With many organisations handling personal data, the risk of this data being breached and released is increasing, as in the recent incidents of the South African insurer Liberty and Facebook globally. Governments and policymakers have established the need for new data protection laws and regulations such as the General Data Protection Regulation and the ePrivacy Regulation in the EU.
But this creates a challenge for South African legislation in the Protection of Personal Information Act.
On May 25, 2018, the GDPR came into effect. Although it is an EU regulation, it has become applicable for all countries, including South Africa, that may have any part of their business operations located in Europe. This is inclusive of companies that offer goods or services to EU citizens, and/or are involved in the monitoring of their citizens' behaviour.
The GDPR has severe administrative penalties for non-compliance, which include two levels of fines, determined by the severity of the infringement. The first can reach a maximum of €10 million (R159.5m) or alternatively 2% of the company’s annual turnover, whichever is higher. The second level of fine can reach a maximum of €20m or 4% of the company’s turnover, whichever is higher.
The soon to come ePrivacy Regulation is yet another EU privacy regulation that will affect countries outside the EU. This regulation concerns all electronic communications. The ePrivacy Regulation has been approved by the European Parliament and is awaiting finalisation from the European Commission and member states.
Although the main discussion on the ePrivacy Regulation remains around the web, email and other electronic communications channels, it also clearly mentions new electronic communication technology, including the internet of things (IoT), voice over IP (VoIP), and instant messaging apps like WhatsApp and Facebook Messenger.
The GDPR addresses the issue of “consent”, but in a wide-ranging context. The ePrivacy Regulation was designed to address “consent” in a more practical, easier-to-understand manner to ensure that individuals have the ability to control their personal data and privacy. The ePrivacy Regulation is considered lex specialis or principe lex specialis derogat legi generali to the GDPR. This simply means that the ePrivacy Regulation will take precedence over the GDPR.
South Africa has been in the process of fully implementing its own privacy legislation - the Protection of Personal Information Act (Popi). It was developed to protect any personal information. This includes information processed by both private and public bodies and is inclusive of government entities. Although there are some exceptions, every individual who collects, stores, modifies or uses information or is involved in the information process is responsible under Popi.
Therefore, they remain obligated to comply with the conditions required for the lawful processing of personal information. Although Popi was drafted into the South African legal system in November 2013, it currently remains ineffective for the most part, as its full implementation has not been finalised.
Once Popi is fully implemented, companies will have 12 months to achieve full compliance.
Popi and the ePrivacy Regulation are similar, with specific reference to the obtaining of “consent” from the “data subject” in the dissemination of their personal information.
However, the ePrivacy Regulation provides more details regarding communications technologies, for example, IoT. Popi does not explicitly state the various communication technologies that may be used, but they remain implied.
The key differences between Popi and the GDPR are, first, the penalties, in which Popi’s maximum monetary penalty shall not exceed R10m. With the failure to comply with the GDPR, the monetary penalty is set at a percentage of the infringing company’s turnover, which means the higher the turnover, the greater the monetary penalty. Second, Popi includes a possible jail term for severe infringements, while the GDPR does not.
Non-compliance with the GDPR and Popi will ultimately have a greater impact on offending companies in terms of reputational and financial damage. This is due to the requirement under both pieces of legislation that the offending company publicly disclose the nature and occurrence of the breach.
While there remains uncertainty as to when Popi will come into full effect, the EU’s GDPR is fully implemented, with a large number of companies, such as Google and Facebook, already facing huge penalties for failure to comply.
South Africa has developed a strong partnership with the EU. And the GDPR can enhance co-operation between the two as Popi was designed along similar lines, and may complement the GDPR; but experts say since the EU is one of South Africa’s biggest trade partners, SA is going to have to bring Popi in line with the GDPR.
Trishana Ramluckan is an academic and researcher in the IT field.