The Department briefed the Committee on the proposed amendments to the Protection of Personal Information Bill. Sub-clauses 2 to 7 were a road map to better assist the Committee in understanding the Bill. Sub-clause 4 offered an explanation as to what the codes of conduct were about. The codes supplemented the provisions of the Principles in order to make it clear how they would apply in a specific sector. Sub-clauses 5 and 6 dealt with the processing of special information. Sub-clause 7 dealt with direct marketing. Clause 4 was the exclusions clause and the term state had been replaced with public bodies.
The Committee had concerns about the way the Bill was structured but conceded that it was not unusual. The Committee stressed that the Bill was one of general application and was Principle based. There had been a lengthy debate on whether or not the Bill was rules based or principle based, and there had been a view that principle based legislation did not apply to ordinary citizens. The role of the Regulator was to investigate complaints and issue notices. The Bill did not create crimes but the Regulator could make certain conduct a criminal offence. Complainants could also institute civil claims. There was a desire from the Committee to separate the Principles and how they applied in the Bill.
The Committee was satisfied with clause 1. Clause 2 set out the Regulations, which were of international standards. These standards were from the Organisation for Economic Cooperation and Development (OECD) countries. Household activities were excluded under clause 4 of the Bill. Parliament was also excluded. The financial institutions under the Financial Intelligence Centre Act had requested to be exempted. There was division within the Committee on whether or not the Financial Intelligence Centre (FIC). The Committee was divided on the exclusion of journalists; the main concern was not with journalists directly, but that ordinary persons would make use of the clause and in their defence claim that they were producing journalistic material and were hence excluded. On the other hand the Committee felt that there were enough remedies in case law and constitutional law to protect individuals and therefore journalists should be excluded completely. The Committee was also divided on why Cabinet should be excluded. The Committee could find no reason why municipal council executives should be excluded.
The Committee could not reach consensus on whether or not juristic persons should be excluded as they were entitled to the Bill of Rights and could thus be unfairly discriminated against, something that would be in breach of the Constitution. Clause 7 was deemed to not be a principle. Clauses 8 to 24 gave flesh to clause 7 in the sense that they spelt out how the responsible person should process information. The Committee could not reach consensus on this issue.
Opening Remarks by the Chairperson
The Chairperson briefed the Committee on the progress that had been made regarding the Bill. Specific aspects of the Bill had been dealt with and finalised. The Committee had received an update on the summary of submissions from the Department. The submitters had not correctly understood the Bill. The Committee had asked the State Law Advisors to put together a redraft of the sections on the Principles. The Committee had discussed the issue of whether the Bill would be rules based or principle based. The general agreement was that it would be a broad set of rules and it would be up to the Regulator to adjudicate. The Bill in its current form had offences that related to non-compliance with orders from the Regulator. The question would be whether certain categories of processing personal information should not be made offences. This would mean that one would not have to go to the Regulator for a determination as the offence would be so blatantly obvious and the conduct would be criminalised. An obvious example would be the dissemination of information relating to personal bank accounts.
Dr M Oriani-Ambrosini (IFP) said that the point being raised by the Chairperson was a preliminary one. The Committee should have a discussion on the issue of criminalising certain conduct. The Committee should note how it wanted to structure the relationship between the Regulator and the Principles that guided the Regulator as well as the norms and rules directed to the population.
The Chairperson said that the meeting should start with the presentation and then discuss the issue of whether or not specific crimes should be included in the Bill.
Mr J Sibanyoni (ANC) suggested that the Committee should first proceed with the presentation and then move on to any discussions.
Presentation: Proposed Amendments of the Protection of Personal Information Bill
Mr Henk Du Preez, State Law Advisor, informed the Committee that the document was a general overview on the important aspects of the Bill. Sub-clause 1 was amended in view of the discussion that took place during the previous meeting where there was an indication that the clause was a bit cluttered insofar as jurisdictional aspects were concerned. The Department had tried to provide a better differentiation between sub-paragraphs (a) and (b). The first matter of importance would be that “this Act would apply to the processing of personal information by or for a responsible party domiciled in the Republic or not domiciled in the Republic, but makes use of automated or non-automated means that are situated in the Republic, unless those means are used only to transfer personal information through the Republic and by making use of automated or non-automated means Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof”. Sub-clause 1 was actually clause 3 in the Bill. Sub-clauses 2 to 7 were actually a road map aimed at assisting the Committee.
