The Protection of Personal Information (POPI) Bill is at serious risk of being watered down to such an extent that it is rendered ineffective and meaningless when it comes to preventing consumers from receiving email and SMS spam.
The Bill, which has been under discussion since 2009, sets out to establish the minimum requirements for the lawful processing of personal information, i.e. how it is captured, processed and stored by organisations, and gives citizens legal recourse should their personal information be abused.
Key to the efficiency of the POPI Bill is that it is established on a customer opting in to receive direct marketing communications from companies, rather than opting out of communications, as is currently the law under the ECT Act and the Consumer Protection Act. Unfortunately, careful study of the latest draft of the Bill and a comparison with the equivalent 1995 European Union (EU) Data Protection Directive shows that the implementation of the opt-in principle in the POPI Bill is not nearly as strong as it needs to be. The EU Directive is clearly the basis for the South African Bill, with word-for-word copy-and-paste similarities, so any differences between the two documents are extremely revealing about the intentions behind POPI.
I am specifically concerned with the wording of section 10(1) in the 2011 draft POPI Bill and sub-section 10(1)(f) in particular. This section details the circumstances under which personal information may be processed. In the POPI Bill it reads as follows:
"Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied."
The equivalent sub-section (f) of the 1995 EU Directive provides that personal data may only be processed if:
"Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1."
Section 10(1)(f) of the POPI Bill has quite clearly been materially copied from the EU Directive, but with a significant omission. The EU law balances the legitimate interests of an organisation with the fundamental rights of the individual — in this case Article 1 refers to their right to privacy with respect to the processing of personal information. The South African draft does not balance the rights of the company with individual rights.
This is problematic as it sets a far lower barrier for companies capturing personal information. It is likely that direct marketers will regard the collection of consumer data as a legitimate business interest, especially since section 66(2) gives them the right to contact any consumer at least once. This potentially opens the door for companies to scrape the internet for any personal details — irrespective of the reason the details were published by the individual in the first place. So, the classified advert you placed to sell your car that included a cell number and email address could result in your details being added to a direct marketing list.
In 2009, the South African Law Commission produced an 860-page report on the draft Bill in which it states that it should be considered illegal to collect personal information from the internet without the individual knowing. Unfortunately, if the revised 2011 wording of the Bill stands, those original intentions are now going to be of little value when the Bill becomes law.
This is especially alarming when one looks at another dilution of the POPI Bill that I have mentioned above and highlighted previously. Possibly as a result of lobbying by direct marketers, an additional clause was added to the Bill that allows companies to approach non-clients via an unsolicited email or SMS, and ask them if they would like to receive future marketing communications, thus building an opted-in database.
This is concerning because it raises the question of where the company got the contact details in the first place. Also, it would be very easy to include a marketing message in the initial communication. Finally, what is to stop a company changing its identity and simply sending the message again in another guise? If the customer gives consent in the first place, then the original wording of the Bill — before this addition was made — is enough to both protect consumers and allow business to continue with legitimate direct marketing to non-customers.
Around the world it is considered best practice to base direct marketing on robust opt-in principles. In my opinion the EU Directive hits the nail on the head, and both the UK and Australian Direct Marketing Associations’ guidelines support opt-in principles. Spam simply does not make sense. At best, your message will be ignored, but more than likely your business will be named and shamed publicly thanks to the rise of social media.
I’d urge those drafting the POPI Bill to revisit the Law Commission report, remind themselves of the original intentions of the Bill, and redraft the relevant sections accordingly. Businesses and consumers need to become aware of the implications of the latest changes to the Bill as it winds its way towards becoming law.