The drafters from the Department of Justice and Constitutional Development took the Committee through the Seventh Working Draft of the Protection of Personal Information Bill, highlighting new proposals, and various options for some clauses of the Bill. Members asked that the Long Title include a reference to the Promotion of Access to Information Act (PAIA). In relation to clause 1, the drafters highlighted the changes, and noted that there were still options to be debated in respect of the definition of “a child”, “consent”, “data bank”, “online tracking”, “processing”, “professional legal advisor”, and “restriction”. Proposals were included for “filing system” and certain of the definitions had either been moved to the clauses dealing with those words, or deleted where they were no longer necessary. There was discussion on the concept of identifier tracking, and the use of private networks that would block detection of some internet traffic, and the drafters would work on the possible inclusion of a new subparagraph. There was a debate over the wording of the option under clause 2, and the majority thought this option should no longer be included. In relation to clause 3, there was debate around cloud computing, where something might be publicised in South Africa, but the relevant information would be processed only outside South Africa, and it was agreed that the words "and the information is processed in the Republic" should be left out of clause 3(2), whilst the phrase "unless those means are situated only in the Republic and are used only to process personal information in the Republic" would be inserted into (ii). The order of clauses 4 and 5 would be switched around, and the cross-referencing in clause 4(1) would be amplified. Members agreed that to avoid confusion, the phrase "by or for a responsible party" should be deleted.
A Member asked why the drafting of these clauses was so different from other legislation and the Technical Committee explained that this was specifically done to provide a “roadmap” of the Bill, and to set out the links to other clauses. The drafters agreed to provide amended wording for clause 4(e), with two subclauses to deal with the position of new and existing clients. A re-draft would also be provided for the introductory sentences of clause 5(3). Members asked that the phrase “except if” be changed to “unless” in subclauses 5(3) and (4). The phrase “activities aimed at” was to be removed from clause 6(1)(c)(i). The drafters briefly described that interactions were ongoing to try to resolve conflicts between this Bill and the proposed Financial Services General Laws Amendment Bill, on which they would report in the following week. Clause 7 was now a separate clause dealing with exclusion for journalistic purposes, and there was an option also to be debated. It was summarised that the South African National Editors Forum had accepted a provision under which the media would be excluded, provided they were members of a professional body with a code of conduct close to the provisions contained in this Bill. An option appeared also for clause 8, whilst words had been added to specify when a responsible party must comply. Members debated whether there was a need to include the word “unnecessarily” as well as specifying “reasonable manner” and would reconsider if the word “unnecessarily” could be replaced with more suitable wording, or if the concept was captured in clause 10. Clause 11 (1) and (2) were put in context, and alternative wording for clause 11(3) would be proposed, since it currently followed wording used in New Zealand, which the EU Data Protection Working Party had suggested should be amended. 
The new wording would be closer to the EU Directives, so that a person would simply be able to request that his/her information not be processed for purposes of direct marketing, and have the right to object, free of charge. This led into a long debate as to whether it was necessary to state that the Bill was drafted to answer EU concerns, whether it was desirable to try to align to the EU position, and a suggestion from an IFP Member that it was incorrect that the Bill was needed to facilitate trade with Europe, as it was possible to regulate the position by contract, rather than adequacy ratings. Revised wording for clause 11(3) was proposed, and would be tabled formally in the next draft. Clause 13 now combined wording of the former clauses 12 and 13, and clause 14 set out when information could be retained, and had been brought in line with the draft EU Regulation. The drafters would ask Members to consider the wording in relation to consent for children, and would report back on points raised by Members. Clause 17(2) would be discussed when the drafters took the Committee through Chapter 6. Members agreed that it was desirable to restrict notification requirements, and a DA Member said that she would be making a recommendation to follow the PAIA principles, and to amend sections 14 and 51 of PAIA. The drafters indicated the differences between this Bill and PAIA, in relation to the right to make regulations. The content of clauses 18 to 22 was described, noting an option for subclause 21(3). The content of clauses 23 to 25 was also outlined.
Protection of Personal Information Bill: Seventh Working Draft: Deliberations
Mr Hendrik du Preez, State Law Advisor, Department of Justice and Constitutional Development, tabled the Seventh Working Draft of the Protection of Personal Information Bill (the Bill). He noted that the highlighted portions represented proposed amendments by the Technical Committee. The yellow highlights were included pursuant to the last meeting with the Technical Committee, whereas those marked in grey were amendments that had been presented earlier.
Mr J Jeffery (ANC) said that over the next couple of meetings, the Bill should be "cleaned up" to try to resolve as many of the options as possible, although he accepted that it may still be necessary to vote on some in the final processing.
Ms M Smuts (DA) noted that the final voting processes should take place after parties' caucuses. She too hoped that the wording of the Bill could be finalised in this week, and agreed with trying to limit the numbers of options.
Dr M Oriani-Ambrosini (IFP) agreed, but made the point that this Bill was complex and the full implications must be borne in mind. He asked if this Bill would cover logging-in processes and visitation of sites, as legitimately retained in Europe, except in Sweden. He wanted to check whether this Bill would follow a similar route.
Mr Jeffery thought that this would be addressed during the clause-by-clause deliberations.
Mr du Preez pointed out the replacement of three terms.
Mr Jeffery and Ms Smuts agreed that some reference to Promotion of Access to Information Act (PAIA) should not be included in the Long Title.
Mr du Preez noted that there were no amendments.
