The first concern of the FSB was that, as opposed to the Bill, non-compliance did not always constitute an offence thus criminal charges were not always the best option. Instead the best option was usually mitigation and prevention. The second concern was that the Protection of Personal Information Bill in a number of places used the following wording: ‘complies with an obligation imposed by law on the responsible party’, this was problematic in the sense that the wording might be so wide that it was inclusive of when the Financial Services Board was exercising a right or power afforded in terms of legislation when dealing with information. The third concern was that the Protection of Personal Information Bill used the words ‘to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences’. It was not clear if this would include supervision and enforcement of legislation. It was also not clear if this would include the exercise of authority. The fourth concern was that the proposed legislation requirement for the notifications to/approvals by the Regulator might seriously prejudice the ability of the Board to supervise and enforce legislation and to act swiftly and decisively in crisis situations. The sixth concern entailed the transfer of personal information outside of the Republic. Regulators in most developed countries were subject to data protection legislation however this was not always the case in developing countries.
The Financial Intelligence Centre noted it was also a creature of statute and was thus part of the public framework. Its work was to identify the proceeds of unlawful activities. The information gathered by the Financial Intelligence Centre had to then be forwarded to the relevant law enforcement agencies that had the necessary investigative capacities which it did not have. It received information from non-financial institutions as well which they in turn obtained from their clients on the basis of their business relationship. The Financial Intelligence Centre then collected, analysed and compared this information and put together a clear picture of the flow of transactions. The finished product then became leads for the necessary law enforcement agencies. The Financial Intelligence Centre had a dual function, it was a quasi law enforcement agency as it worked very closely with law enforcement agencies; it was also a quasi supervisory body as it interacted very closely with regulatory bodies, however it did not carry out supervisory functions. The concern regarding the Protection of Personal Information Bill was that it did not have clear wording that accommodated the functions of the Financial Intelligence Centre. The FIC would have to be able to delve into the records of customers of financial institutions whilst it was investigating them. It may be the case that the particular client of the financial institution would be enabled to raise an objection under the Bill which would halt the work of the FIC whilst the matter was being resolved. If the wording of the Bill was clear then the FIC would be in a better position to negotiate with the counsel of the other party before the matter reached litigation. The aspect of the proposed legislation that dealt with the purpose for which the data was collected was of concern as the information would be collected from the data subject by the institution in order to provide a financial service. When the Regulator had access to that information it would no longer be for that purpose.
The Committee was of the opinion that the Financial Services Board should not be excluded under Clause 4 of the Protection of Personal Information Bill and that, to the contrary, its concerns were covered under the provisions of the legislation. The Committee noted the concerns of the Financial Intelligence Centre and said that it would consider them. The Chairperson was quite baffled with the concerns raised by the Financial Intelligence Centre as its quasi law enforcement functions were already excluded under Clause 4 and its concerns were previously incorporated in the legislation at its own behest via amendments.
The Special Investigating Unit (SIU) had, in response to a request, noted that its functions would generally reside under clause 4, but it had requested that it be specifically named as exempt in the Bill. The drafters pointed out that although the SIU had correctly identified the legal position, they would be reluctant to start naming bodies that were exempt. A proposal had also been made to change the wording relating to “public body” but the drafters also expressed the view that it would be sufficient to say that adequate safeguards should be provided, without specifying how this should be done. The Bill could not be delayed while the legislation of all bodies was amended. The Committee was generally agreed that it would be preferable to state that all institutions would be covered, unless they had sought exemptions from the Regulator, who would then monitor and supervise the terms of exemption. The drafters then noted that they had prepared a redraft of Chapter 5, and briefly took the Committee through the changes to the wording. New wording was provided for clause 36, specifying that two full-time members would be appointed, in addition to a full-time Chairperson of the Regulator, and other part-time members may be appointed full time if necessary. However, full time members would not be able to undertake other remunerative work during the period of holding full-time office. The full-time members would split their functions. The DA member indicated that she would not pursue the suggestion in relation to the Tribunal, since the Regulator was in fact acting similar to a tribunal. The language would be discussed in more detail at another meeting.
Members discussed the principle of levying administrative fines and gave some indications to the drafters as to their preferences, to allow them to formulate optional wording. The DA was in favour of fines being imposed in respect of privacy matters, and non-payment being regarded as an offence. Members agreed that any fines would have to be paid to the National Revenue Fund. The IFP still needed time to consider whether it would support administrative fines. The ANC was concerned about the infrastructure implications, should fines be allowed. Various options were also noted in respect of Promotion of Access to Information Act (PAIA) enforcement. The Open Democracy Advice Centre noted that in practice, although Magistrate’s Courts were now able to determine PAIA disputes, they were not doing so because it was difficult to determine whether magistrates had been properly trained, and the training was not currently being conducted by any body. The South African Law Reform Commission noted that section 91 of PAIA set out an impractical process, and that budget constraints had been cited as the reason for not offering training. It was noted that it was unlikely that the Regulator would be burdened with many PAIA requests. Members agreed that some options should be suggested for alternative dispute resolution, or granting the Regulator some interventionist powers, and discussed the options used in other countries.
