Protection of Personal Information Bill: deliberations continued

Meeting report

Deliberations on the Protection of Personal Information Bill
Mr Henk Du Preez State Law Advisor picked up where the previous deliberation had ended. Every public and private body had to designate an Information Officer. This was to ensure that there was somebody who was responsible for the monitoring process as well as ensuring that the provisions were adhered to.

Mr J Jeffery (ANC) asked if data protection was being separated from the Promotion of Access to Information Act (PAIA), what were the implications of this in terms of the Bill?

Mr Du Preez replied that there were no specific recommendations for this part of the Act. The Department was concerned about using the label of Information Protection Officer; a preferred label would be Information Officer.

Ms M Smuts (DA) said that it would be a pity not to bestow upon the Regulator the power to enforce access to information requests. Since the Committee had not made any final decisions the clauses may remain roughly as they were. There had to be a Regulator who would handle public complaints and they in turn would have to forward these to the relevant Information Officer.

The Chairperson asked if the Information Protection Office and the Information Officer would be deemed as the same person?

Mr Jeffery replied that they could be the same or not.

Mr Du Preez also replied that since no decisions had been taken the option could be left open so that public or private bodies could decide if they wanted one and the same official or not.

The Chairperson said that PAIA promoted access to information whilst the Bill protected the use of personal information.

Mr Jeffrey said that no final decision had been taken on whether the Regulator should be given PAIA functions as well. PAIA should be given more teeth; the issue could be left with the Regulatory Body.

Ms Smuts referred to clause 3 and thought that it dealt with too many things that should be separated. The territorial application of the Bill, automated information and the requirement for data backups were covered in this clause. All of this information was squashed into this one clause and this was detrimental to the Bill. The United Kingdom (UK) Act had useful definitions on data.

Mr Du Preez said that the Department would look at this clause and possibly prepare an option. The clause dealt with territoriality under part A and B. Automated processing was under the provisor to the Bill.

Ms Smuts replied that in that case then there should be a separate clause.

Mr Du Preez reiterated that the Department would prepare the option.

Ms Smuts referred to Section 4 part A that was self-evident. The Bill did not apply to personal or household activity.

Mr Jeffery asked for an explanation for household and personal activity? The Bill did not have any definitions for them.

Mr Du Preez noted that the South African Law Reform Commission (SALRC) had similar concerns. Conducting personal or household activity was a factual question. Defining this would be extremely difficult. The purpose for which information was used, determined the type of activity as well.

Mr M Ambrosini (IFP) said the Bill had two aspects to it. This was the scope and object. The term ‘Person’ which was used in the Bill was very difficult to define in law. A suitable definition that should be used for activities was commercial and non commercial. What was the legal meaning of a household activity?

Ms Smuts referred to Section C and asked what the term ‘adequate’ safeguards meant. Who would make the decision of determining what the safeguards were? Section C could be excluded altogether. The Department could make use of the process that was in the UK Act.

Mr Ambrosini pointed out that the State could do much more harm than any other entity. Section C seemed to give power to the State to conduct activities, which were not authorised under any other law. If the Act was applicable to all citizens then what was the difficulty in its application to State entities.

Ms Ananda Louw State Law Advisor asked Ms Smuts to clarify if the UK Act made a distinction between the National Security Provision and the criminal activities. The European Union (EU) Directives made provision for exemptions under Section 3.

Mr Ambrosini said that the issue of National Security was very problematic. National Security was not subject to Judicial Review and this was a concern. National Security could be exempt during the collection stage of information, not when it was processed. The Bill essentially gave more powers to organs of state. The exclusion of organs of state also meant that all laws that governed organs of state had to be amended.

Mr Sisa Makabeni, State Law Advisor, Office of the Chief State Law Advisor, assured the Committee that the clause made no provision for the current laws that governed organs of state to be amended. The Bill provided that the state would be exempted in so far as there were adequate safeguards that were already in legislation. The adequacy of these safeguards would be tested against the provisions of the Bill.