Mr du Preez said that Ms Smuts had questioned whether "the" should be inserted before the word "Parliament". As presently framed, this was a standard enactment clause used by this Portfolio Committee.
Ms Smuts said that she would withdraw the suggestion. Stylistically, she thought that it was preferable to refer to "the Parliament", although as a matter of branding, the term "Parliament" seemed to be used.
Mr Jeffery said that the Constitution referred to "Parliament" without the definite article.
Mr du Preez indicated that he would start to remove the highlights as the Committee discussed the clauses of the Bill. He indicated the replacement of the word "principle" with "Condition".
Clause 1: Definitions
Mr du Preez indicated some changes to the definition of "biometrics". That had been used to assist in defining "personal information".
There were options for the age of the child, being 18 years and 13 years. There was now also reference to the assistance of a competent person. Under the second option, there was a definition of "consent".
Mr Jeffery pointed out that the "consent" option also linked to the definition of a child, which was not an option proposed by Dr Oriani-Ambrosini. He was not sure why that option of "consent" would remain.
Dr Oriani-Ambrosini responded that one option related to the age of the child, and the other option was the failure to object as part of consent. He noted that this reflected the concept of "assent". Currently, in most internet or form options, a person was asked to tick certain pre-selected options. This would not apply exclusively to a child, but was collapsed as a subordinate option in respect of a child. The concept was that unless a person said no, s/he was assumed to have agreed.
The Chairperson drew an analogy to SMS notifications that required a person to SMS "Stop" if no further information was required.
Dr Oriani-Ambrosini said that the medical practice, and that in insurance companies, was that codes would be exchanged unless the person refused. He thought that the SMS as described by the Chairperson was a form of abuse, although he pondered whether, from a philosophical point of view, matters should be outlawed because of the possibility of "abuse".
Ms Smuts suggested that this be left until the final voting. International media had objected to the concept of "consent" and it was important to make it clear that "consent" was needed. Online practitioners had asked for this, so that spam would be sent only to own customers.
Mr du Preez pointed out that the definition of "automatic calling machine" was to be moved to the clause to which it applied.
Mr du Preez noted the option for a "data bank".
He pointed to minor clarifications on the term "de-identify" and technical corrections to "electronic communication".
Mr du Preez pointed out that the proposals for "filing system" were now included, following the last discussions of the technical committee, and words were to be inserted following the definition in the draft European Union (EU) regulations and African Union (AU) Convention.
The definition of "head" was to be deleted, as there was no reference to this in the Bill. The same applied to the definition of "information term" which was included only in clauses 95 and 96.
There were technical amendments to "information officer".
The definitions of "parent" and "parental consent" were to be omitted, in view of the definitions of "child" and "competent person".
There were options for "personal information" and the definition for that was in line with the draft European Union (EU) definition, and there was also clarification in that of "online identifier". This was an open definition, and the courts would interpret other matters as included.
Mr Jeffery asked if the inclusion of the words "online identifier" took care of Dr Oriani-Ambrosini's concerns of identifier tracking.
Dr Oriani-Ambrosini thought that this did go some way to address his concerns. He was not sure whether this related also to logging-in times. He thought that perhaps it should be expanded, to address all relevant issues.
Mr Jeffery noted that the option at the top of page 11 dealt with personal information but did not mention the "online identifier". The EU regulation referred to "online identifier" and he sought clarity on what exactly Dr Oriani-Ambrosini wanted in respect of tracking. He thought that his concerns were not covered under the definition of "personal information". On the other hand, the EU directive should surely be quite well-developed, and he asked if Dr Oriani-Ambrosini would agree to the deletion of his option.
Dr Oriani-Ambrosini thought that the language before the Committee did not address the issues, because the words "online identifier" covered merely the name or address, and not what was actually done on the internet. The term "location information", he thought, was the address only. His proposal on page 9 could include a reference to "including but not limited to use of the internet sites visited, login times and patterns" and other matters of that nature. If his option for "consumer purchasing preferences" on page 9 was not accepted, this could still be inserted as a sub-paragraph (i), making reference to website activity, login times, website traffic and sites visited.
Mr Mark Heyink, Director, Information Governance Consulting, described developments in Europe, which had arisen as a result of geographical location using technology and cookies. A cookie was not only an identifier, but could be used for behaviours and patterns. Over the last couple of years, the regulators in Europe were providing guidelines and were dealing with issues as they developed, to cover the specifics. It was generally accepted that that technology could be used for legitimate purposes. He understood Dr Oriani-Ambrosini's points, but said that it should be recognised that if the Regulator was to deal with this in a flexible way, it should not be hampered by trying to define matters that might be relevant now but would not be, in the future. He suggested that it would be advisable to try to follow the wording in the EU as far as possible. Part of the development was to allow sufficient stability in the use or processing of personal information, but to allow flexibility enough to deal with something that may not be contemplated now. In practice, law was being made continuously.
Ms D Schäfer (DA) thought that it was important to include "personal information patterns".
Mr Jeffery thought this was already covered under subparagraph (b).
Dr Oriani-Ambrosini pointed out that the Committee was going to great lengths to define other matters, but this lay at the heart of the problem. He explained that there was a cookie that identified first use as taking place in South Africa. Most cookies merely produced a setting that could be changed. However, other cookies sent information back, and that was stored by the receiver, and that was of concern.
Ms Ayanda Louw, Legal Advisor, South African Law Reform Commission, said that there was reference to "any information" linked to a data subject, and the definitions were linked together. The starting point had been to try to harmonise definitions with PAIA and other regulations. Almost anything would be included, but it was necessary to try to specify as far as possible.
