It has been 10 months since the commencement of the Protection of Personal Information Act, 2013 (POPIA). We have taken stock of recent data protection developments and have set out some key learnings to guide you in your POPIA compliance journey.
The matric results debacle – the parameters of compliance when publishing personal information
At the start of 2022, the Department of Basic Education (DBE) decided not to publish the 2021 matric results on public platforms, as it has traditionally done at the start of each year. The Information Regulator issued a statement following this decision, in which it said that the DBE “has a duty to ensure that matriculants receive their results“, but that this must be done in a manner which complies with POPIA. The Information Regulator emphasised the following (non-exhaustive) requirements in her statement:
One matriculant challenged the DBE’s decision in the High Court, seeking an order compelling the DBE to publish her results on public platforms. This learner stated that the results could be published without reflecting the learners’ names and surnames. The court granted the order as the matter was unopposed but did not provide any reasons for its decision.
The matter emphasises that the right to privacy must be balanced with the right to access information. This relationship can be complicated, and many factors need to be considered in assessing each particular set of circumstances to strike the right balance. Future judgments should provide further guidance on this dynamic.
Learnings from the TransUnion data breach
In March 2022, credit bureau TransUnion announced that it had suffered a data breach. The Information Regulator has expressed its views regarding the handling of this data breach, indicating that the notification by TransUnion was “inadequate, unsatisfactory and falls short of what is required” by POPIA. The Information Regulator’s concerns centred around the lack of detail provided to the Information Regulator, indicating that less is not always more when demonstrating to the Information Regulator that a data breach has been managed appropriately.
There are three important takeaways from the Information Regulator’s statement on this data breach:
M&A and POPIA
Every business process personal information about its employees, customers, suppliers, contractors, and other stakeholders. A particularly vexing question is how to comply with POPIA when selling a business to a third party. This question must be considered at each stage of the transaction, including post-transaction, when systems are being integrated.
Companies often grapple with determining whether employee consent is needed to transfer employee personal information to an acquirer. If the acquirer is located outside South Africa, the seller must consider how to lawfully transfer personal information to the offshore acquiring party, given POPIA’s specific requirements. The Information Regulator has not yet provided a guidance note on this particular issue. In the interim, overseas guidance may prove useful, including the Data Sharing Code of Practice published by the Information Commissioner’s Office (ICO) in the UK.
Ensuring POPIA compliance during an M&A transaction may require some upfront planning, and we recommend involving a privacy lawyer at an early stage of the transaction to avoid falling foul of any regulatory requirements.
- Karl Blom, Peter Grealy, Nozipho Mngomezulu, Wendy Tembedza, Partners & Cindy Leibowitz, Knowledge Lawyer at Webber Wentzel
1 Comment
I am super excited to announce that CoinDCX is now India’s Highest Valued Crypto Exchange ecosystem driver in India. They have raised USD 135 million (INR 1033 Cr) in their Series D funding primarily led by Pantera and Steadview, along with strong participation from prominent investors like Kingsway, DraperDragon, Republic, and Kindred and joined by our returning investors B Capital Group, Coinbase, Polychain, and Cadenza, putting us in a strong position to support the growth of the crypto/web3 industry in India.
https://sastaoffer.in/blog/coindcx-is-now-indias-highest-valued-crypto-exchange/