Protection of Personal Information Bill: Parliamentary Research Unit, National Treasury submission, Departmental submissions

NCOP Security and Justice

13 February 2013
Chairperson: Mr T Mofokeng (ANC, Free State)

Meeting Summary

The Committee had already received preliminary briefings on the Protection of Personal Information Bill, but now heard slightly more detailed submissions from the Committee’s Content Advisor, the drafters from the Department of Justice and Constitutional Development (the Department) and South African Law Reform Commission, and the Financial Services Board (FSB). The Content Advisor gave a background to and brief history of the Bill and noted that it was based on the need for protection of the vast amount of personal information that was able to cross borders within a short space of time. The Bill promoted protection of personal information processed by public and private bodies, and established minimum requirements around such processing. The powers, duties and functions of the new Information Regulator, and the codes of conduct, were covered, and the Bill covered the regulation of information across borders. The definitions of “personal information”, “processing” and “record” were summarised and explained. The Content Advisor suggested that some of the matters needing consideration by the Committee related to consent, justification and objection, as set out in clause 11(3)(a), time limits for retention of records in Chapter 3, and for correction of personal information in clause 24(2), as well as possible additional wording in relation to exemptions granted to certain categories of people, and whether, in principle, it was necessary to give exemptions to companies who might be able to profit from information later, under clause 32(1). He suggested that clause 33(1) might be too wide-ranging, and could be qualified, and that clauses 36 and 37 may need to be weighed up against the right to privacy. He noted the concerns of the FSB and National Treasury but also made the point that these had been considered, and rejected, by the Portfolio Committee.

The drafters from the Department and Law Reform Commission noted that although a detailed list of proposed amendments had been drawn, many were technical in nature, and would be deferred to a later stage. It was explained that the conditions proposed for protection of personal information were based on international best practice, including the European Directives, and the reasons were summarised why it was important for South Africa to ensure that its legislation was in line with global counterparts, or at least to have binding agreements, in order to obtain adequacy ratings and ensure proper protection of data subjects’ information. It was noted that although the Portfolio Committee had taken the first draft of the new EU Regulations into account, they had since been changed, and it seemed that perhaps the Bill might require to be further tightened. The way in which the Bill would be enforced was described, and it was noted that FSB had been granted the right to raise a defence on provision of information.

The FSB noted that it fully understood the processes, and maintained its stance on clauses 38 and 72, where there was still a difference of opinion between the FSB and the drafters. The concessions that FSB sought would not affect the international position, but would enable the FSB to be fully compliant with the many Memorandums of Understanding that it had entered into already with various foreign regulators. The point was stressed that FSB would not share information unless there were protective provisions in the Memorandums of Understanding (MOUs) around personal data, and would follow up on how that data was being used. It was concerned that the ability of FSB to raise a defence would not detract from the risk of numerous civil suits. Although the argument was raised that MOUs were not binding, they were taken seriously and respected.

The Committee urged National Treasury, the FSB and the drafters to try to resolve the outstanding issues again, as this would be preferable to the Committee having to make an election between two versions of the clauses. The Committee also welcomed the suggestion for another full briefing on the Bill.

Meeting report

Protection of Personal Information Bill
Parliamentary Research Unit / Content Advisor submission

Mr Irvin Kinnes, Content Advisor, Parliament, gave a brief presentation on the Protection of Personal Information Bill (the Bill). He noted that more than fifty countries had legislation protecting the processing of personal information in one or another form. The need for this Bill was related to the vast amount of information that was held by companies, not only in South Africa, but globally, which was often a source of contention. Electronic databases could be sold to the highest bidder and companies made profits from this. This Bill, first introduced in 2009, as a development upon the Open Democracy Bill of 1996, was essentially data protection legislation, which conformed to global best practices, and noted that personal information must be processed with the privacy of the data subject in mind, to ensure fairness and the necessary legislative protection.

Mr Kinnes noted that this Bill must be distinguished from the Promotion of Access to Information Act (PAIA), which proposed free flow of information, whereas this Bill regulated the flow of personal information. He gave a brief history of the Bill, and indicated that the provisions had been drafted after substantial research.