Sub-clause 2 brought the Principles within the road map by referring to the relevant sections. This was done in accordance with the Committee’s request. Sub-clause 2 provided that “The conditions for the lawful processing of personal information by or for a responsible party are, subject to subsection (3), reflected in the following general information protection principles”. The principles were then stipulated and the relevant sections were referred to. This provision was subject to the provisions in sub-section 3. One should immediately consider that there were exclusions in terms of sub-section 4 and that the Regulator may grant exemptions from the one or more Principles concerned in relation to the processing of information. The provisions of sub-clause 2 were subject to sub-section 3 which indicated that “The principles, as referred to in subsection (2), are not applicable to the processing of personal information to the extent that such processing is excluded, in terms of section 4, from the operation of this Act; or the Regulator has granted an exemption, in terms of Chapter 4, from one or more of the principles concerned in relation to such processing”. Sub-clause 4 aimed to provide an indication as to what the codes of conduct were about. This section provided that “Sections 57 to 65 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the information protection principles, referred to in subsection (2), and the requirements referred to in subsection (5) are to be applied, or are to be complied with within a particular sector”. The clause indicated that the codes supplemented the general provisions of the Principles in order to clarify the application thereof in a specific sector.
Sub-clauses 5 and 6 dealt with the processing of special information. Sub-clause 5 provided that “The additional requirements for the lawful processing of special personal information by or for a responsible party are, in addition to the principles referred to in subsection (2), but subject to subsection (6), set out in sections 25 to 32”. It was important to note that when special personal information was being processed, one should not lose the idea that there was still a need to comply with all the provisions in Part A. Sub-clause 6 provided that “The principles, as referred to in subsection (2), and the additional requirements referred to in subsection (5), are not applicable to the processing of special personal information such processing is excluded, in terms of section 4, from the operation of this Act; or the Regulator has granted an exemption”. The final sub-clause was on the provisions that dealt with direct marketing and provided that “The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing are reflected in the principles referred to in subsection (2) (a) to (h) and insofar as marketing by means of unsolicited electronic communications are concerned, in the provisions of section 66”.
Clause 4 was the exclusions clause. The first proposed amendment was in Clause 4(c) where the Department indicated that the term state should be replaced with public bodies. The remainder of the options in the document related to journalists. Paragraph (d) was reflected exactly as it was in the Bill itself. There were two options. Option 1 aimed for exclusion in total and was similar to option 3 to the extent that they were loosely based on the provisions of the Australian Act.
Dr Oriani-Ambrosini interrupted and asked if it would not be better to take things one at a time. If the Committee had a discussion on the application of the Bill then other issues would come to light depending on the course that would be taken by the Chairperson.
The Chairperson pointed out that Mr Du Preez had concluded his presentation in any case.
Mr Du Preez informed the Committee that there were proposed amendments to chapter 5 and the Department would proceed as per the Chairperson’s guidance.
The Chairperson decided that the document, referred to as the road map, would be discussed.
Dr Oriani-Ambrosini asked if there was anything new in the document from a legislative and normative viewpoint. It seemed as if the answer to both questions would be no, the only exceptions were clauses 3(b) and 6(b). The Committee had to decide whom it wanted the Bill to apply and what the relationship was between the Bill and the Codes. If the Codes were issued subject to the Principles then there would be one aspect of application, if the Bill applied to everyone and the Codes were a supplement then there would be a second aspect of application. A third aspect of application would be if the Bill applied to everyone and the Codes were a supplement and the Regulator could decide on exclusions.
Ms M Smuts (DA) asked Mr Henk to respond to the issue raised by Dr Oriani-Ambrosini. The way that the Bill had been structured was unusual but it was not unheard of. The Committee would have to address to what degree the codes could depart from the Bill.
