The Committee deliberated on the Protection of Personal Information Bill. A Member had raised the issue of desirability of the Bill, expressing his concern about possible unintended consequences of the Bill because of its universal approach which cast the net wide and threatened personal privacy. Other Members expressed their concern that the Bill’s wide ambit would make it unenforceable. It was proposed, and generally accepted by Members, that the Committee should take an approach whereby the Bill should essentially set out a framework of broad principles and general exemptions, as had been the approach in other countries, most notably the United Kingdom, and the Regulator would then produce the codes that would be effective and enforceable.
The Committee deliberated on the Bill’s impact on the right to privacy and questions around juristic personality vis-à-vis protection of information and personal privacy. One Member cautioned against excessive State interference with the right to personal privacy and the right to information. Freedom was the principle and restriction was the exception.
A Member also proposed that the Committee seize the opportunity to enunciate the Constitutional right to privacy through legislation.
The Committee then agreed that the Bill should be restructured, and dealt firstly with Clause 43. It was agreed that the powers and functions of the Regulator should be set out. Members discussed whether the Regulator should report to Parliament or the Minister, and Members were generally in agreement that independent bodies should ideally report to Parliament, who should, however, be sensitive to executive functions. Suggestions were made to re-order the sub-clauses and group similar items together and it was agreed that sub-clauses (g) and (u) of Clause 43 be collapsed into one. Members briefly discussed whether there should be a review of the Promotion of Access to Information Act, and whether that review should affect the drafting of this Bill, and agreed also that the legislation should contain a provision that would enable the Regulator to report to and request intervention by Parliament if technological advances were to threaten the rights to privacy.
Protection of Personal Information Bill: Deliberations
The Chairperson noted that the Committee would be addressing the Bill, clause by clause.
Dr M Oriani-Ambrosini (IFP) requested to address the Committee on the issue of desirability as a preliminary issue before the Committee proceeded to a clause-by clause examination of the Bill. He tabled a 12 page document in support of his contention (see attached document). He noted that all the provisions of the Bill applied to all people, and required the keeping of information in respect of the Rolodex, and each cell phone of each person, unless that person was not economically active irrespective of registration. The Bill noted that a wide range of people were obliged to comply – from all the Small to Medium Enterprises (SMEs), Cooperative Societies (co-ops) and vendors on the street corners, for instance. Failure to do so could lead to incarceration.
Dr Oriani-Ambrosini warned of enormous unintended consequences as a result of the universal approach to the Bill. This approach only worked when there was selective enforcement. He found it very problematic and urged Members to apply their mind to whether they really wanted this universal approach, or if they should not ask for a sectoral approach by adding sectoral laws.
Mr J Jeffery (ANC) commented that Dr Oriani-Ambrosini had put this as an issue of desirability of the Bill. He had sympathy for this view and also had concerns about a Bill that cast the net so wide and could become unenforceable. However, the approach he would favour would be one that effectively dealt with principles, and then set up a Regulator. The communication of the law essentially would be done by the Regulator through the codes. The legislation would then be setting up a framework of broad principles and general exemptions, within which the Regulator could produce the codes which were effectively enforceable. His problem with the Bill was that although it claimed to be a principle-based Bill, he felt that it went further than principles.
Ms M Smuts (DA) suggested that the Committee should take the approach taken in the United Kingdom of Britain (UK) Act. In the UK Act there was a simple statement of principles, and then the relevant conditions were listed in separate schedules. The first set of conditions that were relevant were that ones that applied to all the principles on the protection of personal information.
Mr S Swart (ACDP) commented that there seemed to be concurrence on that particular issue. He wanted to support what had been said by the previous speakers on the broad ambit of the Bill. He suggested that there had to be a more streamlined version.
The Chairperson suggested that the Committee could follow the suggestions made and see if Members could come to an agreement on what had to go in and what had to stay out of the Bill.
Mr Henk Du Preez, Senior State Law Adviser, Department of Justice and Constitutional Development (DOJ) commented that what had been suggested by Mr Jeffery was the closest to what the version contained at the moment. The DOJ had emphasised in its briefing that there was a need for framework legislation and that the role of the Regulator was extremely important. The universal approach had been questioned in discussions on the Promotion to Access of Information Act (PAIA). Certain things would have to be monitored to see how they happened in practice. Some of the concerns were exactly the same as those raised about the PAIA, and those had been addressed in certain ways. However the Department would be guided by the Committee on how to proceed with the current Bill.