A submission had been received from MXit on the changes proposed to clause 25. It was noted that even if a lowered age of consent to processing of the information of a child was inserted, this would not answer concerns that MXit might be contracting illegally with minors. The IFP proposed that an age of 13 be inserted in the Bill, but other parties were not in favour of this, noting that there was uncertainty internationally on an appropriate age. However, they were concerned that the current wording did not reflect what was happening in practice. There seemed to be a lacuna in the law, but this might need to be addressed by amendments to the Electronic Communications legislation. It was suggested that the Regulator should investigate the position and report back to Parliament, alternatively that the problematic wording simply be removed, as it was not capable of being implemented. Another submission had been received from Pieter Streicher, but was not discussed, as it concerned spam.
The FSB supervised and enforced the law through the withdrawing of licences, issuing of directives, imposing administrative penalties and initiating the public disclosure of non-compliant entities. The second concern was that the Bill in a number of places used the following wording: ‘complies with an obligation imposed by law on the responsible party’, this was problematic in the sense that the wording might be so wide that it was inclusive of when the FSB was exercising a right or power afforded in terms of legislation when dealing with information. The third concern was that the Bill used the words ‘to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences’. It was not clear if this would include supervision and enforcement of legislation. It was also not clear if this would include the exercise of authority. The fourth concern was that the Bill’s requirement for the notifications to/approvals by the Regulator may seriously prejudice the ability of the FSB to supervise and enforce legislation and to act swiftly and decisively in crisis situations. The fifth concern was that the Bill provided for the prohibition on processing of criminal behaviour and exemption. For the FSB the sharing of information of criminal behaviour was critical in, amongst others, establishing if a person was fit and proper to be a director of a financial institution or to deal with another person’s funds. The sixth concern entailed the transfer of personal information outside of the Republic. Regulators in most developed countries were subject to data protection legislation however this was not always the case in developing countries. It was also not clear if the Bill would include the transfer of information in compliance with international standards and obligations.
Adv Nonkumbulo Tshombe, Advocate at the FSB, said that the FSB was also a supervisory body in terms of the Financial Intelligence Act (FICA). It was also responsible for ensuring that there was compliance towards international standards. The FSB had in the past discovered information that related to fraudulent activity and it had to be shared with law enforcement agencies such as the National Prosecuting Authority (NPA). This sharing of information was provided for in the Inspections Act. What was an issue for the FSB was where there was no clear guidance in law on the sharing of information and this was what was of concern in relation to some of the provisions in the Bill. There were many constitutional challenges arising from the regulatory function of the FSB. The Bill would be problematic for the FSB were it not to be exempted from its application.
Ms D Smuts (DA) said that the Committee was open to receiving new concerns and the FSB was welcome in providing drafted amendments. The issue was the relationship between regulators and how the Bill might affect this. It would be useful to receive an opinion on the concerns raised by FSB from the State Law Advisers.
Dr M Oriani-Ambrosini (IFP) asked if the first concern would be addressed if the principle of a violation of law was referred to. The second concern was understandable. It would seem that the language used in the Bill addressed the third concern, it was already as wide as one could possibly make it; how could the FSB make the provisions in the Bill wider than they already were to address its concerns? The fourth concern was noted however if it applied to all other entities why should the FSB not be treated in the same way, could it not just adjust the way it conducted its functions? The fifth concern may not be an issue as it fell under the ambit of the gathering of information for purposes of criminal investigations; this was exempted under the Bill. The sixth concern was noted.
Ms Ananda Louw, South African Law Reform Commission (SALRC), said that the FSB has been part of the SALRC’s process for quite some time. The general drift of the FSB’s submission was that they were afraid that the Bill would prevent them from the work they were currently doing. The fears were unfounded as the whole point of the Bill was not to stop the free flow of information but to regulate it. In other countries where there was similar legislation, institutions such as the FSB were not hampered in the execution of their duties. The part of the work of institutions such as the FSB that fell under the ambit of Clause 4 would be exempted and not the FSB as an institution. The Bill would not impede any core functions of the FSB. Things such as the FSB’s personnel files would always be subject to the PPI Bill.
Mr Henk Du Preez, DoJ&CD State Law Adviser, said that it should be remembered that the exclusion in Clause 4 was subject to the requirement for adequate safeguards to be in place for that governing legislation. This route of exclusion would be quite cumbersome as the FSB would most likely have to appear before Parliament to justify why for example only five of the eight conditions for the lawful processing of information should apply to it.
Ms Louw added that the FSB was requesting to be excluded because it was an enforcer of legislation. If one had to exclude the FSB on the basis that it was an enforcer of legislation, then the whole of government would have to be excluded.
Mr Mark Heyink, Director at IT Governance Consulting, said that insofar as criminal enforcement was concerned, there was a worldwide shift towards things like the European Convention on Cyber Crime where the whole intention was for there to be greater sharing of information. The movement was away from exclusions. There was a necessity for the financial sector to work together on issues that related to codes of conduct.
Ms Ferreira said that some of the wording in the Bill was unclear. The FSB was requesting for the Bill to be clearer in some clauses. The wording should better reflect the intention of the legislature. It was not the intention of the FSB to not be subject to a Regulator, it was already subject to the Promotion of Access to Information Act (PAIA). It should be noted that at times the FSB had to act swiftly and it was imperative that the FSB be enabled to do this under the provisions of the Bill. The FSB was not requesting to be excluded as an institution but rather the exclusion should be where its work might be impeded. The issues raised by the FSB were of concern throughout the financial and banking sectors. The Committee should be aware that within the environment that the FSB functioned, there were entities that did not act with the best of intentions. The FSB would want to be involved in the drafting of a code of conduct together with the Financial Intelligence Centre (FIC). The FSB would want to comply with the principles in the Bill and remain effective. The standards in the financial industries sector were stricter.