Mr Kinnes summarised the objects of the Bill and said that essentially it would promote protection of personal information processed by public and private bodies, and establish minimum requirements around such processing. An Information Regulator would exercise certain powers, and perform duties and functions both in terms of this Bill and the PAIA, and would issue codes of conduct. It was important to note how duties and functions were to be performed. The Bill further would provide for regulation of information across borders.

Mr Kinnes summarised the definition of “personal information” (see attached presentation), and noted that the information related to a wide range of personal characteristics, educational, medical, financial, criminal and employment histories, and included identifying numbers or symbols and contact details, opinion information, private or confidential personal correspondence and, in some cases, the name of the person. “Processing” was defined as covering all aspects of the information cycle, including collection, dissemination and destruction. A “record” was defined as any recorded information, regardless of the medium, in the possession of the responsible party.

Mr Kinnes then set out what he regarded as some of the key issues that needed consideration by the Committee. The first related to consent, justification and objection, as set out in clause 11(3)(a). There was no definition in the Bill of what would constitute "reasonable grounds", and not only did this open the way for discretion, but he questioned the necessity of including the phrase at all, as an objection by a data subject should be sufficient. In relation to records, as set out in Chapter 3, he suggested that the Committee may wish to consider time limits for retention of records.
 
In relation to the correction of personal information, covered in clauses 24(2)(a to c), Mr Kinnes noted that there was no provision for time limits on information that ought to be corrected, and suggested that the Committee should consider whether this was necessary.

Exemptions were proposed for certain categories of people. There were ethics involved in health and insurance and child protection issues, but the Committee may want to consider placing a qualification on this clause so that exemptions fell within constitutional boundaries.

Mr Kinnes pointed out that the Bill already had exemptions for certain categories of people, such as medical professionals, insurance companies and probation or child protection institutions, in relation to health and sexual life issues, in terms of clause 32(1). Relevant ministers and pension fund administrators were also excluded. He posed the question whether it was necessary to give an exemption to companies who, in the longer term, could benefit or profit from information held by data subjects. In addition, in relation to data subjects’ criminal behaviour, covered under clause 33(1), he noted that processing of information by law enforcement agencies was exempted, but questioned whether clause 33(2) might not be too wide-ranging, as it allowed pre-emptive data processing to “protect a legitimate interest” of a processing party. He suggested that this be qualified by ensuring that the exemption was within constitutional boundaries.

In relation to exemption from information protection principles, in clauses 36 and 37, Mr Kinnes noted that the Regulator could grant exemptions allowing a responsible party to process information even if this breached the principles of information protection. He suggested that the Committee needed to consider and weigh this clause up against the right to privacy.

The Bill made proposals for penalties as listed (see attached presentation), all of which were important, because of the speed at which information exchange was growing. This emphasized the serious consequences around sale of information. He concluded that the Bill did provide protection for data subjects in the processing of their information, and suggested that the Committee focus on its positive aspects and consider supporting the Bill, after satisfying itself that all areas were suitably clarified.

Mr Kinnes said that this Bill was a complex piece of legislation, and had some serious consequences for National Treasury (NT) and the Financial Services Board (FSB), who had proposed that clauses 38(2) and 72(3)(a) needed to be amended. That proposal had been considered by, but had not found support at, the Portfolio Committee on Justice and Constitutional Development. This Committee may wish to consider following the Portfolio Committee’s lead.

Department of Justice and SA Law Reform Commission submission
Mr Henk du Preez, Principal State Law Advisor, Department of Justice and Constitutional Development, noted that he had only received the presentation of Mr Kinnes that morning, and asked for some time to study it in depth and respond.

The Department of Justice and Constitutional Development (the Department) had prepared a list of the proposed amendments to the Bill, many of which were very technical, such as correction of spelling mistakes. He suggested that he not go through this in detail today, but that he instead give a general introduction on the matters of contention between the Department and National Treasury.