Dr Oriani-Ambrosini said that private networks existed, which were legal in Sweden and Switzerland. People could connect to those and then move anywhere else without that traffic being detected by their own internet service provider. There were attempts to extend this, but when tested, they had not worked in Europe. He suggested that if concerns were to be addressed, they must be mentioned explicitly.
Mr du Preez proposed that then anything linked to a person's identity should be used. He agreed that the use of the internet could be inserted as a new subparagraph (i), but said that the drafters would have to check how the wording could be fitted in. There was no absolute prohibition on lawful processing and storing information.
Ms Smuts asked if Dr Oriani-Ambrosini would be amenable to an option restricted to purchasing preferences or patterns, in a new (i), and then drop his option that referred to the concept of blocked information and data banks, which she did not think was advisable.
Mr Jeffery noted the EU's move to the word "restriction" instead of "blocking". He thought the issue was consumer purchasing preferences or patterns. He was of the view that the site being visited was covered by "online identifier", as the IP address and cookie would serve to track the user. The log-on was linked to location information. He did not understand the provisos around consumer patterns - including the fact that private bodies were excluded. However, this was not merely to do with consumer or purchasing preferences. For instance, personal questions could be asked by programmes (such as SAA's Voyager programme), which were not linked to purchasing. If this clause was to be widened to include consumer patterns, then much more may need to be covered. He suggested that the drafters come up with wording for further debate by the Committee.
Ms Smuts said that the real problem was Facebook and its poor privacy settings. It was not for this Committee to discuss the phenomena, but to define the problem and write the principles. The Regulator would be seized with the matters as the matter moved on, and would have the power to make subordinate legislation to deal with developments.
Ms Louw referred the Committee to (e), under "consumer", which already included any preferences.
Mr Jeffery said that perhaps the options of Dr Oriani-Ambrosini should remain. However, he asked again that the drafters give more consideration to this, and if "preferences" was not adequate, then other wording could be suggested.
Mr du Preez moved on, indicating that the definition for "prior investigation" had been removed, as this term was now only used in Chapter 6.
An option was included for the definition of "processing" as set out in page 10.
The definition of "professional legal advisor" was included, with an option.
The definition of "public communications network" had become redundant and should be deleted, in view of the definition of "electronic communication".
Mr Jeffery asked if it would not be more appropriate simply to refer to PAIA, if the definitions were linked, to ensure that the terms were consistent. Whilst it was desirable for the user to be able to access everything from this Bill, there might be concerns in the future if one definition was amended without corresponding definitions also being amended.
Mr du Preez said that it was possible to do this for the definition of "private body" and "public body", but it was not possible to do so with the definition of "personal information".
Mr Jeffery accepted this, and withdrew his suggestion.
Mr du Preez indicated the consequential amendments to the re-naming of the Regulator.
The definition of "subscriber" had been inserted in clause 75, so it was not necessary to include the definition in Clause 1.
There was an option for the definition of "restriction" which made reference to what was meant by "blocked".
Mr du Preez indicated that there were now consequential amendments, and pointed to the option for subclause (e).
Mr Jeffery asked why "liberty" was used in the option, as the South African law tended to speak of "freedom".
Ms Smuts referred to the option, and said that whilst the language in the rest of the Bill referred to matters in the positive sense, this option was phrased in a negative way, and, from a stylistic viewpoint, the purpose of the Bill should not be "not to infringe…" There was a general authorisation in clause 27(b), concerning special information, that provided a background to everything else, and she suggested that there was little purpose in repeating this in various places.
Dr Oriani-Ambrosini responded that clause 2 set out the parameters for interpretation of what the Bill tried to do, and tried not to do. It was legitimate for the purpose to be worded both in the affirmative and in the negative. Clause 27(b) contained an exception to a specific prohibition on processing information, and this contemplated the establishment of a right in law, which was not as wide as this, and did not give the interpretative guidelines as set out in clause 2. He thought that there was no harm in retaining both. He also agreed that the word "freedom" could be substituted for "liberty".
Ms Schäfer said that it should not be necessary to state that the law should not infringe upon the Constitution.
Dr Oriani-Ambrosini thought that "infringe" might attract concern, but the same would not apply to "detract from". This clarified that this Bill was not purporting to detract from any rights. It would assist interpretation to state that the intention was not to limit rights.
Ms Smuts maintained that this was already covered by clause 2(1)(a).
Mr S Holomisa (ANC) noted that it was also covered in the Preamble, which stated that "the State must respect, promote and fulfil the rights", and he thought it was not necessary to repeat this, and agreed that there were problems if this was couched in the negative.
The majority of Members suggested that this option not be retained.
Mr du Preez said that the drafters had picked up some issues that they wished to bring to the Committee's attention. The first was in clause 3. He pointed out the heading change to "Application and interpretation of the Act". Clause 3(1) set out the jurisdiction, and he read through the wording of (a) and (b). That was in line with other jurisdictions, but there was some concern about 3(2)(b)(i). He explained what the wording of subclauses (2) to (4) contained.
Ms Louw gave some background to subclause (2), and explained that this issue had arisen after the last meeting of the technical committee. The concern related to cloud computing. The Bill as originally submitted contained the words only "as domiciled in the Republic" but, after discussion, the Committee had included the words "and the information is processed in the Republic". However, there could be instances where a Head Office outside RSA could make use of other people, for instance, to advertise posts. Although applicants could apply for a job in South Africa, the vetting would be done in another country, so the information would never be "processed" in South Africa, and if the Bill was not applicable to the responsible party, then this would not assist. The drafters suggested that perhaps the words "and the information is processed in the Republic" should be left out.
