The SA Privacy Law
Adv Pansy Tlakula, the Chair of the Information Regulator, issued a press statement announcing that the President is poised to implement the Protection of Personal Information Act (POPIA) on 1 April. Bits of POPIA have been implemented since the Act was signed by President Zuma in 2013, but the key elements of the law have not been applied, including the rules on marketing.
So what should ecommerce look out for? One of the key principles is transparency – the need to show what is being collected, how it is being stored, updated and used. This part of the law is already in place, but we should keep in mind that once the whole Act is applied the Regulator will have the ability to fine organisations that fail to apply the rules – for example, companies that have been hacked but did not inform the Regulator timeously.
A key part of marketing is the requirement to always offer an opt-out.
Ecommerce is considered to have the “opt-in” from its customers but must still always offer an opt-out. Other marketers, on the other hand, must get an opt-in before approaching consumers or companies (the Act treats individuals and companies the same) by electronic means (emails, etc.). Some commentators, unfortunately, fail to draw this very important distinction between data collected by ecommerce and data collected by other means.
Depending on demand, EFSA is planning some teach-ins on the POPIA. If you would be interested please let me know ([email protected]).
SA is one of 24 African countries with privacy regulations. In 2014 the AU agreed to the Malabo Convention on privacy and cybersecurity. Unfortunately few countries adopted that Convention – meaning that many national privacy laws differ, which will create non-tariff trade barriers unless regulators are careful.
Meanwhile, in the EU, Canada, Australia, and to a lesser degree the USA, last year was a landmark for online privacy in many ways, with a consensus emerging that consumers deserve protection from the companies that sell their online behaviour patterns for profit. The debate now is largely about how to regulate the major internet players that generate and sell personal data, and the adtech and data broker industry that buys the data, not whether regulation needs to happen. Amnesty International published a report in November 2019, which pointed out that democratic institutions were increasingly under attack by trolls and other forms of cyber users (known as “event nation-state-sponsored threat actors”) who want to influence politics and the democratic processes, and that international action was urgently required to prevent this. Amnesty pointed out that self-regulation by the major players was no longer plausible.