28 January 2022
When President Jacob Zuma signed the Protection of Personal Information Act (POPIA) into law in 2013, I gave the typical South African sigh. Yet another piece of unnecessary legislation, already well covered by common law, I thought. Another costly regulator. I also gave a little sigh of relief - its commencement was postponed. There was a limited implementation in 2014; full implementation on 1 July 2020, with a year for businesses to become compliant. I could look at it later. Now I have.
New regulation creates confusion, irritation, misapprehension, and opportunists looking for a quick buck off the overwhelmed and uninformed. POPIA achieved all that.
But, POPIA has a history.
Regulation seems to have become overwhelming. Libertarians and free-marketeers want it gone. But ordinary people are prone to abuse in today’s world of fast movements of money and information.
In 1890, Warren and Brandeis wrote in the Harvard Law Review: “The intensity and complexity of life, attending upon advancing civilisation, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”
In 1890, data was kept in vaults – on paper. Now it is on hard drives, memory sticks and in the cloud. Storing and selling personal data is an industry.
Leading South African academics have called for personal data protection regulation since the 1970s. Government had other priorities. In Europe, Germany, Sweden and France passed data protection laws in the 1970s. In 1981, the Council of Europe passed a convention on the issue which was binding on its members. The Paris-based Organisation for Economic Development issued similar guidelines. In 1995, the European Parliament issued data protection directives, prohibiting data sharing with countries which had inadequate data protection regulation. The United Nations also published guidelines encouraging member states to adopt legislation.
In 2000, the South African Law Commission investigated the matter, and a few years later, recommended legislation. POPIA came nearly a decade later.
Without POPIA, South Africa could be grey-listed by the EU and other countries - bad news for banks and the financial industry, and the country. Hopefully POPIA will comply with the international requirements. POPIA does not re-define privacy. It deals with data.
The definition of privacy and the invasion of privacy will remain in the common law as developed in terms of section 14 of the Constitution. The concept of privacy and intrusions into privacy remains amorphous and elusive (as described by Judge Laurie Ackermann in 1995). It is a sliding scale of facts about oneself that deserve protection from publication. It differs from one person to another and is determined by the prevailing public policy, as interpreted by the courts.
Privacy law does not provide a blanket prohibition against releasing private data. Private data can be obtained if another law allows and it can be requested in terms of the Promotion of Access to Information Act (PAIA).
POPIA does not apply to the media, provided the media is independently regulated. Nor does it deal with the data of organisations or the state.
POPIA regulates the data that private persons (called data subjects) disseminate to data receivers (called responsible parties). It regulates what the responsible party may do with that data, how it must secure the data, and under what circumstances it may trade in or disseminate the data. It links to PAIA on how third parties may obtain the data and it removes the management of PAIA from the Human Rights Commission to the Information Regulator.
The Information Regulator also, without substituting for the courts, now provides an administrative appeal to people who requested, or whose information was requested from responsible persons in term of PAIA, where a request was granted or refused.
POPIA has been criticised. Some of the criticism is fair and some is not. Fair criticism is that it is long, that the definition of personal information is perhaps too wide, and that it places an administrative burden on small business.
Perhaps the criticism should not be directed at the law, but at the interpreters of the law. I have heard the most ridiculous claims about POPIA – too many to repeat. POPIA is wrongly invoked by all who confuse the Act with privacy laws.
Having read the Act and understanding the history, I have changed my view. I can no longer stand with the anti-POPIA chorus. POPIA is there to ensure that the data that I give to another to be kept in custody remains in custody – and if it does not, I will have a remedy. After all, it is a measure that the intensity and complexity of an advancing civilisation has imposed on us.