The Panama Papers leak has become one of the most widely covered data protection issues in the news. But the one question no one probably asked yet is: what connection is there between the Panama Papers and the law?

What is the Panama Papers leak?

For those of you who have not been lucky enough to hear or read about it somewhere, the saga can be summed up as follows:

  • Eleven million confidential documents belonging to the Panamanian law firm, Mossack Fonseca have been anonymously leaked.
  • The documents relate to the firm’s clients, who include ministers, business persons and other prominent figures.
  • According to the Panama Papers leak, the firm has a 40-year history of bending and breaking the law for the benefit of its clients, including laundering money and evading taxes.

Why is this even a big issue?

People reading about the Panama Papers leak may be tempted to say that the papers were leaked to expose law-breaking by the firm and its clients and that all those implicated should now just be punished, end of story. But the truth is that, as a data protection issue, this whole saga raises far more interesting questions both internationally and in the South African context.

What are some of the global laws around this issue?

The international context is specifically interesting to us because, as international data protection experts, we are not just focused on South African law, but in how other countries on a global scale also regulate data protection. In the European Union (EU), for example, the General Data Protection Regulation (GDPR) and how it will replace not only the 95 Directive on data protection, but also the laws enacted by EU member states to comply with that directive, is something we have looked into with a keen eye. This is because it created an interesting new development for anyone wanting to do business involving the personal data of European citizens. Coming into operation in mid-2016, the GDPR seems to re-affirm the EU’s status as the world-leader in data protection and is a noteworthy law for anyone with questions about global data protection.

What is the connection with South African Law?

When we bring this whole saga home and look at it in the South African context, we see not only some of the similarities between the Protection of Personal Information Act (POPI) and the GDPR, but that the Cybercrimes and Cybersecurity Bill (CAC) makes the discussion a bit more interesting (when we consider what effect it would have if it was already law). Some of these similarities include how the two laws make a distinction between:

  • data subjects (persons or entities whose personal data is being processed),
  • responsible parties or controllers (persons or entities determining when, why and perhaps even how data is to be processed),
  • and processors or operators (persons or entities processing on behalf of responsible parties),
  • the requirement that responsible parties must process data for a lawful purpose (which can include processing the data for the benefit of the data subject or in terms of a contract between the parties), or
  • and the requirement that the responsible parties must safe-guard the data with measures designed to protect against breaches.

So what are some of the interesting questions that the leak raises?

The questions include:

  • whether the law firm breached its data protection obligations or not (which comes back to the issue of safe-guards and whether the firm had any against theft, damage or unlawful access),
  • and whether the person who leaked the data committed a crime or not.

The Cybercrimes Bill and its provisions on unlawful and intentional access or use of personal information certainly makes things interesting. For one, it makes such unlawful and intentional access an offence with a sentence of either a hefty fine, imprisonment or both. Secondly, we have no way of knowing whether or not the anonymous leaker of the information was an employee of the firm who was entitled to have access to the leaked data, or whether they obtained it through hacking. And, if the person was an employee, does the fact that they leaked it to the media instead of the authorities make a difference?

How we answer these questions for you?

These questions are definitely complex, but with our experience and skill we are well-placed to answer them for you. We specialise in looking into these issues in order to provide you with simplified solutions that meet your needs. This is done through a range of methods, including:

  • workshops and presentations,
  • executive briefings,
  • and even data protection impact assessments to further help you understand your compliance needs.


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.