The Portfolio Committee received a briefing from the Department of Justice and Constitutional Development (the Department) on the work done by the Technical Committee on the Protection of Personal Information Bill [B9-2009]. The Chairperson of the Technical Committee highlighted two issues which the full Committee would have to consider. The first, discussed in greater detail at the end of the meeting, was that the Financial Services Board had submitted that it should be excluded from the application of the Bill, and the Minister of Finance had written to the Chairperson of the Justice Portfolio Committee. Secondly, in the European Union proposals there was a radical change in that notification of the Regulator was being done away with. Members of the Technical Committee also indicated that the Bill dealt primarily with the processing of information with emphasis on information that was computerised. There was a need for the Bill, as it set various minimum standards that had to be observed. The newly envisaged Regulator would also be responsible for the Promotion of Access to Information Act (PAIA) and its implementation.
The most important definitions were highlighted. The provisions that dealt with the processing of children’s information aimed to provide protection, as a child could not act independently in respect of any transaction. The definition of personal information also included juristic persons. The definition of ‘processing’ provided for the whole information cycle from collection to destruction. The definitions of ‘responsible party’ and ‘data subject’ were also important. Clause 2 provided that the purpose of the Bill was to promote the free flow of information within a legally acceptable scenario. It was noted that the legislation was difficult to read, and clauses 4 and 5 set out a “road map”. Clause 4 gave an indication of the rights of the data subject, listing all the rights available to that person, and clause 5 outlined what the lawful processing of information was about, and gave an explanation on how the mechanics of the Bill worked, and also listed the various conditions under which the lawful processing of personal information may be done. Clauses 5(3) and 5(4) were important to the extent that they dealt with a specific category of personal information.
The Technical Committee highlighted clause 34, which provided for the prohibition of the processing of personal information of a child and clause 35, which provided for the exceptions to the rule laid out under clause 34. At this stage the European Union was in favour of dropping the age of a child to 13 years. The Technical Committee tried to balance the reality of what was happening in the public sphere, and the need for protection. A Member pointed out that there were various pieces of legislation that had different age groups and this was an inconsistency on the part of the legislature. However, it was explained that since there were new technological developments in social media almost every day it was important to have the Regulator deal with cases, as opposed to having inflexible legislation. Another view was that this was not a technical issue, but a social issue that needed a policy decision. Clause 46 dealt with the appointment of staff members for the Regulator. The Technical Committee had not resolved the issue of secondment of civil servants to the Regulator and there was a disagreement as to whether this should be done in view of preserving the independence of the Regulator. It was suggested that officials from Chapter 9 Institutions could be seconded to the Regulator instead. Clause 61 dealt with the failure to notify which would become a criminal offence. A Member of the Technical Committee pointed out that the new European Union Regulations proposed that there should no longer be a requirement for general notification and the full Committee would have to consider this further.
In the afternoon session, the drafters continued to take Members through the latest version of the Bill. Members briefly discussed what would be included in “processing” information, as it seemed that entering numbers into a mobile phone directory would be included, and the regulator would have to be notified of this. The drafters pointed out that filtering mechanisms were set out in clause 59(4), but that they would consider some options. The drafters continued to explain, in brief, the content of clauses 65 to the end of the Bill. Clause 76 dealt with automated decision making and this was another issue that may be included in the filtering mechanism. In terms of clause 77, personal information could be transferred outside the Republic, to another country that had similar protection mechanisms in place. A new subclause (2) had been inserted with terms that were in line with European Union regulations. There was a definition of “binding corporate rules” and “group of undertakings”. Most of the clauses dealing with the procedures of the regulator were self-explanatory. Clause 94 was a new provision, relating to assessments. The drafters stressed that if there was any interference with personal information, a complainant could approach the regulator to resolve the matter, but could also institute civil proceedings, and clause 102(2) set out the defences against an action for damages. Members debated briefly whether it was necessary to include the defence of vis major, and also questioned why there was a need for gazetting in subclause (9). Members agreed to flag the clause for discussion later.
Chapter 11 dealt with offences and penalties and a new offence was contained in clause 108; the Technical Committee wanted debiting of accounts to be criminalised from the outset, not made subject to a complaint being laid, and Members agreed that the term “account number” was preferable to “unique identifier” and that the clause should cover not only cash being taken from an account, but false running up of credit on someone else’s store card account. Clause 111A provided for an administrative fine to be levied, but should the responsible person opt not to pay that fine, the regulator would refer the matter to the National Prosecuting Authority. Members pointed out the wide disparity between the administrative fine, to a maximum of R10 million, and an offence that justified ten years imprisonment, with an alternative fine of probably only in the region of R30 000. The drafters mooted that perhaps the clause could be re-worded, and would check similar provisions in other legislation. The power of the Minister to make regulations, as set out in clause 114, was now severely curtailed, and would relate only to the establishment of the regulator, whilst the regulator had the power to prescribe other matters. Some difficulties with interpretation of clause 116 were pointed out and this would be considered.
The drafters then took Members through the Schedule, pointing out the amendments to the National Credit Act, the Electronic Communications and Transaction Act, and the Promotion of Access to Information Act. Some options were set out for the latter. The Technical Committee also outlined a submission by the Financial Services Board, which hoped to be excluded from the operation of the Bill. The drafters would meet with that body to find out how this related to the amendments proposed also to its founding legislation.
Chairperson’s opening remarks
The Chairperson announced that the National Prosecuting Authority (NPA) as well as Adv Rodney De Kock must be congratulated for their successful appeal to the Supreme Court of Appeal (SCA) in the Prins case. In addition, the Committee must also be commended for its wisdom in moving as quickly as it did in the interest of victims of sexual offences.
Mr S Swart (ACDP) requested that the Chairperson should bring the outcome of the judgment to the attention of the Speaker of Parliament, given the remarks that he made in reference to this case on the work that the Committee had done. The judgment vindicated the Committee’s approach.
Ms M Smuts (DA) requested that in the correspondence with the Speaker the Chairperson should include that the Western Cape High Court was wrong and the SCA had said so clearly. There had been times when poor legislation had been struck down, but this was not such a case.
