Data privacy issues a hurdle

Personal Information law must be fully implemented

Publication: BUSINESS DAY BUSINESS LAW & TAX REVIEW - Key trading partners in Europe do not trust SA’s data protection laws enough to confidently impart information, and this is a threat to ongoing business with a major trading partner at a time when the weak rand and trade deficit are already placing significant pressure on the economy.

At the moment many South Africans must fly to European countries in order to secure opportunities for South Africa, many of which are lost because European organisations are uncomfortable with sharing information. Accordingly, despite the delay in the implementation of South African data privacy protection laws, organisations choosing to wait before becoming compliant should think again.

But it is not only in SA that uncertainty and the potential loss of cross-border business exist. The US-EU safe harbour agreement, which underpinned how US companies dealt with EU data, was recently nullified by the EU courts and it is hoped a new agreement can be thrashed out early this year to ensure US compliance levels can match those in Europe. In the interim, plenty of confusion and uncertainty reign, much like in SA.

If not even the US is seen as adequate to transact, you have to ask where it places SA in terms of increasing commercial activity with Europe.

From an organisational perspective, SA companies should be looking to become compliant now with European standards by putting contractual measures in place to secure international growth and innovation opportunities.

These efforts will go some way to reassuring Europeans to do business with SA, but what is required is the full implementation of our local legislation, the Protection of Personal Information Act (Popi), thus making us a data-protected country and providing certainty to the international business world.

Popi became law in 2013, but an Information Regulator needed to be appointed for it to become fully effective. Nominations were made on 14 August 2015 and Parliament needed to make an appointment. But then on November 11 2015, a further meeting was held on the role of the Regulator and now Parliament has delayed the process again by calling for another workshop this year to address issues ranging from how the Act will protect the poor and exactly who it protects, to how state secrecy requirements can be balanced or enhanced.

These issues should have been addressed in 2013 when Popi was still a Bill and indeed have mostly been addressed during the interim phase. However, the delay in the appointment of the Regulator has again delayed the commencement of the initial “grace period” of one year for companies to become compliant.

There have been a number of delays, frustrating both local and international business and ordinary South Africans (who should be able to rely on the protection which Popi offers them but cannot due to its delayed implementation). Businesses which operate cross-border are particularly impacted, since day-to-day operations become complex when you are unsure which information can or cannot be shared.

Improving compliance levels would not only ensure SA sets the bar for the whole of Africa – African trade is equally under threat until privacy protection rules are improved – but would facilitate trade by ensuring SA can freely transact with Europe, send data, and look to provide data services at what is a favourable exchange rate for most of the globe. The data service business is a potential growth market for countries that can provide skills and expertise at competitive rates.

However, further delays, just when the rand is weak and the trade deficit is widening, are limiting opportunities. It is likely that many companies would need to completely overhaul their information management systems once the rules come into effect. Delaying alignment with international data protection rules will only increase the cost burden of doing it later, when technology costs and other fees are likely to have increased. In addition, once appointed, the Regulator will be able to impose up to 10 years in prison, or a R10m fine for non-compliant organisations.

No concrete date for implementation has been provided, but we certainly hope for clarity soon. In the interim, the best advice is for companies to self-comply and ensure they do not lose out on any potential business. They will then also be better prepared when the inevitable changes happen.

Media Contacts

Daniella Kafouris
Associate Director | Deloitte Risk Advisory Africa

Tel: +27(0)11 209-8101