Mr du Preez confirmed that this was indeed quite a complex piece of legislation. It did protect the right to privacy, but was not primarily concerned with restricting the flow of information. The conditions proposed for protection of personal information were based on international best practice, including the European Directive, which gave guidance to EU countries on the content of their legislation. The question had been asked why South Africa should follow international legislation. The answer to that was partially based on the speed with which information could flow across borders. Many countries had already had similar legislation in place for many years. Globally, there was a move to try to harmonise legislation on protection of personal information, to protect data subjects, and ensure that if information was provided to a responsible party who operated in several countries, all regimes in all countries should offer similar protection to the data subject. South Africa would be asked to prove to other countries that it had adequate protection for processing of information. If information was to be processed in a country where there was no legislation in place, South Africa would need to conclude binding agreements to ensure that the information was processed correctly, although the best option, for the data subject, was to have a guarantee by way of legislation that data protection regimes would apply in similar ways across the world.

Ms Ananda Louw, Researcher, SA Law Reform Commission, noted that data protection could be said to be only as strong as the weakest link in the chain. If strong legislation around personal information was in place, South Africa would obtain a good adequacy rating from other countries, and ensure that South Africa could more easily do business with other countries. A number of conditions must be complied with, to achieve that adequacy rating. Legislatures all over the world had recognised that there might be instances where it was impossible to comply - for instance, if security of the country was at stake, or criminal investigations were pending, where it would clearly be counter-productive to inform the data subject that information was being processed. That was another reason why it was so important to try to achieve harmonisation. The restrictions were dealt with in Article 13 of the EU Directive, and were linked to the clause 38 proposals by the FSB, who wanted to be exempted from certain conditions.

Ms Louw expanded that the current EU Directives dated back to 1995, but that in the last few years the international community had been considering amendments and drafting new regulations. The current EU Directive was, as suggested by its name, an indication of what countries should do, whilst each country had its own legislation. However, the intention was that the new EU Regulations would effectively create one law for all countries in the EU. Article 21 of the Regulations would replace, but be similar in content to, the Directive’s Article 13. When the Portfolio Committee had been considering the Bill, the Regulations had not been finalised, and so there was some debate as to what needed to be taken into consideration. The drafters had suggested – and the Portfolio Committee had accepted – that it would be useful to incorporate the provisions from the draft Regulations that were likely to enhance protection of information. She reiterated that because information was exchanged globally, it made no sense for South Africa to lag behind processes elsewhere. The first reading of the Regulations had taken place on 17 December 2012, and the report on those had been made available in January 2013. A number of the changes would impact on the Select Committee’s deliberations, and it was important to note that some of the issues discussed by the Portfolio Committee had been changed from the first draft of the Regulations to the current thinking. It seemed that the Bill may actually have gone too far in accommodating the FSB proposals, and she thought that it may not be possible to accommodate any further requests, and that the position in South Africa may still need to be tightened further. She emphasized that although the EU Regulations would be binding on the EU, they would equally be complied with in other countries outside the EU, and reiterated that it was vital for South Africa to be in line with those prescripts.

Ms Louw said that it was important to consider how the Bill would be enforced. Firstly, express permission from the data subject was not always required. If, for instance, a data subject was signing an agreement to purchase a car, the dealer had the right to call for personal information in terms of, and as part of the contract, without seeking specific permission for this information from the data subject. The Bill itself would effectively come into play only once a complaint was lodged. The first step would be to hold mediation proceedings, assisted by the Regulator, who would try to ensure that similar problems would not again arise. If the responsible party was not willing to cooperate and comply, this would become a criminal offence, irrespective of the merits of the dispute. Civil action could also be instituted. She noted, however, that an exemption was included for the FSB, who could raise a defence around provision of information, and there was a distinction between liability and accountability.

Ms Louw submitted that the Bill was not unduly onerous, was compliant with good business practice and gave the opportunity to responsible parties to get their house in order and their systems in place. The Bill emphasized cooperation rather than penalties, although it was possible that, as matters developed, the requirements might become more onerous, as had happened in other countries.

Mr du Preez said, in relation to concerns raised by the FSB to this Committee previously, that many meetings had been held between the Department and the FSB. Many of the latter’s concerns had already been addressed, but there were still differences of opinion in relation to clauses 38 and 72.