The Chairperson said that he interpreted the Speaker’s reference to the case as an example and not as taking issue directly with the Committee.
Protection of Personal Information Bill [B9 – 2009]: 7th Working Draft
The Chairperson said that in this meeting the Committee would receive a briefing on the work that the Technical sub-committee had done on the Protection of Personal Information Bill (the Bill).
Mr J Jeffery (ANC, Chairperson of the Technical Committee) said that the 7th Draft of the Bill would be presented by Members and the drafters from the Department of Justice and Constitutional Development (the Department).
Mr Jeffery said that the Bill was introduced in 2009. It was a complex Bill which required a lot of extensive work. The European Union (EU) was at the forefront of setting up mechanisms for the protection of personal information, in order to open up trade between countries. What the legislation was essentially regulating was a moving target. The EU had made the point that when it began with the 1995 Directive, the internet was in its infancy, but now it had evolved into something completely different to its original form. There were two issues which the Committee was going to have to consider very carefully. The first was that the Financial Services Board (FSB) had wanted to be excluded, but the Technical Committee felt that this was not necessary. FSB had, however, then appealed to the Minister of Finance, who had written to the Chairperson. The other issue was that in the EU proposals there was a radical change whereby notification of the Regulator should be done away with. If the Committee did the same thing then some restructuring would be necessary.
Ms Smuts added that the Bill dealt primarily with the processing of information with emphasis on computerised information. As technology had progressed, the potential for infringement of people’s privacy rights had increased exponentially. There was a need for this law, as it set various minimum standards that had to be observed. Most industries operating in this field had welcomed this Bill as it would establish trust in business deals. The Regulator would also be responsible for the Promotion of Access to Information Act (PAIA) and its implementation.
Dr M Oriani-Ambrosini (IFP) said that there was consensus that the Bill had to be adopted. The law was ever-changing, as there was now another Regulation introduced in the EU. He cautioned that this Committee must ensure that it was adopting something in line with the rest of the world.
Working Draft 7
Mr Henk du Preez, State Law Adviser, Department of Justice and Constitutional Development proceeded to brief the Committee on the Bill:
Mr du Preez said that the most important definitions that had to be noted were the definitions of ‘child’, ‘competent’ ‘person’, ‘personal information’, ‘processing’, ‘unique identifiers’ and ‘responsible party’. The Technical Sub-committee had done a lot of work on the definition of ‘child’. The provisions that dealt with the processing of children’s information aimed to provide protection where a child could not act independently in respect of any transaction. The definition of personal information also included juristic persons. The definition of ‘processing’ provided for the whole information cycle from collection to destruction. The definitions of ‘responsible party’ and ‘data subject’ were important.
Mr du Preez outlined the purpose of the legislation. The Bill promoted the free flow of information within a legally acceptable scenario.
Mr du Preez said that this clause dealt with the interpretation and the application of the Bill.
Mr du Preez said that clauses 4 and 5 were the “road map” provisions. Clause 4 gave an indication of the rights of the data subject. This clause listed all the rights available to the data subject. This was not a provision which created data subject rights, as they were scattered elsewhere in the Bill.
Mr du Preez said that clause 5 outlined what the lawful processing of information was about. The clause provided an explanation on how the mechanics of the Bill worked, and it listed the various conditions under which the lawful processing of personal information may be done. Clauses 5(3) and 5(4) were important to the extent that they each dealt with a specific category of personal information: namely, general personal information and special personal information. The authorisation in clause 3(a) was different to the exemption that the Regulator may grant; it dealt with the circumstances under which special personal information may be dealt with. Clause 5(4) prohibited the processing of information of a child and listed the exceptions as well. Clause 5(6) was important as it provided for the requirement of the development of codes of conduct for various sectors.
Mr du Preez said that this clause dealt with exclusions, which included household or personal activity. Clause 6(1)(c) was important: the exclusion only applied to the extent that adequate safeguards had been applied in legislation for the protection of such personal information. Clause 6(1)(d) had two proposed options and dealt with literary and artistic expression.
This clause set out an exclusion based on journalistic purposes.
Mr du Preez said that this clause merely indicated that a responsible party had to ensure that there was compliance with the conditions for lawful processing. The provision was in line with the new European Union (EU) Regulation. This was the first condition for lawful processing of personal information.
Mr du Preez said that this was the second condition for lawful processing.
Mr du Preez said that this dealt with minimality.
Clause 11(2) placed the burden of proof for receiving the data subject’s consent on the data processor.
This clause provided for exceptions for when information may be collected other than directly from a data subject.
Mr du Preez said that this clause provided the circumstances and time periods under which the retention of personal information may be done.
Mr du Preez said that clause 15(2) provided for a test, which provided for an assessment as to whether further processing was compatible with the process of collection.
Mr du Preez said that it was reasonable that information was updated and accurate as required by this clause.
Mr du Preez said that many of the original sub-clauses had been omitted but they were merely repeated in clause 18.
Mr du Preez said that this clause related to the notification of the data subject when collecting information. It required that responsible steps had to be taken in the collection of data, insofar as making the data subjects aware that their information was being collected.
Mr du Preez said that responsible parties were expected to look after the personal information of other people.
Mr du Preez said that in terms of this clause, if information was accessed by an unauthorised body, then there would be an obligation on the responsible party to notify the data subject. If the conditions set out in the Bill were not complied with by a responsible party, then this would be regarded as an interference with the protection of the personal information of a data subject. This would entitle a data subject to approach the Regulator, and to institute civil proceedings.
This related to the data subject’s right to access information. The content was closely related to PAIA.
Mr du Preez said that this clause also dealt with the access to information and referred to PAIA.
Mr du Preez said that this dealt with the processing of special personal information of a data subject who was not a child, as well as the processing of all personal information of children. There was also a general prohibition that provided that a responsible party may not process information that related, for instance, to a philosophical belief.
Mr du Preez said that this clause was a general authorisation. It also provided provisions dealing with specific categories, as well as the circumstances under which this type of personal information may be dealt with.
