Legislation and regulations prior to the arrival of the Protection of Personal Information Act (POPIA) in 2013 required organisations undertaking electronic direct marketing in South Africa to provide the opportunity for recipients to unsubscribe from further communications (commonly referred to as opt-out). According to the Internet Service Providers Association (ISPA), an authoritative industry source, “this was true under section 45 of the Electronic Communications and Transactions Act (ECTA, #25 of 2002), but this will be repealed by section 69 of the POPIA once it is in force [expected to start with a transition period that comes into effect late in 2017 or early 2018].” Section 11 of the Consumer Protection Act (CPA, #68 of 2008) follows in the footsteps of the ECTA by providing that you may refuse to accept, request the discontinuation of (opt-out) or pre-emptively block direct marketing communications, that any opt-out or pre-emptive block must be respected by marketers and have its receipt confirmed in writing, and that the exercise of these rights must be free of charge.
POPI Act definitions
POPIA defines direct marketing as approaching a data subject (which could be an individual or organisation) either in person or by mail or electronic communications, for the purpose of promoting or offering to supply goods or services to the data subject, or asking them to make a donation. Electronic communication covers a wide variety of methods, including text, voice, sound and image over an electronic network. So this covers use of all the popular methods used today and probably some we are not yet familiar with.
Records of consent and withdrawal of consent for electronic direct marketing
Section 11 of POPIA makes it clear that the Responsible Party (the body doing the direct marketing) must keep adequate records to prove informed consent has been voluntarily given. Records should also be maintained where consent has been denied or is later withdrawn. Consent may be obtained via verbal or written means. The interpretation of voluntary consent in other countries suggests poor practice is to pre-tick or pre-select opt-in choices. Rather the data subject should be presented with an open option to provide consent (e.g. an empty, not pre-ticked, box).
“Section 69 of the POPIA [Direct marketing by means of unsolicited electronic communications] places significant limitations on the circumstances in which a party may engage in direct marketing by means of unsolicited communications by requiring individuals to have either consented to the use of their personal information (opt-in) or for there to be an existing relationship between the parties. An existing relationship between the parties is itself subject to additional limitations and does not result in a freedom to make repeated advances,” says ISPA (for more on ISPA, visit www.ispa.org.za).
A request for consent may only be submitted to the data subject once (section 69(2)(a)(ii)). However, it is not clear whether this “one time opportunity” applies where the data subject moves to a new or different organisation and therefore could be deemed to have a different set of marketing needs. If this is interpreted as one-time-ever, then a unique identifier would be required to ensure compliance. It is not sufficient to ask for general consent for marketing. Section 13 requires that “personal information must be collected for a specific, explicitly defined and lawful purpose”.
Section 11(3)(b) of POPIA makes it clear that a data subject may object to any form of direct marketing, not necessarily electronic; section 11(4) clearly states once the data subject (which may be an organisation or juristic entity to use the legal term) has objected, the Responsible Party may no longer process the personal information, by implication for direct marketing, whilst by implication processing may continue for other specific purposes.
Records of consent and withdrawal of consent for non-electronic direct marketing
The rules for opt-out seem to be common and clearly stipulated, whether for electronic or traditional mail. When it comes to consent traditional mail does not merit a specific mention under opt-in. By default permission (consent) should be obtained at the first contact, which may be a first mailer. It is tricky to see how the refusal of consent can be achieved at no cost to the data subject. There also appears to be no limit to the number of mailers that can be sent before consent is denied as the “only once” clause only applies to electronic communication. In summary, some careful wording of your invitation to give consent or withdraw consent would appear to allow an unlimited number of postal mailers to be sent so long as no objection is received.
Role of the Direct Marketing Association South Africa (DMASA)
For any organisation that is engaged in direct marketing activities in South Africa it is recommended that consideration is given to adhering to the DMASA Code of Ethics and Standards of Practice. The DMASA is also known to be developing a Code of Conduct under the POPIA. The DMASA also manages the National Opt Out Database. Registering on this database will mean that individuals will not be contacted by members of the DMASA.
We are in the early days of understanding the full implications of the impact of the POPIA on direct marketing activities by whatever means. Organisations that take action now to review their policies and procedures will give themselves a competitive advantage by being better prepared to anticipate how to better address the rights of their key stakeholders, such as future and current customers, and demonstrate both legal compliance and good governance, all of which will lead to enhancement of their reputation in the marketplace.
