Protection of Personal Information Bill [B9-2009] briefing

Meeting report

Ms Ananda Louw, Principal State Law Adviser: South African Law Reform Commission, and Mr Henk Du Preez, Senior State Law Advisor: Department of Justice and Constitutional Development, briefed the Committee on the Protection of Personal Information Bill.

Ms Louw emphasised the international origins of the ethos of the Bill and how the international legal instruments had been interpreted in national legislation elsewhere in the world. She listed the information protection principles on which the Bill was based:
Information must be -
• Obtained fairly and lawfully
• Used only for the original specified purpose
• Further processed in compatible fashion
• Accurate and up to date
• Adequate, relevant and not excessive to purpose
• Processed openly
• Accessible to subject
• Kept secure
• Destroyed after its purpose is completed
• [Transferred to countries with adequate information protection only]
The responsible party had to ensure compliance


She told the Committee that the protection of information was not a domestic policy issue because the matter was of worldwide concern. She showed a map of the world showing where data protection laws had been enacted and where they were pending. The only other developing countries that had laws pertaining to the protection of information were: Senegal, Morocco, Benin and Burkino Faso. The United States was the only country that had protection of information laws that were rules based.

In drafting the Bill, besides looking at best practice, they had aimed for a Bill that was principle based, rather than rules based. Thus it looked at outcomes rather than process, provided an overarching framework, was flexible and complied with the spirit of the law.

Ms Louw concluded by saying that Bill was a hybrid piece of legislation incorporating the human rights perspective while providing for economic expediencies.
It was principled based rather than rules based and the Bill together with other sector specific legislation, regulations, codes of conduct and guidelines formed a unique privacy framework for SA.
It emphasised the “do the right thing” approach and promoted compliance with the spirit of the law.
Although it was possible to learn from the experiences in other jurisdictions, the Bill should primarily be interpreted with reference to the international instruments from which it originated.  

Mr Du Preez then took the Committee through the Bill, reading each clause.

Discussion
Ms M Smuts (DA) stated that Ms Louw had stipulated eight information protection principles that were universally applicable. She asked to what degree the Department had stuck to the eight principles of the EU Directive when drafting the Bill.

Ms Louw said that the principles adopted by countries in protection of information legislation was the same, despite the fact that they were influenced by differing viewpoints. The US dealt with the principles in the same ways in which they were dealt with in Europe. There was one universal way of interpreting the eight principles. It was important for all countries to harmonise “the set of rules” to avoid conflict in laws. If the country had to follow the American way of doing things, then the South Africa would need to have sector specific Acts. That would create loopholes, one Act was needed to cover everything.

Prof L Ndabandaba (ANC) asked how many law faculties were consulted when doing research to formulate the Bill and how many other people were consulted in the research process.

Ms Louw said that the Department had different ways in which they consulted people. One of the major ways of consultation used by the Department was to invite people to make written submissions. That invitation was sent to every faculty and Department. The Department of Justice and Constitutional Development had a very large distribution list. With regards to the workshops that were run prior to formulating the Bill, an invitation had been extended to all universities. If there were specific academics that had an interest on the subject, they were also invited to comment on the Bill.

Mr M Gungubele (ANC) noted that it was mentioned during the briefing that the Department had faced difficulties with “a particular sector” during the consultations prior to concluding the formulation of the Bill. He asked what institution or sector was it that gave problems.

Ms Louw replied that the group that gave the Department problems was the Direct Marketing Council. This was because they dealt with Spam mail.

Mr Gungubele asked to what extent did the Department take into consideration cultural sensitivities when drafting the Bill.

Ms Louw said that each person had a conception of what privacy was. Some people would argue that one had no privacy. If a person signed up for Facebook, then one had no privacy. What the department found in all the different cultures was that if one had a lovely face, one did not mind having a picture of one’s face taken, but if one had ugly legs then one would not want a person to take a picture of those legs. Something was private if the person concerned regarded it as being private. The law was there to protect those who indicated that they want their privacy protected.

Mr S Holomisa (ANC) said that the presentation stated that the European Union privacy laws were influenced by the human rights culture in the region and the OECD was guided by economic imperatives. He asked what influenced the privacy laws in the African countries that had adopted them.

