By Kgomotso Ramotsho
Werksmans Attorneys hosted a Data Protection Seminar on 14 February in Johannesburg. Members of the panel discussed various issues with regard to data processing and legitimate interest concepts concerning data. Part-time member of the Information Regulator and member of the Cybersecurity Advisory Council, Professor Tana Pistorius, said that the issue of legitimate interest is a tricky one. She gave an example about insurance companies that keep information of previously insured persons (clients), with the excuse that they keep the information to protect other insurers in the event that the client submits false information to the new insurer they are with. She pointed out that the regulator does not think that it is a legitimate interest for insurers to keep the information after the client has asked the previous insurer to remove their information.
Prof Pistorius said that even though it is ‘industry practice’ for insurers to keep information of their previously insured clients, the regulator does not think that reason would suffice as a legitimate interest. She added that if the insured person submitted false information it would not be an issue for the South African Police Service, because it is not a fraud issue but rather an issue of non-disclosure.
Partner at McDermott Will and Emery, Romain Perray, added that legitimate interest, in the European context, is not fully clear. He said there was a time when Data Protection Authorities in Europe considered that there was no legitimate interest; however, they changed their opinion because processing activities do not remain the same, as there is a constant evolution.
Mr Perray said that with personal data processing, the General Data Protection Regulation (GDPR) applies and the next step would be to determine what the legal ground would be and if consent should be given. He added that one can rely on consent, when consent is valid and when the prerequisite is strong. He pointed out that the European Data Protection Authority does not consider that consent applies all the time and there is not always a valid legal ground for processing. He added that when one would like to rely on legitimate interest, there is always a balancing test that deals with proportionality, meaning how long the company or business can store data, what the retention period will be, and whether the scope of processing activity is going to be massive. He said those are the key issues.
Mr Perray said the Data Protection Authority in Europe was reluctant to consider commercial legitimate interest, but then progressively changed its view. He said it looked at whether there was a legitimate interest to send e-mails to existing clients and it found that there was no need to have consent to do so. However, he pointed out that there are additional safeguards and that data subjects must be informed that their data can be combined and that they have the right to oppose such combination of data. He noted that initially it was intrusive to have massive processing of personal data even for statistical purposes, but because data protection under the GDPR is a balance between the right to privacy and the need for free movement of data, the data authorities can no longer say there is no need for commercial legitimate interest.
Director at Werksmans Attorneys, Ahmore Burger-Smidt, posed a question to the panel about retention of information in terms of the Protection of Personal Information Act 4 of 2013 (POPI). Director at Werksmans Attorneys, Neil Kirby, said that if a group of people in the same industry recognised an interest or particular approach to information, conceivably the legitimate interest will warp itself into a provision of a code, which once accepted by the regulator becomes a part of POPI. He added that it may shift depending on how the codes develop in the industry where safety is concerned.
Mr Kirby pointed out that the codes are going to be the important aspect of the entire process of how POPI develops. He said under the Consumer Protection Act 68 of 2008, several industries have taken steps to put codes in place to deal with how they will enforce and deal with consumers under POPI. He added that it is a preferable position to be in under POPI; at least as an industry they would try to select the most relevant portions of POPI in the context of both prohibitions and exceptions and regulate themselves. He noted that POPI can be made bespoke to a particular sector or industry, which might make it more effective, because ultimately there will be people who can see both sides of the story, both participants in that industry and the regulator from the point of view of what can be the ideal situation.
Prof Pistorius added that the regulator's views are that there are two types of codes, namely the industry code and the recognised code. She pointed out that industry codes are those whereby people conform to certain norms, and the regulator encourages that because it will enhance compliance with POPI. However, she said a recognised code, which is a code that is issued by the regulator, would be a completely different thing. She pointed out that the only circumstance companies can get is by showing that the regulator cannot comply with certain conditions, because of specific difficulties. She said unfortunately self-regulation does not come into play, because if you have a recognised code, that code will become a part of law. She noted that it is legislative and the regulator will still regulate it.
Kgomotso Ramotsho Cert Journ (Boston) Cert Photography (Vega) is the news reporter at De Rebus.