Deliberations on the Protection of Personal Information Bill [B9-2009]

Meeting report

Mr Henk Du Preez, State Law Adviser from the Department of Justice and Constitutional Development (DoJ&CD) said that there was a new draft proposal that would be presented to the Committee. The proposal dealt with the clause dealing with the processing of personal information outside of the country. There had to be more provision for non-binding Memorandums of Understanding (MOU). The new sub-clause 71(3)(a) has incorporated the word ‘accountable’. In short this meant that the cross-border principle required that the transfer of personal information had to be to a country that had laws which adequately protected such information. The receiving party was also subject to specific requirements for the processing of specific information. If there was a non-binding MOU then there would be the requirement that a responsible party in South Africa (SA) would remain accountable for any processing not in line with the provisions of the Bill. 

Ms Ananda Louw, Researcher from the South African Law Reform Commission (SALRC) said that the bottom line was that the data should be protected, if the MOU was not binding then the information had to be protected in some other way and this was what was sought in the new draft of clause 71. If the MOU was enforceable even though it was non-binding then the Financial Services Board’s (FSB) accountability would not be impacted upon.

Mr J Jeffery (ANC) said that National Treasury had requested that a MOU be inserted and this has been done in the new draft clause. The problem was that MOU’s were non-binding, in such a case FSB would have to be responsible and they were under the new clause.

Ms S Smuts (DA) asked how this sat with Article 45 of the European Union’s (EU) new Regulations. 

Ms Louw said that the Regulation was still only a draft. In Article 59 the draft Article 45 was criticised and it was suggested that it should be deleted. The EU Data Protection Supervisor also said that draft Article 45 was unacceptable.

Ms D Schäfer (DA) referred to clause 71(1)(a) and asked at what point it was established that an MOU provided an adequate level of protection.

Ms Louw said that the clause would not restrict the flow of information, if there was a breach, the FSB would have to take responsibility for the breach because they would have used the non-binding MOU. It was the responsible party that determined adequate safeguards, once somebody complained the matter would be referred to the Regulator who would then make the final decision. 

Ms Schäfer asked how it was known that a MOU existed.

Ms Louw said that there had to be a complainant.

Ms Smuts said that a complainant would be somebody whose information was shared.

The Chairperson asked for National Treasury’s input.

Mr Ishmael Momoniat, Deputy Director General: Tax and Financial Sector Policy said that Treasury was driven by other legislation and this was not the only piece of legislation that had a trans-border issue attached to it. Since the financial crisis the powers of regulators were being stepped up worldwide. Financial regulators were found to be far too meek and were being “beefed up”. Some of the reforms in SA dealt with financial conduct. The problem with MOU’s was that Treasury were policy makers only; most home regulators for companies were based overseas. Such regulators did not inform SA officials whether there was a financial crisis or not, and quite frankly they did not care. Many of the MOU’s were not non-binding because SA did not have the clout or weight to enforce them against regulators from other countries. In Africa there were different challenges as SA was regarded as an advanced economy. The concern from Treasury was how to ensure that regulators worked together in a coordinated fashion where there was mutual respect amongst them. In the financial sector right now the possibility of a lead regulator in the financial sector was being mooted. The extent of how information was shared was worrying. A further concern was that those who were found to be on the other side of the law used every means possible to fight the system and the Bill should not be used for this purpose and make the job of Regulators difficult. Treasury wanted an exemption, as it would be difficult for regulators to be faced with a situation where they were liable in any way.

Ms Anna Manganyi, Senior Manager of the FSB added that the EU Directive seemed to lean towards shifting liability on a third party regulator as opposed to an EU regulator. The FSB was currently accountable and if it caused any harm then it should be responsible for that. The FSB did not want to be held liable for reckless actions of other third party regulators.

Mr Jeffery said that SA law did not have jurisdiction over third party regulators from other countries so one cannot hold them to account. The FSB was free to stop transferring information if it felt like it. The purpose of the Bill was to protect the personal information of citizens in SA. An exemption cannot be given to the FSB. The FSB could transfer information however it deemed fit however it would be responsible for the transfer of such information.

Ms Manganyi said that the impression that the FSB got from its interpretation of the provision was that it would be held accountable for the non-compliance of a third party regulator with the provisions of the Bill.

Mr Jeffery said that the FSB would be responsible if there were breaches; somebody had to be accountable. If the FSB passed on information to another body outside the country, it would have to check what security provisions were there to protect the information. The FSB may want to make input on the definition of ‘accountability’ in the Bill.

Ms Nonku Tshombe, Head of Department: Legal Service for the FSB said that the environment was highly litigious and these parties would hop from one regulator to another trying to hold them accountable where they would not have been responsible for improper conduct. It would be useful if the words ‘where the information was used for the purpose for which it was requested’ were added. This would help in terms of narrowing the definition.