Ms Tshombe said that there was already a legal framework that governed the collection of information by the FSB. The FSB did not share information except with other responsible bodies such as the NPA.
Mr Sisa Makabeni, DoJ&CD State Law Adviser, referred to clause 2(2) of the PPI and asked whether the concerns of the FSB were not already covered in this clause.
The Chairperson said that to have the FSB excluded under clause 4 was a non-starter. The FSB dealt with large amounts of personal information and this had to be regulated properly.
The Chairperson proposed that the exemption under Clause 4 should be rejected.
Ms Smuts said that there was a real need to have the Bill passed in order to protect the citizenry.
Financial Intelligence Centre (FIC) submission
Mr Pieter Smit, FIC Senior Manager: Legal Services, said that at this stage it was not clear how the Bill would be interpreted by opposing counsel once matters reached court level. To mitigate this, it would be useful for the Bill to be as clear as possible. The FIC was created by statute and was thus part of the public framework. The work of the FIC was to identify the proceeds of unlawful activities. The information gathered by the FIC had to then be forwarded to the relevant law enforcement agencies that had the necessary investigative capacities which FIC did not have. The FIC had to receive information from non-financial institutions as well which they in turn obtained from their customers and clients on the basis of their business relationship. The FIC then collected, analysed and compared this information and put together a clear picture of the flow of transactions. The finished product then became leads for the necessary law enforcement agencies. The FIC had a dual function, it was a quasi law enforcement agency as it worked very closely with law enforcement agencies; it was also a quasi supervisory body as it interacted very closely with regulatory bodies, however it did not carry out supervisory functions. The concern regarding the PPI Bill was that it did not have clear wording that accommodated the functions of the FIC. The FIC would have to be able to delve into the records of customers of financial institutions whilst it was investigating them. It may be the case that the particular client of the financial institution would be enabled to raise an objection under the Bill which would halt the work of the FIC whilst the matter was being resolved. If the wording of the Bill was clear then the FIC would be in a better position to negotiate with the counsel of the other party before the matter reached litigation.
The aspect of the Bill that dealt with the purpose for which the data was collected was of concern as that the information would be collected from the data subject by the institution in order to provide a financial service. When the Regulator had access to that information it would no longer be for that purpose. The data subjects may also not be aware that their data was being collected by a regulatory authority. The FIC was unclear as to how Part B of Chapter 6 would affect its processing of information for purposes of inspection by the proposed Regulator. It was a source of concern as to whom or what the Regulator would be like and what its stance would be on various issues.
The Chairperson said that the FIC was exempted under Clause 4 for activity that related to criminal investigations as it had requested. Clause 10(2) of the PPI also specified that data subjects could object to the processing of their information unless it was provided for by legislation. Surely this clause addressed some of the FIC’s concerns. Furthermore Clause 11 provided that it was not necessary to comply with the requirement for collection of information to be from the data subject if the collection of the information from another source was necessary to comply with an obligation imposed by law. The footnote in the Working Draft stated that this was proposed by the FIC. Clause 15 had a similar provision which also had a footnote stating the amendment was proposed by the FIC. Was the FIC stating that it was not happy with its amendments, had it had a re-think?
Dr Oriani-Ambrosini asked if the amendments proposed by the FIC in the Working Draft adequately captured its concerns.
Mr Smit replied that the proposed amendments did capture the FIC’s concerns insofar as law enforcement was concerned.
The Chairperson said that the law enforcement aspect was excluded so there was no need to refer to it, the question was the FIC changing its mind with regards to clauses for which it had proposed amendments.
Mr Smit said that perhaps the FIC had not properly understood what the implications of the amendments would be. If the quasi criminal and quasi regulatory functions of the FIC were adequately covered then there would be no further concerns. At the time when this was discussed with the FSB, the FIC had viewed the provisions in the Bill from a regulatory perspective. It had felt that the amendments may not have adequately covered the FIC’s concerns. The FIC was satisfied with the way it was accommodated for its quasi law enforcement functions.
Dr Oriani-Ambrosini asked if the concerns of the FIC were not something that the Regulator (once established) should discuss with the FIC. The concern now with the exemptions - that the Chairperson had pointed out - was that had the Committee not gone too far in depriving the Regulator of its role in resolving such issues via the courts, negotiations and exemptions?
Ms Smuts said that the concerns were noted and the Committee should now deal with them. It was an important point to take note of that the Committee has perhaps gone too far in protecting the FIC’s interests.
The Chairperson said that there had to be certainty regarding the exclusions under clause 4. The courts would ultimately decide if an institution was excluded from the application of the Bill but should the Regulator not have the first bite in this regard? In addition who would determine whether there were adequate safeguards in the legislation of a particular entity seeking exclusion?
Mr Du Preez said that the answer to the questions raised by the Chairperson would all depend on timing. A complaint may be raised against a body that claimed that it was excluded, to the Regulator before the Regulator had exercised his/her powers. At that stage the Regulator would have to determine if the body was excluded under Clause 4 or not.
The Chairperson said that it seemed that the FIC was adequately covered. It should be noted that where a proposal was drafted in the Bill it was supported and where it was put as an option, then it meant that there was a lack of clarity on the proposal.
Special Investigating Unit (SIU) request: Response by Department
Mr Henk du Preez, DoJ&CD Senior State Law Advisor, said that the Special Investigating Unit (SIU) had made a submission on the Protection of Personal Information Bill, specifically in relation to its own position. This was an acknowledgment that SIU functions would reside under clause 4 (the exclusions clause). However, in the event that the SIU did not qualify for that exclusion, then it outlined the other clauses that may impact on the functions. In short, the SIU had summarised its own position correctly, and he did not think that it was necessary to go through the whole submission.
