February 2016

Hello Consumer Law Review recipient

I always find that it is useful to take stock at the beginning of a new year. We start this year’s CLRs with a round-up of all the consumer law related news from the last six months.

We have decided to start a new series on the Protection of Personal Information Act. It will deal with the application of the Act to specific industries or activities. We start the series with a topic which will be relevant for every company in South Africa: POPI and Human Resources.

We also look at some of the interesting decisions made by the Consumer Goods and Services Ombud in the last year. They provide valuable insights given the shortage of court cases relating to the application of the CPA.

May you have a prosperous new year.

Happy reading!

Elizabeth de Stadler

Elizabeth de Stadler is the editor of the Consumer Law Review and the founding director of Novation Consulting (www.novcon.co.za or @NovConSA), a company which specialises in providing regulatory compliance solutions, designing innovative and effective ways to communicate legal documents to consumers and developing compliance training and awareness campaigns. She is also a senior associate at Esselaar Attorneys in Long Street in Cape Town (http://www.esselaar.co.za). The firm specialises in consumer law. She is a co-author of A Guide to the Protection of Personal Information Act (Juta), Commentary on the Consumer Protection Act (Juta) and chapters in a number of other publications.

When will POPI come into effect?

Since the last edition of CLR the nominations for the Information Regulator have closed. However, it seems that we are no closer to an actual appointment. In November last year, Parliament held a meeting to discuss the role of the Regulator. They have called for a workshop on the importance of POPI, who it protects (specifically whether it will protect the poor), the role of the Regulator and the interaction between POPI and the Protection of State Information Act and the Promotion of Access to Information Act (see this article on ITWeb). These questions seem very elementary given that POPI has been signed into law for several years now.

Controversy around the Cybercrimes and Cybersecurity Bill:

There has been a lot of controversy around the Cyber Security Bill that was recently gazetted for public comment. The Bill is aimed at combating cyber crimes. Without a doubt this is important given that South Africa has one of the highest rates of cybercrime in the world (the highest in Africa). It is linked to POPI, because it criminalises the acquisition of personal and financial information with the intent of committing an offence. But the Bill has been criticised for threatening freedom of expression and association as well as the right to privacy by giving broad powers to new state entities to monitor and censor the internet (see the full analysis in the Mail and Guardian). Comments closed on 30 November 2015.

Safe harbour agreement rejected by EU Court of Justice:

The protection of personal information is a global issue at the moment. In 2000 the European Commission concluded an agreement with the US government in which the US promised to protect the personal information of EU citizens when that information is transferred to the US. This agreement was known as the ‘safe harbour agreement’. Why was this necessary? Because, just like POPI, EU data protection laws prohibit the transfer of personal information to other countries unless that country has ‘adequate privacy protections’. However, on 6 October 2015 the European Court of Justice declared that the agreement is invalid as it did not adequate protect EU citizens against snooping by the US government. Negotiators for a new agreement were scrambling to meet the January deadline for a new framework, but new US legislation which gives EU citizens the right to enforce their privacy rights in the US has stalled in the Senate.

Why do we care? The judgment provides a good barometer for South African companies who want to transfer personal information to other countries (eg when personal information is stored in a ‘cloud’). Our principles are based on EU data laws (although they are currently being replaced). This means that transfers to European countries will be less problematic for South African companies than transfers to the US. Read this article in The Guardian for more information.

Financial Sector Regulation Bill (Twin peaks) tabled:

Treasury tabled the ‘twin peaks bill’ in parliament in October 2015. It is the execution of a decision years ago to shift to a two-pillar regulatory regime in the financial sector – a new prudential authority within the Reserve Bank for financial product providers and the Financial Sector Conduct Authority for financial service providers. The Reserve Bank is also made responsible of monitoring financial stability. While the Consumer Protection Act 68 of 2008 will remain out of the picture when financial service laws* apply, the Bill does provide for an Inter-Ministerial Council which is comprised of the Treasury Minister and Cabinet members responsible for consumer protection and consumer credit, health and economic development (see section 83). It provides that the Minister responsible for consumer protection can request that particular provisions of any financial sector law must be considered by the Council to determine whether it provides equivalent protection to consumers as they would have had under the CPA and to make recommendations for amendments if they do not (see section 85). There have been calls for a further round of amendments to the Bill.

