By Daniël Eloff
At the beginning of 2012 the European Commission started with the process to reform the data protection framework in the European Union (EU). As part of these reforms the General Data Protection Regulation (GDPR) was introduced. The GDPR took effect at the end of May.
The GDPR enables Internet users to control their own personal data more effectively through various legislated rights. The framework also increases potential fines that organisations could face should they not comply with best practice regarding data privacy. At its core, the new regulations aim to bring transparency to people about what data various data controllers collect about them. How those data collectors use the collected data, as well as equipping Internet users with the ability to prevent unwanted, as well as unnecessary data collection.
The GDPR introduces two principles with regard to its applicability. Firstly, that the regulation applies to establishments within the EU regardless of where the actual processing is conducted. In terms of art 3(1) of GDPR:
‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.’ Secondly, the GDPR applies to the personal data of any person within the EU borders. In terms of art 3(2) of GDPR:
‘This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.’
In short, if an Internet user is in Europe, regardless of whether an EU citizen or not, and that user visits a website or service outside Europe, the website that is visited has to comply with the provisions of GDPR as if it is operating from Europe. The GDPR is, in many aspects, the most far-reaching privacy regulation in history.
In South Africa, the GDPR is as important. Even if companies do not have any website visitors from within the EU, the GDPR will likely become best practice throughout the world, as it is seen as the international gold standard for protecting personal information.
The ground-breaking regulations set out eight Internet user rights, many of which are by default included in older privacy policies. The Protection of Personal Information Act 4 of 2013 (POPI), which by and large is yet to come into full effect, was legislated close to five years ago and already covers many if not all of the newly adopted rights under GDPR. The eight rights are discussed below and compared to current South African provisions and protection under POPI.
Right to be informed
Condition 6 of the GDPR requires data controllers to be completely transparent on how they make use of the personal data that they collect. This must be provided in a concise, easily accessible and intelligible manner. This prescribed right does fit neatly into the ambit of s 18 of POPI, which stipulates that when information is being collected, data subjects as defined in POPI, must be made aware of what information is being collected, what the source of the personal data is and how it will be used.
Right to access
Section 23 of POPI specifically empowers users to have access to their own personal data records. Condition 8 of the GDPR now provides for the same right. Both POPI and GDPR allows for a request, by the user, to be informed on whether or not any personal data of theirs is being held by the data collector and if so, to receive a summary of what personal data is held.
Right to rectification and right to erasure
The GDPR in ch 3 s 3 states that individuals are entitled to have their personal data rectified and or erased if inaccurate or incomplete and data controllers must respond to a rectification request within one month subject to certain exceptions that the request is complex in nature. This right gives Internet users more control over their own personal data and how accurately it may be used. This right relates to the relatively new concept of the so called ‘right to be forgotten’, which in the case of the GDPR provides that in certain circumstances, an individual may request to have personal data held by data collectors erased or to prevent further processing of their data. POPI already directly provides for both these rights through s 24, but the GDPR deals with it more extensively and gives more explicit power to the users.
Right to restrict data processing
Under the GDPR regime individuals have the right to ‘block’ or restrict processing of personal data, in circumstances where a user contests the accuracy of the personal data or where a user objects to the processing of their own personal data. Once again this right has been provided for through POPI. In terms of s 14(6) of the act the processing of personal information is restricted when the user objects thereto or when the user questions the accuracy of records in terms of the right to rectification and erasure.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data across different services for their own purposes. In terms of this right users may request personal data that was provided for by the individual, through consent or the performance of a contact and when the processing is automated. Internet users should, for example, be easily able to download their account transactions or data that is collected. The data has to be provided for in a computer readable formation that is commonly used. This right gives ownership of personal information to each user. This is a new addition to the series of data privacy rights. As it stands POPI does not expressly give this right as the GDPR does.
Right to object
In terms of the GDPR users may object to specific use of their personal data, which includes but is not limited to it being used for –
POPI does touch on this subject and to a certain extent protect users in this regard. In terms of s 68 of POPI, users are protected against the processing of personal information for the purpose of direct marketing if the user has not given consent. This means that direct marketing is prohibited unless the subject’s consent is obtained, or if the subject is already a customer. POPI is, therefore, limited to direct marketing and it may become necessary to cover the other areas of use, as the GDPR does.
Rights related to automated decision making and profiling
Under the GDPR certain safeguards have been put into place to protect individuals against the risk involved with decisions being made without any human intervention. POPI provides the same protection in s 71 of the Act.
Applicability of the GDPR and POPI
One major difference and area where POPI is seen to be ahead of the GDPR is the applicability of the regulation to juristic persons. The scope of the GDPR is limited to natural persons who are EU citizens or who are in the EU at the time of visiting a website. POPI expressly protects the information of juristic persons, as well.
Privacy impact assessments
The final major difference between POPI and the GDPR is that the last mentioned regulation provides for privacy impact assessments. These assessments are required where the processing of data is considered to be of high risk to the users’ rights and data freedoms. In order to comply with the GDPR these assessments should involve identifying threats to the protection of personal data and taking the necessary mitigating measures to prevent personal data loss. Although POPI does minimally touch on these measures, more direct provisions and guidance are needed to align our domestic policy with that of the leading international framework.
Conclusion
It remains clear that POPI, which is roughly based on similar United Kingdom legislation does – to a very large extent – embrace the new GDPR provisions, especially when it comes to the rights of data subjects. The biggest difference might only be limited to different naming conventions. As a matter of fact, the GDPR could look at POPI when it comes to the legislation also protecting the information of juristic persons. The only rights that need direct attention are the rights of data portability and the right to object to specific uses of personal data.
POPI remains a great stepping-stone for our country to ensure that they keep up to date with international best practice. POPI as an embodiment of our s 14 constitutional right to privacy is by most accounts successful in the principle of upholding data sovereignty.
Daniël Eloff LLB (UP) is a candidate attorney at Hurter Spies Inc in Pretoria.
This article was first published in De Rebus in 2018 (Aug) DR 32.