Ms Louw told the Committee that the major influence of privacy laws in the African countries was Europe. Whether one was in the European Union or was influenced by another perspective did not mean that the rules differed. All the countries were guided by the eight principles. The principles remained the same and the difference was in the implementation. The Act was flexible as it was principle based, it was composed of principles that could be applied anywhere in the world. It was possible to apply the principles anywhere in the world.

Mr J Jeffrey (ANC) said that different countries classified aspects of information differently, and that related to the conditions at a particular time. He raised an example of how in South Africa and in other countries the penalties for transgressing certain laws differed.  In South Africa the right to privacy was protected in common law and in the Constitution.  He asked if principles recognised particular categorisations of information that a particular country might find more interesting.

Ms Louw said that there was a general consensus in the world about what personal information was. Anything that one could think of as personal information was recognised by countries as personal information.

Mr Jeffrey asked if there was a difference in the international community when it came to penalties for the incorrect use of personal information. Not having penalties would mean that the law could be broken.

Ms Louw replied that penalties differed widely amongst countries. The European Union did not give a directive as far as penalties were concerned. The EU Directive focused on the principles. This was because the implementation had to be in line with the culture and the conditions of the country. So there was a leeway with regard to the issue of penalties amongst countries.

Mr Jeffrey said that the SA Law Reform Commission report focused on first world countries such as the USA, Britain, Canada and Australia. It was a pity that there was no developing country mentioned in the report with regard to privacy laws.

Ms Louw said that one should not look at the countries in particular, although one could look at the example of what was happening in other countries, the Bill was based on international instruments and that is what they had to comply with to get the adequacy rating. The examples used were made because the countries mentioned had legislation already. South Africa did not necessarily copy their implementation. It was following the international instruments. The countries in Africa had only implemented their laws recently. Senegal was the first to implement in 2006. The other three countries had only adopted their privacy legislation in 2009. They were also following the European Union instruments.

Mr Gungubele asked what was meant by ‘personal information’.

Mr Henk Du Preez referred the Committee back to the definitions section of the Bill. ‘Personal information’ was all the type of information that related to a person as an individual. It was an individual’s identity number, blood type details, but the exclusions were important, as the Act applied to the processing of personal information for economic purposes. An individual in their personal capacity could process information for personal use. People who processed information in their private capacity were excluded from the Act.

Ms Louw gave an illustration saying that if one was organising a party, and collected all one’s friends’ phone numbers so that one could send them invitations fitted well with the definition of processing information. This personal act was excluded from being governed by the law because the information was being processed for personal use and not for commercial use.

Mr Du Preez said that personal information was not limited to the examples given in the definition section. An individual’s IQ could also be seen as personal information.

Clause 4
Mr Jeffery asked what would happen if the information was stolen from the person who was using it for personal use and the person who stole it used it for commercial purposes.

Ms Louw replied that the use of the information would then be governed by the Act, as it was no longer used by the person who stole it for private reasons. Immediately when the information was not being used for private reasons, it fell within the Act.

Mr Gungubele asked how the Bill affected tracing agents?

Mr Du Preez replied that tracing agents would also be subject to the provisions of the proposed legislation, but he would get to the points in the Bill that directly dealt with the tracing agents.

Mr Jeffery referred to Clause 4(d) and asked if the clause meant that journalists were excluded from the Act because they were governed by a code of ethics under the Press Council.

Mr Du Preez replied that journalists were excluded from the Bill if they were part of a body that had a code of ethics that provided adequate safeguards for the protection of personal information.

Mr Jeffery asked why journalists were excluded?

Ms Louw replied that everyone had been asking to be excluded from the Act. And people gave many reasons for wanting to be excluded. However it was not good to be excluded from the Act, as it merely enforced good business practice. It was beneficial for one to be included in the Act. The Act provided a framework, which could be used by institutions, and individuals who were in the business of collecting personal information. In the initial draft of the Bill, journalists were not excluded, as it was very difficult to tell which individuals were journalists. This was because anybody could publish on the Internet. The Department however received a large number of submissions explaining why it would be difficult for journalists to do their work if they were governed by the Act. The exclusion of journalists from the Act gave them the opportunity to regulate themselves. If one was excluded from the Act then one did not need to look at the Act. Each principle in the Bill had exceptions, but every responsible party should try and act within the principles.