The Chairperson noted that the SIU had asked for a specific exclusion, by name, in the Bill.
Ms M Smuts (DA) said that the purpose of the request was to allow the SIU to perform certain functions. It had also suggested that the words “by the public body” be used, rather than referring to specific legislation, and wondered about the reason for this, as there was a statute under which the SIU operated.
Ms Ananda Louw, Principal State Law Adviser, South African Law Reform Commission, said that the SIU had shown that it was already covered by the exclusion, but had wanted the SIU to be named specifically. However, this was not desirable, as if one body were named, so must all the others, such as the Financial Intelligence Centre (FIC), South African Police Service (SAPS), and it was possible that some might be left out. The functions performed by such bodies were already covered in the Bill.
She said that the request to change the wording in relation to the founding legislation of the bodies merited further thought, although she did not wish to give a specific answer now.
Mr du Preez said that the duties, functions and powers of a creature of statute were derived directly from the statute. If this Bill gave a public body a general power to provide addition safeguards by administrative means, this ran the risk of being ultra vires. He suggested that it would probably be sufficient to say that adequate safeguards must be provided, without saying how this must be done.
The Chairperson said that safeguards applied to specific legislation. The SIU had requested insertion of the words “by the public body”. There were, however, other provisions covering this. He asked why this request had been made.
Ms Smuts noted that she had asked the SIU to comment upon whether this Bill would impact on its work.
Dr M Oriani-Ambrosini (IFP) said that the core issue was what was meant by “adequate”. This Bill was setting up a statutory framework of obligations to be implemented by the supervisory actions of the Regulator. Whether the safeguards for protection of personal information were “adequate” would be a value judgment that took into account such issues as sufficient firewalls on computers to protect theft of information, and how often that needed to be reviewed. None of those details would be in the legislation, so it was not a question of comparing one body’s legislation with another. Different institutions could have the same legislation, but one might utilise systems that were not effective. He suggested that it might be preferable for the Bill to specify that everyone would be covered, unless they had sought exemptions from the Regulator, who would then be able to monitor and supervise the terms of the exemption, and withdraw that exemption if there was not sufficient compliance.
Mr du Preez said that he appreciated the concern about implementation. However, it was necessary to remember how the exclusion was worded. The Bill would not apply to the processing of personal information, but if that processing was done “by or on behalf of a public body” then it required that adequate safeguards be established. If there were adequate safeguards in the founding legislation, there was no responsibility to implement them, unless processing of information was required, in which case it would have to be done in line with those “adequate safeguards”.
Dr Oriani-Ambrosini asked what was meant by the phrase “specific legislation for the protection of personal information”.
Mr du Preez said that this was a technical point that the drafters could address. If the Committee was not satisfied with the word “specific” then it could be omitted, or adequate safeguards could be added in to the legislation creating powers, functions and duties. He indicated that SAPS operated in terms of many pieces of legislation, yet the safeguards may be provided for in only one.
The Chairperson asked why this would have to be in legislation. He had earlier raised the question as to who would determine what was adequate, suggesting that this should be either the court or the Regulator. The question was whether safeguards must be legislated, or whether they merely had to be in place.
Mr du Preez said that the implementation of this Bill could not be delayed until every statutory body that may qualify for an exclusion in terms of clause 4 had amended its legislation.
The Chairperson pointed out that the current wording seemed to state that the exclusion would not apply unless the entities had these safeguards in their legislation. That was not the intention.
Mr Mark Heyink, Director, Information Governance Consulting, said that a test of adequate security was dependent on the nature of information and how it was processed. For instance, the draft security standards were dependent upon other legislation being enacted. In the private sector the Companies Act, underpinned by King III codes, said that there was a need to assess risk and put in appropriate protection. The codes or practices of standards would assess whether adequate or reasonable protection had been put in. From an information security perspective, there was no way that information protection could be put in place, but that was the reason for using “generally accepted security practices”.
Ms Smuts noted that people were vetted at various levels, and personal information would be taken in this process, yet there was no protection in place. If government departments were to be excluded, then protection must be in place.
The Chairperson agreed, and said that he was also not aware of any provisions in the National Prosecuting Authority Act relating to protection of personal information.
Dr Oriani-Ambrosini said that these points seemed to confirm that no other legislation covered protection of information, and he could not see that this legislation was likely to be amended in future. The Regulator would have to issue codes, and make an assessment of adequacy for each entity, so he said that everyone should be covered, unless exempted either on the basis of threshold (a suggestion he had made earlier), or once the Regulator was satisfied with the adequacy of protection.
The Chairperson summarised that the drafters should ensure that they captured that notion, and should consider whether this would need to be in legislation, or whether the Regulator’s overall function of looking at the monitoring of the Bill was sufficient.
Mr Heyink said that the Information Commissioner in the United Kingdom (UK) was increasingly undertaking adequacy assessments. He cited a recent ruling against the District of Hertfordshire, who had lost information.
Dr Oriani-Ambrosini said that the assessment of adequacy was not an abstract but was an additional element that pointed to an administrative function rather than a legal comparison.