* The following Acts are financial services laws: Pension Funds Act 24 of 1956, Friendly Societies Act 25 of 1956, Banks Act 94 of 1990, Financial Services Board Act 97 of 1990, Financial Supervision of the Road Accident Fund Act 8 of 1993, Mutual Banks Act 124 of 1993, Long-term Insurance Act 52 of 1998, Short-term Insurance Act 53 of 1998, Financial Institutions (Protection of Funds) Act 28 of 2001, Financial Advisory and Intermediary Services Act 37 of 2002, Collective Investment Schemes Control Act 45 of 2002, Co-operative Banks Act 40 of 2007, Financial Markets Act 19 of 2012 and the Credit Rating Services Act 24 of 2012. 

National Credit Act limitations on fees and interest rates reviewed:

The Department of Trade and Industry published final Regulations on Review of Limitations on Fees and Interest Rates on 6 November 2015. The regulation contains revised maximum prescribed interest rates, initiation fees and service fees. The micro-lending industry is the most affected. The rates that can be charged on short and unsecured loans as well as store and credit cards have been reduced and fluctuations in the Repo Rate will no longer have such a big effect on the cost of this type of credit – when the Repo Rate goes up 1%, so will the cost of credit. This way of calculating the maximum rates will be (a little) easier for consumers to grasp. The regulation will come into effect on 6 May 2016.  Read more in this Business Day article. One interesting question which has surfaced is whether existing credit agreements must be amended to comply with the new limitations? We will look into that in the next edition.

National Credit Regulator goes after retailers:

The National Credit Regulator has referred several retailers, including Lewis, Edcon, JD Group and Shoprite to the National Consumer Tribunal. The investigation relates to ‘mis-sold insurance products’; specifically the sale of unemployment and disability cover as part of a credit transaction to pensioners and self-employed customers. Other allegations include reckless lending and charging a fee for clubs linked to store cards. Read this interesting article in the Financial Mail for a historical perspective on how the crisis in this market developed.

Debt Collectors Amendment Draft Bill:

The Debt Collectors Amendment Draft Bill was published for comment. One of the main aims of the Debt Collectors Act is to regulate abusive behaviour in the debt collection process. The new Bill includes attorneys in the definition of debt collector. This means that attorneys who do debt collection will have to register. There have been additions to the list of forms of improper conduct in section 15. For instance, it now includes a prohibition on charging ‘collection costs, an initiation fee, service fees, default administration charges or other charges which exceed the unpaid balance of the principal debt at the time of default’. In addition to the sanctions prescribed in the Act, attorneys who are found guilty of improper conduct will be referred to the relevant Law Society. Comments were due by 31 January 2016.

Department of Telecommunications and Postal Services published ‘Proposed Policy Direction on Effective Competition in Broadband Markets and the Reduction of Data Costs’:

The Department of Telecommunications and Postal Services has published a ‘proposed policy direction’ in which ICASA is instructed to commence an enquiry and publish regulations to ensure effective competition in broadband markets and the reduction of data cost. This is a step towards achieving the vision of the National Broadband Policy (South Africa Connect) that ‘by 2020, 100% of SA citizens will have access to broadband services at 2.5% or less of the population’s average monthly income.’ The National Broadband Policy identified the high cost of communication services as a primary factor hampering South Africa’s competitiveness. The proposed policy direction was published on 4 November 2015 for public comment. 

Draft amended End-User and Subscriber Service Charter Regulations in terms of the Electronic Communications Act:

The draft amended End-User and Subscriber Service Charter was published in terms of the Electronic Communications Act. It applies to any person licenced by ICASA (this would include Telkom, Vodacom, MTN, Cell C etc). The amendments are aimed at creating ‘a more informed consumer who is better able to select products and services best suited to their needs and circumstances. The charter regulates what information end-users must receive at the point of sale (regulation 5), information about promotions (regulation 6), information on international roaming (regulation 7), the format in which end-users must be billed (regulation 9) etc. All information must be consumer friendly and in simple language. The charter also regulations the quality of the service (particularly availability), installation and the correction of faults (regulation 10). Complaints management, dispute resolution and end-users’ rights in the event of poor service is also regulated (regulation 14 to 16). End-users are also protected against the sharing of their personal information without their consent (regulation 18). The penalty for contravening the charter is a fine between R250 000 and R5 000 000 (regulation 21).