Clauses 28 to 33
Mr du Preez said that these clauses dealt with the various aspects of special information. The processing of the personal information of children was a difficult area.
Mr du Preez said that this clause provided for the prohibition of the processing of personal information of a child.
Mr du Preez said that this clause provided the exceptions to the rule set out in clause 34.
Mr Jeffery pointed out that this clause had occupied the Technical Committee to a considerable extent. The Bill would not deal with issues relating to Facebook. MXit was a South African application and the point had been raised that it was used by a lot of school children and it was not possible to know whether the requisite consent from their parents would have been acquired. MXit would have to apply to the Regulator. Another possible option was provided by Dr Oriani-Ambrosini, namely to drop the age, in the definition of a child, to 13. The difficulty then was that a 14-year old may not be responsible in giving out his or her personal information. The EU was in favour of dropping the age of a child. The Technical Committee tried to balance the reality of what was happening on the ground, with the need for protection.
Dr Oriani-Ambrosini added that, in relation to the question of capacity, a transaction was not deemed illegal, or prohibited, but was voidable. However the provisions in the Bill were prohibitory.
Mr Jeffery said that the EU had dropped the age to 13 in its Regulations. The Committee would have to consider this further.
Ms Ananda Louw, Principal State Law Advisor, South African Law Reform Commission (SALRC), said that the position as explained by Dr Oriani-Ambrosini was correct in terms of South African law. The problem of age was being addressed, and there were at least eight different studies that were currently being undertaken. In America, the age used was 13. A child was defined as a child under 18 years. The position for 14 to 18 year olds was in limbo there, and this was also the position proposed in the EU Regulations. The problems referred to by Dr Oriani-Ambrosini were very real.
Mr Swart said that this clause seemed to relate to the cognitive abilities of a child, and whether a child would be able to take the correct decision regarding the processing of his or her personal information. Regrettably, Parliament has passed various pieces of legislation setting out different ages and there was inconsistency. One example was the Choice on Termination of Pregnancy Act, where the age was 12 years, yet if there were complications then parental consent was required for an operation, and this might be something that could be considered. Courts also sentenced differently for 16, 17, and 18 year old children. The age debate was also central to the Sexual Offences Act.
Ms Smuts said that she was sympathetic to the view expressed by Mr Swart. The whole point of having a Regulator was to have a competent rule-making body that could take decisions. Children were vulnerable and in need of protection. MXit’s problems should be handed over to a Regulator.
Mr Jeffery addressed the issue raised by Mr Swart, referring the Committee to clause 35, which gave the responsibility of the age issue to the Regulator, who would police, monitor and set the necessary conditions.
Dr Oriani-Ambrosini said that these were decisions that Parliament had to make and these should not be passed on to someone else. This was not a technical issue, but a social issue that needed a policy decision, depending on what sort of society was envisaged by the legislature. The empowerment of the youth was important, and there had to be inter-connections between various societies, which social networking promoted. It was very damaging and disempowering to prohibit children from these things.
Prof G Ndabandaba (ANC) said that it would be ideal to have a psychologist advise the Committee as to what the appropriate age would be.
Mr Mark Heyink, Director, Information Governance Consulting, said that when it came to children there were two perspectives. Internationally, he agreed that this was a burning issue. A matter that was being considered carefully was the abuse of the rights of 13 to 18 year olds, a new phenomenon, when using social media networks. Children of 16 to 18 years old tended to do silly things, which could come back to haunt them - for example, Facebook was being used to screen employees. There was a case in the North Gauteng High Court where a prosecutor was using postings on Facebook to try to paint a picture of a deceased person involved in the case. There was merit in what Dr Oriani-Ambrosini was saying, but the reality was that the youth was not being educated on these things. It was a misconception to assume that the Committee could make law that would stand up in three or four years’ time, as the nature of the new technology then available could not be guessed. He stressed that the move was to have flexible mechanisms as opposed to legislation.
Mr du Preez said that this dealt with the power of the Regulator to grant exemptions.
Mr du Preez said that this dealt with the powers, duties and functions of the Regulator. The Regulator would have many functions such as an educative role, enforcement role and would also be responsible for PAIA.
Mr du Preez said that this clause dealt with the removal and appointment of staff in the Regulator’s office. Provision was made for the appointments of two members on a full time basis. The one member would be responsible for this Bill and the other for PAIA. Two additional members would be appointed on a part time basis. Clause 40(1)(g) provided for civil servants to be appointed, but this issue had to be discussed further by the full Committee.
Mr du Preez said that this clause dealt with the powers and duties of the Chairperson and the other members.
Mr du Preez said that this clause once again highlighted the balancing of rights.
Mr du Preez said that a member appointed by the Regulator would be under an obligation to disclose conflicts of interest.
Mr du Preez said that Parliament would determine the remuneration of the Regulator.
Mr du Preez said that this clause dealt with the appointment of staff members for the Regulator. There was a provision for the secondment of civil servants, but he pointed out again that this was a contentious issue amongst members of the Technical Committee. There was a proposed new option on page 37 under clause 6A. Clause 6A could be viewed as a “sunset clause” where the Regulator could be assisted by civil servants, for an initial period, in order for the Regulator to establish itself.
Ms Smuts asked how this had been set up in the Bill. She said that if the sunset clause would be adopted, then the other previous sub-sections could not remain as they were.
Mr du Preez said that if the option was accepted, then the provisions should remain as they were, but 6A would become (a) and sub-clause 7 would remain as it was. This was a technical issue.
Mr Jeffery said that his concern was about the practical difficulties, particularly in the establishment of the Regulator. It was quite possible that people should be seconded from government departments. It should be remembered that the Chief Financial Officer of the Department had been seconded to the NPA for a while now, so this had to be dealt with under secondment in general.
Ms Smuts said that the NPA had prosecutorial independence and not institutional independence. A Regulator had to be independent. It could not be assumed that people seconded from government would ensure that public bodies observed the conditions for the processing of information, and this was why it was so important that appointees should be independent. The “sunset” was a sort of compromise. The concession took into consideration the current economic climate, as well as the need to set up the Regulator.
