30 Jun Data Protection And Privacy – Transitioning Into Implementation Of Legislation #POPIA
I am a firm believer in it not being the “what”, but the “how” a message is communicated.
Personally, I found myself annoyed by the “or-else” approach that was taken by #WhatsApp. It reminded me of the “eat your vegetables or else… “scenario lived through by my younger self.
Once the déjà vu had worn off, I however took time to understand what these changes entail and without going into lengthy details, took an informed decision to stay on the platform.
Hence in my first article, I urged end-users to take control and understand the platforms that they use as well as their data and privacy settings. Sufficient articles have since been written about this subject, as recently as the past few days in which #Facebook and #WhatsApp further explain the privacy changes. This article will therefore not focus on analysis of said reporting, but on the #Data Protection Laws in South Africa as well as in the EU.
The aspects related to the EU will be covered by my learned colleague, Ms Suvi Julin, Partner, Lawyer, Licensed Legal Counsel, at Berggren Oy, Finland.
In South Africa we have the #Protection of Personal Protection Information Act, 2013 also known as the #POPIA. As a country, we are currently in the transition and implementation stage. The transitional provisions contained in section 114 of the Act, in effect state that all processing of personal information must within one year from 1 July 2020 conform to the Act. Hence, all entities that process personal data, have to be compliant as from 1 July 2021. Thereafter, penalties come into effect.
Companies and entities have already started obtaining opinions and arranging training for employees on the impact that this legislation will have on their operations. Take heed that the #POPIA needs to be read in conjunction with other related legislation, to ensure that any gaps are closed and to avoid conflict of interpretation between these various legislations. Hence, training and advisory opinions need to take cognisance of this.
As a legal practice, we take a wide interpretation approach in order to ensure that all aspects of the business data management are assessed. This will include assessing whether any of the data/metadata is shared outside of the borders of South Africa, because this will trigger obligations to comply to other jurisdictional and legislative provisions.
At this point, I hand over to my learned colleague Suvi, to enlighten us on how the EU dealt with the transition process as well as what transpired once the data privacy regulations came fully into effect.
The EU’s General Data Protection Regulation, the #GDPR, has been implemented and applied since May 2018. Although the legislative preparation process was lengthy and followed by a two-year transition period prior to full implementation in May 2018, we’re still on a learning curve.
What have we learnt in the EU so far?
- Don’t expect everything to be clear at the time #POPIA is implemented. Instead, keep following up on the developments. As at present, we still receive new guidelines on a regular basis and decisions of data protection authorities in reported cases provide interpretation of the application of the #GDPR constantly.
- Know your data! It all starts with understanding what kind of personal information you collect and process and what are the requirements applied to it by your laws and regulations.
- If you share personal data outside South Africa, or you receive personal data originating from outside South Africa, you may become subject to data protection laws and regulations of another jurisdiction. For example, in case you choose to use a service provider domiciled in the EU, the service provider is likely to be obliged to enter into certain agreements with you on the basis of the GDPR.
That in a nutshell is a tale of “Two-Continents” in as far as data protection goes. There are other jurisdictions to take cognisance of, however we will not be able to enlighten you with the limited word count we can apply to this article.
For more information and advice contact us at the following email addresses:
Co- Authored by Anastasia Machobane – BIuris, L.L.B. (University of Pretoria); MDP (GIBS/UP); Air Law Diploma (IATA); Certificate Editing and Proofreading (University of Cape Town), LLM (Mercantile Law) Candidate at UP
Ms Suvi Julin – LLM (University of Lapland); MSc. (Information Processing, University of Oulu)
This article contains the views of the writers and should not be construed to be legal advice.