Most of these issues would be covered by both the Electronic Communications and the Consumer Protection Act, so one might be forgiven for wondering how these two pieces of legislation interact. In July 2015 a Memorandum of Agreement between the NCC and ICASA was published which provides guidelines for interaction between the two regulatory authorities. It provides that they must develop a common framework for the referral of complaints. The NCC commissioner has indicated that the ‘NCC will attend to matters relating to contracts, misrepresentation, bait marketing, faulty handsets, as well as call limits’ while ‘ICASA will deal [with] data, international roaming, pricing and quality of networks’.

Insurance Bill tabled:

The Insurance Bill was tabled in the National Assembly on 29 January 2016. The objectives of the Bill are to: facilitate the monitoring and preservation of a financially sound and safe insurance sector; enhance existing policyholder protection; and improve ‘access to insurance’ by providing (amongst other things) ‘an enabling framework for micro-insurance’. This is welcome given that the Consumer Protection Act does not apply to the insurance sector (it was first excluded in the CPA itself and later by the Financial Services Laws General Amendment Act). Read more in this article on BD Live.

Draft Franchise Code of Conduct out for comment:

A draft Franchise Code of Conduct was published for comment on 29 January 2016. The Code is published in terms of section 82 of the Consumer Protection Act. This means that if the Code is approved all franchisors will have to comply or else they could face an administrative fine. Comments are due 30 business days after the publication date. 

PAIA manuals for private bodies deferred until 2020:

The Minister of Justice and Correctional Services has decided to exempt private bodies from compiling a manual in terms of section 51 of the Promotion of Access to Information Act until 31 December 2020 (the notice which was published on 11 December 2015 is available here). Private bodies are still encouraged to compile manuals and must comply with all other provisions of PAIA. 

The bulk of personal information in a particular business is often found in Human Resources (HR) departments. In addition to the volume of the information, it is of a very sensitive nature (like medical and financial information).  Yet, HR departments are often overlooked in the compliance exercise – partly because employee personal information is seen as less important and risky than customer personal information and because of the enormity of the task. However, a breach of employee personal information can be just as expensive and embarrassing for an organisation.

* In addition to the harm that the employee can suffer, employee data breaches (particularly when username and passwords are compromised) can lead to further access to confidential information.

In the course of a couple of compliance programmes the following has become clear:

• HR over-collects information. Forms often ask for information that HR already has. This is problematic because each copy of the information has to be protected. Sometimes this is easy to remedy by just amending the forms and making sure that information is pulled through to different HR areas and systems.
  
  
• Often HR departments still rely on paper files as their primary records despite having sophisticated systems. This is important, because generally speaking paper files are much harder to secure than electronic information. Ask yourself why a system is not being used? Do people have the right access? Does the system have the right functionality? Have people received enough training on how to use the system?
  
  
• POPI compliance is impossible if HR does not have proper records management. What do we mean by that? Do you have a list of all the types of information and documents HR collects? Are there policies and procedures on how and for how long different types of records must be retained and how they must be destroyed?
  
  
• POPI compliance in HR often leads to other operational wins. It leads to improvements to existing procedures and increases efficiency. It reduces the amount of paper that is retained (storage costs money!). It gives momentum to becoming paperless. It ensures that existing systems are used to their full potential. This can help compliance officers to motivate why spending money on POPI in the HR department is worthwhile for any business.
  
  

Wondering where to start? The UK Information Commissioner’s Office has drafted The employment practices code. It contains good practice recommendations on a very wide range of topics relating to the processing of employee personal information. The UK legislation is very similar to POPI but it is not 100% identical (it comes very close), but the practice code can be used for guidance.

*Recent examples include breaches of employee personal information at Sony, Morrisons (a large UK retailer) and the United States Office of Personnel Management . See this article on the International Association of Privacy Professionals’ website.