Ms C Silkstone content Adviser for the Committee asked who would take responsibility for the exclusions?

The Chairperson said that the issue of National Security was important for the survival of the state; the state should not be weakened to such an extent that this action would be detrimental to its own citizens. The Committee should debate this issue.

Mr Ambrosini said that it was during the time of dire need that the state had to abide by the laws. The government had to be bound to the Constitution. The legislation should not have as many loopholes as Swiss cheese.

Mr Jeffrey National Security as well as public safety were real concerns. The provisions of the legislation were not a problem. The definition may pose a problem however. The Bill did not exclude state entities form the Bill of Rights.

Ms Smuts said that the Constitution guaranteed the protection of rights and all laws were subject to it. The criminal justice rights were the bedrock of the Bill of Rights and they were not violated. The Bill had to comply with the Constitution

Ms Sithole (ANC) said that the Committee should not make decisions that would impede the state from protecting citizens, times were different and the state had to be very alert.

Mr S Ntapane (UDM) agreed with Ms Smuts. The Constitution was the highest law in the land and the state was subject to it.

Mr M Gungubele said that in its maintenance of the law, the state had a special role to play. The Constitution gave leeway to ensure that there was a balance with National Security. This clause did not violate the Constitution. The clause was there in order to smoothen the implementation of the law.

Mr Ambrosini reiterated that it was how the information was used that posed a problem, not the collection of it. National Security subverted the burden of proof. The burden of proof lay with the complainant in Constitutional law and this was very difficult.

Mr Gungubele pointed out that the main question that one had to ask was what new situation would be created by this law that was not already covered by existing laws. Certain issues happened until they were tested.

Mr Ambrosini said if there was no need for the law then it should not be adopted. The purpose of the Bill was to protect privacy, why should privacy be not protected by the state? Why should the state be not restrained from passing on information during processing?

Mr S Holomisa (ANC) said the state had a duty to provide security. It had to prevent terrorist threats as well as investigating them. How else could the Committee deal with the scepticism that the state could act in malafide manner? The Bill also excluded the journalists in so far as ethics were concerned. Journalists themselves could abuse their exclusionary status.

Mr Jeffery said that the Committee had to accept that the state needed to be excluded. The Bill was not ousting out the courts. The Regulator would ensure the enforcement of the Bill.

Ms Smuts noted that a majority position had emerged on this matter and it should be put aside for now.

Mr Gungubele supported the proposal.

Ms Smuts felt that the law was not appropriate for journalism if the UK Act had to be followed; the Bill was not appropriate for journalism. The Dario Millo position should be followed. The journalists should be excluded totally so that the Bill did not apply to them. There was a real danger that the Regulator would censor the media and the provisions should be totally excluded.

Mr Ambrosini said that the suggestion by Ms Smuts was not an easy one to adopt. An alternative suggestion that could be inserted in the Bill could be: For any purpose embodying the exercise of a Constitutional right could be excluded as an activity, including but not limited to journalistic purposes. The concept of purpose is key to Constitutional protection.

Ms Smuts felt that the definition by Mr Ambrosini was too wide.

Mr Jeffery said the Bill was not about freedom of speech, it was about the protection of personal information. The proposal by Mr Ambrosini was too wide; the same could be said for Dario Millo’s position. The proposals should be principal based as opposed to rule based. This section was a total exclusion and was very wide, this was a concern. The UK version of the Bill was more favourable. The Committee was not making the law it was merely setting up a framework within which the Regulator would adjudicate.

Ms Smuts said if the Committee went this route then the UK Act was of more benefit. The benefit of the UK Act was that relief could be sought under the common law and in addition, individuals could institute civil action for damages under the Act.

Mr S Swart (ACDP) preferred the Dario Millo route from the 3 available options. Mr Ambrosini’s approach was too broad. Another alternative was for all 3 options to be made available, the options had to made available in case there was no consensus.