Mr Francis Cronje, Founder, Franciscronje.com, explained that data subjects would have their details captured in the overseas platform, and these details would stay there. In the USA, several states had protection of personal information but this was not a federal law.
Mr Jeffery could not recall why there was a decision to change the wording initially, but in view of the submissions now made, it made sense not to limit the domicile. He wondered if the location of the processing should be an additional condition. If a foreign employment agency were to recruit in South Africa, via a representative who was not domiciled in South Africa, but collected information from applicants, that would not be covered in the Bill as it stood at the moment.
Dr Oriani-Ambrosini said that the advantage of the Bill was that everything was covered, but the problem related to when enforcement would occur. The Regulator would probably issue an enforcement notice if somebody were to complain.
Mr Cronje agreed that what Mr Jeffery had set out would not be covered under (b)(ii).
Mr Jeffery thought the question was what the effect would be. He agreed that the Bill was reactive, and complaints to the Regulator took time. He pondered if the suggestion that the processing should take place in the Republic might be incapable of being implemented.
Dr Oriani-Ambrosini thought that the notion of processing was captured by "automated or not automated". The collection of information brought matters into the scope of the application of the Bill. He did not think there was a danger of issues not being covered.
Ms Louw agreed that the situation Mr Jeffery had outlined was probably covered by (b)(ii). She took the point that it would be difficult to enforce but suggested that it made sense to keep the Bill as wide as possible.
Mr Cronje thought that the word "situated" could cause confusion, and suggested that another word be found - such as "conducted" or "processing".
Mr du Preez suggested the deletion, from (b)(ii), of the words "that are situated in the Republic", and the addition of "unless those means are situated only in the Republic and are used only to forward personal information through the Republic".
Mr Sisa Makabeni, State Law Advisor, Office of the Chief State Law Advisor, thought that there was a problem, because this clause was trying to deal with two situations; one where the responsible person was domiciled in the Republic, and the other where the person was not domiciled, but was making use of those means. The latter would in any event be covered.
Mr Cronje suggested that the words "to process personal information in the Republic" could be used in (ii).
Clauses 4 and 5
Mr du Preez pointed out that it may be more appropriate to switch the two clauses around, and begin with the clause dealing with lawful processing of personal information, and then to list the rights of data subjects as clause 5. He reminded the Committee that on 19 June, the drafters had indicated that these provisions aimed to explain how conditions for lawful processing of information worked, and the rights of data subjects in terms of the Bill.
In respect of clause 4(a), he noted that the reference to section 11 was to be amended, by referring to 11(3). He also asked that clause 11(e) be flagged, as discussions later may have an impact on it.
Mr Holomisa thought that the purpose of clause 4 was to give rights to the responsible party. The rights set out in (a) to (h) seemed to be rights of the data subject. The processing of personal information seemed to relate more to the responsible party.
Ms Smuts said that the data subject's right to have information processed was a right to have this done in accordance with the conditions. She agreed that perhaps better wording needed to be found, and she suggested that the words "by or for a responsible party" should be deleted.
Mr Holomisa agreed that this would clarify the position.
Mr du Preez said that there were two primary parties; the responsible party could be held responsible for not processing the information correctly, and the data subject's rights were stipulated in line with those of the responsible party. The deletion of those words "by or for a responsible party" would not assist the meaning. It was important to highlight both important players in the clause, as well as the processing by the responsible party. He respectfully proposed that the words remain. He thought that the answer lay in the fact that the Bill set out the right to have information processed in accordance with the conditions for lawful processing.
Mr Jeffery said that these two clauses were not setting out anything new. Clause 4 was inserted so that the public could see what the rights were, and the idea was that this should be easy to read. It would make the wording less complicated to remove the words. Although he suggested that perhaps the issue of "by or for a responsible party" should be flagged for further discussion, Members shortly afterwards agreed that these words be removed. The drafters, if they felt particularly strongly about the issue, could raise it again.
Mr Jeffery agreed that clause 5 was the "roadmap" or explanation to the Bill and he agreed with the switching of the order of the two clauses.
Dr Oriani-Ambrosini wanted to raise an issue that would also come to the fore later. Rights of data subjects included the rights to object in terms of clause 11. That clause said that one of the grounds on which a person could object was that the processing was not necessary to carry out performance of a contract to which the data subject was a party. He gave the example that hotels would not provide a room unless the guest provided a home address and phone number. He thought it was important to have a declaration of a right to privacy, which was a consumer right. He would raise this issue again under clause 10.
Mr Jeffery raised a point under clause 4(e). The right was essentially the right not to be subject to direct marketing without consent. Instead of waiting for a person to refuse - which was the current system of SMSes that required a person to SMS the word "stop" (without knowing the costs or other implications) - the new system would be that a person would actually have to agree. The right was not the right of refusal, but the right not to be subject to unsolicited information. He was not sure whether 4(e) reflected what was in clause 74.
Mr du Preez agreed, and said that the drafters would propose an amendment, which would be along the lines of "to: - (i) on request by a responsible party, consent to the processing of personal information…" and then to make reference to the existing client position in a new (ii).
Mr Jeffery thought that the principle was that the right of the data subject was not to be subject to direct marketing, without express consent.
Ms Louw agreed, but stressed that there were two issues around direct marketing. The decision of the Committee would impact on (e).