Ms Louw said that there would generally be a negotiated settlement between the Regulator and the entity. There were various different options, although very few countries had blanket exemptions. Other options currently used included authorisation at Cabinet level, which may be combined with authorisation from the Information Commission (as in France) or an appeal to a Tribunal, or reference to specific legislation. It was intended, generally, that any sectoral Act should be in harmony with protection of personal information. When the South African Law Reform Commission (SALRC) issued its first Discussion Paper, it had asked that all bodies should try to harmonise their legislation with the Bill, but the bodies had responded that this as unlikely to happen soon, so the other option was selected by the drafters.
The Chairperson said that the difficulty was that there was an exclusion conditional upon safeguards in legislation, but this did not always exist.
Ms Louw pointed out that this was really a “belts and braces” approach.
The Chairperson said that another option could be considered, along the lines of a clause requiring “that broader safeguards are in place to protect personal information”.
Ms Louw said that this Bill would serve until other safeguards were introduced into sectoral legislation.
Ms Smuts said that another option would be to state that the Bill would apply unless operational safeguards were in place, and the Regulator would then grant an exemption to a body that was in compliance. This would ensure that bodies would have to look carefully at their systems.
Mr du Preez asked if the Committee felt that Parliamentary intervention was required; for instance in approval of any national instructions.
Ms Smuts and the Chairperson thought that this would be the job of the Regulator.
The Chairperson said that the Committee also needed to discuss the media exemption in clause 4, as Ms Smuts had asked Ms Louw to give an indication of the preferred stance.
Ms Louw responded that she had done so, and the last proposal, reflected as option 4, showed a separation.
Ms Smuts agreed that this was covered for the moment.
Annexures and Redraft of Chapter 5
The Chairperson asked the Committee to move on to the Annexures. He asked if the drafters needed guidance on any points. Annexure A set out the enforcement mechanisms and Annexure B referred to the Information Regulator’s structure.
Mr du Preez tabled a redrafted version of Chapter 5, and said the new amendments were indicated in italics and highlighted. On page 2, the index and contents were aligned. On page 3, some definitions were duplicated that may apply to this Chapter, for ease of reference. The first substantive amendment was on page 4, for clause 36(1). Subclause (c) now specified that the Chairperson of the Regulator must be appointed in a full-time capacity, and may not perform other remunerative work. Subclause (d) reflected the Committee’s request that two full-time members be appointed, in addition to the Chairperson. The drafters also proposed that the two remaining members may be appointed part-time, or, if necessary, that one or more may be appointed in a full-time capacity. If one or both were appointed full-time, then they may not do any other remunerative work during the period in which they held office.
Ms Smuts questioned the wording of (d).
The Chairperson said that it might be necessary to put the proviso at the end.
Mr du Preez agreed that he could look at the wording, but said that this prohibition on other remunerative work would apply to those acting full-time.
Dr Oriani-Ambrosini suggested that the wording “mentally ill” needed to be corrected, at a later stage.
Mr du Preez referred to clause 36A(a), noting that there were consequential changes. The Chairperson must exercise duties, functions and powers conferred under this Bill and in terms of the Promotion of Access to Information Act (PAIA). The Chairperson was accountable to the Regulator. In subclause (2), it was specified that the full-time members would split their functions, with one exercising functions in terms of this Bill and the other exercising functions under PAIA.
The Chairperson noted that although the Committee had intended to discuss the annexures, in order to give instructions to the drafters, the drafters had already prepared a draft, and he suggested that they should merely point out the changes, so that they could be included in Version 5 of the Bill.
Mr du Preez noted that as far as enforcement was concerned, there was now reference to the provisions of the Independent Communication Authority of South Africa (ICASA) Act. The Committee would need to consider whether this needed to be expanded further.
The Chairperson said that the question of the Tribunal may need to be discussed.
Ms Smuts said that she would concede on the issue of the Tribunal, because, on giving further consideration to this, she agreed that the Regulator became a de facto internal tribunal. Appeals could be lodged with the Regulator.
The Chairperson said that at the next meeting, the Committee would go through Version 5.
Dr Oriani-Ambrosini questioned clause 39B.
Ms Smuts said that the Committee had discussed this during a meeting when Dr Oriani-Ambrosini was not present.
Dr Oriani-Ambrosini wanted to comment on the language of clauses 39A and 39B.
The Chairperson said he would prefer this discussion to stand over until the following meeting, when the new Version of the Bill, incorporating all changes, would be tabled.
The Chairperson then noted that Annexure C dealt with the administrative fines.
Dr Oriani-Ambrosini asked to speak on an issue arising from this, and said that everything in Chapter 5 was predicated on whether the Regulator would be dealing with the PAIA issues.
Ms Smuts said that the Committee could take note of this point.
The Chairperson said that options could be referred to the full Committee.
Ms Smuts asked if the Chairperson was suggesting that administrative fines should be imposed in lieu of other actions, or in addition to it.
The Chairperson said that it was necessary to consider whether an enabling provision should allow for fines.
Ms Louw asked for clarity on what the Committee wanted in respect of page 13, on Annexure C.
Ms Smuts said that it was necessary to consider whether fines would be imposed in respect of privacy matters.
The Chairperson pointed out that the alternative was to have no administrative fines, and suggested that one solution might be a shorter enabling provision allowing the Regulator to deal with that area.
Ms Smuts suggested that any imposition of fines should be confined to privacy breaches, and suggested that the option under (b)(ii) was preferable. She thought that non-payment should constitute an offence, and it should be regarded as a transgression. She suggested that the fine could be paid to the National Revenue Fund, or the Regulator, but in the latter case, it would be necessary then to consider for what purposes the income from fines could be used.