Professor G Ndabandaba (ANC) asked if there was any association of national or international regulators.

Ms Schäfer said that she agreed nobody should have blanket exclusion. The FSB could not just say that there should be a stipulation that the information should be used for the purpose for which it was requested for, it had to also ensure that there were adequate safeguards for the protection of that information.  Accountability cannot be rendered meaningless it cannot only be to the extent of information used for the purpose for which it was requested there had to be something extra.

Mr S Swart (ACDP) asked to what degree at the moment there were checks and balances where the FSB was sharing information. Why was there such an emphasis on accountability at the moment? What was the concern of the FSB? Was it criminal sanctions maybe?

Mr Jeffery added that a breach of the provision would result in an appearance before the Information Regulator and not the High Court. This might take care of the concerns around litigation for the FSB. If the FSB had a binding agreement with another party from another country and it happened to be breached by that third party then the FSB would not be responsible. However if there was just a non-binding MOU and it was breached then the FSB would be responsible. One could say that it was not fair however one the one hand it was not enough to say that reasonable steps were taken. 

Ms Louw referred to clause 71(3) and said that accountability arose if the information was processed in a manner that constituted interference with the privacy of a data subject in terms of the Bill. The ambit of the Bill was very narrow; it was only concerned with the protection of information in accordance with the eight imposed conditions. 

Mr Momoniat said that there were a whole lot of codes and international agreements and some were more binding then others. Most MOU’s were non-binding - they were there to get regulators talking. The Act was another issue. Many criminals defrauded people in SA and then ran to countries like Australia and Switzerland; if the MOU’s were binding then they would have probably been deported. Countries like Australia and Switzerland might comply with the provisions of the Bill but they did not take ideal action. Even if the MOU’s were non-binding, SA regulators would act. Treasury would want for all regulators and ombuds in the financial services sector to work together.

Mr Jeffery said that there seemed to be consensus and the Committee should move to finalise it as it has been two years since its introduction.

New Clause 38
Mr Du Preez said that the proposal in the clause was an automatic exemption from certain conditions. If Treasury agreed to this provision then the only outstanding issue would be to look at those conditions which they would want to insert.

Ms Tshombe said that the FSB appreciated the new proposed provisions of clause 38. The FSB was not looking for broad exemptions. The FSB would appreciate consideration of the proposed amendments to previous sections that have been put before the Committee.

Mr Jeffery said that there was a possible exemption from some of the specific exemptions which was wider than what the FSB asked for in the proposed amendments. It was surprising that the FSB was not so keen on this.

Ms Tshombe said that it was only to the extent that there was an expression of concern on these exemptions. The FSB had not necessarily rejected the proposal, it had only operated under the assumption that it would no longer be exempted and the Bill would be an enabler.

Ms Manganyi said that the FSB was happy with clause 38 insofar as the proposed amendments for clauses 11, 12 and 18 were concerned. This would be in line with the law in the United Kingdom (UK).

Ms Smuts said that she was happy with clause 23. The essential question was whether the FSB was not already covered in other sections of the Bill.

Ms Louw said that the reference to clauses 18 and 23 was to show what the exemptions were for in the UK Act.

Mr Jeffery said that the FSB had wanted a more specific exemption in clause 11, 12, 15 and 18. The function being performed insofar as what the FSB was doing would be in Clause 38(2). There were two options, the one was for the references that excluded third parties and the other was clause 38 which was more general.

Ms Tshombe said that the amendment to clause 71 might be consequential to clause 62.

Mr Jeffery said that there was a cross-reference and it would still be there.

Ms Manganyi said that clause 56 had two sub-clauses labelled (d). If the Committee accepted the first (d) then the FSB would be happy with this.

Mr Jeffery said that footnote 92 specified that this was one Member of the Committee’s proposal.

The Chairperson added that this was for the Committee to consider. 

Mr Jeffery said that the proposal was not being finalised today, the FSB would want exemption from the conditions and it would be clauses 11, 12, 15 and 18.

Mr Du Preez said that with regards to clause 23 the Committee should not forget about the Promotion of Access to Information Act (PAIA) where the FSB was currently subject to granting access to personal information. Granting the FSB exemption would have to carefully considered. 

Mr Jeffery said that the legislature always had to consider impacts by new law on existing law. The concern with clause 23 was that it fell under PAIA which was existing law and which afforded a right for requests to be made to the FSB.

Dr M Oriani-Ambrosini (IFP) said that the test as it was covered everything; more exemptions should not be given.

Mr Jeffery said that the Committee should accept the amendment of clause 38 with the provisions of clause 11, 12, 15 and 18. Clause 23 could be considered again however the PAIA exemptions should cover the FSB.

The Chairperson said that the drafters should take the Committee through the highlights in the rest of the Bill.

