Transcripts
Andrea Hinkelmann:
:Welcome to Perspectives Fasken's Legal Voices on Business.
Emma Ali Mohammadi:
:I'm Emma Ali Mohammadi, an Associate in the Dispute Resolution and Insurance Practice
Emma Ali Mohammadi:
:groups. I'm joined by my colleague Andrea Hinkelmann, who is also an associate in
Emma Ali Mohammadi:
:Dispute Resolution.
Andrea Hinkelmann:
:Emma and I will be discussing the right of a daughter subject to institute civil action
Andrea Hinkelmann:
:against a responsible party for damages as a result of a bridge.
Andrea Hinkelmann:
:In terms of the Protection of Personal Information Act four of 2013, which is also
Andrea Hinkelmann:
:otherwise known as Poppy or Papaya.
Emma Ali Mohammadi:
:Andy, did you know that the act is correctly referred to as Papaya and not Poppy in order
Emma Ali Mohammadi:
:to keep it close to its sister Act Papaya?
Andrea Hinkelmann:
:That actually makes sense, Emma, since both acts have to do with information, which is
Andrea Hinkelmann:
:interesting. Papaya is about freedom of information, while Papaya is about privacy.
Andrea Hinkelmann:
:Papaya has obviously taken the center stage and is definitely here to stay.
Emma Ali Mohammadi:
:I'd say there's been widespread panic with the build-up and commencement of Papaya
Emma Ali Mohammadi:
:starting from the 1st of July 2021.
Emma Ali Mohammadi:
:The panic is mainly due to the somewhat onerous compliance requirements imposed by
Emma Ali Mohammadi:
:Papaya, which is a comprehensive data protection legislation and its accompanying
Emma Ali Mohammadi:
:regulations. In short, these requirements mainly include the establishment of
Emma Ali Mohammadi:
:compliance frameworks, compilation of personal information, impact assessments,
Emma Ali Mohammadi:
:drafting of prior manuals and conducting extensive training sessions.
Emma Ali Mohammadi:
:Andy I've enjoyed giving extensive training sessions across industries over the last
Emma Ali Mohammadi:
:couple of months.
Emma Ali Mohammadi:
:This is a really important part of an organization's Papaya compliance.
Emma Ali Mohammadi:
:I digress. However, today our focus will not be on achieving practical compliance of
Emma Ali Mohammadi:
:Papaya, but rather the enforcement and consequences of non-compliance of the act.
Andrea Hinkelmann:
:Before we jump into things, Emma, I'd like to clarify a few terms for our listeners.
Andrea Hinkelmann:
:A daughter subject is defined in Poppy as any natural or juristic person, so that would
Andrea Hinkelmann:
:be a person like myself or you or even a company or a partnership.
Andrea Hinkelmann:
:It's interesting because the European Union General Data Protection regulations, which is
Andrea Hinkelmann:
:basically the equivalent of Poppy in South Africa, does not actually cover juristic
Andrea Hinkelmann:
:persons, which is a responsible party, private or public body that determines the
Andrea Hinkelmann:
:purpose and means of processing of personal information.
Andrea Hinkelmann:
:So it would be somebody like your employer, for example, or a company.
Emma Ali Mohammadi:
:Just to touch on briefly, what personal information is Andy.
Emma Ali Mohammadi:
:Personal information is basically any information that can identify a natural or
Emma Ali Mohammadi:
:juristic person.
Emma Ali Mohammadi:
:It's broadly defined by the Act and includes race, gender, pregnancy, marital status,
Emma Ali Mohammadi:
:employment and financial history.
Emma Ali Mohammadi:
:It also includes contact details and even the views and opinions of a person.
Andrea Hinkelmann:
:Now that we've got the basics sorted, the enforcement of Poppy is dealt with.
Andrea Hinkelmann:
:In terms of chapter ten of Poppy.
Andrea Hinkelmann:
:This chapter sets out the sanctions imposed on a responsible party for non-compliance
Andrea Hinkelmann:
:with certain provisions of Poppy.
Andrea Hinkelmann:
:And it also deals with complaints by data subjects to the information regulator, who is
Andrea Hinkelmann:
:the watchdog authority, who ensures the enforcement of the Act.
Andrea Hinkelmann:
:So in a nutshell, I'll take us through some of the sanctions that may result due to the
Andrea Hinkelmann:
:breaches of the Act.
Andrea Hinkelmann:
:First of all, the regulator can impose a fine on a responsible party who is in
Andrea Hinkelmann:
:contravention of Poppy, not exceeding the amount of 10 million rand.
Emma Ali Mohammadi:
:That's a pretty hefty fine.
Emma Ali Mohammadi:
:Do you think it's likely to be enforced by the information regulator?
