Thursday, 24 May 2018

General Data Protection Regulation (GDPR) and POPIA

In case you have been under a rock, or out since the 90’s, after years of preparation and debate, the General Data Protection Regulation(GDPR), which was passed by the EU Parliament in April 2016, comes into full force and effect from 25 May 2018.

What does this mean for South African businesses? Short answer: the GDPR is only relevantif a business processes the personal information of an EU resident.  

Does a South African business that is compliant with the Protection of Personal Information Act (POPIA) need to do anything different to comply with the GDPR?  Yes – but potentially not too much.  As others have noted, POPIA and GDPR are different shades of the same colour – in basic terms, they both attempt to achieve the same thing.

Key with POPIA and GDPR is on-going compliance and having privacy as a core concern.  Compliance is not a once off exercise or a static target and will be an on-going process.

As with all forms of data protection laws, POPIA and the GDPR require opt-inconsent: an expression of will to indicate that the person agrees with his/her data being processed.  In the past, businesses relied on an “opt-out” (tell us to stop if it annoys you, but we will use your information as we please) – this is no longer the case, although communication should still include some form of opt-out mechanism, even after express consent. Further, it must be clear why data is being collected; how it is being collected; why it is being processed; how long it is retained; and finally, if and how it is being shared with other parties.  

In any business – from small to listed entity – documented policies must exist setting out how personal information is collected, processed and used.  This is not rocket science.  But it takes some preparation, thought and plenty administration… 

Monday, 23 April 2018

Protection of Personal Information Act (POPIA) for Small Businesses

I often get asked: does POPIA apply to my small business?  The answer is definitely yes. POPIA gives effect to section 14 of the Constitution, which provides that everyonehas the right to privacy – the right to privacy includes a right to protection against the unlawful use of personal information. 

POPIA sets out data protection principles and provides guidelines on how to deal with personal information.  It follows international trends and puts South African on par with global best-practice in so far as data protection is concerned.  An Information Regulator has already been established, and this body will have the ability to impose significant fines and investigate non-compliance.  Although the Act was signed into law in 2013, it only commenced partial operation in 2014, and has yet to commence full operation: we expect this will happen during 2018, and once the POPIA is fully operative, all businesses will have one year to comply – or face severe sanctions.

Does your business collect, store or process any personal information? Personal information is any data relating to an identifiable living or juristic personand includes: contact details, demographic information, personal history, product preferences, or any other information that can be used to identify a person.   

It is highly likely most small to medium businesses will answer “yes” – in that most – if not all – businesses process some personal information. POPIA requires you to ensure data is processed in accordance with eight ‘conditions’: the conditions oblige you to only collect information with a specific purpose; store it safely; ensure the information is relevant and accurate; only collect what is required; and allow the “subject” to inspect any information you hold.

Importantly, personal information can only be collected if the person has “opted-in”. In other words, the person must specifically agree to the information being collected (subject to an exception dealing with existing clients).

How can you comply with POPIA?  Ensure you have a brief, written policy outlining how you process personal information. Think carefully about how your business uses data, and why – is the use of personal information necessary?  If so, document it carefully and ensure you are familiar with POPIA.  

Monday, 20 November 2017

No Monkey Business – who owns a selfie taken by an animal?

No Monkey Business – who owns a selfie taken by an animal?

Naruto – a Macaque in Indonesia.  The animal took this selfie with a photographer’s camera.  David Slater via Wikimedia Commons

Many of us see animals – and particularly domestic pets – as more than just “things”.  However, in South African law, an animal is regarded as an object – akin to a mobile phone or motor vehicle.  A person cannot murder an animal, regardless of how cruel or despicable their conduct; and while this issue is certainly a conversation we should be having as an advanced, modern society, it is certain, sadly, that animals enjoy very little legal protection and little in the way of legal rights.

Moreover, in terms of the Copyright Act 1978, copyright ownership is conferred on works of which the author is a person – either a natural person or a juristic person (like a company).  Consequently, in terms of our law as it stands, it would seem that animals cannot own the copyright to any images taken (whether taken intentionally – via training even, or by accident).

This is the backdrop to the interesting story involving Naruto, an Indonesian monkey.  In 2011, photographer David Slater travelled to Indonesia to document a troop of crested black macaques.  A six-year-old male took a series of selfies with Slater’s camera – this was the start of a complicated (and no doubt costly) legal fight to determine ownership of copyright.
In about 2014, Wikipedia and Techdirt were asked by the photographer to take the photo down – both refused, essentially claiming the photo did not have any copyright as a non-human took the photo.   Subsequently, in 2015, the People for the Ethical Treatment of Animals (PETA) filed a suit against Slater claiming that the monkey was the correct owner.

Ultimately, the parties reached settlement in September 2017 – Slater has agreed to donate 25% of any future income from the photo to charities dedicated to protecting crested macaques in Indonesia.  Further, the parties (PETA and Slater) asked the 9th US circuit court of appeals to dismiss the case and throw out a lower court decision that said animals cannot own copyrights.

Some feel that this settlement is nonsensical – the law is clear in the United States (via B Wassom): “Copyrights are owned by human creators. And since this photo resulted from an entirely non-human process, it belongs in the public domain.”