Page 2
Mr Du Preez referred to the Long Title and said that the Committee had requested that reference to PAIA had to be included.

Page 7
Mr Du Preez said that the definition of consent has been accordingly adapted. The amendment was
Technical and the Committee had to decide whether the definition would be kept as it was.

Page 10
Mr Du Preez referred to the definition of special personal information and said that there was reference to the section that covered this. The definition for unique identifier has the words ‘and is used’ added to it.

Page 11
Mr Du Preez referred to clause 4(3) and said that the words ‘except if’ were replaced with ‘unless’. In clause 5 the amendments were effected and shifted accordingly.

The Chairperson said that there was still an ‘except if’ in clause 4(4) that still had to be removed.

Page 12
Mr D Preez said that the provisions in clause 5 have been re-arranged a bit.

Page 14
Mr Du Preez referred to clause 9 and said that the Committee still had to decide whether to retain ‘unnecessarily’.

Page 15
Mr Du Preez said that clause 11(3) was a re-draft to capture the Committee’s intention regarding direct marketing.

Page 17
Mr Du Preez said in clause 14(7) the words 'or with the consent of a competent person in respect of a child’ have been added in order to align this with the definition of consent.

Page 18
Mr Du Preez said that the requirement for notification has been removed from the Bill as per the Committee’s request.

Page 19
Mr Du Preez said that clause 21(1) and clause 21(2) could be collapsed into one clause simply by adding the words ‘by means of a written contract’. Clauses 21(3) could also be removed.

Mr Jeffery asked who would be the parties to the contract.

Mr Du Preez replied that it would be the responsible party and the operator.

Mr Jeffery said that he was not happy with ‘by means of’.

Mr Du Preez said that the words would be removed then.

Page 22
Mr Du Preez referred to Part B and said that there was a cross-reference in clause 26 to clause 27. Four options on criminal behavior were included. In clause 27(d)(ii) the word ‘express’ has been removed.

Page 24
Mr Du Preez referred to clause 32(d) and said that the drafters would come back to the Committee as the Children’s Act had to be considered further in more detail. It would seem that ‘designated’ might have to be deleted.

Mr Jeffery said that a child protection organization would be in terms of the relevant sections of the Child Justice Act. Childline was an abuse line; they were not managing anything so they were not covered. This, it would seem, would apply to Lifeline as well. Childline and Lifeline would have to be included as well.

The Chairperson said that this should be flagged.

Page 25
Mr Du Preez said that clause 34 was amended as requested by the Committee.

Page 26
Mr Du Preez said that in clause 35(1)(d)(ii) the word ‘express’ had been omitted.

 Page 27
Mr Du Preez referred to clause 39(1)(b)(i) and said that there was a language proposal from the drafters as an amendment.

Page 29
Mr Du Preez said that in clause 39(5) there was a reminder to ensure that the clause was still in line with other amendments for when the Regulator was finalised.

Page 30
Mr Du Preez said that the Committee had to be mindful of the footnote as there was a requirement there for the Committee to make a final decision.  Clause 40(2)(a) had to be amended to include ‘which recommendation must also indicate which ordinary members must be appointed in a full-time or part-time capacity’.

Page 32
Mr Du Preez said that in clause 45 the original wording of the introduced Bill has been reverted to as per the Committee’s instructions.

Page 33
Mr Du Preez said that in clause 46(6) the words ‘and subject to sub-section (7)’ have been inserted.

Mr Jeffery requested that this should revert to being an option as the Committee had not agreed.

Mr Du Preez said yes. In clause 47(b) the provisions of clause 46(b) has been inserted so that the two clauses correlate.

Page 34
Mr Du Preez said that clause 49 has been moved and inserted as clause 92. The request from the Committee that three members of the Regulator shall constitute a quorum has been captured in clause 50(2).

Page 36
Mr Du Preez said that the whole of notification has been removed. Clause 56 was a cross reference and clause 56(1)(a)(ii) would be omitted. Clause 56(1)(d) was a technical correction.

Page 41
Mr Du Preez said that in clause 61(2) it was proposed by the drafters that the words ‘whether
that responsible party intends to market different products or services or not’ should be included.

Mr Jeffery said that he was worried about the proposal. What if a company in insurance offers a product to a consumer in one year and then if they move to another sector next year the provision would prohibit them from offering new products to the same customers again. The provision was a bit too heavy on direct marketers.

Ms Schäfer said that direct marketers should not obtain consumer’s information for one purpose and then offer several other products that were not wanted.

Dr Oriani-Ambrosini said that this was exactly the problem, trade and commerce were being impaired by such provisions and times have changed unlike back in the old days.

The Chairperson said that he was not in favour of the opt out option.