Dr Oriani-Ambrosini commented that information was free and individuals had every right to use it in any way they liked. Information belonged to mankind, and there must be a good reason for it to be restricted. The principle was freedom, while restriction was the exception, so information was permitted unless expressly prohibited. Members should apply their minds philosophically to whether they shared the approach the Department had proposed. He preferred the approach suggested by Mr Jeffery, to take out the prescriptive part of the Bill and leave it as simply principles, so that the 12 pages would simply state the principles. The Regulator would then implement them through codes applying on a sectoral basis. This would ensure that the Bill would be focused exactly on the problems that needed to be addressed. The approach suggested by Mr Jeffery was a very meritorious one.
Mr Jeffery commented that he disagreed with the Department on one point. Whilst on broad principles the PAIA should apply, it was not necessarily desirable that it should, for instance, apply to information acquired by a trader who was selling apples at a bus stop. The difference with this Bill was that it was not providing a person with access to information, but was restricting it. There was a fundamental problem with making something illegal or restricting it when it was unnecessary to do so. He therefore had sympathy for Dr Ambrosini’s viewpoint. The Bill, as drafted, was saying that a person could not release information and that it could be illegal to do so. Generally speaking, the principles could be retained, but then they should be stated as principles and no further. At the moment it seemed, as had been raised in discussions, that there was confusion between the principle and the implementation of that principle. There were general exclusions and specific exclusions and there was the Regulator and the process. There was need for a clause at the beginning explaining up front how this would work, rather than having to search through the Bill. It would, for instance, need to be stated clearly that there would be a Regulator, who would introduce codes, describe the process of how these would be introduced, and the principles to which the codes had to conform, subject to general exclusions and specific exclusions. This, in his view, would be the preferred framework. There were points within that, such as the whole debate about natural and juristic persons and the debate around the media. These were some of the kinds of matters that the Committee would still need to resolve. Members seemed to be in agreement, and were not really proposing a complete overhaul, but rather a restructuring.
Ms Smuts commented on juristic persons as bearers of the right to privacy. Dr Oriani-Ambrosini had first made the argument that the Committee had no choice because of what the Constitution stated. However she wanted to argue that the Constitutional provisions bound juristic persons to the extent applicable, taking into consideration the nature of the right. Juristic persons were bound, as in PAIA, insofar as they compiled data about persons, but they were not themselves bearers in terms of the right to personal privacy. If this was right then she would see a difficulty in that, and would suggest that this be removed from the Bill.
She commented on the issue of the Constitutional right to privacy, especially with the type of known cases of unauthorised access to information by businesses, who debited people’s accounts without their knowledge and approval. It appeared that it was possible to buy data of people’s banking details and other information. It was important therefore to protect the right of the data-subject, and for this to be stated upfront in the Bill. The Bill was supposed to protect people against automated decision-making about their lives. The complaints mechanism through which ordinary people could access the Regulator when a right had been breached also needed to be spelt out.
Ms Smuts commented that she was concerned that the Bill was not clear enough about the consequences of computerisation and automation of information. She referred to Clause 3. The application clause was really about the territorial application, but the reference to automated and non-automated was also contained in it. She wondered if the Committee should not consider inserting a statement upfront about exactly what it was that the Bill was dealing with. Part of the reason why she felt the Bill was too wide was that it had missed the computerisation justification. The UK Act, in its very first basic interpretative provision, provided a comprehensive definition of “data”: namely, information that was processed by means of equipment operating in response to instructions given. She suggested that there was much that could be achieved by splitting the Bill’s Clause 3 into separate sections, and by cleaning up a few of the definitions. For example, the Committee should consider exactly what needed to be included under “records”. She questioned whether the vastly expansive definition, which had been taken from PAIA, was necessary.
Ms Ananda Louw, Principal State Law Adviser, South African Law Reform Commission, commented that it would not make any difference to the Bill if the format were to be changed. The problem was that there had been a lot of superficial discussion on the Bill, without any concrete suggestions being contained in the submissions by members of the public. This was why the Department had thought that a clause-by-clause analysis of the Bill would assist understanding of what each clause was saying, to be able to determine if reformatting the Bill would make it clearer.
Ms Louw commented on the points made about unnecessary criminalisation and the overly-wide application of the Bill. In actual fact, the principles stated here should be being applied already, and some institutions, such as banks, were already implementing what the Bill contained. She did not really think that the conditions were that draconian. If the responsible party did not comply with the principles, then that party would receive notice that there was a complaint being investigated against them. The party would have the opportunity to appeal to a court of law if he or she did not agree with the notice. The Regulator would try to solve any dispute by way of mediation and conciliation. If that was not possible, then the Regulator would issue a notice of enforcement to compel a party to do something, or forbid a party from doing something. It was not correct that every person who failed to comply with the law would be sent to jail.
