pay out millions in damages in a civil action; and
- Be fined up to R10 million or face 10 years in jail.
We recommend that businesses revise their policies and ensure that they align all facets of their businesses. Contact SchoemanLaw today.
Submitted by Schoeman Law