Mr du Preez said that this was his concern around public bodies. He suggested that it would be preferable to have the funds accrue to the Regulator.
Ms Smuts asked if, in this case, the purpose for which the fines would be used would be circumscribed, as otherwise there might be a tendency to impose fines to raise revenue.
Dr Oriani-Ambrosini was of the view that fines could not be paid anywhere other than the National Revenue Fund, as the Constitution only allowed for a departure from this in “exceptional circumstances”.
Ms Smuts agreed that he was correct.
Dr Oriani-Ambrosini said he would still revert to the Committee with his view on whether administrative fines should be imposed -
The Chairperson asked the drafters now to draft some options. He noted that he was concerned that the imposition of administrative fines would mean the setting up of infrastructure, and it was necessary to avoid the costs of a plethora of tribunals. He did not think it was fair that officials could levy fines. A failure to comply with a notice was potentially a criminal offence, and so he did not think it was appropriate also to provide for a fine for this failure. Although he had heard the submissions about the tendency to have administrative fines, he was worried that a tribunal system would be needed for this.
Ms Smuts reminded the Committee that there were numerous other laws that allowed for administrative fines.
Dr Oriani-Ambrosini raised another point, saying that if the civil remedies were strengthened, and other consumer protection measures were put in place, this might aid enforcement, by creating self-motivated enforcers.
The Chairperson asked him to raise this point again when Version 5 of the Bill was discussed in full.
Ms Smuts said that much would turn on whether it was possible to effect fines without a tribunal.
Mr du Preez said that he would draft some options. The SAPS had provisions for administrative fines that would avoid appeals and reviews, leaving the discretion to the individual whether to pay or not. If s/he chose not to pay, the matter would proceed to a prosecution.
Dr Oriani-Ambrosini thought that if the person did not want to pay, and a prosecution was then instituted, this was problematic. Traffic fines, for instance, were payable when an offence had already been committed, and the payment of the fine would extinguish the procedure already instituted. If a citizen did not pay a traffic fine, the Court could confirm the fine or have an additional sanction.
Mr Jeffery noted that here, the fine operated in lieu of instituting a court case. If administrative fines were to be allowed in this Bill, they would operate in the same way.
Dr Oriani-Ambrosini noted that the procedure began when the fine was imposed. The whole thrust of this Bill was to prompt compliance, and an administrative fine could act as a warning.
The Chairperson said that there might be a problem with the “public bodies” aspect.
The Chairperson then asked Members to move on to Annexure D, relating to PAIA enforcement. He noted that different options were set out from page 4 onwards. He noted that regulations had come into effect last year, but asked the Open Democracy Advice Centre (ODAC) to comment on the extent to which the Magistrate’s Courts were being used to deal with PAIA disputes.
Ms Alison Tilley, Executive Director: Open Democracy Advice Centre, reported that for practical purposes, ODAC had not been in a position to use those courts, despite the introduction of the Rules. Magistrate’s Courts had been designated, but magistrates still needed to undergo “approved” training. The Department of Justice and Constitutional Development (the Department) had stopped the designated training in around 2005, so there was currently a significant obstacle as it was unknown whether the magistrate before whom a matter was called had been trained on PAIA.
The Chairperson said that there were concerns about over-burdening the Regulator. It was useful that this issue had been raised now, as it would enable the Committee to ask questions of the Department later in the week. There clearly needed to be a body to attend to PAIA adjudications, and the reason why the Magistrate’s Courts were designated was because they should be more accessible.
Ms Louw said that it was difficult to find out exactly what was happening in this regard. Section 91(a) of PAIA set out a process, but this was very difficult to implement, because eight different entities, in different sections of government, would have to work together to ensure that magistrates were trained, and that was one of the major problems. Some training had initially been done by Justice College, but it was later realised that this training did not comply with the PAIA provisions, and the training was then supposed to be taken over by the South African Judicial Education Institute. However, the Magistrates’ Commission reported that this body was not funded and could do nothing, and Justice College had not resumed the training. Budget constraints also hindered the training. This did not appear to be treated as a priority.
Ms Smuts noted that in this case, another mechanism would then need to be found for citizens who met with mute refusals.
The Chairperson said that if budgetary constraints were the real problem, then it was unlikely that any other body would be attending to the training. He asked the Committee Content Advisor, in consultation with ODAC, to formulate a list of the problems that bodies were experiencing with the current legislation.
Ms Tilley said that if the section requiring the specific training was removed, for practical purposes, it was unlikely that the Regulator would be called upon to deal with a flood of access to information requests. The international experience was that the majority of questions to the Regulator related to personal data protection. 80% of South Africans knew they had the right to access to information, but only about 20% were aware of PAIA, so the caseload of PAIA requests was likely to be slow. She thought it would be useful for the Regulator to have jurisdiction, even if the Magistrate’s Courts were to have unfettered jurisdiction on PAIA issues.
Ms Smuts pointed out that anyone had the right to get access to information in the hands of the State. It would be counter-productive if a person was denied access because it was too expensive to pursue the request.
The Chairperson said that the right of access was not excluded but at present only the High Courts were adjudicating on these requests, and adjudication by the Magistrate’s Courts would be cheaper. He asked if there had been a proper study on whether the existing systems were working properly, or what might be needed to address the issues. There were other options on Annexure D, and he thought that the issues of costs and implementation needed to be examined.
Dr Oriani-Ambrosini said that, in light of the difficulties cited by ODAC and the drafters, it might be necessary to consider including provisions for alternative dispute resolution, to allow the State to engage in this process.