The Chairperson added that any institution or professional body that failed to regulate itself would then be governed by the Act.

Ms Smuts asked how the law would affect the fingerprint database of Home Affairs that would be open to the police. The police were being given access to all personal information databases by the state.

Ms Smuts asked the Department to address the Caster Semenya case in relation to the Bill.

Mr Jeffrey asked if someone could explain the Caster Semenya issue.

Mr Du Preez said that the issue of privacy was covered under common law and the Bill of Rights in the Constitution. In assessing the case it was also necessary to determine if it was a public or private body that processed the information. The remedy that was available would be a civil claim. And in order for the claim to be successful, one had to prove that there was a breach in law.

Ms Louw added that there was a distinction between ordinary personal information and special personal information. She referred the Committee to Clause 25 of the Bill on the prohibition on processing of special personal information, which read as follows:

“Unless specifically permitted by this Part, a responsible party may not process personal information concerning a—
(a) child who is subject to parental control in terms of the law; or
(b) data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.”

Ms Louw said that there were other exemptions that applied to Caster Sememya and she referred them to Section 30 (Exemption concerning data subject’s health or sexual life). However it did not make provision for the manner in which the press dealt with personal information.

The Chairperson referred to the clause on the sectors that were exempt from adhering to the Bill. He noted that the legislature was not exempt, but the executive was exempt.

Ms Louw said that the same exemptions were also found in the Protection of Information Act as they were trying to harmonise the two Acts.

Clause 5
Mr S Holomisa (ANC) asked what would happen if there was another law in conflict with the Bill. Which one of the two laws would be upheld over the other? He referred to Clause 5 which stated that: “This Act does not affect the operation of any other legislation that regulates the processing of personal information and is capable of operating concurrently with this Act”.

Mr Du Preez replied that if the subject matter was purely for the protection of information, the most extensive Act would prevail. However it was something that the Department would look at as the clause did not clearly express that.

Clause 10
Mr Jeffery asked if Clause 10(3) meant that the data subject had to be informed before the personal information was processed.

Mr Du Preez agreed that a person had to be informed before their personal information was processed. It was stipulated in the Bill and was one of the principles.

Mr Gungubele asked what the meaning of “only” in Clause 10(1).

The Chairperson said that “ only” referred to the conditions raised under 10(1). Mr Du Preez said that the whole paragraph had to be read together.

Mr Jeffery asked what happened if a person’s parole information was leaked to a journalist and the journalist argued that it was in their interest to publish that information?

Ms Louw said that in order for one to truly understand the Act, one had to read the whole Act, as the Act was like a hurdle race. If one complied with one aspect of the Act, that did not mean one had complied with the Act as a whole.

Ms Smuts said that in her view ‘processing’ did not include publication, and thus to what extent would ‘processing’ apply to publication of information.

Mr Jeffrey said that in his view the term ‘processing’ did include publishing.

Ms Louw said that the term “processing” was very broad and publication was included. If it did not accommodate that, “it would mean journalists were home free”. There were also other laws pertaining to the defamation of character, which could be applied when a journalist was viewed as having violated a person’s rights.

Clause 20
Mr Holomisa asked what would happen if no protection of information law applied in the county from where the operator conducted business. Clause 20(3) said; “If the operator is not domiciled in the Republic, the responsible party must take reasonably practicable steps to ensure that the operator complies with the laws, if any, relating to the protection of personal information of the territory in which the operator is domiciled.”

Ms Louw explained that if the country in which the operator resided had data protection laws, then the operator had to comply with those laws. If the country did not have laws that protected personal information, then one was not allowed to transfer data to those countries.

Mr Jeffrey said that not many countries had protection of information laws and thus Clause 20(3) should be redrafted.

Ms Smuts asked if there were any jurisdictions that had comparable laws without a regulator? The Promotion of Access to Information Act was faced with the unwillingness of government departments to comply. The whole point of the Promotion of Access to Information Act was ensuring that people had access to information.