Members noted that a draft amendment to (e) would be drawn by the drafters.
Mr du Preez noted that clause 5(3) referred to the processing of "special personal information". That wording was used only in the heading to that Chapter, and he proposed that these words be omitted, and a re-draft of the introductory words would be provided. The meaning would be the same.
Mr Jeffery wondered if the term "special personal information" should be defined as information referred to in clause 26.
The Chairperson asked why the term "except if" was used, in subclauses (3) and (4), suggesting that the word "unless" was more appropriate.
The drafters agreed to look at both suggestions.
During the afternoon session, Mr Holomisa questioned the inclusion of clause 5, pointing out that it essentially was a list of matters, that did not seem to differ much from the index, and asked why the decision had been taken to use this very different type of drafting.
Ms Smuts said that this Bill was a very unusual and different kind of legislation. She had suggested, in the Technical Committee, that the rights of data subjects or consumers should be stated up front, to clarify what the legislation was about, and to summarise the rights in one clause, as the original draft "dispersed" the rights across the whole Bill. Clauses 4 and 5 essentially set out a "roadmap".
Mr Jeffery confirmed that this guideline, as set out in clause 5, was inserted at the request of the Technical Committee. The clauses could be deleted without affecting the rest of the Bill, but were inserted to aid its understanding.
Dr Oriani-Ambrosini disagreed that clause 4 could be deleted. Mr Holomisa had essentially asked why clause 5 was setting out what amounted to an index. Originally, principles had been set out to guide the Regulator. Not only had the word "principles" been changed to "conditions", but the conditions now were a parameter of legality. The processing of information, other than in accordance with this Bill, would be unlawful. However, there would not be any criminal liability unless the Regulator had demanded that this conduct stopped, and the person failed to do so. Originally there was a list of principles, which were not legally binding, but the conditions were now stated as legal provisions, using the term "must", and specifying what would happen in the event of failure to comply.
Mr Holomisa pointed out that the mention of "accountability, as set out in section 8" really added very little. He was not entirely in agreement with the Technical Committee.
Mr Jeffery added that prior to clause 5 being inserted, there was confusion around the conditions, and how they fitted in. Another intention of clause 5 was to put Chapter 3 in context.
Mr du Preez added that subclauses (2) to (6) further intended to explain what the possible impact of the following provisions would be on the conditions. There was also an attempt to explain how "special personal information" would be processed, and that, for instance, a person had to comply with sections 26 to 33, but this also had to be done subject to general conditions. The clause summarised how the various components of the Bill impacted on each other. The subclauses set out the conditions that would apply for, for instance, children, or personal information, and the difference between direct marketing and direct marketing by means of electronic communication. He said that in its original wording, it was quite difficult to understand how the various provisions and parts fitted together.
Ms Louw agreed that the Bill was quite technical and difficult to understand. There was another example of this kind of drafting in the UK's Data Protection Act, section 4, which set out data protection principles in a schedule, and stated how they were to be interpreted, and so forth.
Mr Holomisa said that he would accept this.
Mr du Preez suggested the omission of the phrase "activities aimed at" from clause 6(1)(c)(i).
Mr Jeffery said that the Financial Services Board's (FSB) concerns related to these issues. He asked if Mr du Preez could give a report back on the interactions with National Treasury and the FSB.
Mr du Preez noted that there were two concerns. A new Financial Services General Laws Amendment Bill (the FS Bill) was being drafted. The one concern was the FS Bill would have removed the FSB from the jurisdiction of the Information Regulator. However, this had been highlighted during his meeting with the drafters of the FS Bill, and that was now likely to be amended, and copies would be provided to the Committee. Final feedback could be given to the Committee in the following week.
Ms Smuts asked if the new FS Bill was likely to affect anything other than the "proceeds of unlawful activities".
Mr du Preez said that it might.
The Chairperson asked the drafters to make it clear that this Bill had been ongoing since 2009, and the finalisation was quite urgent.
Ms Louw said that draft suggestions would be provided during this week.
Mr Jeffery asked what the FSB's requests in relation to exemption covered.
Mr du Preez said that the issues had not changed since the Technical Committee meeting discussing this in October 2011. The FSB now accepted that it would not be able to be excluded from operation of the legislation, but had made reference to several clauses of the Bill, including clauses 11, 12(2), 15 and 18. The main concern was the processing of criminal information. However, since he was still in the middle of the discussions with the FS Bill drafters, he felt a little uncomfortable with trying to speak on behalf of the FSB.
Ms Louw clarified that the gist of the suggestions went to the exceptions, and many of them were not that problematic, yet clarification was needed. The FS Bill was more problematic, as it affected the position of the Regulator, since, as the FS Bill was currently drafted, the Information Regulator (like other regulators, such as those of the Pension Fund, Competition Commission and similar bodies) would have to get permission from the Financial Services Regulator and act in conjunction with the latter. That clause had been highlighted as problematic, and the drafters of the FS Bill were looking at amending it.
Ms Smuts said that this process should continue.
Mr Jeffery noted that all the Technical Committee members had agreed that there was no need for the FSB's concerns to be accommodated in this Bill. He agreed that it was necessary to convey the deadline for this Bill to drafters of the FS Bill, and emphasise the urgency of the matter.
Mr du Preez continued that subclause (d) dealt with a new exclusion, solely for the purpose of literary or artistic expression. There were two options, as set out on page 14. The deletion of "a Municipal Council of a municipality" would make this align with PAIA.