Mr Heyink said that it was true that some requests for access to information had been refused. However, if the Regulator were to be given sufficient enforcement powers to ensure that requests were at least dealt with properly, that might negate the need for citizens to approach the courts.
The Chairperson noted that in some cases, government may have information that it did not want to release, and these cases were likely to be referred to Court. However, it was more likely that disputes would arise where information officers had not applied their minds properly to the release of information. He suggested that perhaps the “adjudication” should be left to the Courts, as a substantial infrastructure was needed to support the quasi-judicial function. However, he wondered if there might be a way to give the Regulator some kind of interventionist powers, rather than the adjudication options already outlined.
Ms Smuts noted that something stronger than “mediation” or “conciliation” was needed.
Dr Oriani-Ambrosini thought that “adjudication” could take place only in a Court, and was not a procedure that would apply to the Regulator. Mediations or conciliations might not help, but arbitration might be the correct basis.
The Chairperson pointed out that arbitration was also time-consuming and costly. Most of the issues involved matters where there was simply no response from the information officers, so he thought it was necessary to find a way for the Regulator to intervene in these cases, without actually becoming an adjudicator.
Ms Tilley said that in Canada, a retiring Regulator had expressed the view that the Canadian system, which allowed for recommendation powers only, was not sufficient, because in practice the recommendations would be ignored and no other mechanism existed to make structures accountable to the Regulator. It could be argued that some kind of mediation powers could be considered, including right to call for, view or give an opinion on the documents. In Western Australia, many of the issues were resolved simply through the Regulator getting access to and studying the documents, and issuing a draft opinion on what might result from arbitration. Such steps were often useful in resolving the dispute. Officials were looking for some kind of risk management policy from their side. In South Africa, they would be keen to get some document that would tell them when to release the information, to absolve them of final responsibility. If there was a serious dispute about information, the matter would no doubt go to Court, and this was recognised. However, it was likely, following the experience of the Scottish Information Commissioner, that once there had been some working through the issues, a Regulator may be able to persuade the parties that no harm would in fact result from the release of information. Powers of recommendation only were too weak and could be ignored.
The Chairperson said that ombuds generally made recommendations. The Information Officers in Ireland and United Kingdom would have directive powers. There were also tribunals and courts in the UK. He asked how the Information Officer would make a decision.
Ms Louw referred to page 24 of the document, and said the systems would work in much the same way.
Ms Smuts asked why Dr Oriani-Ambrosini had suggested that a Regulator could not make binding decisions.
Dr Oriani-Ambrosini agreed that, eventually, the final decision would rest with a Court.
The Chairperson said that he would like to explore the possibility of the Regulator not arbitrating or adjudicating but playing an interventionist role. The provisions of the Magistrate’s courts would then need to be strengthened. He asked the drafters and other interested parties to think about what wording could be used to achieve this.
Ms Smuts noted that the DA would prefer option 1 or option 2. She thought that the PAIA functions should be spliced, but wondered whether it might not be more useful to have separate provisions.
Ms Louw referred the Committee to page 20 of the document, and said that the Bill made reference to Chapter 5 of PAIA. Whatever was included in one piece of legislation would be mirrored in the other. Option 2 contained the new powers, which would be similar to internal appeals processes. Schedule 3 would be included. However, she pointed out that there were a number of other options and variations, including a voluntary system, where the Regulator would be added.
The Chairperson noted that Schedule B3 would be redrafted to follow Option 3.
Ms Smuts reminded Members that the Chairperson of the Portfolio Committee on Justice had noted that an instruction had been issued to all government departments not to give any information, following an (unspecified) Court judgment.
Ms Louw noted that the whole idea of the “notices” system amounted to “soft law”. Somebody would have to remind institutions of their obligations.
Mr Heyink said that some of the powers relating to infringement would be apposite to requests for access to information as well. As had been indicated already, unnecessary court actions could often be avoided by having a legally-recognised institution that could explain and give advice on the issues.
Ms Louw commented on the Chairperson’s concerns about over-burdening the Regulator, and said that however the matters were addressed, they were likely to take the same amount of time.
Ms Smuts suggested that perhaps PAIA would need to be amended.
Ms Louw noted that section 77A would be inserted into PAIA, and the two pieces of legislation would mirror each other, in respect of access to information (through PAIA) and protection of personal information (through the Bill).
The Chairperson asked that the members of the sub-committee should convey their preferred options to the drafters.
Mr du Preez noted that a submission had been made from the attorneys for MXit. The Committee had proposed an amendment to clause 25, requiring permission of a “competent person” before the information of a child could be processed. A child was regarded as one under 18, in terms of current law. This was of concern to MXit, who said that any person under 18 would then not be able to contract with or participate on MXit, and who proposed that the age should be reduced, similar to other countries. For instance, the USA had reduced the age for processing of personal information to 13 years, so that a person older than 13 would be able to transact, without parental consent. MXit further argued that a requirement for consent to information being processed would not in fact protect the information of a child, and suggested that other special measures should be introduced instead.
Mr du Preez pointed out that MXit had not addressed the issue of whether it was contracting legally with minors. He pointed out that the Bill had not amended the substantive law in relation to minors, merely confirmed the position around contractual capacity.