* This article does not constitute legal advice but is based on a practical interpretation of the requirements of the POPI Act.
By Dr Peter Tobin
Several local and international banks have been slapped with administrative fines by the South African Reserve Bank, for weak anti-money laundering and combating of financing terrorism controls.
The banks include Investec, Absa, Standard Chartered, as well as Habib Overseas Bank.
Overall, banks were fined a total of R46.5-million.
Absa was fined R10-million for weaknesses related to their transaction monitoring. Investec received the largest fine of R20-million. This was due to their failure to implement adequate processes to screen the related parties of customers.
Meanwhile, Habib bank was fined R1-million for “inadequate controls and working methods pertaining to the reporting of suspicious and unusual transactions”, the Reserve Bank said in its banking supervision report released on Friday.
The decision to impose the penalties was not a result of evidence that any of the banks had facilitated illegal activity, the SARB said, but rather because of the weakness of their control measures.
These banks have been issued with a directive to take remedial action.
Habib Overseas Bank was the target of a fraught acquisition bid by a company with links to Gupta family associate Salim Essa.
In March, Vardospan went to court to try and force the Reserve Bank, the registrar of banks and the finance minister to clear its purchase of Habib.
Vardospan accused the regulators and treasury of dragging their feet in authorising the purchase.
The Mail & Guardian has previously reported how Vardospan concluded a share purchase deal to become the majority shareholder in Habib Bank in August last year.
The deal came shortly after the country’s four major banks closed the accounts of the Gupta family and their related companies.
Vardospan is owned by CINQ Holdings and Pearl Capital Holdings. Vardospan director Hamza Farooqui owns 100% of the shares in Pearl Capital, which has a 33.33% stake in Vardospan. Essa owns 100% of CINQ, which holds the other 66.67% in Vardospan.
The court struck down Vardospan’s attempts to force the authorities’ hand. Incidentally, the court’s decision came hours after President Jacob Zuma axed former finance minister Pravin Gordhan in a major Cabinet reshuffle late on March 30.
The decision on the application now rests with new finance minister Malusi Gigaba.
By Lynley Donnelly for www.mg.co.za
Employers constantly complain that labour law does not allow them to fire employees for breaking the rules. However, employers need to understand that:
• Labour law definitely does allow employers to dismiss employees.
• The CCMA has frequently upheld the dismissal of employees fired for misconduct. We have been directly involved in a great many cases where employees have been fired and, after appealing to the CCMA, have remained fired.
• It is not the firing of employees that the law has a problem with. Instead, it is unfair dismissals that result in the employer being forced to reinstate the employee and/or being forced to pay the employee exorbitant amounts of money in compensation.
• In order to be free to fire employees who deserve dismissal employers need to understand and accept the difference between fair and unfair dismissal. This is because, if the employer has an employee who is causing mayhem or is costing the employer money or is otherwise undesirable, the employer cannot afford for the employee to be reinstated. The reason for this is that it is exceptionally difficult later to dismiss or discipline an employee who has been reinstated by the CCMA or other tribunal.
So while the law does allow dismissals it also requires the employer to be able to prove that the dismissal was both procedurally and substantively fair.
“Procedurally fair” relates to whether the employee was given a fair hearing.
Whether a dismissal is “substantively fair” relates to the fairness of the dismissal decision itself rather than to the disciplinary procedures. Specifically the employer would have to show that:
• The employee really did break the rule
• The rule was a fair one
• The penalty of dismissal was a fitting one in the light of the severity of the offence. AND
• The employee knew or should have known the rule.
Properly trained CCMA arbitrators consider all the above factors together with the circumstances of each individual case in deciding if a dismissal was fair and whether the employee should stay dismissed or should be reinstated.
In the case of Mundell vs Caledon Casino, Hotel and Spa (Sunday Times 15 May 2005) the employee was dismissed for two reasons. Viz:
• She distributed a R15000 tip amongst her colleagues
• She allowed a colleague to take home five cans of cool drink
It was reported that:
• The rule requiring employees to hand in tips to management to go into a monthly kitty had not been given to Mundell
• Mundell had no way of knowing that she was not allowed to distribute the tip money herself
• The tip had been given by the client at an open gathering
• A number of managers were involved in sharing out the tip
• The cool drinks had been intended by the client for consumption by the staff
• Giving the cool drinks to the employee was not serious enough to merit dismissal
• The employer’s failure to prove that the employee knew of this rule rendered the dismissal unfair
• The employer was required to pay the employee six months remuneration in compensation.
