As everyone knows by now, the Protection of Personal Information Act came into effect on 1 July 2021, although a few minor aspects were postponed including mandatory registration of Information Officers (IOs) on the Information Regulator’s website due to technical issues experienced by that website. However, bar the shouting, the law is now in effect and we are all subject to it. EFSA has produced a number of “Fireside Chats”, moderated by Warrick Kernes, with Rieka van Wyk (Chair of the EFSA Legal Committee) and Thomas Reisenberger (of Legalese) as the two legal experts. These Fireside chats are on our website (www.ecomafrica.org). We will be continuing with that format but will also be holding some face-to-face seminars once the present COVID levels decrease (hopefully in September).
As a privacy expert with a few years under my belt (I started studying data protection regulation way back in 1989!!), I have been surprised by the flurry of privacy notices I have received over the last week or so. Here’s been a real panic from business, some of it quite unwarranted and frankly due to the very low level of legal understanding of the law. Probably it is good that even those who do not need to ask permission (opt in) are doing so, but I can’t help wondering what would happen if people either refuse permission or don’t respond to some of these unnecessary requests for opt in? As an example, the insurance company that covers our house and contents asked my permission for continuing to process my data – completely unnecessary as that processing is covered by a contract. But suppose I refused or just ignored the request?
For ecommerce, as you, dear readers, know, data collected in the process of an online sale does NOT require a specific opt in to be used to sell similar products (Section 69 of POPIA). Although at all times the opt out must be offered. This means that if a consumer (or business) approaches you and completes their details online, even if the sale falls through at the check-out, you can use that data to approach the consumer/business to sell similar products without the need for informed consent. This is called the soft opt in and is a very precious right given to ecommerce. Don’t abuse it, but do use it.
We are fortunate that the POPIA is pretty clear (lawyers are advised to read the whole law and use their common sense to interpret it holistically), and is placed firmly as a human right (as guaranteed by the great South African Constitution). Not all privacy law is independent of the government of the day – the Nigerian regulator, for example, is a branch of the Nigerian political powers which makes it subject to undue inference. You will also have seen that the DIDI Rider app has been closed down in China using the Chinese data privacy law. DIDI is, of course, being punished by the Chinese authorities for daring to do an IPO on the New York Stock Exchange, rather than launching itself on the Chinese equivalent. Furious NY stock brokers are now suing DIDI for failing to warn them that the company hadn’t cleared their plans with the Chinese authorities. Just an example of how data privacy law can be abused by political interests if the regulator is not independent. In SA we need to resist any attempts to take the Information Regulator’s independence away – as was proposed in the recent Department of Communications and Digital Technologies’ Draft National Policy on Cloud and Data.
Become a member
Join the Ecommerce Forum South Africa and benefit from industry insights in South Africa and Africa.
Sign up to newsletter
Sign up to our newsletter and stay informed of the progress we are making at the Ecommerce Forum South Africa with government during Coronavirus.