A suggested change to the definition of consent in the Protection of Personal Information Bill (PPI) would nullify all the data protection provisions in the law that aimed to cut down information sharing and spam.
The current version of the Bill - the seventh since drafting began several years ago - includes an option that consent to process personal information can be deemed to have been granted, if people simply do not opt out when given an undefined reasonable opportunity.
SA's privacy Bill - which is not the same as the Protection of State Information Bill - aims to protect personal information processed by public and private bodies. One of its benefits was that it should have cut down on spam as it used to set down strict parameters around how information can be collected and used.
However, if the definition of consent is widened, all privacy protections in the proposed law will become meaningless. The Bill is expected to be enacted this year.
Inkatha Freedom Party MP Mario Oriani-Ambrosini, a member of the technical sub-committee, has suggested that consent be widened to include the failure of a data subject or competent person to opt out or object to their data being processed when given a reasonable opportunity to do so.
The alternative definition specifies that people should agree to their data being given. Both options also refer to a competent person in the case of a child.
Slippery slope
Paul Jacobson, of Jacobson's Attorneys, says if the alternative option, which makes the concept of opting in meaningless, becomes part of the Bill that eventually becomes law, all the protections in the Bill go out the window.
Jacobson explains that the alternative option suggested by Oriani-Ambrosini means that people's personal information can be collected for marketing purposes if they do not opt out. Although someone may object at a later stage, this could be too late as the data could have been shared with a third party, he notes.
The law, in its current form, allows marketers to contact people once to get their permission to send them information. However, because this is linked to the definition of consent, people will have deemed to have agreed to contact unless they have opted out, says Jacobson.
In addition, Oriani-Ambrosini has proposed dropping the age for the definition of a child to 13, points out Jacobson. He says these two issues together spell disaster for children as they may receive an SMS, not understand it and ignore it, allowing their information to be processed and retained.
Jacobson says the suggested alterations put the burden on the end-user to opt out and will mean that they will have to be more vigilant with SMSes and e-mails, for example. He says the move would change the underlying basis of the Bill and how it works.
Harming business
Pieter Streicher, MD of BulkSMS.com, is concerned that the suggestions may come into law, which could hamper South African companies' business opportunities in Europe. He points out that the latest European version of its privacy law is tightening up the definition of consent.
The recently-published proposed changes to the European Data Directive “would tighten up the existing framework, not least by including a definition of consent that specifically excludes imputation of consent by inaction”, says Streicher.
Laws should ideally be similar across different jurisdictions because it aids companies in doing business across borders, he says.
Streicher points out that the definition of consent is used six times in the PPI. For example, information can only be processed if a data subject has given consent, or it is necessary for a deal to be done, is in the legitimate interest of the person, or complies with an obligation imposed by law on the responsible party.
Changing the definition of consent “is a speedy way of making the law meaningless”, says Streicher. He points out that people do not have time to opt out of everything.
Share