Andrea Hinkelmann:
:It is also a form of revenue for the government, so I think it is likely to be
Andrea Hinkelmann:
:enforced. Another consequence of non-compliance includes imprisonment in terms
Andrea Hinkelmann:
:of Section 107 of the Act.
Andrea Hinkelmann:
:So for serious offences, the responsible party and Information Officer may be
Andrea Hinkelmann:
:imprisoned for a period not exceeding ten years or to both a fine and imprisonment.
Andrea Hinkelmann:
:So serious offences, examples such as obstructing the regulator and failing to
Andrea Hinkelmann:
:comply with poppy enforcement notices for less serious offences, for example, hindering
Andrea Hinkelmann:
:an official in the execution of a search or seizure warrant.
Andrea Hinkelmann:
:The maximum penalty would be a fine or imprisonment for a period not exceeding 12
Andrea Hinkelmann:
:months or even both a fine and imprisonment.
Emma Ali Mohammadi:
:Who would face imprisonment, though?
Andrea Hinkelmann:
:That would be the organization's Information Officer.
Andrea Hinkelmann:
:The Information Officer plays a critical role in an organization and has a
Andrea Hinkelmann:
:responsibility to ensure an organization's overall compliance with the Act.
Andrea Hinkelmann:
:So the Information Officer is the one who will be responsible for any non-compliance
Andrea Hinkelmann:
:with the Act. So when the Information Officer or regulator comes knocking at your
Andrea Hinkelmann:
:door, you know.
Emma Ali Mohammadi:
:Not sure if I'd like to be an Information Officer, then.
Andrea Hinkelmann:
:It's quite a hefty penalty there.
Andrea Hinkelmann:
:But before we get carried away, Emma, our focus for this podcast is that a data subject
Andrea Hinkelmann:
:may institute civil action against a responsible party for damages.
Andrea Hinkelmann:
:And this is as a result of a breach in terms of Section 99 of the Act.
Andrea Hinkelmann:
:Now, this section states that a data subject or the regulator acting on behalf of the data
Andrea Hinkelmann:
:subject may institute civil proceedings for patrimonial or non patrimonial damages
Andrea Hinkelmann:
:whether or not there is an intent.
Andrea Hinkelmann:
:Or negligence on the part of the responsible party.
Emma Ali Mohammadi:
:Patrimonial damages relate to the reduction in a person's financial position.
Emma Ali Mohammadi:
:Say, for example, due to the leak of the data subject's personal information by the
Emma Ali Mohammadi:
:responsible party.
Emma Ali Mohammadi:
:Non-patrimonial loss, on the other hand, does not really have a monetary value.
Emma Ali Mohammadi:
:So here examples would include in our context, perhaps pain and suffering or
Emma Ali Mohammadi:
:emotional shock due to the leak of the data subject's personal info.
Andrea Hinkelmann:
:For the purposes of this section, are we now talking about any kind of breach of any of
Andrea Hinkelmann:
:the provisions of Poppy?
Emma Ali Mohammadi:
:No. So Andy here, we're only talking about the breaches referred to in section 73 of
Emma Ali Mohammadi:
:Poppy. For example, any breach of the conditions for the lawful processing of
Emma Ali Mohammadi:
:personal information as referred to in chapter three.
Emma Ali Mohammadi:
:For example, if a data subject is a minor and the consent of a competent person
Emma Ali Mohammadi:
:required in terms of section 11-1A is not obtained, this would be a breach of condition
Emma Ali Mohammadi:
:two which deals with processing limitation.
Emma Ali Mohammadi:
:And so this breach would accordingly fall under section 99.
Andrea Hinkelmann:
:Section 22 of Poppy deals with responsible parties, obligation to notify data, subjects
Andrea Hinkelmann:
:of security compromises, and may also result in civil action to be taken against the
Andrea Hinkelmann:
:responsible party.
Andrea Hinkelmann:
:Now thus, for example, would be non-compliance with the section and may
Andrea Hinkelmann:
:include instances where an unauthorised person accesses or acquires the personal
Andrea Hinkelmann:
:information of a data subject and the responsible party fails to notify the data
Andrea Hinkelmann:
:subject and the information regulator accordingly.
Emma Ali Mohammadi:
:You mentioned that a data subject can sue a responsible party, even in instances where
Emma Ali Mohammadi:
:the responsible party has been negligent.
Emma Ali Mohammadi:
:I find this really interesting.
Andrea Hinkelmann:
:This is a really strict form of liability.
Emma Ali Mohammadi:
:Are there any defences that can be raised by the responsible party in defending this type
Emma Ali Mohammadi:
:of action?