There has been a lot of discussion on how to get around the direct marketing provisions in POPI. The issue which attorneys are trying to navigate is how to get around the provision which states that a consumer can only be contacted once to request permission to send them direct marketing.

Here is the solution according to this article in the Financial Mail:

‘POPI allows a marketer (whether as an individual or as a company) to make one unsolicited communication to a person they have not dealt with before. A “clever marketer” need only set up a company to send out that one unsolicited communication from, before using the same marketing database in a new company, adds Pierce. On each occasion, a person would only have been marketed to once and POPI would not have been contravened.’

While it is true that section 69 may not have been contravened (I say ‘may’, because certainly the spirit of section 69 has not been adhered to), this strategy may fall foul of at least two other POPI principles. In fact, this type of behaviour is exactly what the legislator wanted to address when it adopted sections 12 and 18 which state that personal information must be collected directly from the consumer and that consumers must be informed where their information was obtained and whether it will be shared with anyone. As always there are a number of exceptions to these principles and, depending on the circumstances, they may apply. However, in many cases, consumers would have to consent to the sharing of their information for direct marketing purposes – and it is pretty unlikely that consumers would oblige.

What this shows is that it is very dangerous to approach POPI in a piecemeal fashion. It requires a holistic approach, which takes all of the principles into account and looks at the entire lifecycle of the information – from collection to destruction.

This particular issue also raises an important and complex question: How will the Regulator approach companies who engage in the selling of personal information? We will discuss this in our next edition.

PS: In this article on TimesLive.co.za telemarketers are warned that POPI will make their lives harder by requiring that consumers must give consent before they can be contacted for direct marketing. This is not true. While the rest of POPI applies to the processing activities (eg the information must be secure and of a good quality), section 69 does not. It only applies to electronic communications, which do not include telephone calls (see the definition in section 1). It is odd that this is the case, but there it is.

Language and logic in form design

You might be wondering why we are talking about forms again* and what forms have to do with consumer law? It is true that most attorneys do not recognise application forms as legal documents. But consider this: In many cases the application is the offer to enter into a contract. If the form creates ambiguity it can affect the validity of the contract. In addition, poorly designed forms lead to incomplete transactions and the supplier will have to follow up with the consumer (often via a call centre) – this is not free. In other words, designing good forms manages legal risk and keeps costs down.

We’ve all struggled through ‘If you are renewing your account, complete sections A, B, and G. If you are applying for a new account, skip section A and complete sections B, C and F’ when filling in a form. It’s called conditional branching and the digital world has opened up a world of possibilities for usable forms.

Conditional branching allows you to send the user to a different question or section in a form based on his or her reaction to a previous question. For example, if a minor completes an application form and provides his ID number, he could be taken to a page that explains parental consent, while an adult applicant would never have to see that section. Easy as pie. But what to do if your organisation still uses paper forms?

On paper, the reader has to skip over irrelevant sections and complete others while keeping track of his or her own progress. In forms where there are many conditional questions, clarity is more important than ever. Here is a check-list to help you ensure that your forms stay user-friendly regardless of the level of difficulty of the contents:

• Is there a consistent and predictable sequence throughout the form?
  
  
• Have you used clear headings that will make sense to the user?
  
  
• Are there conventional and familiar approaches to collecting common information, such as name, address, and phone number?
  
  
• Does the form keep branching and question skipping to a minimum, but adequately signpost those that are required?
  
  
• Is there little need for users to page back and forth between questions?
  
  
• Are the questions that apply to most people up front, with the questions that apply to only some groups further down the form?
  
  

(User-friendly forms. Key principles and practices to effectively design and communicate Australian government forms (2006) Australian National Audit Office.)

Remember that no-one likes filling out a form, so keep it simple and easy to follow. If you have the budget, do usability testing to ensure that the form is user-friendly (there are many companies who specialise in this). If you don’t have the budget, grab a couple of people from the office.

* In the previous plain language tip we listed 10 ways to design better forms.

© Stellenbosch University Language Centre and Elizabeth de Stadler

Click here for the latest Labour Law releases.