The Chairperson said his understanding was that the legislation was one of general application, it was principle based as it was legislating for a sector that was perpetually in movement. It set out the Principles that applied to the protection of personal information. The Regulator adjudicated where there were complaints; therefore there were no offences in the Bill. The Regulator investigated complaints and made prohibitive orders. The Regulator was empowered to develop Codes for specific sectors in accordance with the broad Principles. This was still consistent with the original intentions of the Bill when it was introduced.
Dr Oriani-Ambrosini replied that the Chairperson’s comments were acceptable, however they were not consistent with what was in the Bill.
Ms Ananda Louw, State Law Advisor, said it was important to note that the Bill was immediately applicable to everybody. If one was collecting information via a file or if such information was automated then the Bill was applicable. The notification was relevant insofar as the Regulator was concerned, as he/she had to know what was going on in a specific sector. It also empowered the Regulator to know about problems in specific sectors. Even if there were no complaints, the Regulator could investigate a specific sector through his/her own initiative. The Regulator could also initiate a code of conduct for a specific industry.
The Chairperson said that the Bill would apply to all citizens who processed information.
Ms Louw agreed with the Chairperson and added that the Bill was also about the balancing of the rights to privacy and freedom of expression. It should be noted that the Bill was trying to protect anybody whose personal information is processed (data subjects) and the focus should shift away from the responsible parties.
Dr Oriani-Ambrosini commented that before one became a criminal, a certain act had to be criminalised to begin with. The Committee had to decide how the Bill should operate. The legal consequences of the Bill had to be determined. The vast number of Small Medium Micro Enterprises (SMME) that were meant to be protected by the government would not be compliant with the Bill. Guidance was needed from the Chairperson on the gaps of the Bill.
Ms Smuts said the Bill applied to everybody but the consequences kicked in when a complaint was lodged or a code was drafted by a certain sector with their own adjudicator. It should not be assumed that SMMEs would not transgress on the privacy of individuals.
The Chairperson reiterated that the Bill did not create crimes. There was no unlawfulness if the Principles were not followed and the Regulator could effectively make certain conduct a crime.
Dr Oriani-Ambrosini argued that there was a provision in the Bill that required a data processor to inform data subjects that they had their contact details. This provision was rules based. Non-compliance was unlawful conduct.
The Chairperson agreed with Dr Oriani-Ambrosini, however the Bill was principle based and did not create offences if one did not follow the Principles. It was up to the Regulator either through a complaint or through his/her own initiative to decide on unlawful conduct through issuing an order. The Regulator could create offences through the application of the Principles. This could also happen through the codes, as they would have wider application.
Ms Smuts agreed with the formulation by the Chairperson except for the fact that there was the option of a civil claim that could be instituted by a complainant.
Mr Mark Heyink, Attorney for Information Governance Consulting, agreed with the Chairperson and added that the secret to understanding the Bill was its title, in this case it was the protection of personal information. The intention was for the protection of personal information and there were Principles that had to be abided by and failure to comply would result in the mechanisms of the Bill kicking in. The sector, which was being regulated, was a moving target and because of this there were various adaptations that were being developed around the world to deal with its ever-changing nature.
Mr Sissa Makabane, State Law Advisor, said that the Bill explained what needed to be done when one was processing information. The Regulator functioned as an enforcement mechanism and failure to comply with any order issued by the Regulator would result in sanctions. Section 94 allowed a data subject to sue for damages.
The Chairperson suggested that the term legal effect should be replaced with criminal effect as the former term was too wide.
Ms Louw pointed out that the whole point of the Bill was to be proactive in nature. The powers that had been granted to the Regulator included assisting and advising data processors. The fact that a code had been put in place did not have the same effect as a complaint being lodged. A complaint can be lodged in terms of the codes.
Dr Oriani-Ambrosini said that there had to be clarity on whether the Bill created legal obligations or not. It was not a proper way of legislating where there were legal obligations but no sanctions until the Regulator issued one with a notice. This issue had to be sorted out as it was very fundamental.
Mr Heyink said that there should be an expectation from the data subject that their information would be handled legitimately. The Principles needed interpretation; the way the Bill was structured had worked in other jurisdictions. There was a need for either rules based legislation or principle based legislation. The latter was the only solution in this instance.
The Chairperson said that the difficulty with rules based legislation was that it would provide a situation where the majority of citizens would not comply with the legislation.