Ms Louw the position in the Bill closely mirrored that which was in the Australian Act. The Australian press were in favour of this position. The exclusion was not complete, the journalists were allowed to self-regulate in terms of the provisions of the Bill until there was a need for the Regulator to intervene. The Bill was applicable to them; it was not a complete exclusion.

Ms Smuts suggested that since there would be options, section 32 from the UK Act could be one of them.

Mr Jeffrey asked if the Australian Act had been accepted in its present form.

Ms Louw replied in the affirmative and that the Regulator had to approve the code

Mr Jeffery suggested that the options should be included as a separate clause, it would then mirror the UK one and the option could be the Australian Act as well.

Ms Smuts said that there were other considerations that should apply. It did not make any sense to exclude the Cabinet. Surely the Provinces and Municipalities dealt with vast amount of information and therefore they should not be excluded.

Mr Jeffery suggested that this section should be separated from PAIA. The Bill was about accessing personal information The Cabinet, Cabinet Committees and Provincial executives were already classified and would not disseminate information. What was the logic behind excluding municipalities and council’s?

Mr Du Preez admitted that it was overzealous on the Department’s side and this would be corrected.

Mr Jeffery suggested that the Cabinet, Cabinet Committees and the executive council should remain but the Municipalities and councils should be removed. What was the reference to judicial functions? The courts should be excluded completely.

Mr Gungubele agreed with the proposal.

Ms Silkstone reminded the Committee that there was a query from the last meeting concerning the non-exclusion or even mention of Parliament in the Bill.

Mr Gungubele suggested that more clarity must be sought as to what the law says about such matters.

Mr Ambrosini asked if the definition of a court included the court register and did the definition of judicial functions included the NPA?

Mr Jeffery suggested that the issue of the exclusion of courts should be flagged.

Mr Du Preez replied that the register as well as the judicial functions was excluded. The National Prosecuting Authority (NPA) was not part of the judiciary.

Mr Ntapane pointed out that the NPA was excluded under section 4 (c).

Ms Silkstone reminded the Committee that in the previous meeting the issue of public bodies that kept records for public purposes had been flagged in the previous meeting.

Mr Du Preez referred to clause 4 (c), the Department proposed that the word state should be replaced with public body as there was already a definition of a public body. The word state was inappropriate.

Ms Louw also added that there was no reason why public records should not be included. It was very important to note that the Bill was applicable when there was a processing or provision of information. The Bill regulated information that was put out there and not information that was essentially private.

Mr Ambrosini vehemently disagreed; one of the main problems was that the processing of information included storing information.

Mr Gungubele said his understanding of what Ms Louw had said was that that private information was effectively private.

Mr Ambrosini said it was not the case in reality. Under Section 5 (2), the word extensive should be replaced with the word greater.

Mr Swart disagreed and suggested that more extensive was more suitable.

Mr Jeffery said Chapter 2 was problematic in terms of structure, not the content. The structure under Chapter 2 number 6 became a problem. This chapter needed to be re-structured so that one could see the principles and how they should be applied. Clause 10 was essentially a rule, which was unenforceable. The Department had to be careful so as not to make rules.

Ms Smuts said that there should be a simple statement of the principles in this section. This should be followed by a Schedule with the relevant conditions. Clause 10 was not making any rules.

Mr Ambrosini asked if this would not be the case if Section 7 was re-phrased so that it read as follows: The responsible party should comply with the principles as set out in this chapter as and to the extent that they were embodied and implemented in an applicable manner.

Mr Jeffery said the codes would be there but one wanted the Bill would apply generally and residually. The difficulty was casting the net wide so that the provision made certain actions wrong.  The provision rendered a lot of processing to not be allowed. The provision should be phrased differently so that what should be done became clear.

Mr Ambrosini said the Regulator could not be allowed to determine the scope of application of the law, only the scope of enforcement. The more desirable approach should be to allow the Regulator to determine the scope of application through the codes and this would be constitutionally applicable.