National Treasury / Financial Services Board submissions
Ms Jeannine Bednar Giyose, Director: Financial Sector Regulation and Legislation, National Treasury, said that NT still felt that some issues had not been thoroughly addressed by the Portfolio Committee.

Ms Nonku Tshombe, Head of Legal Department, FSB, stressed that the FSB had a full understanding of the processes and had maintained a consistent stance. She agreed that the areas of contention had been reduced already through very constructive discussion with the Department. Those areas on which FSB still had concerns did not, in her contention, detract from the international position. She reminded the Committee that the FSB did not only regulate in the interests of the public, but operated also in conjunction with other regulators, such as SARS. She said the FSB proposals were suggesting the need to make accommodation in the Bill for certain regulatory activities, which would not detract from overall protection of personal information that the Bill aimed to achieve.

FSB noted that South Africa had to be able to honour its obligations under bilateral agreements with other countries. FSB was well aware of the developments at the EU and was not suggesting that any of the Regulations be departed from or breached. Where information was shared with foreign regulators, it must be in terms of binding corporate rules or MOUs, which were signed at a high level after bilateral discussions with other countries. FSB would not share information unless there were protective provisions in the Memorandums of Understanding (MOUs) around protection of personal data. Currently, the Bill was worded so that where FSB shared its information with a foreign operator who then breached data protection rules, this would be deemed to be a breach by the FSB and render it liable to civil suits. Although the FSB could raise, as a defence, the fact that information was shared under an MOU, that did not cure the problem. Ms Tshombe stressed that this was a very litigious environment, and FSB was concerned that the door would be opened to numerous actions. FSB was not proposing that it should not bear accountability, but wished to stress that it would not share information without strictly controlled and tight MOUs. In addition to this, she also noted that FSB would follow up on how the information provided in terms of the MOU was being used, and would immediately restrict the sharing of information in future should there be any breaches. However, if it was not permitted to share information in the way it proposed, the FSB would be in breach of the many MOUs that were already in place with foreign regulators. 

The argument had been raised that the problem was that MOUs were not seen as binding agreements. She stressed that they were taken very seriously and were respected as they constituted a vital part of international relations between South Africa and other countries.

Ms Bednar-Giyose commented that these were very important issues that impacted significantly on the functioning of the FSB and other regulators. The proposals by NT and the FSB were a serious effort to find an appropriate balance between the protection of personal information and the needs of South Africa, particularly in relation to financial obligations. She requested the Committee to give careful consideration to the proposals.

Ms Tshombe concluded that the impact of the commercial crisis had raised a number of issues. Regulators should be able to deal with information and regulation, whilst also taking cognisance of the broader perspective. She particularly stressed that clause 38(2) needed careful consideration by the Committee.

Discussion
Mr Kinnes commented that a recent court ruling around the use of DNA databases in the United Kingdom had similar implications, as would the holding of information about individuals’ credit cards, particularly in view of the propensity of credit card fraud. He stressed that this showed that wherever databases may be held, they posed the risk of impacting upon consumers in South Africa.

The Chairperson questioned whether it was not possible for the Department and FSB to engage further and attempt to reach agreement on the disputed clauses, so that the Committee would not be forced to make a judgment call on which version it preferred.

Ms Bednar-Giyose indicated willingness on the part of NT to engage again and attempt to resolve the issues.

Mr D Bloem (COPE, Free State) agreed that this would be the preferable route to follow, but if the concerns could not be resolved, then the Committee must consider both options. He urged the Department also to give serious consideration to the points raised.

Mr M Mokgobi (ANC, Limpopo) commented that the Bill required careful consideration, particularly in view of the global dynamics. It would also be important to bear in mind the views of the Portfolio Committee during its processing of the Bill.

Ms Louw noted that whilst the Department had, at this meeting, tried to give only an overview to the Committee, these, and other issues, could be addressed in more detail to assist Members in their understanding of the Bill.

The Chairperson agreed that a session would be arranged where the drafters could take the Committee through the Bill in more detail.

The meeting was adjourned.

 