Ms Louw pointed out that there were exceptions for compliance with the Principles. The exceptions were embedded within each Principle. Section 17(6) of the Bill held that it was not necessary to comply with the specific Principle in that section if that non-compliance did not prejudice the data subject. There were exceptions for small businesses that found it overly burdensome to comply with the Bill.
Dr Oriani-Ambrosini said he did not know if what had just been said by Ms Louw meant that someone who had contact numbers of others was obliged to inform them that they did in fact have their numbers. Citizens could not be obliged to abide by the Principles, only organs of state. Only rules based legislation was applicable to citizens.
The Chairperson noted that Dr Oriani-Ambrosini kept on raising this point; however it was not a correct assessment. The Bill had been through an extensive consultation process through the South African Law Commission (SALC) and then through public submissions. Were there any complaints from any persons regarding the non-applicability of principle-based legislation for citizens?
Dr Oriani-Ambrosini responded that the Bill was fine the way it was from a technical perspective. However it was not principle based, it did have obligations. The definition for the nature of the obligation was difficult to grasp.
The Chairperson suggested that the Committee should move away from this matter as it was confusing and not helping. The Committee wanted the Bill to apply to everybody; the Regulator would determine the consequences of non-compliance. The Committee had to be mindful of the fact that it should not prohibit conduct that one could not prohibit.
Ms Smuts pointed out that all submitters understood the Bill and its consequences, hence the estimate that it would cost R200 million for the re-establishment of their data storage facilities. Did section B of the document suggest that the Bill applied to automated information as well?
Mr Du Preez clarified that the Bill applied to automated and non-automated information; however it was difficult to draw a distinction between the two.
Dr Oriani-Ambrosini asked what was being excluded under the term automated.
The Chairperson responded that unstructured filing systems were excluded.
Dr Oriani-Ambrosini asked what this entailed.
The Chairperson replied that information on bits of paper that were scattered around was excluded. There was difficulty in understanding the B draft of the document presented and the UK Act was just as difficult to follow. The definition for automated and non-automated information had to be as wide as possible. It would have been best if the Principles had been listed in the document.
Dr Oriani-Ambrosini said that the way the Department had compiled the document was correct. The Principles should be eliminated completely as they were already in the Directives.
Mr Du Preez agreed with Dr Oriani-Ambrosini.
Ms Smuts added that the Principles would have to be set out nicely so that the public would be able to better understand them. In addition, accountability was a clause but not a principle.
Mr Heyink did not have any difficulties with the way the Bill was set out.
The Chairperson asked if much could still be done with the document.
Dr Oriani-Ambrosini said that the document, which was supposed to be a roadmap, had not been very helpful.
The Chairperson said the listing of the eight Principles did assist in interpreting the Bill.
Dr Oriani-Ambrosini noted that the discussion on the Principles centred on whether they added or detracted from the Bill and were therefore dangerous; or they did not and were useless. If the European Union (EU) had decided to legislate through regulations rather than directives then the Committee would not be stuck at this point. The Principles should be done away with unless there were compelling reasons for them to remain.
Ms Louw said that the Organisation for Economic Cooperation and Development (OECD) countries made use of Principles e.g. Australia and Canada. EU countries did not make use of Principles e.g. Germany and Italy.
The Chairperson suggested that the Committee should go through the Bill from clause seven to the end. The sticking point was that there had to be a Principle as well as the application or implementation of that Principle. This was why there was a desire to separate the two as opposed to the current position where they were together. If separation was possible then this would be fine, if not then the question would be what value the Principles added to the legislation.
Ms Louw suggested that the Committee could move on from the document but there was a need for a road map.
The Chairperson said the next issue would be that despite the Bill being principle based, should there be an inclusion of criminal conduct? Was certain conduct so obviously wrong that it should be criminalised? Conduct that would fall under this category would be the dissemination of banking details.
Dr Oriani-Ambrosini replied that an action, which was potentially harmless, could give rise to potentially harmful consequences. Once certain actions were criminalised, then the offender would be stuck with the sanctions.
The Chairperson said that a lack of consent from a data subject would be a requirement for the criminalisation of a particular conduct. The Committee should criminalise the dissemination of bank account details.