Subclause 6(2) was a definition to clarify what was meant by "terrorist and related activities".
Clause 7 was now a separate exclusion dealing with journalistic purposes. In the event that a dispute might arise as to whether adequate safeguards were provided for, there was a list of issues in subparagraphs (a) to (e). This primarily emphasised the need to balance protection of personal information with the need to provide that information where necessary to give effect to matters such as contracts. An option was proposed for clause 7, set out on page 15.
Ms Smuts summarised the views of the South African National Editors Forum (SANEF) that they accepted and wanted a provision under which the media would be excluded, provided they were members of a professional body with a code of conduct close to the provisions contained in this Bill.
Ms Louw confirmed this, and said that this was included in the wording of clause 7.
Ms Louw outlined that Chapter 3 contained all lawful conditions for the processing of personal information.
Mr du Preez indicated an option for the heading of clause 8, and then pointed to consequential amendments, and the addition of words to indicate when the responsible party must comply.
Mr du Preez noted that personal information must be processed in a reasonable manner, and drew the Committee's attention to footnote 32. He noted the option on page 16.
Mr Holomisa questioned the use of the word "unnecessarily". He thought that if there was a reasonable action, then it did not add anything to include "unnecessarily".
Ms Smuts said that the Technical Committee had been concerned with not restricting the commercial information.
Mr Jeffery said that a "reasonable manner" related to how the information was processed. The word "unnecessarily" related to the infringement. There were thus two concepts, and he did not think that there was any tautology.
Ms Schäfer agreed that there were two concepts, but thought that the word "unnecessarily" was too broad. She suggested that "subject to the provisions of this Act" could be used instead.
Mr Jeffery pointed out that processing of information took place all the time and could include such matters as entering a name into a diary, or writing an e-mail address.
Dr Oriani-Ambrosini said that there was a lot of unlawful conduct ongoing, but it would not be criminalised unless the Regulator said so.
The Chairperson noted that there was not agreement on this issue.
Dr Oriani-Ambrosini suggested that "necessity" had to be tied to something, as had been done in clause 10.
Mr Cronje gave his opinion that "unnecessarily" was not relevant in clause 9, as it was captured in clause 10, which gave a better indication.
Members said that they would think about this suggestion.
Mr du Preez pointed out additional provisions in subclause (2), following the wording of the draft EU Regulation, in regard to who bore the burden of proof. In relation to clause 11(2)(b) he suggested that the phrase "or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected" must be inserted after the words "before such withdrawal". He explained that there were six alternatives set out in clause 11(1), but clause 11(2) was only concerned with the consent of the data subject, and provided that the responsible party bore the responsibility of proving the data subject's consent. However, if the consent was withdrawn, the lawfulness of processing prior to withdrawal of that consent should not be affected, and processing under 11(1)(b) to (f) should also not be affected.
Mr du Preez also noted that alternative wording would be proposed for subclause 11(3).
Ms Louw expanded on the reasons for this. This Bill was based on a combination of the New Zealand and Netherlands legislation wording. The Data Protection Working Party had recently evaluated the New Zealand legislation and had given a certification that it was adequate, although there were two points on which some criticism was expressed: direct marketing and cross-border transfers. The South African Bill treated cross-border transfers in a different way. However, the wording of clause 11(3) of the Bill, in relation to the opting out from direct marketing, was the same as the New Zealand Bill (although New Zealand dealt with electronic marketing in a separate piece of legislation), and there was a requirement of reasonableness, and “unless the legislation provided for such processing”. Article 14 of the EU Directive, on the other hand, allowed for two instances when the data subject may raise objections to direct marketing, and that wording conferred stronger rights, because it did not have the limitations of reasonableness and current legislation. A person would simply be able to request that his/her information not be processed for purposes of direct marketing, and have the right to object, free of charge. The drafters therefore proposed that clause 11(3) be brought in line with the EU Directive, rather than the New Zealand legislation, as the latter was likely to change.
The Chairperson asked who determined the adequacy rating, and on receiving confirmation from Ms Louw that it was the EU, he noted that there was nothing in the long title or the objectives referring to the EU Directives, so a reader of the Bill was not being apprised of the fact that European rules were being applied.
Ms Smuts said that this Bill was giving effect to the Constitution.
The Chairperson said that this was not enough; there should also be reference to the outside people deciding on this.
Ms Louw clarified that this Bill was not in fact a direct “copy” of the EU Directives, but comprised a combination of wording in line with various provisions. Protection of personal information was not a national, but a global, problem, because the technological revolution had allowed for information to be sent around the world in seconds. Although the right to privacy was contained in the South African Constitution, which was seen by other countries as an advantage, it was in fact the international position that had to be addressed in this Bill. It was not so much a case that South Africa was being “dictated to” by the EU, as to recognise that in order for the free flow of information to be unimpeded, it was necessary to harmonise legislation.
She added that the EU Convention was drawn, as a human rights instrument, covering the right to privacy. The Organisation for Economic Cooperation and Development (OECD), an economic conglomeration, simultaneously came up with principles around protection of personal information, but related to trade aspects of the flow of information. The current Bill was not in fact a mirror image of the EU position, as the eight principles came from the OECD, whilst those on sensitive information mirrored the EU. The main reason why the EU Directive was important was that the EU had stipulated that nobody in the EU could send personal information of EU citizens to countries that lacked an adequacy rating, and a second country to whom that information was sent could not send through the information to a third country if it did not have an adequacy rating. The USA had been unhappy that the EU was trying to rule the position, and had compiled its own safe harbour principles, although in February a new data protection framework was issued. It was recognised there that it was useful if data protection principles in the world were harmonised. There was also the AU/Pacific Framework, and all countries were buying into the concept of protection of personal information, so she disputed that this could be described as an EU issue.
