We all know that data protection laws around the world exist to protect the privacy rights of human beings. But some jurisdictions go further – extending privacy rights to juristic persons and other non-human entities. At some point in the future, this may even lay the groundwork for the protection of the personal data of robots or artificial intelligence (AI).
The majority of data protection laws around the world, including the General Data Protection Regulation (GDPR) in the EU, do not extend privacy rights to juristic persons. Some countries, including Austria and Switzerland, have recognised the privacy rights of juristic persons in certain cases.
However, South Africa’s Protection of Personal Information Act (POPIA) is one-of-a-kind insofar as it applies specifically to existing juristic persons as well as living human beings. In terms of POPIA, personal data (personal information in South Africa) is any information about any identifiable juristic person that still exists.
Why do we need to protect a juristic person’s personal information?
We need to protect a natural person’s personal data in order to protect them from harm. Juristic persons require this protection too. There are various types of harm a person can suffer, but not all types of harm apply to juristic persons. One area where a juristic person is likely to suffer harm is financial harm.
Plus, phishing emails are on the rise and likely to cause severe financial harm. Cybercriminals are just as likely to target juristic persons as natural persons, if not even more likely. Protecting a juristic person from this type of financial harm is important and demonstrates why juristic persons can benefit from the privacy rights that POPIA affords them.
When does juristic personality begin and end?
Normally, a juristic person’s legal personality starts when it’s registered on a jurisdiction’s company registration database. We can usually prove that a juristic person exists by checking its registration number and listing. In ZA, our law considers a company ‘dead’ when the CIPC deregisters it from their database.
Further, once juristic personality starts, the entity can hold rights and incur duties. This ability flows from what is known as legal capacity, i.e. the capacity to have rights and duties.
And, some of these rights are personality rights. An example of a personality right is the right to privacy. But once juristic personality ends, the entity is no longer a legal person. So the effect is that the rights attached to their legal personality, like privacy, fall away.
Similarly, data privacy laws like POPIA only apply to living juristic persons. So, the protections in these laws don’t extend to their demise.
Intriguingly, when juristic personality ends, it’s unclear whether the company becomes a common-law association or another type of entity. However, there’s scope for company stakeholders to claim confidentiality and privacy rights for the information that the company had held on the basis that the information is connected to another data subject.
How do we protect a juristic person’s personal data?
Well, how do you protect a natural person’s personal data? We believe that you should treat a juristic person’s personal data the same way as a natural person’s. This is the most cost-effective approach to your compliance strategy.
But for you to protect it, you need to know what it is that you are protecting. Currently, we do not know exactly what the personal data of a juristic person is. The Information Regulator and the courts will need to confirm and determine this in time.
We’ve already highlighted the fact that South Africa is different in its protection of juristic persons’ personal data. But what does that mean for you when dealing with data controllers or processors in other countries that don’t protect it? How will others protect the personal data of juristic persons that you share with them? This introduces more questions around transferring personal data abroad, countries adequacy levels and how to address processing of juristic persons’ personal data in a DPA.
Conclusion
It’s clear that South African data protection law differs from other countries because it specifically applies to juristic persons and protects their personal data. It’s arguably important to protect the personal data of juristic persons in the same way that the law protects the personal data of human beings because juristic persons can also suffer harm if their personal data falls into the wrong hands.