More than a year ago, in May 2018, the European Commission’s (EU) General Data Protection Regulation (GDPR) came into effect. The GDPR is a data privacy and protection framework aimed at improving Europe’s data privacy laws, and which could be described as a first cousin (replacing the EU’s Data Protection Directive (EU Directive)) to South Africa’s POPIA, the Protection of Personal Information Act 4 of 2013. POPIA, while currently only partially implemented, will apply to all businesses and organisations in South Africa, which by virtue of their interactions with South African consumers, collect and process their personal information.
While POPIA’s provisions only apply to the extent that businesses are registered and incorporated within the borders of South Africa, the GDPR is applicable to every organisation on the African continent that processes the personal data or monitors the online activities of EU citizens. In practical terms, this means that a South African online shopping site that sells its products to EU citizens will be expected to comply with the GDPR.
Non-compliance with the GDPR could result in varying consequences for the institution; including a written warning, periodic data protection audits and fines of up to 10€ million or 2% of an organisation’s annual worldwide turnover. The most serious penalties apply to organisations that suffer a data breach as a consequence of non-compliance. Since its implementation, the European Data Protection Board (Board) has noted that administrative fines totalling EUR 55.96 million have been issued by 11 European Economic Area (EEA) countries. The Board said that so far, 206,326 cases have been reported under the GDPR from 31 authorities in the EEA.
For the purposes of South Africa’s trade relationships, POPIA will have to be read together with the provisions of the GDPR. As a result of POPIA having been largely modelled on the EU Directive, POPIA and the GDPR are more similar than they are different. The GDPR imposes additional data protection requirements that were not contained in the EU Directive, and are not required under POPIA. A notable difference between the GDPR and POPIA is that while the GDPR only protects the personal data of natural persons and does not extend its protection to juristic persons, POPIA protects the data of both natural and juristic persons.
Hailed as the global standard for protecting the rights of any individual whose personal information enters the digital world, the fundamental user rights contained in the GDPR are seen as an instrument of best practice and most agree that since its implementation, the GPDR has significantly increased awareness of these rights. These fundamental rights, briefly discussed below, are the standard with which businesses and organisations on the African continent should aim to comply.
The right to transparency and information
Organisations must provide individuals with information regarding who has accessed their personal information, what purpose it will be used for, who the recipients of the information will be, and the period for which the information will be kept. This information must be provided to individuals in a clear and transparent manner, using intelligible and plain language.
The right to be forgotten
Individuals are entitled to request that their personal information be erased without undue delay, subject to specified grounds. These include the grounds that the usage of the personal data is no longer relevant for the purpose for which it was initially collected or processed, that the individual has withdrawn consent for the processing of the information and such consent was a legal requirement, and that the erasure of the information is a legal obligation on the part of the organisation in terms of local or foreign law.
The right to restrict data processing
Individuals have the right to request that organisations stop processing their personal information, subject to specified grounds. This may be to contest the accuracy of the information, or because the processing of the information was unlawful and the individual requests restriction of use as opposed to erasure.
The right to data portability
Individuals have the right to receive their personal information from a particular organisation and subsequently transfer such information to another organisation. This right will not be applicable where the processing of the information is for the purpose of the public interest or is done in the exercise of an official authority.
The right to object
Individuals have the right to object to the processing of their personal information if such information has been processed with the consent of the individual and they wish to withdraw such consent, or where the information is processed for direct marketing purposes.
Rights in respect of decisions involving automated processing and profiling
The GDPR stipulates that individuals may not be subject to decisions based solely on automated processing. This includes decisions that are based on profiling and produce legal consequences concerning an individual based on such automation.
The right to access
Individuals have the right to be informed whenever an organisation processes their information, to receive a copy of such information, to be informed of the sources of this information and to be afforded the opportunity to lodge a complaint against such collection and processing.
The GDPR has given African governments a yardstick by which to measure their own privacy laws and African organisations an international standard to adopt, and thereby maintain the trust of the international community. The implementation of the GDPR last year has signalled the beginning of a digitally secure future for Africa and all who live in it.