The Chairperson said that it must be remembered that the adequacy rating was still determined by the EU.
Ms C Pilane-Majake (ANC) was concerned that various blocs were coming up with their own legislation. There was no United Nations treaty as yet, and that would have served as a useful protocol.
Ms Louw said that there was a UN Protocol and Guidelines and the Directive applied in relation to EU citizens, although it must be recognised that it would be impossible for South Africa to trade with EU countries if the information was not allowed to be sent to South Africa. The huge impact of the Directive on the rest of the world had encouraged other countries to introduce similar principles.
Dr Oriani-Ambrosini noted that these initiatives started in Europe in 1981. The EU was South Africa's largest trading partner, yet the lack of legislation in South Africa had not prevented trade to date. Since there was no federal American law, that country followed a consumer-based approach, and companies would issue privacy policies and be sued for damages if they did not comply. He did not agree with legislating “under the threat” of the EU. The implementation of this Bill would be an expensive exercise, and he wondered if South Africa had the skills to implement it.
Mr Jeffery clarified that although this was a law for South Africa, dealing with standards and processes for protection of personal information, it must be recognised that at the same time other economic blocs were looking at systems within which the exchange of information would take place. One of the initial reasons given for this Bill was to have legislation in place, prior to the World Cup, to allow for sending of airline passenger lists, although that had been overcome in other ways. If countries set up minimum standards around protection of personal information, this would facilitate exchange of information, and that was likely to be the way in which the AU would move to try to standardise data protection. The purpose of the Act was set out in 2(1)(b) on page 11. There were two options: the first to draw the Bill for South Africa only, and the second to try also to achieve international conformity, to ensure that flow of information took place more readily.
Mr Heyink said that privacy legislation around the world was a first response, in most jurisdictions, to the abuses that had resulted from the information revolution. In South Africa, the Electronic Communications and Transactions Act had been drawn, although it was not addressing the current abuses. He agreed that whilst it would be possible to draw legislation for South Africa only, this was a narrow view and might disqualify South Africa from recognition internationally. However, even if the narrow approach were to be followed, the conditions for processing would be very close to the current wording of the Bill. America had had a lot of privacy legislation at sectorial level, but there was now a proposal for federal law, supported by the Federal Trade Commission. South Africa was not “on a frolic of its own”. Section 233 of the Constitution, endorsed by the Constitutional Court, required South Africa to have regard to developments of international law. The Companies Act had been underpinned by King III, and that said that non-binding principles, such as ISA standards, should also be taken into account, and those standards had themselves derived from privacy legislation in Europe. He urged that instead of the EU being seen as attempting to “rule” other countries, there should be recognition that South Africa should take full cognisance of what was happening in the information society.
Ms Smuts reminded Members that the trigger for the drafting of the Bill was the request by Parliament in 2000 to the Law Commission (as it was then named) to draft a privacy statute. The report set out all reasons why the legislation was needed. Abuses of private information were rife in South Africa, particularly financial information. In relation to trade and international laws, if other countries or blocs created rules, which were largely similar, it made perfect sense for South Africa to comply.
Ms Pilane-Majake thought that these points could be inserted in the Preamble, as well as the fact that South Africa also needed this law to protect its own citizens. It was important that countries agree how to share information, and South Africa’s legislation should take international relations into account.
Mr Cronje urged that it was important for South Africa to conform with adequacy requirements in order to promote businesses, such as call centres, in South Africa, which was a prime possible destination because of the close time-zones and fluency in English. It must also be recognised that the EU Adequacy List had nothing to do with South Africa's own data subjects and citizens.
Dr Oriani-Ambrosini said that this was an important debate. South Africa was currently trading with Europe because adequacy requirements were able to be fulfilled through contractual arrangements, as well as in legislation. No public submissions had suggested that this Bill would allow South Africa to do business with Europe. The sectorial approach was also relevant and this concerned the application of the Act. Extended European regulation existed, where there was need for it. This Bill contained general provisions and noted that the Regulator would enforce Codes on specific sectors. Dr Oriani-Ambrosini had earlier proposed that the Bill should only be applicable to situations where the Codes applied. This Bill would make it more difficult for people to steal information, but it was not the response to those crimes or abuse. The Bill sought to regulate use, not merely to outlaw abuse of personal information.
Mr du Preez agreed that if South Africa did not have an adequacy rating, then outside companies would insist upon model contracts. However, the difficulty with this was that these types of contracts invariably required that the responsible party agree to jurisdiction of a foreign court, and that implied major costs in defending any abuses. If South Africa could get an adequacy rating, through this legislation, such contracts would be unnecessary.
Dr Oriani-Ambrosini argued that whether or not an adequacy rating was applied, contracts may still be used, and different options around jurisdiction could be negotiated.
Mr Jeffery said that these points should really have been covered earlier, and he pointed out that the Technical Committee had been dealing with this Bill for months. He did not agree with Dr Oriani-Ambrosini that extreme freedoms should be allowed, or that there was no reason to have the Bill. He reiterated that this Bill had been drawn following a request from Parliament in 2001, and in addition South Africa had a clear interest in conforming with international standards, which were changing all the time. The Directives of the EU were now being tightened into Regulations. South Africa could say that it did not wish to be beholden to Europe, but it must be borne in mind that Europe insisted that, at certain levels, in order to engage in trade, protection must be given. Even if South Africa took this view, he agreed that it could probably still learn from what was being done elsewhere.