Ms Smuts fully agreed with the Chairperson and added that it was unconscionable that there were debit orders running on people’s accounts that they had no knowledge of or charges against their cell phone accounts that they did not subscribe to. The sale of personal data without the consent of the data subject should be criminalised.
Mr Du Preez said that the end result of such action constituted theft.
Mr Heyink said that the correct approach would be to criminalise the sale of information. The Committee could also consider criminalising the dissemination of children’s information.
The Chairperson asked what kind of children’s information Mr Heyink was referring to.
Mr Heyink replied that the abuse of children’s information was already a problem. The information being referred to was personal information in general. Children were constantly online and were unwittingly providing information unaware of the consequences of such conduct.
Ms Louw cautioned that the persons who were referred to by the Committee were those who knowingly and recklessly disseminated information. Criminalisation should apply mostly to direct marketers. The UK Act was far stricter as there was a requirement for proof that the reckless dissemination of information resulted in direct loss or harm.
The Chairperson preferred criminalising the dissemination of banking details. It was not favourable to shut down direct marketers. Did the Department consider the issue of criminalisation together with the SALC?
Ms Louw replied that the Department did not consider criminalisation as it was looking at proactive things rather than crimes. This was a new concept and the Department preferred to research this further.
Mr Du Preez said the UK clause was simple and more preferable.
The Chairperson made it clear that the Committee did not want unforeseen consequences for direct marketers and things that were not intended to be criminalised should not be.
The Chairperson informed the Committee that they would go through the Bill clause by clause.
The Committee was happy with Clause 1, as it was straightforward.
The Chairperson said Clause 2 was an interpretive clause, which defined the purpose of the Act. The clause also set out to ensure that the Regulations should be of international standards.
Dr Oriani-Ambrosini asked which standards were being referred to.
The Chairperson replied that there would be obvious grey areas but the Regulations would still be of a similar standard to those found in EU and OECD countries.
Mr Heyink was unsure as to whether Dr Oriani-Ambrosini was objecting to the international standards since they did indeed exist. International standards for the processing of personal information had been developed.
Dr Oriani-Ambrosini proposed an amendment to Clause 2(c), which read as follows “does not infringe upon or detract from any right or liberty granted under the constitution or any other law”. The criterion for interpreting the Bill was critical as it had the potential to override other pieces of legislation.
The Chairperson made sure that the Department captured the proposed amendment and then asked if the Department had any issues with Ms Smuts’s proposal on the adequate safeguards.
Mr Du Preez replied that the Department did not have any issues with the proposal. The Department proposed to insert a reference to clause 5 in the existing clause 2(2)(b). This was a technical amendment and would be explained via a footnote.
The Chairperson asked when the Department would like to brief the Committee on the Financial Intelligence Centre Act (FICA) issues.
Mr Du Preez said that this was an opportune time for the Department to brief the Committee. The FICA issue fell under the exclusions.
The Committee had decided to revisit clause 3 at a later stage.
The Chairperson suggested that the Committee could therefore also deal with the exclusions at this point, which were under clause 4. Household activities were already excluded. Judicial functions as well as Cabinet, provincial and local executive councils were exempted.
Dr Oriani-Ambrosini said there had to be finality on the issue of exclusions. The Committee should not be debating the exclusion of household activities as it was a personal matter. The use of the term non-commercial for distinguishing what could be excluded had to be considered.
Mr Du Preez said that the Department did not engage in commercial activities and would therefore be excluded if the term non-commercial were to be used in the Bill.
The Chairperson expressed satisfaction with the clause as it was.
Mr Du Preez outlined the differences between the Bill and FICA. These were the functions, which amounted to the processing of personal information as well as the existence of institutions that reported suspicious transactions. These institutions had a few concerns and they also had a few proposals. The Department was able to sit down with the institutions that had requested to be exempted.
Dr Oriani-Ambrosini asked if the institutions were requesting to be exempted when they gathered information, which went beyond their functions?
The Chairperson felt that their request was legitimate.