Dr Oriani-Ambrosini said that he had already made a submission on this point and had also conducted some additional research. He believed that a separate category of teenagers (those aged between 13 and 18) should be created for the purposes of this Bill. There were a huge number of educational opportunities, as well as social networks, in which teenagers should be participating, and all of these sites collected personal information. It would be absurd to prohibit a child from interacting with this sites, without parental consent. He added that there was increasing recognition that privacy of teenagers could be enforced against their own parents, and it was unreasonable to expect a parent to consent to matters that might fall within this ambit. He suggested that legal capacity and protection of privacy for the purposes of this Bill should be stated as applicable from age 13.
Ms Louw said that this might be problematic. Some MXit sites were not sure whether they were already contracting legally with those under 18, although contracts that conferred rights but did not impose obligations were valid for under-18s. In practice, MXit had no direct contact with the person engaging in the user contact, so lowering the age would not answer MXit’s concerns. MXit was more concerned with protection of children for sensitive information, and had referred to various studies. She did not think that there was any problem with the current wording of the clause. If consent from parents was needed, this Bill would be consistent. She pointed out that the Children’s Institute had published a useful guideline to legal age thresholds in a number of instances. However, she agreed that there might well be a lacuna in the law relating to how children’s information was dealt with, and this might need to be addressed separately, not through this Bill, but perhaps in the Electronic Communications legislation. In future, the Regulator would only regulate a very small portion of the transactions online.
Dr Oriani-Ambrosini said that in practice, teenagers were contracting all the time, whether by ordering takeaways, or buying cinema tickets. The law should be adjusted in line with the realities. This Bill was intended to protect privacy, not to regulate everything.
Ms Smuts said that another option might be to leave the position as currently worded, and ask the Regulator to report back to Parliament within a specified timeframe.
Mr Heyink said that MXit was a South African company. It offered an instant messaging service, and was predominantly used by schoolchildren. It was not just the South African Regulator that would be involved, and other contracts online would not be subject to the Regulator’s powers. In some countries, the age had not been lowered, and there was no consistency across different jurisdictions, so the mechanics of protection had not yet been resolved. Initially, this point was not within the remit of the SALRC. He agreed that in time the Regulator may make recommendations to Parliament to deal with this in a different way.
Ms Louw noted that Scotland protected data of those aged 12 and up, whereas Australia had named an age of 13. However, she stressed that this was for the purposes of consenting to processing under this Act. The drafters of this Bill had not wanted to opt for any particular age, but merely to confirm the existing law.
Ms Smuts reminded Members that this had been discussed before, when there was agreement that no age should be specified.
Mr Alastair Tempest, President, Institute of Interactive and Direct Marketing, said that this was still subject to debate in the European Union. In Spain, the age of consent to processing was only 11 years. There were essentially two questions. The first related to the age at which consent to processing of data could be given, and he noted that perhaps parents, guardians and teachers could give consent. The second question related to the age at which there could be consent to purchasing. He pointed out that many children knew their parents’ credit card details.
Mr du Preez said that legally speaking, a “child” would be allowed to open a bank account at 16 years of age, although, for general purposes a “child” was one below the age of 18. That was why the drafters had proposed that the clause should specify that wherever any other law stipulated a lower age than 18 for a child to transact, then permission from a competent person would not be required for that instance. Other examples may be the abortion legislation, where no age limit was prescribed.
Dr Oriani-Ambrosini said that in all countries, there seemed to be a residual or default age of consent, but there were other ages for other situations. He argued that it was therefore possible to specify an age of consent for administering personal data. If nothing was said in this Bill, then the consent of a parent would be required for those under 18. He reminded Members that they had the power to write the Bill in any way that they thought appropriate.
Ms Louw stressed that the rule that a child under 18 may not contract was not being made by the drafters, who were merely applying what existing law said.
The Chairperson said that the effect of the wording was that a child under 18 could not contract under this Bill, although the reality was that this was being done all the time.
Dr Oriani-Ambrosini said again that the Bill should specify the age at which consent was relevant.
Ms Louw said that even if this section was removed from the Bill, MXit would be contracting illegally.
The Chairperson agreed, but said that the lacuna was being created because the age of contractual capacity was being applied to the processing of information. The simple solution would be to leave out that wording, because it was not capable of being implemented. Alternatively, if the restriction were kept, the Committee could add a clause requiring the Regulator to investigate and be given some flexibility in deciding how to handle the matter, perhaps by specifying social networking sites, in determining whether there had been a breach. He did not agree that any age should be specified in this Bill, in light of the confusion internationally about what might be a suitable age. He did caution that if the matter was left as it was, certain actions may not be regulated for a year or so, until the Regulator formulated recommendations to Parliament.
Mr Heyink said that this debate reflected the problems faced globally. There were about 800 million users of Facebook. The issue of enforcement and policing would be difficult without cooperation of the social networking agencies. The Bill was trying to prevent use of personal information and identity theft, which occurred through the process of collating various portions of data. The collection of histories was in fact more of a problem. It was necessary to give the Regulator the power to investigate continuously what was happening and what protective measures were proposed in other jurisdictions. He also stressed that education was vital; in Australia, the Information Commissioners had been very proactive and most citizens were now well aware of their right to protection.
The Chairperson reiterated that this clause should not be removed, but he was concerned about the practicalities.
Submission from Pieter Streicher
The Chairperson noted that another submission had been received from Mr Peter Streicher, which could not be addressed at this meeting in view of the shortage of time.
Ms Louw said that this submission was concerned with spam and did not directly affect the Bill.
The Chairperson asked Members to formulate their views on Version 5, which would be submitted to them directly.
The meeting was adjourned.
- We don't have attendance info for this committee meeting