Wednesday, 20 June 2018

Civil and criminal liability for comments posted on social media

South African model and television presenter Shashi Naidoo has come under fire for comments made on Instagram.  Naidoo referred to Gaza as a “sh%$ hole”.  The posts were swiftly deleted, and Naidoo has apologised.

Although every person has the right to freedom of expression, this right is weighed up and measured against other competing rights – such as the right to dignity and the right to privacy.  Free speech is certainly not absolute.

A person may be both criminally and civilly liable for posts made on social media.  From a criminal perspective, in terms of crimen injuria, to be found guilty, a court must be satisfied beyond reasonable doubt that the perpetrator intentionally and unlawfully seriously impaired the dignity of another.   

Further, the offence of criminal defamation, although criticised as chilling free speech, still operates in South Africa.  In the 2008 matter of Hoho v The State, a bench of five judges on the Supreme Court of Appeal (SCA) was asked to consider the relevance of criminal defamation.  Ultimately, after weighing up freedom of expression versus human dignity, the SCA decided that criminal defamation has not been abrogated by disuse and is still relevant. More recently, in Motsepe v S, the North Gauteng High Court in Pretoria confirmed that in its view, the “crime of defamation is not inconsistent with the constitution” and that “even though the defamation crime undoubtedly limits the right to freedom of expression, such limitation is reasonable and justified in an open and democratic society and consistent with the criteria laid down in Section 36 of the Constitution”.

From a civil perspective, in order to have a valid cause of action, a plaintiff must show that the defendant, (a) published, (b) defamatory matter, (c) referring to the plaintiff.  Once the plaintiff has proved the existence of these elements, three presumptions arise.  Firstly, that the publication was unlawful.  Secondly, fault or intention on the part of the plaintiff, and thirdly that the plaintiff suffered damage.  
In the ordinary course, a defendant in a defamation case has several defences open to it.  These are truth for the public benefit (published material must be true and in the publics’ interest to receive this material), fair comment (i.e.: editorial comment or a satirical piece) and privilege (i.e.: where there is a 
moral or social duty to publish the defamatory matter, and the recipient has a similar interest or duty in receiving it). 

In Naidoo’s case, it is unlikely any person will have a civil defamation claim against her given that the posts referred to a place in a derogatory fashion, and not a particular person. Moreover, from a criminal perspective, criminal defamation will not apply because it is unlikely any person's reputation will be impaired enough to satisfy the requirements for this offence. In terms of crimen injuria, the offence is typically in relation to the impairment of a particular person’s dignity in a serious way – for example, a racist outburst directed at a person (i.e.: Penny Sparrow).  In my view, even though the post is ill-conceived, it is unlikely to cause the serious impairment of dignity required to an individual (or group of persons) for this offence.

Often, the excuse is used “I didn’t post the offensive material”, or “my Instagram account was hacked” or something similar.  This is akin, at times, to a person saying to his high school science teacher – “the dog ate my homework”.  Unless there is evidence to support this type of defence, it will usually fail.

Consequently, in my view, it is unlikely that Naidoo’s social media post will result in anything more than negative publicity (or is all publicity good publicity?) – however, and hypothetically, if the matter went to court and the defence was that “someone else posted it”, then evidence must support that contention. The onus will be on the person alleging the defence to show it is reasonably possible.  If a "someone else did it" version is accepted, the person who is responsible for the social media account will likely be able to wriggle free of criminal action (lacking the required intention), but may not escape all action, as negligent publication of defamatory material may still result in civil action.

Thursday, 24 May 2018

General Data Protection Regulation (GDPR) and POPIA

In case you have been under a rock, or out since the 90’s, after years of preparation and debate, the General Data Protection Regulation(GDPR), which was passed by the EU Parliament in April 2016, comes into full force and effect from 25 May 2018.

What does this mean for South African businesses? Short answer: the GDPR is only relevantif a business processes the personal information of an EU resident.  

Does a South African business that is compliant with the Protection of Personal Information Act (POPIA) need to do anything different to comply with the GDPR?  Yes – but potentially not too much.  As others have noted, POPIA and GDPR are different shades of the same colour – in basic terms, they both attempt to achieve the same thing.

Key with POPIA and GDPR is on-going compliance and having privacy as a core concern.  Compliance is not a once off exercise or a static target and will be an on-going process.

As with all forms of data protection laws, POPIA and the GDPR require opt-inconsent: an expression of will to indicate that the person agrees with his/her data being processed.  In the past, businesses relied on an “opt-out” (tell us to stop if it annoys you, but we will use your information as we please) – this is no longer the case, although communication should still include some form of opt-out mechanism, even after express consent. Further, it must be clear why data is being collected; how it is being collected; why it is being processed; how long it is retained; and finally, if and how it is being shared with other parties.  

In any business – from small to listed entity – documented policies must exist setting out how personal information is collected, processed and used.  This is not rocket science.  But it takes some preparation, thought and plenty administration… 

Monday, 23 April 2018

Protection of Personal Information Act (POPIA) for Small Businesses

I often get asked: does POPIA apply to my small business?  The answer is definitely yes. POPIA gives effect to section 14 of the Constitution, which provides that everyonehas the right to privacy – the right to privacy includes a right to protection against the unlawful use of personal information. 

POPIA sets out data protection principles and provides guidelines on how to deal with personal information.  It follows international trends and puts South African on par with global best-practice in so far as data protection is concerned.  An Information Regulator has already been established, and this body will have the ability to impose significant fines and investigate non-compliance.  Although the Act was signed into law in 2013, it only commenced partial operation in 2014, and has yet to commence full operation: we expect this will happen during 2018, and once the POPIA is fully operative, all businesses will have one year to comply – or face severe sanctions.

Does your business collect, store or process any personal information? Personal information is any data relating to an identifiable living or juristic personand includes: contact details, demographic information, personal history, product preferences, or any other information that can be used to identify a person.   

It is highly likely most small to medium businesses will answer “yes” – in that most – if not all – businesses process some personal information. POPIA requires you to ensure data is processed in accordance with eight ‘conditions’: the conditions oblige you to only collect information with a specific purpose; store it safely; ensure the information is relevant and accurate; only collect what is required; and allow the “subject” to inspect any information you hold.

Importantly, personal information can only be collected if the person has “opted-in”. In other words, the person must specifically agree to the information being collected (subject to an exception dealing with existing clients).

How can you comply with POPIA?  Ensure you have a brief, written policy outlining how you process personal information. Think carefully about how your business uses data, and why – is the use of personal information necessary?  If so, document it carefully and ensure you are familiar with POPIA.