The commencement date of POPIA is no April Fool's joke
- the Chairperson of the Information Regulator, Advocate Pansy Tlakula, recently sent a request to President Cyril Ramaphosa to declare that the remaining provisions of the Protection of Personal Information Act, 2013 ("POPIA") commence on 1 April 2020 ("commencement date").
- it is expected that the president will act on this request. A responsible party (ie, a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will then be given a one-year transitional period after the commencement date to comply with its provisions. That means that organisations will have to be POPIA-compliant by 31 March 2021.
Sanction screening vs data protection
- in terms of South African legislation, entities should not deal with persons or entities who have been sanctioned by the United Nations Security Council ("UNSC")
- section 25 of the Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 2004 ("POCDATARA") says that the president must give notice that the UNSC has imposed sanctions. Section 4 of POCDATARA expressly prohibits any person from dealing with property that is associated with entities that are sanctioned pursuant to POCDATARA.
- under section 26A (3) of the Financial Intelligence Centre Act, 2001 ("FICA"), the Minister of Finance must announce the adoption of UNSC resolutions for financial sanctions. Thereafter, in terms of section 26B of FICA, a person may not (subject to limited exceptions) deal with a person or an entity who has been sanctioned.
- section 28A of FICA obliges accountable institutions, such as banks and money remitters, upon the publication of a proclamation under section 25 of POCDATARA or a notice under section 26A (3) of FICA as above, to scrutinise their information concerning clients with whom the accountable institution has business relationships in order to determine whether any such client is a person or entity mentioned in the proclamation or the notice. If a positive hit is found, the accountable institution must file a report with the Financial Intelligence Centre.
- the Office of Foreign Assets Control of the United States ("OFAC") has previously penalised non-US banks for processing USD transactions involving countries sanctioned for terrorist and related activities.
- because of the significant risks for non-US banks and other companies that do business with OFAC-sanctioned jurisdictions or persons using USD payments, South African entities often perform sanction screening on employees, customers and suppliers that goes beyond the requirements of local legislation (ie, FICA and POCDATARA, which ban transactions with UNSC-sanctioned entities only).
- however, the legality of these screening operations is questionable under data privacy and protection legislation. While the substantive provisions of POPIA are not yet in force, the EU General Data Protection Regulation 2016/679 ("GDPR"), which in certain instances applies directly to South African entities, came into force on 25 May 2018.
- in terms of section 26 of POPIA, the processing of personal information concerning the criminal behaviour of a data subject (to the extent that such information relates to the alleged commission of any offence by the data subject, to any proceedings in respect of any offence allegedly committed by the data subject, or to the disposal of such proceedings) is, as a general rule, prohibited unless the data subject has consented to such processing.
- in terms of Article 10 of the GDPR, the lawful processing of personal data relating to criminal convictions and offences or related security measures must be carried out only under the control of official authority or be authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
- processing is therefore permitted where it originates in EU sanctions lists.
- by contrast, the processing of personal data based on US listings does not constitute a legal obligation stemming from either EU law or the law of one of the Member States.
- in this regard, the medical technology and life sciences multinational, GE Healthcare Group, made an application to the Swedish data protection authority for an exemption for the processing of personal data in order to comply with US (ie, OFAC) sanctions lists. The Swedish Data Protection Authority refused to grant the exemption and the matter was brought before the Administrative Court in Stockholm County.
- while the court recognised the legitimate interest of the company to comply with the OFAC sanctions, it still found that these considerations were insufficient to offset the fundamental data-protection rights of the individuals concerned.
- it would seem as if the right to data protection and privacy (especially where special personal information is involved) under the GDPR and POPIA cannot, without further safeguards, be overridden by business and other interests in complying with OFAC and other sanctions.
- GDPR penalties for non-compliance may be up to EUR20-million or 4% of the total global turnover of an entity and non-compliance with POPIA (once in force) can lead to imprisonment of up to 10 years or a ZAR10-million fine, or both. However, penalties for US sanctions violations can exceed these amounts.
- to avoid falling foul of POPIA and to prevent sanction violations, it is recommended that entities obtain consent from data subjects in respect of sanction screening. Such consent must be a voluntary, specific and informed expression of will and can, for example, be included in privacy policies, customer terms and conditions, onboarding forms and the like. ENSafrica can assist in this regard.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.