The Chairperson commented that the Committee was agreed on the need for a Regulator. The next thing to consider was what the Regulator would need to do.
Mr Jeffrey asked to respond to Ms Louw. He had a problem with the comments. The Law Commission was essentially to do research for a particular department, so that the Minister could then present the legislation to Parliament. Once the Bill was before Parliament, then it belonged to Parliament. He wanted to make it clear that it was not that the Committee and the Law Commission had to agree on issues. Whilst the Committee appreciated the enormous amount of work had been put into this by the Law Commission, he did not believe that the Committee had to listen to a lengthy defence of what was contained in the Bill, and indeed the Committee was probably more open to alternatives than the Law Commission, who had sat with the Bill for years. It was necessary to look at the process issue. The Members were the elected representatives of the nation. They could hear input and be assisted with drafting, but he though that they had to be careful about people who were effectively “married to” the content.
Dr Oriani-Ambrosini also made a comment related to the issue of process. Earlier on, an issue had been raised on the application to legal entities. He proposed a two-fold suggestion. Firstly, he wanted to record that the Committee was in agreement to limit the application of protection of legal entities, if permissible in terms of the Constitution. The legal and constitutional points needed some discussion. He suggested that the Chairperson could task two or more people within the Committee to look at this from a legal perspective and report back, on whether the Committee had the latitude to take matters away from legal entities.
Secondly, he said that the issue of government was also foundational to these discussions. In his own view, the greatest threat to an individual’s privacy came from the misguided action of government. In most countries, government was prevented from collecting data of all types. This was another area of general concern on the scope of the Bill.
Dr Oriani-Ambrosini remarked that the Committee should not pass up this opportunity to give a statutory enunciation of the right of privacy. This would enable the Constitutional right to be implemented through legislation. The Constitutional right could expanded only up to a fixed point. With respect to the collection of information, it was important that provision be made for the right of people to refuse to give information when it was sought. Only information that was germane to a particular commercial transaction, which a person was about to enter into, had to be authorised. It was common for people to be requested for all types of information that had nothing to do with the transaction being entering into.
The Chairperson asked the Committee to confirm if all Members agreed on the Bill being stated as a set of principles.
Mr Jeffery replied that the Committee would have to look quite carefully at the wording of the nine principles, to ensure the Bill was principle-based and was not too specific.
The Chairperson asked what would be the procedure for making the codes.
Ms Smuts replied that, in principle, it was good that subordinate legislation should be brought to the Committee, but there was a limit to what Members could do. The Bill required the Regulator to go through a goodly number of procedural fairness steps every time the codes were to be made. The Committee was giving the Regulator the power to make those codes, and could use what was already in the Bill around the relevant people to be consulted.
Mr Jeffery suggested that the issue of the Regulator and the codes could be touched on later, in terms of the detail, when restructuring of the Bill.
Dr Oriani-Ambrosini responded that he agreed with both Mr Jeffery and Ms Smuts. The issue of the Regulator was a cornerstone discussion. South Africa was moving away from the old style of secondary legislation, when the Minister provided input for anything that was pertinent to the implementation of the Act, to what was done internationally, where there must be notice of and comment on secondary legislation that was of substance. This was necessary because, as society developed, laws became more and more generic and were effectively just an enunciation of principle. The actual substance of what controlled the rights of citizens was contained in the regulations. He was concerned that the regulations should therefore not be left to the unfettered discretion of a Minister to do as he or she wished, provided only that it was not ultra vires.
Ms Smuts suggested that the Committee look at the clauses of the Bill on the powers and duties of the Regulator.
The Chairperson responded that he was happy for the Committee to focus on the Regulator, as this might well reduce the workload in respect of the other clauses.
Dr Oriani-Ambrosini commented that, in light of the comments by Mr Jeffery and Ms Smuts, Clause 43 would stay, save for the fact that the main power and function of the Regulator would change, to that of implementing the principles into codes of conduct. The Regulator needed to adopt codes of conduct that implemented the principles.
Ms Smuts replied that this was a useful suggestion. However, she thought the Committee had to go further. It would be desirable also for the Regulator to monitor and enforce compliance. The UK had established an Information Commissioner to inspect and assess what was happening.
Dr Oriani-Ambrosini clarified that he had said that Clause 43 was fine, and the issue that had to be raised was about exclusion. Once the exclusion clause was fixed, then Clause 43(d) would take care of that. The implementation of the principles was the main function. Additional items could be added in respect of additional functions. This would not alter how the Regulator exercised the function ,irrespective of the protection of private information and the structure of the Bill.