Mr Du Preez agreed with the Chairperson. The concern for the institutions was that they did not investigate crimes but they gathered and processed information, which they then forwarded to the South African Police Services (SAPS). The Department had also asked the same question as Dr Oriani-Ambrosini but the FIC institutions had insisted that their activities insofar as processing information for the purposes of reporting suspicious transactions had to be excluded.
Dr Oriani-Ambrosini asked why these institutions had to be exempted from the provisions of the Bill. Exemptions insofar as providing SAPS with information were acceptable but not for any other reason.
The Chairperson suggested that the institutions were probably trying to avoid a conflict of laws, as there would be adequate safeguards in FICA. He was not sure whether he would be in agreement with Dr Oriani-Ambrosini and suggested that his argument should be put down as an option for later consideration when the Bill would be tabled before the full Committee. The Committee should move on to the issue of the exclusion of journalists.
Ms Louw referred to the submissions that were made concerning this exclusion. They were made without taking into account the Principles of the Bill and were hence incorrect. As a result, a lot of unintended consequences had been incorrectly identified. It was important to distinguish between the ordinary business activities of institutions engaged in journalistic activities and the professional work conducted by journalists. The former would always be subjected to the Bill whilst the latter would be excluded. The exclusion applied to individuals governed by codes of conduct within a structured sector by virtue of office, employment or profession. Bloggers engaged in journalistic activities were not excluded under the Bill. The Department was not trying to make the provisions more stringent for journalists. The Department had acknowledged the fact that there had to be a balance between the right to Freedom of Expression and Privacy and had taken into consideration all developments in this field of law. A further issue that had been raised was that journalists were being censored, as they would have to ask the Regulator for permission when processing information. This was not the case. The option for journalists to draw up their own codes was an attempt to allow the sector to self-regulate. Most countries provided for the exclusion of journalists but in no instance were there blanket exemptions in legislation that had received EU adequacy status. The Bill mirrored the Australian Act, which seemed to work well in practice. The Australian Law Commission had criticised it for being too broad and had suggested that the exclusion should be amended to make provision for the development and publication of criteria for adequate media privacy standards. The regulation of whistle blowers was not included under journalists as the two had different agendas. 
The options were either an unqualified exclusion, exclusion subject to codes of conduct, an exemption from certain data protection Principles or an exclusion amounting to self-regulation but subject to the development of criteria but subject to the ambit of the safeguards provided in the exclusion. A discussion on the options would be that a blanket exclusion would be contrary to the provisions in the EU directives and complicate South Africa’s adequacy status. It was also not in accordance with international best practice. Making journalists subject to the ordinary provisions of the Bill regarding codes of conduct may send the message that freedom of expression was not adequately protected in the Bill. An exemption from certain data protection principles would be in accordance with the position of most countries.
Dr Oriani-Ambrosini wished that all journalists could have a transcription of the summary from Ms Louw. What was the Chairperson’s position on this?
Ms Smuts acknowledged that the EU Directives did give exemptions and derogations through Article 9 for journalistic purposes. South Africa had constitutionalised media freedom to a degree matched only by Germany. It was not wise to try and regulate content through the Regulator. There was enough constitutional case law and development of the common law and therefore the exclusion should be complete.
Dr Oriani-Ambrosini asked what the Chairperson’s position was; he himself did not want to be seen as the person who infringed on media freedom.
The Chairperson responded that there was no ANC position at the moment. The worry with total exclusion was that anybody could use it to his or her benefit and not just journalists since it was difficult to define what was journalistic.
Ms Smuts responded by saying that the Chairperson ought not to worry because the Bill was ill suited for the media.
The Chairperson interjected and said the issue was not about the media but any person using this exclusion for other purposes. The intention was for the provisions to apply to the media but they could apply to anybody.
Dr Oriani-Ambrosini said the Bill did not cover persons but activities. Journalists would not be covered but journalistic activity would. A possible phrasing of the exclusion could be as follows: “an exclusion for any purposes embodying the exercise of a right protected under the constitution including but not limited to journalistic purposes”.
The Chairperson said the problem with this formulation was that it did not take into account the limitations clause in the Constitution.