Mr Swart added that it was very important also to bear in mind that the Regulator would be overseeing PAIA. The option of seconding persons from Chapter 9 Institutions was also worth considering. Those who had, in the past, dealt with PAIA, from the South African Human Rights Commission, might be perfectly eligible for assisting with the setting-up of the Regulator.
Mr du Preez said that this clause dealt with the powers of the Chief Executive Officer (CEO), who would be the head of the administration as well as the accounting officer.
Mr du Preez pointed out that this concerned the establishment of committees.
Mr du Preez said that the Enforcement Committee was a new addition in the Bill. It would be responsible for considering complaints. It would advise the Regulator on decision-making. A person who served on that Committee had to be a fit and proper person.
Mr du Preez said that the funds would be appropriated annually by Parliament.
This clause dealt with the protection of the Regulator.
The promotion of the Bill was stipulated here.
This clause dealt with the notification of processing of personal information.
Mr du Preez said that this clause dealt with specific particulars that had to be reflected when the Regulator was notified.
This provided for exemptions that the Regulator may grant. It was important to note clause 59(4).
This provided for the Regulator to keep an updated register.
This clause dealt with the failure to notify, which would become a criminal offence, and there were prescribed penalties.
Mr Jeffery said that the new EU Regulations proposed that there should no longer be a requirement for general notification. The Committee needed to consider whether there should be a requirement for notification.
Ms Smuts said that her starting position was that there should be a requirement for general notification, as influenced by the submission from MIH. However, there was then a shift in that point because there was a lot of abuse of information that had to be handled. The cost savings were enormous and she stressed that the Bill should not set out a lot of unnecessary regulatory burdens.
Dr Francis Cronje, Adjudicator, Wireless Application Service Providers’ Association (WASPA) and Internet Service Providers’ Association of South Africa (ISPA), said that the notification to the Regulator was important. It may not be ideal to do away with this, from a monetary perspective, and perhaps a middle approach could be to include this in PAIA manuals, as this was already a requirement.
Mr Jeffery said that this was precisely the point. Nobody looked at PAIA manuals. The SAHRC had said that if everybody submitted their manuals, it would be hugely over-burdened and not be able to store them. Clause 61 set out a criminal offence for failure to notify; the other crimes related to non-compliance with the Regulator’s decisions, following an investigation. The question was whether this would be too burdensome and onerous for the Regulator.
Dr Cronje clarified his position, saying that information had to be inserted in the PAIA manuals, so that the Regulator had access to it, rather than those manuals having to be submitted to the Regulator as a matter of course.
Ms Louw said that this issue was currently being dealt with either through licensing, registration or notification. There had been a move away from the strict rules of licensing and registration. Notification was not a pre-requisite for processing a data subject’s information, and it was also less intrusive. Article 28 of the EU Regulations related to the documentation that had to be kept at hand in case the Regulator requested it. It should be also noted that impact assessments had been introduced in the EU Regulations. There were now three steps, firstly documentation, then an impact assessment and finally the prior authorisation. There were also impact assessment provisions in the Bill.
Mr Heyink said that the Regulator should be enabled to do its job properly. At the end of the day people should be able to understand where their information was being processed.
Mr du Preez said that this clause required that a responsible party had to notify the Regulator if the processing was subject to prior authorisation.
Mr Jeffery wanted to debate the question of what was included in “processing”. It was widely defined, but processing of personal or household activity was excluded (and Dr M Oriani-Ambrosini (IFP) had asked that this exclusion be extended to non-governmental and non-commercial activity also). However, it could be argued that compiling a list of cellphone numbers amounted to “processing”, which required that the regulator be notified, and this, to his mind, was absurd. This could be tackled either by narrowing the net (which he did not support), or by excluding from the Bill the crime of failure to give prior notification to the Registrar. He was not sure if there was a sanction for not producing manuals in terms of the Promotion of Access to Information Act (PAIA). The regulator was not pro-active, and he was unconvinced that it was crucial for the Registrar to know who was processing information. He suggested that this point be flagged for future consideration.
Ms D Schäfer (DA) said that the reason was probably that it would help to know which bodies were processing information, in case it disappeared into other hands. In principle, however, the new bodies created should not have to check that there was compliance with laws.
The Chairperson said that if he asked for the cellphone numbers of all Committee Members, this would be in breach of the Bill as currently framed, if the regulator was not informed.
Mr Jeffery agreed that the reason this was included was probably to get an idea of what was going on, but the difficulty lay in the criminal sanction being attached. Even if Dr Oriani-Ambrosini’s request to exclude non-commercial organisations was accepted, these organisations still held databases, and there was no reason not to protect them. He did not agree with the restriction to non-governmental and non-household use.
Ms M Smuts (DA) also did not agree with this. She thought the Chairperson’s example might be covered by the phrase “in the course of personal activity”.
The Chairperson said that whilst this would apply to his social contacts, Members' numbers were directly linked to Parliamentary business, and reiterated that not only would Members’ consent be required, but the regulator would need to be notified.
Mr Henk du Preez, State Law Advisor, Department of Justice and Constitutional Development, said that the drafters had already considered a filtering mechanism, and had tried to identify the types of mechanisms most at risk, if notification was to be given. He agreed that the Chairperson’s example was a good one, and reminded Members that any employer with more than ten employees would also be “processing” personal information. He added that annual administration fees were connected with the notification, and that would have an effect.
Mr Jeffery pointed out that the fees were optional.
Ms Schäfer wondered if the reference to “information in the same organisation” might cover this adequately.
Ms Ananda Louw, Principal State Law Advisor, South African Law Reform Commission (SALRC), said that it was important to ensure that all responsible parties put their systems in place in advance. A reactive system would mean that separate actions would be taken in response to separate complaints.
Mr Jeffery said that it was not a question of cutting out the proactive approach but, as a matter of principle, it had to be considered whether it was desirable for thousands of people to have to notify the regulator.
