For Human Rights Day 2020, the IAB SA is shining a spotlight on the importance of the right to data privacy for our members and the industry more broadly.
This is a constitutional right, enshrined in the Constitution of the Republic of South Africa, 1996 (the Constitution), as well as through the common law and legislation, including the Protection of Personal Information Act 4 of 2013 (POPIA). The right to privacy is of fundamental importance – both as a self-standing right and as an enabler of the full range of fundamental rights.
As noted by the Constitutional Court, the right to privacy is central to identity, dignity, personal integrity and autonomy. In the current data-driven era, the importance of the right to data privacy has gained increasing recognition. This is given effect through comprehensive data protection frameworks, such as POPIA.
As explained by Privacy International:
“Every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal data. Even without your knowledge, data and information about you is being generated and captured by companies and agencies that you are likely to have never knowingly interacted with. The only way citizens and consumers can have confidence in both government and business is through strong data protection practices, with effective legislation to help minimise state and corporate surveillance and data exploitation.”
In South Africa, at present, the substantive provisions of POPIA are not yet in force, and the enforcement date remains unclear.
The IAB SA recognises the challenges that this poses to the industry and commends the proactive measures that have already been taken by various organisations to give effect to the data privacy rights of the persons with whom they engage.
POPIA provides that a data subject – this being the person to whom the personal information pertains – has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information.
Furthermore, subject to certain exceptions, data subjects are entitled to the following rights:
POPIA also deals specifically with the use of personal information for the purposes of direct marketing. As a general position, section 69(1) of POPIA provides that the processing of personal information for the purpose of direct marketing by means of any form of electronic communication – including automatic calling machines, SMSes or emails – is prohibited, unless the data subject has consented to such processing or is a customer of the responsible party.
In respect of direct marketing, data subjects have the right to object to the processing of their personal information for the purposes of direct marketing, as well as the right not to have their personal information processed for the purposes of direct marketing by means of unsolicited electronic communications.
While these requirements are subject to certain exceptions, it is important to pay close attention to these provisions, as a ‘business-as-usual’ approach can no longer be followed.
Privacy authorities are taking the issue of direct marketing seriously: for example, earlier this month, the Information Commissioner’s Office (ICO) in the United Kingdom issued a £500,000 fine to a Scottish company for its non-compliant practices regarding automated nuisance calls.
As explained by the ICO: “This company affected the lives of millions of people, causing them disruption, annoyance and distress. The volume of calls was immense and to add to people’s frustrations attempting to opt-out of those calls simply compounded their receipt of further calls.
The directors of CRDNN knowingly operated their business with a complete disregard for the law. They did all they could to evade detection, from changing and not updating address details to transferring their operation abroad and attempting to go into liquidation. That’s why their conduct called for the maximum fine possible under the law.
But through the cooperation of the public who brought their complaints to us, we were able to identify those responsible and take action against them.”
Realising data privacy
It is clear that privacy authorities and the public alike are demanding the safeguarding and realisation of data privacy rights.
While this may seem daunting, it also presents exciting opportunities for the industry.
As noted in a Google blog post: “We can do a better job of creating an ecosystem that works for everyone. Users should be able to access free, ad-supported content in full faith that their online privacy will be respected. Publishers should get fair compensation for their work. And marketers should be able to connect with people who are interested in what they have to offer.”
The post goes on to advise the following three-step approach:
This Human Rights Day, it should be remembered that data privacy is so much more than a compliance issue: it is a constitutional requirement; a public demand; and a business imperative.
Going forward, the IAB SA will be working with members of the industry to find effective and rights-based ways to give meaningful effect to the data privacy rights contained in POPIA.
We will be publishing guidance notes, holding workshops, and providing ad hoc assistance as may be needed. It should also be remembered that, in order to get this right, it cannot be the sole responsibility of one executive or department – it requires an organisational and industry shift in order to hold each other to account.
*Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.