Ms Louw said the Department had tried to make the Bill applicable to a responsible party who was by virtue of office, employment or profession subject to a code of ethics. The Act was not meant to stop the flow of information or stop journalists from doing their work. If journalists had a code of ethics with adequate safeguards then the Bill would not apply to them at all.
The Chairperson was not happy with Ms Smuts’s approach as it was too wide and he was not in agreement with Ms Smuts and Dr Oriani-Ambrosini. Perhaps there should be further engagement with the South African National Editors’ Forum (SANEF).
Ms Smuts said that a person could rely on the common law if they wanted to defend their rights to privacy. The common law would be developed further; in light of this the Bill would not be the right vehicle.
The Chairperson stressed that he was in agreement with Ms Smuts on the media exemption; the problem was who else would be exempted together with the media.
Dr Oriani-Ambrosini commented that the persistent problem with the Bill was the scope of application.
The Chairperson said he was unsure if the issue of the exclusion of journalists could be taken further.
Ms Louw drew the Committee’s attention to the Independent Communications Authority of South Africa (ICASA) and the South African Press Code’s (SAPC) position on the matter. ICASA believed that, insofar as both news and comment were concerned, “broadcasting shall exercise exceptional care and consideration in matters involving private concerns of individuals”. The SAPC’s position was that care and consideration would be considered in matters involving the private lives and concerns of individuals.
The Chairperson moved on to clause 4(e), which excluded the executive council of a province and municipality. The executive council of municipalities should be removed and only the executive council of provinces should remain excluded because it had the same status as Cabinet.
Dr Oriani-Ambrosini asked why there should be exclusions for provincial councils.
The Chairperson replied that Cabinet and provincial executives should be allowed to process personal information in the course of their meetings.
Dr Oriani-Ambrosini reiterated that he did not see the rationale for excluding provincial councils and Cabinet.
Ms Smuts felt that the question by Dr Oriani-Ambrosini was valid.
Mr Makabane explained that the main reason why Cabinet would be excluded was because, in some instances, it would deal with issues involving state intelligence or sensitive investigations.
The Chairperson said he felt quite strongly about leaving this section as it was but municipal councils should be removed.
Ms Christine Silkstone, Content Advisor for the Committee, commented that the Committee had not discussed the exclusion of Parliament.
The Chairperson asked why Parliament should be excluded.
Dr Oriani-Ambrosini said that entities were not being excluded, only functions. The function of legislating could only be excluded via the rules of the Assembly.
Ms Smuts agreed with Dr Oriani-Ambrosini.
The Chairperson reminded the Department that it had suggested that this clause should be moved to clause 3 which would then become application and interpretation.
The Chairperson asked if there were any comments.
Ms Smuts suggested that the Bill should bind all public and private bodies as she failed to see why a juristic person would be allowed to become a bearer of private rights.
The Chairperson said he had accepted the argument for the inclusion of juristic persons and he did not have any problems with the clause.
Mr Du Preez agreed with the Chairperson and pointed out that in prior judgments it had been deemed acceptable that juristic persons had the right to privacy. The concern was whether, if juristic persons were excluded, the Bill would be deemed unconstitutional on the basis of inequality, as the juristic person would enforce its privacy right via the common law whereas it could have done so via the Bill.
Dr Oriani-Ambrosini pointed out that in terms of South African law juristic persons were entitled to protection against defamation. The defamation of one’s character was within the area of privacy rights. Juristic persons were entitled to the Bill of Rights in so far as their functionality was concerned. Mr Du Preez’s concern was correct.
Mr Makabane did not think that the exclusion of juristic persons would constitute unfair discrimination, as a court would look at whether or not it was rational to do so. The juristic person would still be entitled to their rights under the Constitution.
Dr Oriani-Ambrosini asked how the Committee would deal with the fact that juristic persons were entitled to the rights in the Constitution.
Mr Makabane referred to the Constitutional Court judgment in Prinsloo vs Van der Linde, where the court held that it would not be unfair discrimination to exclude juristic persons as long as it was rational.
The Chairperson explained that the issue was whether the Committee should exclude juristic persons. The solution could be the one suggested by Ms Louw, which would be to take this issue out of the definitions section and put it in a clause so that the President would determine when it would come into effect on the advice of the Regulator or Minister. The Minister through regulations could determine the categories of juristic persons. This would allow the possibility for differential implementation.