Dr Oriani-Ambrosini pleaded that the merits of his argument, and not his character, should be addressed by other Members, and said that his arguments did not deserve "hysterical" reactions.
Mr du Preez summarised that, in relation to clause 11(3), the drafters would bring revised wording to the Committee, along the lines of: "The data subject may object at any time to the processing of personal information -
(a) in terms of subsections (1)(d) to (f) in the prescribed manner, on reasonable grounds, to the processing of personal information unless legislation provides for such processing; or
(b) for purposes of direct marketing, other than direct marketing by means of electronic communications, referred to in section 74".
Mr du Preez noted that most of the proposals were straightforward, and drew the Committee’s attention to the two options set out in the document.
Clauses 13 and 14
Mr du Preez noted that clause 13 now combined wording of the original clauses 12 and 13. Clause 14 dealt with when information could be retained. There was a reference now to "restriction", in line with the draft EU Regulation. There were options for new subclauses, whose wording also mirrored the draft EU Regulations. There were special provisions dealing with processing of personal information of children.
He asked whether, on page 19, the Committee thought that subclause (7) was correctly drafted. He also asked the Committee to consider whether "the consent of a competent person, in respect of a child" might need to be included.
Mr Jeffery said that the definition of "consent" was consent of the data subject “or a competent person”, as set out on page 7. He thought that this was therefore already covered. He would, however, have some doubts as to whether these words should be removed from this clause. Whilst there was greater legal certainty in specifying this in the definitions, it was easier to read in the body of the Bill.
Mr du Preez said that this would also affect other provisions and he would report back to the Committee on this point.
Ms Schäfer said that the "data subject", if that person was a minor, could not consent. Therefore she would be happier to see the words "the required consent" or "consent in terms of this Act".
Mr du Preez noted that "consent" could be qualified in regard to data subjects. He undertook again to consider this point and report back.
Mr du Preez said that the amendments were self-explanatory.
There were no amendments.
Mr du Preez noted that the original wording had been divided, so that clause 17 dealt with notification to the Regulator, and clause 18 with notification to the data subject. The drafters wanted to flag clause 17(2) for discussion when the Committee considered Chapter 6. He would be making a recommendation that this subclause should be inserted into Chapter 6.
Mr Jeffery said that he had been persuaded by the arguments proposed in the EU Directive, that full notification was an unnecessary burden. This clause already contained a cross-reference, so he thought it would be appropriate to deal with it under Chapter 6. Prior notification should be limited to special conditions around processing personal information, or cross-border transfers.
Ms Smuts added that developments in Europe supported the submission received from MIH, and she agreed that the Committee should look at a way of restricting the notification requirements. However, she would prefer to use the principle outlined in PAIA in relation to manuals, and explained that bodies required to file manuals under PAIA were only public bodies, as defined, and private bodies, as defined. She then recommended amending sections 14 and 51 of PAIA, to include the sort of detail to be provided to the Information Regulator.
Mr du Preez pointed out that the Minister currently granted the exemption in terms of PAIA. The Minister also issued regulations under PAIA. However, this Bill was looking to assign regulatory power to the Regulator. The Committee would be asked to consider whether this was contradictory, but he would raise this again when discussing Chapter 6.
Dr Oriani-Ambrosini thought that subclause 4 had set out an elegant compromise. He said that he was concerned that an incorrect approach was followed in the UK, where the Regulator, when it was running out of money, would extend the scope of application to increase its revenues.
Ms Smuts pointed out that the fees would fall away if her suggestion were to be followed.
Mr du Preez noted that this clause set out when the data subject must be notified, what notification was required, and exceptions to that, in subclauses (4)(a) to (f).
Clauses 19 to 22
Mr du Preez said that further conditions for security safeguards were set out in clauses 19 to 22. Clause 21(4) required the operator to notify the responsible party where there were reasonable grounds to believe that personal information of a data subject had been accessed by an unauthorised person. This was based upon something similar in the proposed EU Regulation. There was another option that subclause (3) be deleted.
The Chairperson asked what would happen if the territory where the operator was domiciled had no laws relating to the protection of personal information.
Ms Louw responded that the position would be covered by a contract.
Mr du Preez expanded that if information was to be transmitted across a border to a country that did not have adequate protection of information, there was a requirement that the responsible party insist upon a contract.
In relation to clause 22, Mr du Preez pointed out that the responsible party was responsible for notifying the Regulator, as well as the data subject, if unauthorised persons had accessed data under the control of the responsible party.
Clauses 23, 24 and 25
These clauses aimed to regulate the way in which the data subject may request access to his or her personal information and the correction of personal information.
Mr du Preez outlined the process around special personal information. When the Bill was first introduced, it had included information on children, but after further debate, the Bill had been divided, and Part B now dealt with special data processing of information that did not relate to children, and Part C now dealt with the requirements around the processing of personal information of children (clauses 34 and 35). Clause 1 included a definition of "child" for purposes of this Bill.
Mr du Preez noted that (a) and (b) provided an indication of what this information comprised. He drew attention to the footnote, indicating that the Technical Committee wanted to outline what the ambit of criminal behaviour would be.
Mr Jeffery said that he would, on the following day, expand upon the question of whether orders of court would apply, and expunging of convictions.
The meeting was adjourned.