Mr Jeffery commented on the issue of the overlap with PAIA, specifically the submission that the Committee had received from the Open Democracy Advice Centre (ODAC). He was concerned that PAIA had been in operation for a substantial period, and he felt that it needed to be looked at with respect to areas for improvement. He was not sure whether inserting new provisions in respect of protecting information into the Bill, thus giving the Regulator a new function, was wise at this stage because it was uncertain whether and how the protection aspects would work. Although he was sympathetic to ODAC’s position, he would prefer that, for the moment, the Bill should focus on the role of the Regulator in protecting information. The Committee could subsequently compile a Committee Report calling for a review of PAIA. By the time the review was completed, the Regulator under this Bill should have been up and running for a while, and consideration could then be given to adding other functions. The bottom line was that when there was a dispute about access to information, then it would be particularly easy to resolve it.
The Chairperson commented that the idea of a Regulator was acceptable.
Dr Oriani-Ambrosini expressed the concern that it would be difficult for the legislators to get a “second bite of the legislative cherry”, and pointed out also that it may not be the current Committee who might be attending to the amendments. Perhaps consideration could be given to a sunrise provision, in terms of which the Bill would provide for the transfer of functions from the Human Rights Commission to the Regulator, although this would only come into operation at a later date, after certain conditions had been met.
Ms Smuts submitted that she did not think that there would be access to information unless the Bill empowered the Regulator to make binding decisions.
Ms Smuts also commented that she saw nothing wrong with Clauses 43(a), (b) or (c). She suggested that wherever there were references to the Minister, there had to be references to Parliament. The Regulator had to report to Parliament, and not to the Minister. It was also a really good idea that the Regulator should look at the other laws. She made further comments on how she envisaged the nature of the duties and powers of the Regulator.
Dr Oriani-Ambrosini submitted that the Committee must take into account the world trends, and the fact that this piece of legislation would be in place for a long time. It was obvious that there were strengths in identifying people in new ways, including new image-recognition technology.
Ms Smuts replied that in technology there were frequent and regular changes and it would be futile to check if everything was included in the legislation.
Dr Oriani-Ambrosini submitted that the Regulator should be required to report to Parliament, because this would allow for notification of any new technological development that might pose a threat to the protection of privacy and personal information. This would effectively allow for Parliament to later exercise control over a threat that might not be apparent at the moment.
Ms Smuts replied that all that was needed was wording that provided that the Regulatory body should monitor developments in information processing and computer technology that constituted a threat to personal privacy. The Regulator could make regular updates through new regulations.
The Chairperson commented that whilst it was important to give the Regulator autonomy, the Regulator also had to report to somebody. This was very critical and there would be a major problem if this was not included.
Mr Jeffery commented on a general structuring problem. He did not think that Clause 43 was user-friendly. It was a long list, running from (a) through to (z) and even including (aa), (bb) kind of numbering. He thought it would be more useful to group these powers and duties together. This would ensure that the advisory items were read together, then the enforcement matters, and so forth.
Mr Jeffery expressed his concern about Clause 43(k), saying that whilst this clause was important, there would have to be some time limits if it was going to work properly. If not, then a Bill might be published, the Regulator might not know about it, and Parliament could process that Bill before the Regulator had time to respond.
Mr Jeffery took note of what had been said about reporting to Parliament and not the Minister. The Committee needed to distinguish between an executive function and a legislative function, and be careful about matters that actually required executive attention being reported to Parliament. It was important to be sensitive about issues.
Ms Smuts commented on the point about the Regulator reporting to Parliament. It was up to the Regulator to be up to date with legislation and to submit views to Parliament or the Minister.
Mr Jeffrey replied that the Bill stated that the “powers and duties of the Regulator are to…”
Ms Smuts conceded that they were in agreement on this issue. She argued that in order to safeguard the Regulator’s independence reports had to be made to Parliament. There could possibly be some Executive functions where it would be appropriate for the Regulator to report to the Minister and these could be identified. However, it was not ideal for an independent body to report to a Minister.
Ms Christine Silkstone, Parliamentary Researcher, asked the Chairperson to combine 43(g) and 43(u) into one sub-clause, as they were almost similar.
Dr Oriani-Ambrosini proposed formally that these provisions could be collapsed into one clause.
Ms Smuts proposed that the Committee study the impact of recent judgments on their deliberations on the right to privacy and protection of personal information.
The Chairperson noted that deliberations would continue in the following week.
The meeting was adjourned.
- We don't have attendance info for this committee meeting