February 2017

Hallo there CLR subscriber

Happy 2017! The biggest question for consumer lawyers this year is probably whether we will finally find out when POPI is going to become effective.

This month we also focus on a particularly contentious issue: the processing of the personal information of children.

For those of you who want to know more about POPI, there is a book, some courses and you can always access all the old issues of the Consumer Law Review.

Happy reading!

Elizabeth de Stadler

Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Long Street in Cape Town (http://www.esselaar.co.za). The firm specialises in consumer law. She is also a founding director of Novation Consulting (www.novcon.co.za or @NovConSA), a company which specialises in providing regulatory compliance solutions and designing innovative and effective ways to communicate ‘legal’ documents to consumers. She is the author and co-author of a number of chapters and works on consumer law including A Guide to the Protection of Personal Information Act (2015) and Commentary on the Consumer Protection Act (updated annually).

By Elizabeth de Stadler & Paul Esselaar

So, the Information Regulator had a press conference today (13 February 2017). We were waiting with baited breath to hear what the effective date was going to be. Alas (or mercifully, depending on your perspective), it seems that the Information Regulator will only be making a recommendation to the President regarding the effective date towards the end of the year.

The chairperson of the Information Regulator, Adv Pansy Tlakula, explained that the Regulator must first be fully operational and staff trained on the Act before it can become effective. There is also the matter of outstanding regulations. A refreshingly sensible approach if one thinks about the haphazard way in which the National Consumer Commission came into being.

She also pointed out that public and private bodies will have at least a year to become compliant, but remarked that ‘we are looking at 3 years probably’, which is the maximum deferral period provided for in POPI.

We will be keeping a close eye on developments over the coming months. The next interesting phase will be when draft regulations are published. In the meantime, we will keep unpacking the implications of POPI for business and government.

If you are wondering whether your institution should be doing something about data protection, the answer remains a resounding ‘yes’! Why? Well not because of POPI, but because data security breaches do not require legislation to be devastating to a company. Here is a wonderful infographic of the biggest breaches in recent history.  But the reasons why good information governance is important are not only negative – it is good business and good for the bottom line.

By Elizabeth de Stadler

Before we talk about the challenges of processing the personal information of minors, let’s take a step back.

What is up with POPI?

It feels like POPI has been in this kind of legislative limbo for years. Oh wait, it has been years. There seems to be some movement lately. Since Adv Pansy Tlakula and the other members of the Regulator were appointed last year, they have had their inaugural meeting. Despite a lot of speculation, there has been no indication of when the act will become effective. But we will be watching…

We were talking about the information of children (in South Africa that is a person under the age of 18). The fact of the matter is that not all processing of child PI is controversial. Children are large consumers of particularly digital services, of educational products, of apps and games, music…the list goes on.

POPI recognises that children are vulnerable. Processing the personal information of children is prohibited unless one of the following justifications are present: 

•    A parent or guardian can consent to the processing.

•    The processing is necessary for the establishment, exercise or defence of a right or obligation in law (which includes obligations of international public law). This exception is very wide. The phrase ‘in law’ could refer to legislation, the common law or even contract. But in the case of a contract, the child would need parental consent to validly conclude a contract anyway. One would assume that the Regulator will interpret these exceptions are narrowly as possible.

•    The personal information is being used for historical, statistical or research purposes if it serves a public interest and it is impossible (or would require a disproportionate effort) to ask for consent. The business would also need to provide sufficient guarantees that the privacy of the child is not disproportionately affected. In most cases POPI can be avoided entirely be de-identifying the information.

•    The prohibition also does not apply if the child deliberately made the personal information public with the consent of a parent or guardian.

Most businesses seem to be at a bit of a loss as to how to approach this requirement, particularly in cases where parental consent is required. I often see clauses like this one in terms & conditions:

You must be 18 years of age or older to make use of our services/our website. If you are under 18 years of age, you must have your parent or guardian’s consent.

This is not enough, particularly in cases where no attempts are made to ascertain the age of the consumers and the term is hidden in the terms and conditions. If the person ‘agreeing’ to the term is a child, they do not have the necessary legal capacity to conclude a valid agreement anyway. The problem is that verification methods and obtaining parental consent (particularly online) are notoriously difficult and costly to verify. 

First prize is always to obtain the child’s information directly from the parent or guardian. That way, the act of handing over the information doubles as permission to use it, as long as the parent is aware of what the information will be used for. 

We are in favour of a risk-based approach. The higher the risk, the more effort and expense will be required by the Information Regulator. The United Kingdom’s Information Commissioner’s (ICO) Personal information online code of practice lists the following scenarios as instances where parental consent should be obtained (at the time it was drafted parental consent was not yet a requirement, but the list is useful nonetheless): 

•    where the child’s personal information is going to be disclosed to a third party.

