With the introduction of POPIA in South Africa, organisations are adapting to the implementation and management of their POPI compliance – as regulated by the mandatory appointment of the Information Officer as the gatekeeper or responsible person ensuring such compliance.
In larger organisations this seems manageable enough but for the purpose of this article, let us focus on the impact this has on smaller organisations where the individual is registered as a trading entity, such as in the case of private consultants and or other SMME’s.
The “responsible person” as defined in the act as “means a public/ private body or any other persons which alone or in conjunction with others determines the purpose of means for processing of personal information and the “data subject” means the person to whom personal information relates”
The Act further refers to personal information as information relative to an identifiable, living natural person and where applicable and identifiable existing juristic person”
Thus, the assumption is made that in smaller organisations, the owner/ trader or registered entity is both the responsible person and the data subject, which begs the question as to in the case of SMME’s what is considered “personal information”?
Such organisations often rely on social media platforms to advertise their products and services, and therefor by default, their personal information is available in the public domain – which according to the act information that is within the public domain is considered as exempt from protection under the act.
The moral dilemma that face both individuals and that posed by the act is the Rights as set-out in the Constitutional Court – which advocates the freedom of expression and freedom of speech, thus in the case of SMME’s – what does POPIA mean to those who are subject to scrutiny and criticism by an unhappy customer or consumer?
In larger organisations it is rather straight-forward with dedicated channels and platforms dealing with complaints or disputes – as related to the product or service, thus remaining rather autonomous, whereas in the case of smaller SMME’s, the same disputes and or complaints become more personal as there is seldom a larger “entity” protecting the SMME or representative thereof, and the lines between the protection of personal information and that of one’s right to freedom of speech and freedom of expression becomes somewhat blurred.
While POPIA does make provision for the protection of personal information is waived in the event of purposes relating to criminal activities and those relating to the disclosure of information where personal information is released in matters that are relative to that of public interest- however where is the line drawn?
In a recent case held on 10 January 2022 the Supreme Court of Appeal handed down judgement in the matter of Smuts and Another v Botha Smuts and Another v Botha (887/2020) [2022] ZASCA 3 (10 January 2022) (saflii.org).
The matter concerned the publication by Smuts of personal and private details of Botha on a Facebook page.
Smuts is an environmental activist who came to know of certain animal trapping practices employed by Botha. Smuts regarded the practices as unethical and after a WhatsApp engagement with Botha published on Facebook pictures of Botha, some personal information relating to Botha and Smuts’ views on these practices.
Botha obtained an interdict in the Eastern Cape High Court. The high court reasoned that the name of the farm and Botha’s identity, as owner of it, constituted personal information protected by his right to privacy. It held that Botha established a clear right to an interdict, and his right to privacy was infringed by the publication of his personal information on Facebook.
It adopted an approach that the public interest lay in the topic and not in Botha’s personal information. As a result, the high court concluded that Smuts had acted unlawfully in linking Botha to the practice of animal trapping.
At paragraph 8 of the judgement the Court stated:
“The right to privacy is a fundamental right that is protected under the Constitution. It is a right of a person to be free from intrusion or publicity of information or matters of a personal nature.
It is central to the protection of human dignity, and forms the cornerstone of any democratic society. It supports and buttresses other rights such as freedom of expression, information and association.
It is also about respect; every individual has a desire to keep at least some of his/her information private and away from prying eyes. Another individual or group does not have the right to ignore his wishes or to be disrespectful of his desire for privacy without a solid and reasoned basis”.
This article as available (www. saflii.org) is in my opinion but a small example of where the gaps lie in the balance between personal information vs public interest, in this case the ruling was in favour of the protection of personal information vs that of public interest, does this then set the tone for future reference that diminishes disclosure of information that is in the public interest?
And if the ruling was in favour of the defendant – where the information disclosed was of greater public interest than that of the applicant’s protection of personal information (which as a matter of fact was available in the public domain), would that set the benchmark to allow for freedom of speech and freedom of expression override the protection of personal information?
Perhaps it might be useful to more clearly define information in the public domain and that which is of public interest to get a clearer understanding of the extent of the applicability of the law in both these instances