Andrea Hinkelmann:
:Yes, there are few defences and these are recorded in terms of section 99, subsection
Andrea Hinkelmann:
:two of the Act. They also include majors, acts of God, consent of a data subject, a
Andrea Hinkelmann:
:fault on the part of the plaintiff, compliance where it was not reasonably
Andrea Hinkelmann:
:practicable in the circumstances of that particular case, or in instances where the
Andrea Hinkelmann:
:regulator has granted an exemption in terms of Section 37 of the Act.
Emma Ali Mohammadi:
:You mentioned earlier that civil action can be instituted by the regulator on behalf of
Emma Ali Mohammadi:
:the data subject.
Emma Ali Mohammadi:
:It's my understanding that this would naturally be the more preferable option given
Emma Ali Mohammadi:
:the high cost of litigation.
Andrea Hinkelmann:
:Absolutely. And although we can take guidance from foreign jurisprudence, we're more likely
Andrea Hinkelmann:
:to see the institution of class actions in South Africa, especially in instances of a
Andrea Hinkelmann:
:wide scale data breach.
Andrea Hinkelmann:
:For example, Canada is one of the countries that has seen a growing number of class
Andrea Hinkelmann:
:actions in courts and have adopted the approach of a round table discussion as
Andrea Hinkelmann:
:opposed to costly and lengthy litigation.
Emma Ali Mohammadi:
:What happens if the data subject is successful in bringing the civil action
Emma Ali Mohammadi:
:against the responsible party?
Andrea Hinkelmann:
:So Section 99, Subsection three of the Act regulates this in terms of which a court may
Andrea Hinkelmann:
:award an amount that is just and equitable, and this amount may include the payment of
Andrea Hinkelmann:
:damages as compensation for patrimonial and non-patrimonial loss suffered by data
Andrea Hinkelmann:
:subject. And this would be as a result of the breach of the provisions in terms of this
Andrea Hinkelmann:
:Act. An example of a ruling on compensation was recently handed down in the High Court in
Andrea Hinkelmann:
:London, where judgement in terms of a data protection case was linked to President
Andrea Hinkelmann:
:Trump's involvement in Russia and the so-called Russia Dossier, or Steele Report in
Andrea Hinkelmann:
:the case of Avon Fridman and Khan versus Orbis Business Intelligence, the High Court
Andrea Hinkelmann:
:awarded £18,000 to two individuals of Russian or Ukrainian origin as compensation
Andrea Hinkelmann:
:for breaches of data protection law, and this was for the distress caused to them by
Andrea Hinkelmann:
:the processing of inaccurate data about them.
Emma Ali Mohammadi:
:In another case, TLT versus Secretary of State for the Home Department and Home
Emma Ali Mohammadi:
:Office. It's a 2016 judgement.
Emma Ali Mohammadi:
:The Home Office wrongly published personal information or details of around 1,600
Emma Ali Mohammadi:
:applicants for asylum or leave to remain.
Emma Ali Mohammadi:
:The claimants claim for misuse of private information and breach of the DPA, which is
Emma Ali Mohammadi:
:somewhat similar to our Poppy Act for causing them distress.
Emma Ali Mohammadi:
:The court in this instance found it appropriate to cross refer to compensation
Emma Ali Mohammadi:
:for psychological injury in circumstances where the claimants were put in shock and
Emma Ali Mohammadi:
:fear as a result of the disclosure of their personal data.
Emma Ali Mohammadi:
:So in comparison to the case that you mentioned a moment ago here, the court
Emma Ali Mohammadi:
:awarded the claimants awards of between £2,500 to £12,500.
Andrea Hinkelmann:
:That's quite interesting, Emma.
Andrea Hinkelmann:
:So how would you then go about mitigating the quantum of damages?
Emma Ali Mohammadi:
:It's really important that the responsible party is able to prove that they have taken
Emma Ali Mohammadi:
:adequate technical and reasonable security measures to have prevented the breach.
Emma Ali Mohammadi:
:So this is where an organizations prepare policies, risk assessments, compliance
Emma Ali Mohammadi:
:frameworks and the like will become very important.
Emma Ali Mohammadi:
:In conclusion, our Dispute Resolution and Litigation practice is fully equipped and and
Emma Ali Mohammadi:
:skilled to deal with this type of litigation.
Emma Ali Mohammadi:
:The Fasken team has extensive experience in navigating Papaya compliance for
Emma Ali Mohammadi:
:organizations across industries, litigating in courts and aiding clients in navigating
Emma Ali Mohammadi:
:crisis, especially when a difficult or important decision must be made.
Emma Ali Mohammadi:
:I am Emma Ali Mohammadi.
Andrea Hinkelmann:
:I'm Andrea Sheinkman.
Emma Ali Mohammadi:
:Thank you for listening to Fasken Perspectives.
