Friday, 7 September 2018

Human Trafficking & Social Media Safety

Over the past few weeks, a series of child abductions, kidnapping attempts, and missing children cases have dominated the South African media. Human trafficking has suddenly become a hot topic of conversation, and a very real concern.
Several fake WhatsApp messages, voice notes, hoax calls to SAPS, and numerous social media posts are causing mass hysteria.
A recent voice note circulating on social media, claims that SAPS have confirmed that human traffickers are scouting WhatsApp profile pictures and social media networks, to identify and track children, who are then sold via a bidding process. I have noticed several panic-stricken parents, rushing to remove pictures of their children off all social media platforms.
While some of these messages might be fake, human trafficking is indeed very real and we can never be too careful. I therefore strongly encourage parents to take these precautionary steps on all their social media platforms:
1. Ensure that all of your contacts and friends, on social media platforms, are personally known to you.
2. Utilise the highest possible privacy settings, so that the content you share is only visible to people on your friends list.
3. Disable GPS services, so that where and when your photographs were taken, cannot be tracked (unless there is a specific reason for a geo location service to be enabled).
4. Limit what your share, and never share sensitive, private information that could enable an individual to ascertain exactly where you live, or where your kiddies go to school.
5. Qualify what you share - try verify that the content is true before you pass along. Fake news causes unnecessary panic, and is a waste of valuable crime fighting resources.
Remember you should always act the same online as you would in the real-world, so be sure to take similar precautions online that you would in real-life.

Monday, 16 July 2018

Copyright: the basics for small business owners and app developers

I’m regularly asked by developers and small business owners – who owns the copyright in my new app? The answer, as with most legal questions is: ‘it depends’. South Africa’s Supreme Court of Appeal in 2008 noted that copyright cases relating to computer programs are notoriously difficult.  

In South Africa, copyright is regulated by the Copyright Act 98 of 1978. In order for copyright law to protect an app, it must meet a few basic requirements.   The app must:

1) be original

2) take some material form (no copyright protection for ideas or concepts); 

3) be created by a qualified author (this means the creator of the app, if an individual, is a South African citizen or is domiciled or resident in South Africa).

Importantly, copyright vests automatically and no formalities exist – therefore, there is no copyright registration for the creation of a new app.   

Remember: authorship of work that enjoys copyright, and ownership of work that enjoys copyright are two separate considerations.  Who is the author?  Usually, the person who created the work (developed or created the app).  South Africa uses the terminology ‘exercised control’ over the creation of the app – in simple terms, this is typically the person who developed or created it.

Who is the owner? Generally, the owner of the copyright is the author of the work – but not always, particularly where an employee creates an app during the course of his or her employment, or where an app developer is commissioned to develop an app and assigns the copyright in writing to the person who paid for its development (a standard term in a contract of this nature).

From the perspective of an app developer, it is important to ensure that you consider whether it is fair in the circumstances to assign the copyright to the person paying for the development.  Is the payment enough? From the perspective of a person commissioning an app or any development – crucially – you must sign an agreement with the developer whereby you specifically agree to pass ownership of the copyright, or ownership will remain with the author. 

In addition, if the work created does not qualify as a computer program – for example, the look and feel of a certain app, or code created that may not qualify as a complete app, that work may still be protected as a literary work or an artistic work.  

Ultimately, with a business on the line, or a potentially valuable copyright to protect, it is in the interests of both parties to carefully consider copyright ownership, agree on a fair, mutually satisfactory position, and then record this in written, clear agreement.  

Wednesday, 20 June 2018

Civil and criminal liability for comments posted on social media

South African model and television presenter Shashi Naidoo has come under fire for comments made on Instagram.  Naidoo referred to Gaza as a “sh%$ hole”.  The posts were swiftly deleted, and Naidoo has apologised.

Although every person has the right to freedom of expression, this right is weighed up and measured against other competing rights – such as the right to dignity and the right to privacy.  Free speech is certainly not absolute.

A person may be both criminally and civilly liable for posts made on social media.  From a criminal perspective, in terms of crimen injuria, to be found guilty, a court must be satisfied beyond reasonable doubt that the perpetrator intentionally and unlawfully seriously impaired the dignity of another.   

Further, the offence of criminal defamation, although criticised as chilling free speech, still operates in South Africa.  In the 2008 matter of Hoho v The State, a bench of five judges on the Supreme Court of Appeal (SCA) was asked to consider the relevance of criminal defamation.  Ultimately, after weighing up freedom of expression versus human dignity, the SCA decided that criminal defamation has not been abrogated by disuse and is still relevant. More recently, in Motsepe v S, the North Gauteng High Court in Pretoria confirmed that in its view, the “crime of defamation is not inconsistent with the constitution” and that “even though the defamation crime undoubtedly limits the right to freedom of expression, such limitation is reasonable and justified in an open and democratic society and consistent with the criteria laid down in Section 36 of the Constitution”.