The outcome of this case proves that the inability of employers to make dismissals stick is not primarily because of the law but rather because of the lack of labour law expertise of many employers.
By Ivan Israelstam, Chief Executive of Labour Law Management Consulting
The Deputy Minister of Justice and Constitutional Development, John Jeffery, said the country’s new Cybercrimes and Cybersecurity Bill will be tabled in Parliament soon.
The Bill has already been approved by Cabinet.
“The Bill aims to put in place a coherent and integrated cybersecurity statutory framework to address various shortcomings which exist in dealing with cybercrime and cybersecurity in the country,” stated the SA Government website.
The purpose of the Cybercrimes and Cybersecurity Bill is to:
- Create offences and prescribe penalties;
- Further regulate jurisdiction;
- Further regulate the powers to investigate, search and gain access to or seize items;
- Further regulate aspects of international cooperation in respect of the investigation of cybercrime;
- Provide for the establishment of a 24/7 point of contact;
- Provide for the establishment of various structures to deal with cybersecurity;
- Regulate the identification and declaration of National Critical Information Infrastructures and provide for measures to protect National Critical Information Infrastructures;
- Further regulate aspects relating to evidence;
- Impose obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
- Provide that the President may enter into agreements with foreign States to promote cybersecurity; and
- Repeal and amend certain laws.
How it will affect you
Michalsons law firm has published an overview of the Cybercrimes and Cybersecurity Bill, explaining why we need it and who will be affected by it. The bill is aimed at keeping South Africans safe from cybercrime and consolidates the country’s cybercrime laws into one place.
People who will be affected by the new bill include “everyone who uses a computer or the Internet”, along with:
- People involved with IT or POPI compliance;
- Electronic Communications Service Providers;
- Providers of software or hardware tools that could be used to commit offences;
- Financial services providers;
- Owners of copyrights and pirates;
- Information Security experts; and
- Anyone who owns an Information Infrastructure that Government could declare as critical.
What the bill deals with
The bill creates around 50 new offences, which are related to data, messages, computers, and networks, said Michalsons.
These offences include:
- Using personal information or financial information to commit an offence;
- Unlawful interception of data;
- Computer-related forgery and uttering; and
- Extortion or terrorist activity.
The penalties for these offences range from 1-10 years in prison or up to a R10-million fine.
The bill also aims to protect critical infrastructure of a strategic nature from interference and disruption.
This infrastructure includes that which aids in keeping the country’s security, defence, and law enforcement operational; and provides essential services.
Powers to investigate
“The Cybercrimes and Cybersecurity Bill gives the South African Police and the State Security Agency extensive powers to investigate, search, access, and seize just about anything – like a computer, database, or network,” said Michalsons.
As part of the requirements of the bill, the Minister of Police must establish a National Cybercrime Centre and a Cyber Response Committee, of which the chairperson will be the Director-General: State Security.
The Minister of Defence must also establish and operate a Cyber Command, while the Minister of Telecommunications and Postal Services must establish a Cyber Security Hub.
The functions of the Information Regulator include:
- to provide education about the Protection of Personal Information Act, for example, giving advice to data subjects in the exercise of their rights;
- to monitor and enforce compliance with POPI;
- to consult with interested parties;
- to handle complaints;
- to conduct research and to report to Parliament;
- to issue codes of conduct and make guidelines to assist bodies to develop codes of conduct; and
- to facilitate cross-border cooperation in the enforcement of privacy laws.
The Information Regulator will have the power to conduct investigations, order publicity of data breaches, and issue administrative fines of up to R10-million.
Regulations must be promulgated under POPI, for example, including regulations setting out the cost of making a subject access request and the prescribed standards for codes of conduct.
The announcement of a commencement date. Organisations will not be liable for fines or non-compliance for a period of 12 months from the commencement date.
If you haven’t started yet, now is the time for organisations to start or ramp up their POPI implementation efforts. Our virtual privacy lawyer, POPI Counsel, can assist with your privacy law questions and provide practical guidance through your implementation process. POPI Counsel produces legal opinions for you on demand, anytime and anywhere. Contact us for more information.
The chairperson, Pansy Tlakula, full-time members, Lebogang Stroom and Johannes Weapond, and part-time members, Tana Pistorius and Sizwe Snail, have been appointed to the Information Regulator with effect from 1 December 2016 and will serve for a period of five years.
By Nerushka Bowan for www.financialinstitutionslegalsnapshot.com