Mr du Preez said that there was already a filtering mechanism, in clause 59(4). The South African Human Rights Commission (SAHRC) was faced with a similar problem, in that it received hundreds of manuals. He said that clauses 58(1)(a) to (f) were general provisions. However subclause (1)(e) mentioned trans-border flows, and if the regulator had not taken a decision on how this should be handled, in advance, it could negatively influence what was regarded as “adequate”. He was not opposed to taking the direction that the Committee suggested, but there would be some difficulties.
Mr Mark Heyink, Director, Information Governance Consulting, asked if there would be any merit in providing for voluntary notification. Worldwide, there was increasing awareness of processing of personal information, and although it might take time for the concept to take hold, people may, particularly if the regulator had done sufficient advocacy, be more interested in checking whether others, with whom they intended to do business, had given notification. Market forces might, in time, dictate that people would be unwilling to do business with others who did not have privacy policies to protect their information correctly. However, he agreed that it could be useful to have a filtering mechanism to allow for notification, and also provide that if people did process information, in contravention of the security requirements, without notifying the Registrar, this could be regarded as an aggravating factor when fixing penalties.
Mr Jeffery thought that this was something that could be considered. He asked that the drafters look at the options. One was to have filtering mechanisms for trans-border flows, and another was that commercial information also required prior notification, and criminal sanctions would apply if this was not done. He was still dubious about the benefit of prior notification. Nothing should stop the regulator putting systems in place and doing advocacy on the needs. He did not think the point could be taken further at this point, and suggested it be flagged.
Mr du Preez took Members through the following clauses, briefly pointing out the main features:
Chapter 7: Clause 65
Mr du Preez said that codes of conduct could be issued by the regulator. Clause 65(2) set out what must be incorporated, and clause 65(3) specified what bodies or activities could be covered, while subclause (4) set out what would be provided for. He noted that automated decision-making might be risky, and this was something else that might be added to the filtering mechanism. The regulator may review codes and there was also provision for expiry.
Mr du Preez explained that this clause set out how the regulator must issue a code of conduct; it was a procedural clause.
The Code must be published once issued, and the notice must state where it would be available for inspection. As long as the Code remained in force, copies must be on the regulator's website for inspection by the public. The Code would come into force 28 days after notification in the Gazette.
The Code must provide a procedure for dealing with complaints and an adjudicator would be appointed, responsible for resolving disputes that may arise.
This clause dealt with amendment to and revocation of the Code.
This clause gave the regulator the power to provide written guidelines to develop codes of conduct.
This stated that the regulator was required to have a register available for inspection of all approved codes of conduct.
This provided that the regulator, on own initiative, may review a code and consider the process for making and dealing with complaints. The regulator may also inspect or adjudicate, interview and adjudicate and appoint experts to review any provisions of the Code that, in the regulator’s opinion, required expert evaluation. The regulator must constantly monitor the application of the Codes, so the job did not end with the issuing of the Code.
This clause dealt with the effect of the failure to comply with the Code, and essentially this failure would be deemed as a breach of the conditions for lawful processing, and was dealt with under Chapter 10 of the Bill. The complainant could approach the regulator to lay a complaint, or institute civil proceedings.
Mr du Preez noted that Chapter 8 dealt with the rights of data subjects regarding unsolicited electronic communication.
Mr du Preez pointed out that processing of personal information by means of any form of electronic communication, including automatic calling machines, SMS or e-mail, was prohibited unless the data subject had given consent. This principle necessitated the inclusion of subclause (2), which stated that a responsible party who made use of unsolicited information may approach a data subject only once, for the purpose of obtaining his / her consent.
A definition of “automatic calling machine” was included in clause 74.
This clause dealt with directories, and it was noted that a data subject who was a subscriber must be informed, free of charge, about the purpose of the directory, and any further uses to which the directory may possibly be put. The other provisions were clear. There was a definition included for “subscriber”.
This clause dealt with automated decision making. Mr du Preez suggested that this was another issue that could be included in the filtering mechanism. The clause provided that the data subject may not be subject to a decision resulting in legal consequences, which was based on automated processing that was intended to provide a profile of such person. The automated processing procedures included information on performance at work, credit worthiness, reliability, location, health, personal preferences and conduct.
He pointed out, however, that in terms of subclause (2) this would not apply where the automated decision making was required for compliance with a contract, or where it was governed by a law or code in which measures were specified that were in the interest of data subjects, or for failure to provide core information around the requirements set out in subclause 2 (1)(ii).
This clause dealt with the transfer of personal information outside the Republic, and basically set out that it was not possible to transfer information unless there was, in the foreign country, a binding contract or corporate rule or agreement which provided an adequate level of protection, because it effectively upheld principles for reasonable processing similar to this section. Mr du Preez explained that what was contained in this clause was found in many other countries, in order to create “data havens”. In short, he said that personal information could be transferred to other countries that had similar regimes for protection of personal information. This would ensure that the personal information, whether it was in the first or transferred country, would be processed only in a certain way. This provision would make it easier, for example, for South African companies, to promote themselves in England, and would provide investors with the opportunity to invest in promotion companies, provided that they were also subject to these requirements. A practical example of this would be airlines that would have Advanced Passenger Processing in place, allowing the destination country to know who the passengers were, in advance, so that they could, if necessary, take steps to prevent undesirable travellers entering the country.
Ms Schäfer asked if the reverse requirements were already in place, so that a country transferring information to South Africa would have assurances.
Mr du Preez said this was already covered and it was not necessary to include it in this Bill.
Ms Schäfer said that South Africa could still become an information haven if a country that was not part of that directive transferred information to South Africa.
Mr du Preez said that this would happen, because even if the information was transferred free of restrictions by the transferring country, South Africa would be subject to the requirements of the Bill for use of that information and would still be required to process it in line with the Bill.
Mr Heyink commented that one of the motivations for the change in Europe, from having directives to regulations, was that some countries had incorporated data control legislation and privacy control, but were not policing and enforcing it to protect the information throughout Europe. Countries in Europe now had not only to put similar legislation in place, but also to ensure that they acted in accordance with it.
