Does the Protection of Personal Information Act (POPI) protect consumers? Consumers in South Africa are currently protected by the Consumer Protection Act. Will POPI add to those protections? How does POPI protect consumers? We frequently get asked questions about this, so we decided to publish our answers.
What are the effects of POPI on businesses?
In future, everyone in South Africa has to try to protect the personal information they process. POPI sets conditions that any person who processes personal information must comply with. POPI aims to protect the personal information of people (like consumers and employees) so that they do not become victims of things like identity theft, which can have very serious consequences. However, POPI does not aim to stop the free flow of information. It recognises that there needs to be a balance
Is anyone exempt from complying with POPI?
POPI applies to virtually everyone who processes personal information. However, the more personal information a business processes, the more it will be impacted. There are some exclusions where POPI does not apply. For example:
- Sending holiday cards.
- Processing any personal information that has been de-identified.
- The SAPS investigating crime.
- Journalists, authors and artists freely expressing themselves.
POPI and consumer rights
POPI aims to protect the data privacy of consumers, that is, their privacy as regards their personal information. It does not cover other aspects of privacy, like the privacy of communications.
How does POPI regulate businesses that buy and sell personal information?
As a general statement, it is not unlawful to buy and sell personal information. But companies that do it will have to comply with the conditions for lawful processing in future. Companies that do it badly will struggle and their activities will probably become unlawful. But those that do it well, in many cases, already comply with most of the conditions. Consumers will also have a lot more access to information, power and control over their personal information. There are significant consequences for non-compliance. A company that does not comply could:
- Suffer reputational damage
- Lose customers and fail to attract new ones
- Pay out millions in damages to a civil class action
- Be fined up to R10 million or face 10 years in jail
Are companies obliged to tell consumers where they got their personal information?
Yes, currently under section 45 of the ECT Act companies must tell consumers where they got their information. POPI will repeal section 45, but POPI also requires responsible parties to be open about their processing and allow the data subject to participate in how their personal information gets processed. Consumers will have various remedies, like complaining to the Information Regulator and suing for damages in a civil action.
How far behind the rest of the world is South Africa regarding the protection of personal information?
Much of the rest of the world has had data protection laws (like POPI) for 15 years or so. Those countries have been protecting personal information in accordance with their laws for a long time. We are only now getting an umbrella data protection law, but many organisations in South Africa have been protecting personal information in any case, because it is the right thing to do, not because they were required by law to do it. South Africa should follow the rest of the world and learn from them, rather than lead the way, when it comes to data protection.
Will it cost companies a lot to comply?
The cost of POPI compliance varies greatly between different types of organisations. The challenge for practical privacy legal advisers is to reduce the overall cost of compliance.
Are companies ready for the law?
Some are, but many are not. It will probably only commence in mid-2014 and anyone who processes personal information will have one year from the commencement date to comply. So, we have about 18 months from now to make sure that all our processing of personal information complies. There is time and there is no need to panic, but responsible parties need to take action now. This is why we are running public POPI seminars at the moment. We give people an overview of this complex law and help them to know what practical action to take. We fast-track their compliance efforts. We are also providing legal services to many organisations.
How will POPI affect hospitals?
Hospitals process a lot of information concerning the health of people. POPI only authorises the processing of that personal information in certain circumstances, so the impact of POPI on hospitals is high.
How will POPI affect businesses that run competitions and gather personal information?
Promotional competitions are really regulated by the Consumer Protection Act. Retailers process a lot of personal information to market their goods to consumers. POPI has a big impact, especially on direct marketing by email and SMS.
Will POPI protect consumers from people selling their information without permission?
Retailers will have to limit their processing to a specific purpose and must limit further processing. They must be open about what they are doing and allow you to control what gets done with your personal information.
Will companies who collect information without consent need to destroy it when POPI comes into force?
No, they do not have to destroy it. Consent is only one of the justifications for processing. If a company does not have consent, there are many other justifications they can rely on for continuing to process.
How can consumers protect their personal information and remove it from lists?
There are various things consumers can do right now:
- Only give your personal information to companies you trust
- Put your name on the Do Not Contact register
- Read Privacy Policies
- Ask organisations to tell you what personal information of yours they have and ask for it to be deleted
- Unsubscribe from newsletters
- Complain to the organisation itself, and to the Information Regulator once it is established
Can a person still copy an email address off a website and send spam? Are there any implications for spammers situated in other countries?
POPI will have a big impact on email and SMS marketing. Anyone can currently email market on an opt-out basis. This means they can send anyone email until the person says stop. After POPI, people will only be able to email market on an opt-in basis – they can email you once to get your consent to send you more emails. No, POPI does not reach other countries. If a company is in Swaziland and does not use equipment that is in South Africa to process personal information, POPI does not apply. They can send you as much email as they like and they will not be in breach of POPI. They may, however, be in breach of the data protection laws of Swaziland. This is why there is a push for all countries to have data protection laws.
Are there any concerning provisions in POPI?
Not really. But in some respects POPI is already outdated – it does not really protect the personal information of consumers from risks associated with things like cloud-based services, tablets and smartphones.
What is your view regarding the law and the need for the protection of personal data in the information age?
I think the law is good and necessary. The protection of personal information is definitely needed now, more than ever. With the rise of computing power and devices like tablets and smart watches, personal information is at greater risk than ever before. POPI will enable personal information to be transferred to South Africa, which will bring economic benefits for the country.