Ms Smuts reminded Mr Ambrosini that he was there when the codes were written; the codes went way beyond the powers and duties of the Regulator. The rights of data subjects should be right up front. Some of the prohibitions should be removed and a few more clauses on crime, politics and philosophy and health should be included.

Ms Louw said the organisation for Economic Development (OECD) guidelines made provision for the principles. The EU directives categorised a list of things that had to be done under different headings. The Department took the ideas for the principles from the OECD guidelines. The content of the EU directives was used together with the OECD guidelines. The idea was that it would be easier for citizens to comply with 8 principles only. Principles and rules based legislation should not be confused. Rules based legislation prescribed what one should not do by listing offences and hoping for a certain outcome. The Bill was saying that this was the outcome and there was flexibility in how the outcome was going to be. In rules based legislation one would state the rules and hoped for the outcome. The structure in he Bill was trying to make it easier to read the Bill.

Mr Ambrosini said the main issue was who was responsible for the outcome. The reformulation of this section from the previous meeting called for the Regulator to bring the principles into force and effect. It was irrelevant whether this was in terms of the rules or the outcomes. It was important to determine whom the Bill covered.

The fusion of the OECD guidelines and the EU directives did not work; the problem with clause 10 was that it was a rule.

Mr Gungubele advocated for a principle-based approach that would cover many different types of situations in detail. It was wishful thinking that this section as it stood would cover all types of situations. It was important to say as little as possible when it came to principles.

Ms Louw said the drafters would re-look at the section and map out its application for the benefit of the reader.

Mr Ambrosini suggested that the American approach could be adopted where there was a regulatory agency, the Bill set out the goals, the principles were mandates for the regulatory agency, the regulatory agency embodied the principles and the citizens were subject to the regulations themselves.

Mr Gungubele explained to the Department that the committee was trying to ensure that individuals were able to comply with the Bill. The danger was that there would be high levels of non-compliance.

Ms Louw responded to Mr Ambrosini’s proposal and referred to the UK Act, which explained the different sections, where they were in the Bill and how they all came together.  

Mr Du Preez had some difficulty as a drafter in finding a way in which the principles would be suitable as per the Committee’s approach. The Committee had previously requested that the language in the Bill should be simple. The provisions were substantively connected; if they were to be removed then placed in schedules the result would be a difficulty in reading the Bill altogether. There was difficulty in grasping the direction that the Committee wanted the Department to take at this stage.

Mr Ambrosini reiterated that Clause 10 was a rule and it applied immediately. This was the difficulty.

Ms Louw explained to the Committee that Clause 10 had 3 subsections. The whole of this clause dealt with the fact that the Bill was opt out legislation. The clause was saying that the processing of data could be done freely for the purpose of a legitimate interest. The data subject may object whilst this was being done and the processing had to stop. The clause was wide. The legislation was about purpose and openness.

Mr Gungubele asked if it was possible for a data subject to always know when their information was being processed? A framework that was capable of dealing with unique situations should be considered.

Ms Louw responded that the point of the legislation was that the data subject had to know when information was being processed in order to be able to protect him/herself.

Mr Ambrosini said this meant that for example everybody who had his number would have to inform him that they had it in their possession This would constitute an incredible amount of unwanted spam.

Mr Jeffery said it felt like the Department and the Committee was going around in circles. It was not possible to know from everybody that your information was being processed. Clause 10 was a rule; the concern was that any form of processing that did not meet the criteria would then be illegalised.

The Chairperson asked for resolutions.

Mr Jeffery said that the Committee wanted a set of principles and guidelines that applied to everybody subject to the Regulator’s adjudication.

The Chairperson expressed concern over the fact that the Committee was spending a lot of time on the Bill and it had to move on. The proposal was that Mr Ambrosini and Mr Jeffery would draft relevant provisions that would guide the Department. A sub-committee comprising Mr Ambrosini, Ms Smuts and Mr Jeffery would deal with all further aspects of the Bill.

Mr Jeffery said that anybody would be welcome to attend the meetings.

The meeting was adjourned.