Mr du Preez reiterated that this was one of the ways to transfer information outside a country. However, he drew attention to subclause (e) which stated exceptions to when consent would be required, essentially if it was not practicable, or if the transfer was necessary for the performance of a contract. However, these exclusions also required either involvement on the part of the data subject, or that the transfer must be in the exclusive interest of the data subject.
A new subclause (2) had been inserted with terms that were in line with European Union (EU) regulations. There was a definition of “binding corporate rules” and “group of undertakings”. Mr du Preez explained that “binding corporate rules” would apply to multinational companies operating in the UK and South Africa, whose protection of personal information (PPI) policy might be formulated in England, but would apply also to any South African counterparts.
Mr du Preez indicated that this dealt with the consequences of interference with protection of personal information, breach of conditions, non-compliance with certain sections, and breaches of the provisions of a code of conduct issued under section 65.
This clause stated that any person could submit a complaint, in the prescribed manner and form, alleging interference. Subclause (2) said that it was also possible to submit a further complaint if the person was aggrieved by the determination of an adjudicator.
Mr du Preez said that this clause set out that the regulator would have to give the necessary assistance to a person to formulate a complaint.
Mr du Preez said that former clauses 73 and 74 were now combined in a new clause 81, which indicated what the regulator may do, or what processes would be followed in order to decide on a complaint. Clause 81(1)(a) set out that there may be pre-investigation, and the further subclauses set out that the regulator could act as conciliator, or take no action, or conduct a full investigation, or refer the complainant to the Enforcement Committee, for further action. Subclause (2) required the regulator to advise the complainant and responsible party on the course of action taken.
This was a straightforward clause, and it was one of the few provisions that still remained in its original form. It set out the circumstances when the regulator may decide to take no further action.
If the regulator received a complaint and realised that it fell within the jurisdiction of another regulator, and would be best dealt with by the latter, the complaint could be referred on.
This clause dealt with pre-investigating procedures, and set out that the complainant and responsible party, to whom the investigation related, must be informed of the details of the complaint, or the subject matter of the investigation, and the responsible party must be informed of the right to submit a written response.
This clause gave the regulator the power to settle complaints if s/he could do so. The clause was aimed at identifying those matters where it might be easy to reach a settlement, to prevent over-burdening the regulator.
Mr du Preez pointed out that the investigation procedures were similar to those in other legislation. The regulator may, in terms of this clause, summon and enforce appearance of persons and compel them to give oral or written evidence on oath, and produce any record that the regulator considered necessary. S/he may administer oaths, receive and accept evidence, enter and search premises, conduct a private interview with any person on the premises, or carry out inquiries in terms of section 87. He noted that other optional wording was given also, for this clause.
The requirements for issuing of warrants were set out in clause 87, and were self-explanatory.
Clauses 88 and 89
This clause set out the requirements for issuing a warrant, and execution of warrants was set out in clause 89. The wording used was fairly standard and similar to other legislation.
Mr Jeffery added that the Technical Committee had not changed anything.
Clauses 90 to 93
Clause 90 set out the matters exempt from search and seizure. Clause 91 said that the regulator may not seize anything that was subject to an exemption already granted. Mr du Preez indicated that professional legal advisor and client communication remained privileged. Clause 92 set out the manner in which a person may object to the search and seizure and clause 93 dealt with the requirements for warrants.
Mr du Preez indicated that this was a new provision, relating to the assessments. The regulator must check whether matters appeared to have been appropriately handled, unless the regulator had not been supplied with such information. The matters to which the regulator may pay regard would include the extent to which the complaint appeared to raise a matter of substance, any undue delay in making the required information available, and whether the person making the request was entitled to make an application in terms of section 23 or 24.
This clause set out the requirements of an information notice. The responsible party must furnish the regulator with a report indicating that the processes taking place were in compliance with the provisions of the Act. This was done if the regulator had received a request under clause 94, or required any information to determine whether the responsible party has interfered with personal information. The remainder of the provisions dealt with procedure, such as the right of appeal and periods to be complied with. In short, the regulator was empowered, when there was a suspicion that a person was not acting in compliance with the Bill, to issue a notice calling for hard evidence of compliance.
This clause required that parties be informed of the result of an assessment. Originally, the wording had been included under clause 95, but it was felt more appropriate to separate out the provisions dealing with the notification of the results.
This new clause set out that the regulator may refer a complaint to the Enforcement Committee, prescribing the procedure, the manner in which submissions should be made, the period within which a finding must be made, and the manner in which the Enforcement Committee may finalise urgent matters.
This clause set out that the parties must be advised continuously of developments during an investigation as well as the result.
Mr du Preez indicated that if the regulator was satisfied that the responsible party was interfering with the protection of the personal information, s/he would serve an enforcement notice. The regulator would then require the responsible party to take steps, within the time frame set out in that notice, or to stop processing the personal information specified in the notice, within the period specified. There was provision made for appeals.
This clause said that cancellation of an enforcement notice would occur if there was full compliance and interference with personal information was corrected.
This set out the right of appeal, and an option suggested by Dr Oriani-Ambrosini was included.
Mr du Preez said that this clause was self-explanatory, and dealt with consideration of the appeal.
Mr du Preez indicated that if there was any interference with personal information, a complainant could approach the regulator to resolve the matter, but could also, as he had indicated earlier, institute civil proceedings, as set out. Clause 102(2) set out the defences against an action for damages.
The Chairperson asked what “vis major” meant, and in response to Ms Smuts’ comment that it was the same as “force majeure”, said that it was still not clear.
Mr Jeffery indicated that there had been a long discussion on this, and he personally did not like the term “vis major”, but there was legal certainty about it, whereas there was no other plain language wording that expressed quite the same.
Mr du Preez quipped that he could write a thesis on this, but essentially “vis major” referred to an act of nature that was beyond the control of any individual, and that no individual could have prevented or for which he could be held responsible. In the insurance industry, it was referred to as “an act of God”.
Mr du Preez also wanted to point out that vis major was an absolute defence in common law, always available to a defendant, and he was not sure why the legislature wanted to include it in a statute.
Mr Landers responded that some judicial officers may need reference to it.
