Watering Down POPI

Technical amendments to the Protection of Personal Information Bill (POPI) were approved by the Portfolio Committee on Justice and Constitutional Development (National Council of Provinces) in July. POPI now awaits approval by the National Assembly before being sent to the President for his assent.

In its previous considerations of POPI, the primary matters that required the Committee's deliberation related to:

  • consent, justification and objection, as set out in clause 11(3)(a) of POPI
  • time limits applicable to the retention of records and correction of personal information
  • additional wording regarding categories of persons to whom exemptions are extended and whether principle recognition of the need to exempt companies that may be able to profit from information at a later stage under clause 32(1) is required
  • the need to review POPI against updated European Union (EU) regulations

The last point is of particular interest in view of the developments in Europe in respect of online data privacy regulation rules.

More than a year ago, the EU's top justice official proposed a tough set of measures for protecting the privacy of personal data online. At the beginning of June 2013, justice ministers from the EU's 27 member states agreed to a business friendly proposal stipulating that what companies do with personal data would be scrutinised by regulators only if there were "risks" to individuals (where such risks include identity theft or discrimination).

The justice ministers debated a proposal that would no longer require companies to obtain "explicit" consent from users whose personal data they collect and process, rather allowing the companies to obtain "unambiguous" consent, which is considered to be a lower legal threshold. A proposal on balancing an individual's right to data protection with other rights, including the freedom to do business was also discussed.

The UK's Information Commissioner has been quoted as saying that concerns have been raised regarding the ability of regulators to "uphold information rights" in light of the burdensome requirements placed on them by planned reforms to the EU data protection laws.

The Commissioner has raised concerns that data protection authorities (DPAs) will not be sufficiently resourced to regulate the general data protection regulations that have been proposed by the European Commission, "As things currently stand I see real problems ahead with the practical delivery of a regulation that is still so detailed and specific as to the processes DPA shall undertake in almost all circumstances."

The Commissioner raised particular concerns about any new Rules that would require businesses to notify DPAs of all breaches of personal data they suffer and about how a new mechanism for regulatory co-operation would work in practice.

In addition, over the past year American technology companies have despatched representatives to Brussels and have issued papers through industry associations arguing that stringent privacy regulations would cripple businesses already suffering from the recession in Europe. The industry association arguments are all pointing to a less restrictive approach to data privacy.

As with POPI in South Africa, the European Rules would affect all companies that deal in personal information and any Rules enacted would serve as the applicable privacy law in every country in the EU. In addition these Rules would potentially have a bearing on other countries drafting data protection laws of their own.

The amendments approved by the Committee were technical in nature and do not appear to have taken into consideration the necessary review of POPI in light of updated EU Rules and regulations surrounding data privacy properly. The issues in respect of regulation, application and implementation of complicated privacy laws in Europe should be taken into account in considering the application of POPI, which will be sought to be enforced in a less sophisticated environment.


Download PDF Share Back To Listing
Loading data