The Great Privacy Bake-off
Whisk, bake at 180°C for 20 minutes and hey presto, you get a traditional matzo pudding which recognises the threats, understands the need for security, embraces constitutional rights, hates any breach of privacy, any manipulation of people and in all of that struggles to find a compromise position. The cherry on the top is that you were almost certainly directed to this article by some form of targeted marketing, based on the harvesting of your personal information and internet behaviour.
If you now have indigestion, chew on this legislative antacid but beware its side effects. The Protection of Personal Information Act 4 of 2013 (POPIA) gives effect to the right to privacy by safeguarding personal information when processed by a responsible party. To monitor and enforce compliance with POPIA and information laws generally, POPIA creates the Information Regulator, who issues binding codes of conduct for the lawful processing of personal information. These codes must regulate the use of personal information in specific sectors and, as a first step in the process, the Information Regulator has published proposed Guidelines on Drafting Codes of Conduct.
Unfortunately, the complaints process in the Guidelines, focussed on alternative dispute resolution (ADR), can cause mild schizophrenia when read with the regulations to POPIA, which require complaints to be adjudicated by the Information Regulator who can levy administrative fines for breaches of POPIA. The Guidelines by contrast prescribe a mandatory ADR process, with no power to levy fines, where the complaint “must first be raised with the party that you believe has compromised your personal information. This party must be afforded the opportunity to respond to the complaint”. Then an independent adjudicator must be assigned to address the complaint. If either party is aggrieved by the outcome, that party must refer the matter to “a certified alternate dispute resolution entity that is competent to handle the complaint”. The guidelines provide for different types of ADR, such as mediation/conciliation leading to arbitration or, coming full circle, that the Information Regulator itself determines the dispute. It isn’t clear if the Information Regulator can participate in the ADR proceedings or whether it has some type of appellate jurisdiction over decisions from ADR proceedings. Before the Guidelines were published for comment we had POPIA and the Information Regulator. After the Guidelines, the answer is not so clear anymore. But these are draft Guidelines and hopefully in final form, there will be more clarity.
Ultimately though, there is still a balance to be found. The Constitution, POPIA and other means of protecting personal information will always be juxtaposed with national and international security, clever computing and the massive power of greed.
Suggest you find a way to enjoy that matzo pudding as you’re going to be chewing on it for generations to come.
The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us at cliffedekkerhofmeyr@cdhlegal.com.