Ms Schäfer said that there was no absolute liability, and that was why the exclusions were listed.
Mr du Preez took the point, but asked if it was ever possible for the legislature to exclude the defence.
Mr S Swart (ACDP) felt that this was possible, if there was strict no-fault liability.
Mr du Preez continued that subclause (3) provided an indication for quantum. It also provided that the regulator could step into the shoes of and prosecute the claim on behalf of an aggrieved subject. There was a provision for reimbursement to the regulator for the expenses incurred on an aggrieved person’s account.
Mr Swart asked why there was provision for gazetting in subclause (9), as this would have a huge cost implication.
Mr Jeffery said that other people would also have lost their information.
Ms Schäfer said that people were unlikely to read the Gazette.
Members agreed that this issue be flagged for later discussion.
Mr du Preez pointed out that this chapter set out the offences and penalties. This included obstruction of the regulator, obstruction of the execution of a warrant, breach of confidentiality, failure to comply with enforcement of information notices, and offences by a witness. A new offence was contained in clause 108, for unlawful acts by the responsible party in connection with a “unique identifier” and unlawful acts by third parties in connection with a unique identifier were contained in clause 109.
Mr Jeffery pointed out that this referred to sale of bank account details that resulted in bank accounts being debited without knowledge of the owner. The sub-committee had been concerned to criminalise this conduct from the outset, rather than requiring that unlawful debiting be dealt with as a complaint to the regulator. This issue had been under debate for some time.
Mr du Preez also said that a definition of the “account number” was needed. He pointed out that the example given related to cash being debited, but equally there could be misuse of details that ran up credit, such as one person debiting another’s clothing store account. That was why clause 108(5) referred to joint numbers as well as single, and also referred to “a financial or other institution”.
Mr Swart asked, and received confirmation, that a “unique identifier” was defined, in clause 1.
Mr du Preez added that the term “account number” was defined in subclause 108(5), although the heading of the clause referred to “unique identifier”. He asked if the Committee preferred to use the words “account number”.
Members agreed that this was preferable as a “unique identifier” could also imply something related to a personal appearance.
Clauses 110 and 111
Mr du Preez had no comment, but the Chairperson quipped that clause 111, with only a few words, was very clear.
Mr du Preez explained that the wording of this clause matched the Firearms Control Act. In respect of all offences mentioned, the regulator could issue an administrative fine. The responsible person could either pay the fine, or opt not to pay the fine but be subject to possible prosecution. The regulator would, in the latter case, hand the matter over to the National Prosecuting Authority (NPA) for a decision on whether a prosecution would be instituted.
Mr Swart suggested that a person facing an administrative fine of R10 million would surely opt for prosecution.
Mr du Preez agreed. The maximum administrative penalty was R10 million, as set out in clause 111A(2)(c). However, clause 110 set out the penalties for imprisonment and fines, and an offence could carry a period of ten years imprisonment, with an equivalent fine of around R300 000. He would check up on these again, but he confirmed that the criminal penalties for fines were certainly far less than R10 million. Most legal advisors would probably advise a person who was even facing a fine of R1 million rather to refuse to pay. The NPA would still need to decide whether to institute a prosecution. He noted that there was a possible alternative, although he would still need to discuss it with the State Law Advisors. That was to leave the penalties as they were currently stated. A person prosecuted directly, and found guilty, would pay that fine. However, if a person was ordered to pay an administrative fine by the regulator, and opted to ignore that administrative fine, leading to a subsequent prosecution, the court should, if the person was found guilty, be permitted to impose a penalty of twice or three times more than the fine stated for a direct prosecution.
Mr Swart said that it would be necessary to look at how this was dealt with in the Firearms Control Act. Another benefit of an administrative fine was that it would not create a criminal record. He asked if the test, in both instances, was “beyond all reasonable doubt” and whether there were other considerations that would be taken into account when advising a client. He added that similar provisions applied in the South African Revenue Services legislation.
Mr Jeffery added that other examples could be found also in the traffic legislation where an offender often had the option of paying an admission of guilt fine or going to court. The decision would largely depend on the weight of evidence against the offender. He pointed out that it was far easier for the regulator to impose an administrative fine than to follow the court process.
Ms Smuts agreed that the idea was to shorten the procedure, but she wondered if it was not taking matters too far to say that the regulator may cause an infringement notice to be delivered (in subclause 1), and, failing further representations, an amount would be imposed (in subclause 5), without giving the responsible party the right to make any representations.
The Chairperson thought this was desirable to avoid too many delaying tactics being used. However, this point could be discussed further.
Mr du Preez said that the positioning of this clause would be further considered and he would report back.
Mr du Preez noted that Chapter 12 dealt with general provisions. Clause 113 dealt with the fees, and the fees to be paid in respect of the different categories.
Mr du Preez wanted to highlight the substantial changes that had been made to the power to make regulations, since the Bill was first introduced. The Minister would, in terms of the current draft, be limited to making regulations on the establishment of the regulator, and the fees. For everything else, there was a reference to “in the prescribed manner” or “prescribed form” and this was essentially what the regulator must prescribe, as set out in subclause (2)(a) to (m).
Mr du Preez stated that this set out the procedures for making regulations.
Mr du Preez said that this was the transitional provision. The processing that had already commenced must, within one year of the Bill becoming operational, be brought into compliance, and notification must be made to the regulator in terms of clause 17(1). That period of one year could be extended by the Minister either on initiative, or on request, in respect of different classes, but for a period no longer than three years.
Mr Heyink pointed out that there had been some difficulties in relation to clause 116. It had been interpreted to mean that if any processing took place prior to commencement of the Act, it had to be brought in line with the new framework, but anything being processed afterwards would immediately have to be in line. It was necessary to specify more clearly what would happen around the gathering of information.
The Chairperson took note of the comment.
Mr du Preez also noted this, and said he would check whether the SALRC had considered that issue.
Mr du Preez noted that this contained the short title and commencement details.
Mr du Preez noted the importance of the schedules, particularly the amendments that were to be made to PAIA.
