Loopholes spotted in POPI Bill
Though the Protection of Personal Information (POPI) Bill has been touted as the most comprehensive data protection law, the imminent piece of legislation has its fair share of loopholes.
So say legal experts, who point out that the increased volume of information spread over the Internet, the popularity of social media, increasing identity theft, and similar trends have made many governments worldwide increasingly concerned with the purposes for which organisations collect personal information, and how they protect it.
Daniella Kafouris, manager, risk advisory and legal, at Deloitte, says that in unregulated markets there is a constant flow of personal information across borders, and that this is a major concern for individuals and businesses alike.
“In response to alarming increases in the volume of 'negative' incidents, many countries have adopted and executed personal information protection laws at the domestic level,” she says.
SA is set to enact the POPI Bill this year. The Bill was submitted to the justice minister in February 2009 and aims to protect personal information processed by public and private bodies.
According to Paul Jacobson, director of web.tech.law and a Web and digital media lawyer, the Bill's treatment of trans-border data flows is vague enough to leave room for some interpretation as to what it means to comply fully with its requirements that third parties be bound by comparable data protection laws.
“There is also scope to transfer data based on contractual requirements and in some circumstances where consent cannot be reasonably, practicably obtained,” he notes.
Consultancy firm PwC concurs, saying that, in a number of key areas, strongly subjective terminology is used in the Bill, such as 'reasonable', 'unnecessarily', 'legitimate interests', and 'reasonably practicable'.
Given that privacy is such an inherently subjective notion, and that one cannot predict how the regulator will interpret these subjective terms, it is difficult for organisations to establish policies and train their staff, PwC notes.
PwC urges organisations to determine for themselves what the terminology means and how it will impact them, and look to the purposes of the Bill for guidance.
Although section 71(1) prohibits using electronic communications for direct marketing unless the data subject has given his/her consent or is a customer of the responsible party, section 71(2) permits an organisation to approach data subjects once in order to obtain their consent.
This may be interpreted by organisations as being allowed to add data subjects' contact information to mailing lists, and only removing that information if the customer chooses to “opt out”, says PwC.
Kafouris says most legal experts will be better suited to advise on the gaps in the law as it reaches its final version.
However, she notes the Bill contains more compliance duties than any other piece of data privacy legislation globally.
In most European Union (EU) countries, legislation regarding the regulation of personal information is strict, while emerging economies have nothing in place, she says.
Kafouris says that, upon the promulgation of the POPI Bill in SA, organisations will need to be compliant with the legislation, and in alignment with international privacy legislation, to avoid losing out on trading opportunities.