Mr Du Preez did not like this approach as it was too complex and it would take only one juristic person to approach the Minister to make it part of the Bill. There was also a possibility that the Minister would take too long or refuse and there would be a dispute. The correct approach would be to let the clause remain as it was but also leave enough room for the Regulator and the courts to decide what type of personal information applied. Clause 6 was not necessary at all. In the definitions clause there was a definition of a public and private body and that was the application of the Bill.
The Bill applied to both bodies; this could go to sub-clause (3). The definition of responsible parties would remain. Would it be a problem if the Bill said that it would apply to both parties?
Mr Du Preez replied in the negative and added that natural and juristic persons would have to be defined as either responsible parties or data subjects.
The Chairperson requested Mr Du Preez to consider his suggestion further.
The Chairperson said the Committee was not clear on this clause, the suggestion had been that the Principles could be taken away in short form and then put the guidelines for the interpretation of the Principles elsewhere. The question then was what benefit did listing the Principles have. From clause 7 to 24, the Committee would look at whether there were any Principles that had interpretive value, which did not offer any guidance. This clause was irrelevant as it did not have any Principles.
Dr Oriani-Ambrosini was unsure as to what a data subject was expected to do under this section, it was not clear what the obligations were.
Mr Heyink said that the issue of accountability was resolved by the definition of the Bill, which stated that a data processor would be held accountable. The point with the chain of information was that different people could control it. This clause tried to make it clear who would be responsible and held accountable for the processing of information.
The Chairperson agreed that to some extent it was a data processor. Clauses 8 to 24 applied to responsible parties and they should comply with the requirements.
Dr Oriani-Ambrosini asked what these requirements were.
The Chairperson replied that they were in clauses 8 to 24.
Dr Oriani-Ambrosini said in that instance all that the clause should say was “a responsible party must ensure compliance in a measure that gave effect to the Bill”; this would be the obligation. Clause 8 had to be removed as it was the Bill that brought the non-infringement of the privacy of the data subject. The Bill set the parameters of legality. Clauses 7 and 8 did not have a further meaning other than to say that a data processor was responsible for complying with the Bill.
The Chairperson said clause 7 was directed at the responsible party, the Principles were not necessary and this was where the confusion lay. What clause 7 should say was that the responsible party had to comply with clauses 8 to 24.
Ms Louw said there were different responsible parties throughout the information cycle. The definition included everybody who processed information within an entire cycle.
The Chairperson pointed out that Dr Oriani-Ambrosini felt this clause did not say anything. The issue was whether there was any harm in it. Clause 7 stated that there should be compliance with the rest of the clauses below it.
Dr Oriani-Ambrosini asked to whom clause 8 referred.
The Chairperson replied that it referred to the responsible party.
Dr Oriani-Ambrosini disagreed; clause 8 was an order that was given regarding personal information.
Mr Makabane said clause 7 created obligations for the responsible party. It ensured that whoever processed information in the information chain complied with it.
The Chairperson asked Dr Oriani-Ambrosini to allow others to speak and added that he did not understand what he was saying.
Ms Louw said clause 7 explained who was responsible and clause 8 spelt out how the responsible person should process information. Strictly speaking, clause 8 was not necessary as the rest that followed after gave flesh to it. However, in all the pieces of legislation around the world clause 8 was actually the first Principle.
The Chairperson suggested that the two clauses could be put together. The problem was that clause 8 was a principle but not clause 7.
Ms Louw suggested that the Committee should go through the rest and leave this clause for later consideration.
The Chairperson asked if minimality was a Principle.
Ms Louw replied that it was not.
The Chairperson said he did not have a problem with this clause; it was just a question of how it fitted in. Should it be in the implementation section or the Principle section?
Mr Heyink said the Bill was not intended to restrict flows of information; it was intended to regulate information. There was an age-old right to privacy which had always been protected. It was dangerous to say that there could be as much information as possible and then decide how it would be used after the fact. If information would be processed around a minimality principle and then incorporated with a purpose principle, the proliferation of information would be protected.
PMG could not attend the deliberations concerning clauses 10 to 34.