Why POPIA is about rights – not just compliance
- On 22 June 2020, President Ramaphosa announced that the Protection of Personal Information Act 4 of 2013 will come into effect on 1 July 2021.
- As responsible parties begin to take steps to meet their compliance obligations, it is equally important for the public to be aware of the rights to which they are entitled.
- All members of the public have a critical role to play in strengthening the constitutional underpinning of POPIA, and the time is ripe for data privacy to be at the top of the agenda.
Data protection as a constitutional imperative
At its core, data protection is a constitutional imperative that seeks to give effect to fundamental rights, particularly the right to privacy. While, for many, it is a necessary regulatory compliance exercise that must be undertaken – which indeed it is – it is also about meaningfully realising the right to privacy in the digital era, and ensuring that the personal information of data subjects is treated in a lawful and responsible manner. The right to privacy is inextricably linked to human dignity, equality and autonomy of the person, and deserving of being appropriately safeguarded.
Data protection is likely at the top of the agenda of many businesses across the country, following the announcement by President Ramaphosa that the substantive provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) will commence on 1 July 2020. Responsible parties that process personal information will have a one-year grace period until 1 July 2021 to ensure compliance. POPIA applies to all entities, including state authorities, public institutions, large corporations, start-ups and civil society organisations.
The road to get to the enforcement of POPIA has been a long one. The law was originally signed in 2013, with the Information Regulator having been appointed in 2016. There have been a number of delays in implementation, which makes it a particularly welcome development that there is finally clarity on the implementation date.
As responsible parties begin to take steps to meet their compliance obligations, it is equally important for the public to be aware of the rights to which they are entitled. As set out in the preamble to POPIA, the constitutional premise is a simple one: section 14 of the Constitution provides that everyone has the right to privacy; this right includes a right to protection against the unlawful collection, retention, dissemination and use of personal information; and the state must respect, protect, promote and fulfil the rights in the Bill of Rights. Importantly, the Bill of Rights also binds non-state actors, including natural and juristic persons.
What rights does the public have in terms of POPIA?
Section 5 of POPIA lists the rights that data subjects enjoy in terms of the law. In sum, all data subjects have the right to have their personal information processed in accordance with the conditions for the lawful processing of personal information.
This includes the right to be notified when personal information is being collected about you. You are entitled to be informed of, for instance, what information is being collected, who it’s being collected by, why it’s being collected and the consequences of not providing the information. This right is central to the principle of openness that POPIA seeks to enforce. Even in circumstances where you consent to the collection of your personal information, there are requirements for this consent to be valid. POPIA requires that consent must be voluntary, specific and informed. Guidance from other jurisdictions teaches us that, in order for consent to be valid, it should be clear, unbundled from other terms and conditions, require an active opt-in (no pre-ticked boxes), and should be easy to withdraw.
Linked to this is the right to establish whether a responsible party holds personal information about you, and to be able to access that information. Responsible parties are required to confirm, free of charge, whether they hold personal information about you. You are also entitled to request the responsible party to provide you with the record or a description of the personal information held about you by the responsible party, including information about all third parties who have, or have had, access to that information.
If you have concerns about the personal information that a responsible party holds about you, you have the right to object to the processing or request the correction, destruction or deletion of the personal information. In particular, data subjects are entitled to request the correction or deletion of personal information in the possession or under the control of a responsible party if that information is irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Members of the public also have the right to object, at any time, to personal information being used for direct marketing, including in respect of direct marketing by means of unsolicited electronic communications. In this regard, electronic communications include automatic calling machines, SMSes or emails. POPIA makes clear that direct marketing is prohibited unless the data subject has consented to the processing or is a customer of the responsible party. Even in these circumstances, every communication must include the identity and contact details of the sender to enable the data subject to request the marketing communications to cease. Responsible parties should enable data subjects to object to marketing communications free of charge and free of unnecessary formality.
With regard to automated decision-making, data subjects have the right not to be subject to a decision that is based solely on the automated processing of personal information. Specifically, POPIA provides that such automated decision-making is not permitted where the decision results in legal consequences for data subjects that affect them to a substantial degree, which is based solely on the automated processing of personal information intended to provide a profile of those persons. This includes in respect of performance at work, creditworthiness, reliability, location, health, personal preferences or conduct.
You also have the right to be notified if your personal information has been accessed or acquired by an unauthorised person. POPIA requires responsible parties to secure the integrity and confidentiality of the personal information in their possession or under their control. This requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent the loss, damage, destruction or unauthorised access of personal information, in line with generally accepted information security practices and procedures. In the event of a data breach, responsible parties are required to notify the Information Regulator and affected data subjects as soon as reasonably possible. This notification should include a description of the possible consequences of the security compromise, a description of the measures taken by the responsible party, a recommendation on what measures the data subject should take, and the identity of the unauthorised person if known.
Importantly, you have the right to seek recourse if your data privacy rights have been violated. POPIA provides different mechanisms that can be used. The first is that you can submit a complaint to the Information Regulator regarding the alleged interference with the protection of personal information. The complaints process is a relatively simple one, and the Information Regulator has broad powers in terms of POPIA to investigate a complaint and issue fines of up to R10 million for non-compliance with POPIA. Additionally, you can approach the courts to seek to vindicate your privacy rights under the law.
Where to next?
From 1 July 2021, members of the public can effectively begin to vindicate their data privacy rights in terms of POPIA. Notably, members of the public should be encouraged in this regard, as it is only through meaningful engagement with the rights contained in POPIA that the legal framework can have the anticipated effect. It is also hoped that the Information Regulator will be an effective mechanism for complaints to be submitted, and it must be given the appropriate resources and independence to be able to fulfil its mandate.
For entities that are currently working on their POPIA processes, it is important to look at this exercise as more than just regulatory compliance. By understanding data protection through a rights-based framework, it is apparent that all members of the public – both data subjects and responsible parties alike – have a critical role to play in strengthening the constitutional underpinning of POPIA. As members of the public increasingly and rightly demand agency over their data, the time is ripe for data privacy to be at the top of everyone’s agenda.
Avani Singh is a Director and Co-founder of ALT Advisory and Power Singh Inc. Avani writes in her personal capacity.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].