Mr Du Preez replied that the central point of enforcing the Bill would be the Information Protection Regulator. There was no doubt that an enforcement mechanism was needed. The Bill brought with it many tasks and responsibilities for those who would be enforcing it. There were going to be problems if there was no regulator.

Mr Jeffrey said that he did not see in the SA Law Reform Commission Report a set of eight principles, and it seemed as if the Department extracted the principles from the European Union Directive. He also believed that there was a contradiction in the manner in which the Bill was laid out and what it was aimed at achieving. This was because each principle was followed by rules yet the Bill was supposed to be principle based. He asked why the Department chose to construct the Bill in this manner.

Mr Jeffrey said that his understanding of a principle was that it was broad and it had no detail. For example accountability was a principle, and there was no need to offer detail on what accountability was. What the Department had done was to make the principle headings. He had a problem with the fact that the principles were combined with rules.

Ms Louw said that the Bill was principle based because it was flexible. Had it been rules based then there would be a set of rules for each sector. There would be a section dealing with education, health etc. However the Department had included some rules in the Bill.

The Chairperson asked if this was not caused by the various ways in which principles could be viewed. There were instances that one could deliver a sentence as a principle. He saw the rules as guidelines on how to implement the principle.

Ms Smuts said that the Committee was probably confusing matters by calling the headings in the Bill principles. She said that it did make sense to follow international instruments as the information was shared trans-nationally.

Ms Louw said that principle based legislation did not mean that the legislation was principle based. The information protection principles were something that had a meaning of its own internationally. They were not meant to fit into the ordinary meaning of principles. Principle legislation was something different. It was not necessary to have any principles in legislation for it to be called principle based. The Bill could have been called anything else. Principle based meant that the Act was a framework, which could be applicable to many sectors.

Clause 26
Mr Holomisa asked why cultural beliefs were excluded from the list of beliefs stated in 26(b).

Ms Smuts asked why traded union membership was in the list in Clause 26.

Mr Du Preez replied the definition of personal information involved many categories. Ms Louw told the Committee that there would be no problem in including “ cultural beliefs” in Clause 26, because philosophical beliefs could include cultural beliefs.

Ms Louw said that the section on trade union membership had been taken out and replaced many times. There was a lot of uncertainty on whether it should be included in the clause. However it was in the European Union Directive.

Clause 31
Mr Jeffrey asked what was meant by criminal behaviour in Clause 31. Did it mean someone who was arrested many times, or did it include someone who was only alleged to have stolen something?

Ms Louw replied that criminal behaviour applied to a person even though they had never been arrested. Even if a person was alleged to having stolen something, but not arrested, it still applied.

Mr Jeffrey asked if the number of times that a person had been arrested fell under the definition of criminal behaviour. According to him that was not criminal behaviour.

Ms Louw explained that what they were trying to address with regards to that clause was very wide.

The Chairperson said that the matter would be flagged and the Committee would re-look at it when they were drafting the Act.

Clause 36
The Chairperson referred to Clause 36, which focused on the constitution and term of office for the Regulator. He asked how the regulator would be appointed and who would appoint the regulator.

Ms Smuts said that it was clear that the Department had in mind a fully independent regulator, as they used the same terminology in the Bill as the one that was used in appointments for the courts. However, the Bill was silent on who selected the regulator.

Mr Du Preez said that they would like to get guidance on the matter from the Committee, as they had a problem with deciding which strategy to propose for the appointment of the regulator.

The Chairperson asked the Committee to move on the matter as it was important to decide on who appoints. The role of the regulator was very powerful, as the person would at times need to hold the President accountable. It was thus good that the Department was asking for the Committee to assist on the matter.

Mr Du Preez said that it would be good if the Regulator was appointed by the highest authority with the Committee’s discretion. However there were going to be urgent matters that the Regulator would need to address while performing its duties. He requested that the Minister be involved in appointing the Regulator.

The Chairperson said that Committee was also capable of appointing the Regulator as they had facilitated many appointment processes before.

Ms Smuts asked if the Information Protection Officers would exist alongside the Information Officers.

Mr Du Preez replied that in many instances it would be the same official who was the Information Protection Officer and the Information Officer.

The Chairperson requested that the meeting be adjourned. The members agreed that they would continue with the meeting the following day.

The meeting was adjourned.