From a civil perspective, in order to have a valid cause of action, a plaintiff must show that the defendant, (a) published, (b) defamatory matter, (c) referring to the plaintiff.  Once the plaintiff has proved the existence of these elements, three presumptions arise.  Firstly, that the publication was unlawful.  Secondly, fault or intention on the part of the plaintiff, and thirdly that the plaintiff suffered damage.  
In the ordinary course, a defendant in a defamation case has several defences open to it.  These are truth for the public benefit (published material must be true and in the publics’ interest to receive this material), fair comment (i.e.: editorial comment or a satirical piece) and privilege (i.e.: where there is a 
moral or social duty to publish the defamatory matter, and the recipient has a similar interest or duty in receiving it). 

In Naidoo’s case, it is unlikely any person will have a civil defamation claim against her given that the posts referred to a place in a derogatory fashion, and not a particular person. Moreover, from a criminal perspective, criminal defamation will not apply because it is unlikely any person's reputation will be impaired enough to satisfy the requirements for this offence. In terms of crimen injuria, the offence is typically in relation to the impairment of a particular person’s dignity in a serious way – for example, a racist outburst directed at a person (i.e.: Penny Sparrow).  In my view, even though the post is ill-conceived, it is unlikely to cause the serious impairment of dignity required to an individual (or group of persons) for this offence.

Often, the excuse is used “I didn’t post the offensive material”, or “my Instagram account was hacked” or something similar.  This is akin, at times, to a person saying to his high school science teacher – “the dog ate my homework”.  Unless there is evidence to support this type of defence, it will usually fail.

Consequently, in my view, it is unlikely that Naidoo’s social media post will result in anything more than negative publicity (or is all publicity good publicity?) – however, and hypothetically, if the matter went to court and the defence was that “someone else posted it”, then evidence must support that contention. The onus will be on the person alleging the defence to show it is reasonably possible.  If a "someone else did it" version is accepted, the person who is responsible for the social media account will likely be able to wriggle free of criminal action (lacking the required intention), but may not escape all action, as negligent publication of defamatory material may still result in civil action.

Thursday, 24 May 2018

General Data Protection Regulation (GDPR) and POPIA

In case you have been under a rock, or out since the 90’s, after years of preparation and debate, the General Data Protection Regulation(GDPR), which was passed by the EU Parliament in April 2016, comes into full force and effect from 25 May 2018.

What does this mean for South African businesses? Short answer: the GDPR is only relevantif a business processes the personal information of an EU resident.  

Does a South African business that is compliant with the Protection of Personal Information Act (POPIA) need to do anything different to comply with the GDPR?  Yes – but potentially not too much.  As others have noted, POPIA and GDPR are different shades of the same colour – in basic terms, they both attempt to achieve the same thing.

Key with POPIA and GDPR is on-going compliance and having privacy as a core concern.  Compliance is not a once off exercise or a static target and will be an on-going process.

As with all forms of data protection laws, POPIA and the GDPR require opt-inconsent: an expression of will to indicate that the person agrees with his/her data being processed.  In the past, businesses relied on an “opt-out” (tell us to stop if it annoys you, but we will use your information as we please) – this is no longer the case, although communication should still include some form of opt-out mechanism, even after express consent. Further, it must be clear why data is being collected; how it is being collected; why it is being processed; how long it is retained; and finally, if and how it is being shared with other parties.  

In any business – from small to listed entity – documented policies must exist setting out how personal information is collected, processed and used.  This is not rocket science.  But it takes some preparation, thought and plenty administration… 

Monday, 23 April 2018

Protection of Personal Information Act (POPIA) for Small Businesses

I often get asked: does POPIA apply to my small business?  The answer is definitely yes. POPIA gives effect to section 14 of the Constitution, which provides that everyonehas the right to privacy – the right to privacy includes a right to protection against the unlawful use of personal information. 

POPIA sets out data protection principles and provides guidelines on how to deal with personal information.  It follows international trends and puts South African on par with global best-practice in so far as data protection is concerned.  An Information Regulator has already been established, and this body will have the ability to impose significant fines and investigate non-compliance.  Although the Act was signed into law in 2013, it only commenced partial operation in 2014, and has yet to commence full operation: we expect this will happen during 2018, and once the POPIA is fully operative, all businesses will have one year to comply – or face severe sanctions.

Does your business collect, store or process any personal information? Personal information is any data relating to an identifiable living or juristic personand includes: contact details, demographic information, personal history, product preferences, or any other information that can be used to identify a person.   

It is highly likely most small to medium businesses will answer “yes” – in that most – if not all – businesses process some personal information. POPIA requires you to ensure data is processed in accordance with eight ‘conditions’: the conditions oblige you to only collect information with a specific purpose; store it safely; ensure the information is relevant and accurate; only collect what is required; and allow the “subject” to inspect any information you hold.

Importantly, personal information can only be collected if the person has “opted-in”. In other words, the person must specifically agree to the information being collected (subject to an exception dealing with existing clients).

How can you comply with POPIA?  Ensure you have a brief, written policy outlining how you process personal information. Think carefully about how your business uses data, and why – is the use of personal information necessary?  If so, document it carefully and ensure you are familiar with POPIA.