Hon Speaker, I think it only right that the technical committee, in turn, thanks the hon Jeffery for his chairing of that technical committee and for all the work that he has put into this important Bill.
I want to quote from a study of this Bill, undertaken by PricewaterhouseCoopers:
Open any newspaper or news website and the chances are that you will find a report on someone's right to personal privacy being infringed, or yet another intrusion through an organisation's security systems with the credit card or other financial information being stolen. With the free flow of information over the Internet, the popularity of social media, increasing ID book theft and other intrusions, governments worldwide have become increasingly concerned with the purposes for which organisations collect personal information, why they keep it and how they protect it. The position in South Africa is no different and consumers in South Africa should be welcoming the impending Protection of Personal Information Bill.
As you have heard, this Bill has been a long time in the making. At the conclusion of the writing of the Promotion of Access to Information Act in 2000, this House requested the Law Reform Commission to undertake work on privacy. Their work was long since done, but many other factors have delayed the completion of this Bill.
We were fortunate to have the advice of two people who travelled the entire road, from the Law Commission Report through to our tenth and final version of this Bill. They are Ms Ananda Louw, wearing red in the gallery - clearly it's a red-letter day! - and Mr Mark Heyink, from the private sector who assisted us. The Bill has greatly benefited from the enormous expertise and drafting skill of Mr Henk du Preez. We believe we have produced a law that will serve South Africans well. I quote PricewaterhouseCoopers again:
Although there are some disadvantages in lagging behind other countries in adopting privacy legislation, one major advantage is that the South African legislatures have been able to draw on the models developed and experience acquired in other countries, selecting the best of the best for our privacy legislation.
This Bill is the best of the best. The challenge for organisations, however, is that complying with the requirements of the Protection of Personal Information Bill is going to have a significant impact on the way they do business.
I am afraid that "a significant impact" is what is called for, on organisations both big and small. Our e-mail addresses, cellphone numbers, transactional history and financial details are constantly offered for sale. One seller of lists told his prospective buyers that they must remember that they owned data once they purchased it and could even resell it once they had used it. That is why we all constantly receive unsolicited calls and electronic messages which someone somewhere has matched to a profile that should only be created on the basis of information given with our knowledge and consent.
This Bill will be welcomed by everyone drowning in the daily tide of spam that washes into our inboxes. We have finally done what even the Internet service providers and e-commerce entities encouraged us to do in 2002, when we legislated the Electronic Communications and Transactions Act. We have moved away from the opt-out position, in terms of which you have to refuse a direct marketing offer or suffer the incoming spam. We have moved to an opt-in regime. Even the "techies" wanted us to do that as long ago as 2002. An opt-in regime means that unless you are already a customer of an enterprise, you specifically have to say yes before a direct marketer can send you its offers. That marketer can approach you only once and has to identify itself with contact details. We have seen one consumer case too many, covered by journalists like Independent Newspapers' Wendy Knowler, where unsuspecting consumers, often poor ones, suddenly find debit orders running off bank accounts whose details they never supplied for services or products they did not order, or which they were duped into signing up for. When they managed to track down the source, Knowler's readers were frequently told that the banking details had been obtained from the national consumer database, a thing that does not exist. Account details are stolen. We have therefore criminalised the obtaining, procurement, disclosure and sale of account numbers. The offence will carry a maximum sentence of 10 years or a commensurate fine.
We want all the benefits of computerisation to be realised in South Africa, including e-commerce. Trust is the ingredient that makes it work. That is why a company like Deloitte has spelled out the business benefits, including return on investment, that adherence to privacy rules present. Deloitte says: "PPI value for a brand is incalculable, just as its opposite incurs reputational and monetary loss." This was illustrated when R41 million was stolen from the Postbank by means of infiltrating an insecure database.
It is important to note that the Bill gives effect to the constitutional right to privacy while giving copious recognition to all other rights and social interests that compete with privacy, such as the free flow of information. It sets only minimum conditions for the processing of information. Each condition is qualified by exceptions, and over and above the exceptions, there are exclusions, and there is scope for exceptions. In other words, the Bill is replete with exceptions, exclusions and the like. It is more than reasonable.
The Information Regulator, which we create under the Bill, will help consumers by taking their complaints and, failing resolution, helping them to sue for damages. The regulator will also help organisations - and that includes government departments and businesses - to process private information properly, but if they don't, there are eventual sanctions, as the hon Jeffery has just set out.
The Information Regulator, a new, independent regulator that we are herewith creating - and this is a big breakthrough - will have functions and dedicated regulators under both the Protection of Personal Information Bill and the Promotion of Access to Information Act, Act 2 of 2000. We hope that the failure of access to information to date in South Africa, despite the Promotion of Access to Information Act, may now be cured. This regulator will be able to assess Promotion of Access to Information Act practices, take complaints for conciliation and also for action. Appeals against refusals for information under Promotion of Access to Information Act will be able to be taken to the regulator. This, finally, is the breakthrough that we suggested in the Chapter 9 review, and it is an enormous advance. Let me point out just one last endorsement: The hon Minister Trevor Manuel, who was here earlier, gave this Bill the "good housekeeping seal of approval". His National Development Plan, which has just been endorsed by Cabinet, states:
The Protection of Personal Information Bill that is being discussed in Parliament seeks to establish an information regulator covering certain aspects of information and personal data. This body should be equipped with the necessary resources to do its job properly and independently. The body should strike the right balance between its responsibilities to protect personal data, while providing recourse to those claiming their right of access to information.
It does, and we are delighted to support it. [Applause.]