At the outset, he stressed that the SAHRC would no longer act as “watchdog” over PAIA implementation. It was also necessary to ensure that the Bill and PAIA were aligned as far as personal information was concerned. Thirdly, a new system was being created, in terms of which a person aggrieved by a refusal to give information under PAIA would have a choice of channel for enforcement of rights. He informed Members that currently, when a public body was involved, an aggrieved requestor must firstly note an appeal to the relevant Minister of that public body, on a national level. Failing satisfaction through that channel, the requestor could approach the court for relief. When the request involved a private body, the requestor could approach the court directly. In the Bill, the regulator would play a similar role to the Minister, but the aggrieved requestor would have a choice of forum – and, when refused access by an information officer, could either approach the relevant authority and then the court, or could approach the regulator for appropriate relief, and, if still not satisfied, finally the court.
Mr du Preez said that this involved amendments to section 1 of PAIA. Although the existing definitions were already fairly close to those in the Bill, the drafters thought it appropriate to align them directly, and he pointed out that amendments appeared on pages 66 and 67 of the document. He also pointed out the new definition of “regulator” that was to be inserted into PAIA, but, rather than repeating the whole definition, this referred to the regulator as established by section 38 of the Bill.
A number of other consequential amendments were necessary as a result of the new approach, and these were set out in item 3. Item 4 was aimed at aligning the Bill and PAIA in regard to personal information. Further consequential amendments were listed from pages 68 to 72.
Item 13 of the schedule, on page 72 of the document, set out the new section 77A of PAIA, which stipulated the choice of forum as well as making provision for third parties. The new section 77B was a duplication of the provisions of the Bill. The new section 77C(1)(b) made reference to the Enforcement Committee, but, once again, the functions and establishment of that Committee were not repeated in PAIA. The new section 77D set out that the regulator may decide to take no action. The new section 77E set out the pre-investigation proceedings of the regulator, and the new section 77F provided for the settlement of complaints. The new section 77G would deal with the investigation proceedings of the regulator, whilst the new section 77H provided the regulator with the power to do assessments. Section 77I set out the requirements for the Information Notice. The new section 77J said that the regulator may make a recommendation notice.
Mr du Preez indicated that there was an option set out on page 77. The recommendation notice, on page 76, referred to the recommendation to the head of a public body that that body should have taken a different approach. However, there was also an option to have an enforcement notice, and if this option was selected, then non-compliance with the enforcement notice would lead to a criminal sanction, and this would be set out in a new section 77K.
Consequential amendments would also be needed to Chapter 2 of PAIA as a result of the choice of mechanisms, and these were set out on pages 78 and 79 of the document.
Items 14 and 15 of the Schedule were also consequential amendments, replacing the reference to the SAHRC with a reference to the information regulator.
Item 16 of the schedule proposed the repeal of section 78 of PAIA, which dealt with the correction of personal information, and which had led to the request, by Parliament, for this Bill.
Item 17 also contained an option, which might be covered by the option for the enforcement notice described earlier. Alternatively, if the Committee felt that this could be dealt with here, then the section 77K provisions would not be needed.
Amendments would also be needed to the Electronic Communications and Transactions Act, and these were set out on page 80. The amendments to the National Credit Act aimed to remove from that Act the provisions around processing of information, since this body was not expert in privacy of personal information.
Ms Smuts said that the option for the new section 77J of PAIA was excellent and she noted that the two options represented, variously, a suggestion from herself and one from Mr Jeffery.
Mr Jeffery said that the Committee would, in the third term, need to go through the Bill, clause by clause, to finalise outstanding issues.
Mr Jeffery noted his concerns that the Financial Services Board (FSB) had appealed to the Minister of Finance, who had then written to the Chairperson. The FSB had addressed the technical committee, and claimed to be acting also on behalf of the Financial Intelligence Centre, who had raised some concerns previously, which were taken on board. FIC had requested exclusion of activities that were linked with the investigation of unlawful activities and combating of terrorist-linked crimes, since the FIC clearly did not want to reveal what it was busy investigating. However, the FSB had gone further and contended that the Bill would negatively affect the ability of the financial sector to investigate matters, and share information freely with other financial regulators, including international regulators, and would hinder its compliance with international standards, its participation in G20 and regional and international commitments. Mr Jeffery thought that this was bizarre, given that the Bill matched other legislation. FSB conceded that other countries, mostly the developed countries, had data protection legislation but pointed out that this was not true of developing nations. Mr Jeffery pointed out that there was already a draft Code in the African Union, there was movement to establish an African continental protection regime, and about eight countries in Africa already had data protection in place. The Technical Committee had not been particularly impressed with the submission and felt that FSB must comply with the safeguards. He was not sure whether the FSB had engaged also with Mr du Preez, and he suggested that perhaps Mr du Preez could contact Mr Ismael Momoniat, Deputy Director General, National Treasury.
He added that the Special Investigating Unit (SIU) had also approached the Technical Committee, when encouraged to do so by Ms Smuts, but had not pursued its issues.
The Committee Secretary confirmed, on a request from Ms Schäfer, that copies of the submission by FSB would be circulated.
Mr du Preez asked for clarity on the date of the letter, and said that it was also necessary to bear in mind that there were pending amendments to the FSB’s own legislation. He had not had the opportunity to look at the final draft of those amendments, but it seemed that the FSB was trying to get an exemption from being bound by the Bill.
Ms Louw added that the Bill did not refer specifically to FSB, or any other institution; instead it referred to actions, such as public safety, and defence. The original draft from the SALRC had said that institutions would be exempt to the extent that they engaged in these activities, but any other actions not linked to this would not be exempt. No other institution, including the National Intelligence Agency, was excluded, and she did not believe it was correct for the FSB to be excluded. The proposed amendments to the FSB Act sought to make the FSB the overarching legislation, which would be very difficult if it was a responsible party under this Bill.
The Chairperson thought it was not possible for FSB to be excluded.
Mr du Preez said that he would request a meeting with the FSB, and Ms Smuts suggested that he may advise FSB that he was meeting with them on behalf of the Technical Committee.
The meeting was adjourned.