Amongst other reasons, this was done with the aim of complying with articles 13 and 14 of GDPR, which provide data subjects with a right to be informed who has their personal data, as well as what is being done with that data. Typically, this information is to be provided at the time of collection, or where the personal data is collected indirectly, "within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed ". So, the flood of emails dealt with personal data that had already been collected prior to GDPR coming into force.
The Protection of Personal Information Act, No 4 of 2013 ("POPIA") contains a similar requirement in section 18, which requires responsible parties to take reasonably practicable steps to ensure that data subjects are aware of:
(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;
(b) the name and address of the responsible party;
(c) the purpose for which the information is being collected;
(d) whether or not the supply of the information by that data subject is voluntary or mandatory;
(e) the consequences of failure to provide the information;
(f) any particular law authorising or requiring the collection of the information;
(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
(h) any further information such as the—
(i) recipient or category of recipients of the information;
(ii) nature or category of the information;
(iii) existence of the right of access to and the right to rectify the information collected;
(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and
(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
Similar to GDPR, POPIA requires this notification to be before collection (in the case of personal information collected directly from data subjects), and "before the information is collected or as soon as reasonably practicable after it has been collected" (in the case of personal information collected indirectly).
POPIA provides an exception for collecting more personal data later without the need for repeat notification, if the information is the same, or of the same kind, provided that the purpose of collection remains the same. This is similar to the GDPR exception for repeat notifications "where and insofar as the data subject already has the information ".
Does Section 18 of POPIA mean that companies in South Africa will need to go through a similar exercise to notify each data subject individually about all the personal information that they already have on them? One could certainly not fault a company that opts to do so. However, we would caution against treating GDPR compliance measures as necessarily ensuring POPIA compliance, since the two laws are not identical. For instance, both GDPR and POPIA list exceptions for where data subject notification is not required. In GDPR, this includes "where and insofar as the data subject already has the information", as well as the following additional exceptions which only apply to personal data collected indirectly:
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
POPIA provides a broader set of exclusions, which apply regardless of whether the personal information was collected directly or indirectly. These include where:
(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
(c) non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
(iv) in the interests of national security;
(d) compliance would prejudice a lawful purpose of the collection;
(e) compliance is not reasonably practicable in the circumstances of the particular case; or
(f) the information will—
(i) not be used in a form in which the data subject may be identified; or
(ii) be used for historical, statistical or research purposes.
Of particular interest in this list is that under POPIA a responsible party does not have to comply with section 18 where a data subject has consented to this non-compliance. Consent to non-compliance is an odd inclusion, especially considering that without the contents of a notification, it is difficult to imagine how the data subject could know what they are consenting to. POPIA defines "consent" as "any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information " (emphasis added). We would therefore advise extreme caution in using consent to non-compliance as a basis for not providing such a notification, particularly in the absence of guidance on this point from the Information Regulator.
As to whether emails, specifically, would be required, POPIA does not expressly provide for how section 18 notice should be conveyed to data subjects. The Information Regulator has hinted in public forums that companies that are required to have PAIA manuals may be able to use their PAIA manuals to serve as this notice. This has yet to be included in an official guidance note, however, and our suggestion would be to wait for the Information Regulator to publish such a guidance note, which it has stated that it is planning to do within the next few months, before placing too much reliance on their PAIA manual.
Meanwhile, the clock is still ticking. While waiting for further guidance from the Information Regulator, we recommend that companies begin their impact assessments in order that when the guidance arrives, they will be in a position to implement it before the 30 June 2021 deadline, whether this is ultimately achieved by updating their PAIA manuals or privacy notices, or whether it is necessary to notify each data subject individually.
Feel free to contact us should you require assistance with a gap analysis.
Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.