A great deal of attention has been given to juristic entities' compliance with Protection of Personal Information Act No. 4 of 2013 ("POPIA"). With the pending full commencement of POPIA on 1 July 2021, juristic entities are in the final stages of ensuring compliance with POPIA.
In this article, we discuss a lesser explored subject, being the implications of POPIA on natural persons taking into account the processing of personal information on social media platforms.
POPIA aims to protect an individual's right to privacy by offering protection against the unlawful collection, retention, dissemination and use of personal information. The question that we explore, is whether or not the protection afforded by POPIA also extends to photos of, and pictures including "memes", of "data subjects", as defined in POPIA, which are posted on social media platforms.
In the event that an individual discovers a "post", on a social media platform disclosing certain of his/ her "personal information", as defined in POPIA, including a photograph, on a prima facia reading of POPIA, the subject of the post may be considered a data subject and the person who posted the photograph may be considered a "responsible party", as defined in POPIA.
Posting the personal information on social media would also, arguably amount to the dissemination of personal information, as contemplated in the definition of "processing" in POPA. Thus, the responsible party may be obliged to comply with the provisions of POPIA.
The consequences of being considered a "responsible party", in terms POPIA are substantial and include the requirement for a responsible party , inter alia, to comply with the eight conditions of lawful processing of personal information, as prescribed in POPIA. The conditions include a requirement to obtain the consent of the data subject prior to posting a photograph or the views of that data subject on a social media platform. The responsible party would also be required to appoint an information officer and publish and comply with a POPIA manual as read with section 51 of the Promotion of Access to Information Act No. 2 of 2000.
Arguably, the application of POPIA in the above circumstances would lead to an absurd result where every individual who posts photos, memes, videos or the views of another person, is considered a responsible party who must comply with onerous conditions.
To prevent the abovementioned situation from arising, section 6(1)(a) of POPIA states that POPIA does not apply to the processing of personal information in the course of a purely personal or household activity.
The repercussions of section 6(1)(a) of POPIA, quoted above are, arguably, that -
- POPIA applies only to business or professional activities; and
- in so far as any pictures or video taken or views shared are disseminated on social media or any other platform in a personal capacity, POPIA arguably does not apply.
POPIA does not define the terms "personal activity" or "household activity". The aforementioned terms may have to be interpreted not only by the ordinary grammatical meaning of the words but also by taking into account, on a case-by-case basis, what contemplates work as opposed to personal use in respect of the relevant social media user.
Disgruntled individuals who find their personal information posted on social media platforms without their consent are, however, not without legal remedy.
Our common law, as codified in the Constitution of the Republic of South Africa, 1996, protects individual's right to privacy on a professional and personal basis. Thus, social media users who post what may be considered as personal information, should do so, keeping in mind that the subject of the posts, although falling out of the ambit of POPIA, are still protected by the common law in the event that the post breaches the privacy of the subject.
Written by Zamathiyane Mthiyane, Senior Associate, Healthcare and Lifesciences at Werksmans Attorneys