•    if the child’s details is going to be used for marketing purposes.

•    if the information is going to be made public.

•    if the child’s image is going to be used on a website which is open to the public.

•    where the child is going to be asked for personal information of third parties like family members or friends (excluding of course the parents’ details – how else could you get parental consent).

The ICO concludes that ‘where minimal information is being collected, such as an email address to register on a site and to ask the child to confirm their age, then asking the child to tick a box to confirm parental consent and sending an e-mail to the parent may be sufficient.’

Are you wondering how to get parental consent? You are not alone and there are many ways of doing it. In the past we have found the Advertising Education Forum’s report on best practices for parental consent very helpful. It includes several existing examples of how other businesses are doing it (from page 20). 

Matters become particularly complicated for businesses who operate globally, because not all countries have the same age of majority. In such cases it is often necessary to cater for, in this case, the highest common denominator.

By Paul Esselaar

Every day thousands of emails go out with email disclaimers. Some of the disclaimers are at the top, others at the bottom and still others contain a simple hyperlink which takes you to the actual text of the disclaimer. But are they really useful?

There are three basic questions that should be used to consider what (if anything) should be inserted into a disclaimer:

#1 Are you trying to reach an agreement or simply notifying the other person?

In general, if the text of the disclaimer is seeking to achieve some kind of an agreement it will not be enforceable, unless there is an affirmative response from the person. This is because there is no clear consensus between the parties (and also, let’s be honest, most people do not even read them). For example, an email disclaimer cannot bind the recipient to a duty of confidentiality unless that duty already exists in law (for example if the recipient is a police officer investigating a case) or the recipient actually agrees beforehand to treat the email as confidential. This was stated in the European Union case of Philips [2012] E.P.O.R 41 which held that the recipient can elect whether to keep the email confidential or not.

In contrast a disclaimer notifying the recipient of something, such as the fact that this is a business communication that may be monitored by the employer, can be quite useful as it goes to show that both the sender, and more important, the recipient should have been aware of the employers’ right to intercept the communications. This also holds true for e-mail disclaimers which are used to discharge the notification duties in terms of POPI.

#2 Do you routinely breach your disclaimer’s statements?

Another useful question is whether the email disclaimer always applies to every email you send? For example, inserting ‘this email does not contain legal advice’ into an attorneys’ email disclaimer is not helpful if it can be proven that the attorney does provide legal advice by email, even infrequently. The fact that this is automatically inserted both when appropriate and when it is inappropriate means that the reasonable reader is entitled to disregard the disclaimer.

In contrast if a disclaimer asserting the content is not legal advice which is only used when, in fact, the email is not intended to be legal advice, is much more likely to be enforced by the courts. This means that you should either:

•    Only include something in your disclaimer that will always be true, or

•    Insert / don’t insert the email disclaimer as the situation dictates.

#3: Are you trying to vary the actual content of the email?

A disclaimer cannot vary the content of an email which is self-evident. For example, an email stating ‘payback is a b****’ signed ‘your most determined, unstoppable and visceral enemy’ cannot suddenly become non-threatening because the email disclaimer states that ‘Not one word herein should be construed by anyone as meaning threating or violent intentions’ (this actually happened in the Californian case of Romero v Romero 2011 Cal, App. Unpub. Lexis 8706 (Cal. App. 4th Dist, Nov. 14, 2011)).

Similarly, stating that ‘this email should not be considered to be a written amendment to an agreement’ could fly in the face of the actual intention of the parties as set out in the body of the email. This last point is particularly important as the relatively recent South African case of Spring Forest Trading v Wilberry 2015 (2) SA 118 (SCA) has made it clear that a mere email with the name of the sender (‘Greg’) at the end of the email is considered to be both ‘in writing’ and (somewhat incredibly) ‘signed’ by the sender. This means that it is possible to amend all your paper agreements with a simple email! If you don’t like that, you are going to have to prohibit e-mail expressly in the contract. Doing it in an e-mail disclaimer is not going to help.

So where does this leave you? While email disclaimers can be useful, their use is limited. An email disclaimer will not stop a defamatory statement being a defamatory statement, nor will it help an attorney who is clearly providing legal advice from claiming that the email content was not legal advice. However, it may help to contain a leak of information (if for no other reason than the recipient may be less likely to send it out if it states ‘PRIVATE AND CONFIDENTIAL’) and it can make it difficult for the recipient to allege that they were unaware that their racy emails could be monitored. Where something is important (such as making sure that the recipient knows that the content is protected by legal privilege or that the email is a without prejudice offer) then it is better to state that specifically in the body of the email, rather than rely on the email disclaimer where it may be missed.  

Oh, and this isn’t legal advice ;).

Paul is a founding director of Novation Consulting.

Click here for the latest Consumer Law releases.