Ms Schäfer conceded that the world has changed and if a consumer wanted something then they could research it for themselves instead of having several different products being offered to them. 

Ms Smuts said that one did not want to intrude on people’s rights to trade and engage in commercial activity. The proposal was from Ms Adams and the thinking behind it was to prevent subterfuge.

Mr Jeffery said that the provision was not about saying no, the provision was about a consumer saying yes they want to carry on receiving marketing information. This was new law and it would be developed, there probably would be subterfuge.

Ms Louw said that the insertion might be refined to only include compatible products.

Mr Jeffery agreed. In clause 58, Mr Mark Heyink, the Director at Information Governance Consulting (IGC), had suggested that the information officer should be personally responsible. The information officer has responsibility in terms of the Bill but not necessarily for the rest of the processing. This might be a bit heavy.

Ms Smuts said that the job of information officers was not carefully circumscribed in terms of the Bill, the proposal was a bit imbalanced and I am not comfortable with it.

Mr Heyink added that regulators should have greater power; on a number of occasions the attitude of larger processes was to look at loopholes to circumvent the legislation. This was exactly why the Regulator in the United Kingdom was seeking heavier penalties. Many organisations were going to process information that should be referred to the Regulator for prior authorisation and say it was a mistake and they would have already built in whatever penalty into their profits. In SA, direct marketers were not as well regulated as in other jurisdictions and there was widespread abuse. If direct marketers were also subject to prior authorisation then a lot of difficulties that consumers faced would be properly dealt with.

Mr Jeffery said that this was a new provision and coming at the end of the Bill was a bit too much at this stage.

Ms Smuts said that she understood the background to the proposal but agreed with Mr Jeffery.

Page 42
Mr Du Preez said that in clause 72 there was a technical amendment.

Page 47
Mr Du Preez said that in clause 84 the drafters were concerned with the wording as it may prevent the Regulator from conducting search and seizure in relation to Condition 6.

Ms Smuts said that this was fine.

Page 52
Mr Du Preez said that in the heading the words ‘administrative fines’ were added.

Mr Jeffery asked why there was a limit on administrative fines; this would be a limit on what the Regulator may fine.

Dr Oriani-Ambrosini said that this was because only the legislature may set the limits to fines.

Mr Du Preez said that the Committee may still set another limit. A percentage of annual turnover might be an option for purposes of a deterrent. The legislature has to have a limit. Annual turnover would have to be defined.

Page 56
Mr Du Preez said that the Committee had requested the insertion of a new sub-clause (l). There was a new proposal in clause 113(1), this was approved by the Committee.

Page 57
Mr Du Preez said that in clause 113(7) here was a proposal for a transitional provision insofar as the transfer of functions from the South African Human Rights Commission (SAHRC) to the Information Regulator were concerned.

Mr Jeffery said that seeing as the Committee was finished with the Bill. Mr Du Preez should be keeping up with the costing of the Bill and informing the Department of Justice.

Ms Smuts said that there was a costing document handed over to the Committee.

Mr Jeffery said that he was worried about the high figures in the costing document.

Ms Smuts said that she was referring to the costing document on regulatory impact, this study was conducted.

Mr Du Preez said that the costing was derived from the perspective of having the whole regime kick started with a contribution from the Department. The Regulator was going to be very expensive.

Schedule
Mr Du Preez said that the definition of ‘biometrics’ has been included on page 1. Item 2 was a new matter, the question was should the same approach be followed in respect of PAIA as opposed to the approach followed in the manuals. In Item 4 there was a need to draw a distinction between matters that were dealt with in the manuals which were of a general nature and matters specifically linked to PAIA. Item 7 to 10 were existing provisions. Item 11 had the amendment to section 51. The remainder of the provisions in the Schedule have already been pointed out to the Committee. There may be a need for a transitional provision for the Regulator and the courts where internal appeals were concerned.

Mr Du Preez said that the drafters have considered the question raised by the Chairperson last week regarding the information of dead persons. Having looked at the EU Directive as well as other foreign jurisdictions it transpired that it was possible to extend the definition of personal information to include people who were dead.

Mr Jeffery asked who would make the complaint.

Mr Du Preez said that this concerned the right to privacy which was only enforceable by a living person. There was a solution, if a dead persons information was processed and the data processor was identified then the right may be enforced. Other countries have limited the information to health issues because this may be used to make certain predictions on the health of those still alive. The definition for personal information would also include the following wording then: ‘...or a deceased person where such processing would reveal personal information about a living person’. The current definition in the Bill for personal information was very open.

Mr Jeffery said that this was at the tail end of the Bill and the Committee should look after the living and come back to the dead later.

The Chairperson said okay.

Ms Smuts said that dead persons have a right to privacy in their own right.

The Chairperson said that week after next the Committee would vote on the Bill.

Meeting adjourned.