South Africa’s main data protection law PoPI, enacted in 2013, will soon take effect once a date has been determined. Certain provisions of the Act relating to the establishment of the Information Regulator and regulations under POPI have, however, come into force.
According to Chris Cilliers, CEO and principal for Lew Geffen Sotheby’s International Realty, in terms of property transactions, it’s essential that consumers understand what this means for them.
Disclosing sensitive information
“In order to successfully conclude a property transaction, both parties to the sale need to disclose sensitive information to the professionals involved in the transaction relating to their personal information, status and financial affairs – and all of this information is protected in terms of the PoPI Act.
“This information is held on the servers or in the files of the banks, the mortgage originators, estate agents, insurers and attorneys and, although the disclosure of information has historically been regulated in various ways, the PoPI Act applies to all of them and adds another layer of protection and recourse for buyers and sellers.”
Craig Guthrie, specialist attorney at Guthrie Colananni, explains: “In simple terms, the PoPI Act is law to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information.
“It also holds them accountable should they abuse or compromise this information in any way, which is good new for buyers and sellers as it will give them rights to protect their personal information and give them the ability to exercise control over how and when the data is shared.”
However, Guthrie says that in a constantly evolving technological environment where it is almost impossible to do business without making your data available on some or other electronic platform, it is a challenge to remain on top of all the potential loopholes.
He adds that it is interesting to note that the PoPI Act was a response to the privacy and data protection laws in other countries.
“For businesses, the main challenge is to educate their staff to understand how precious people’s information is, and how they could be personally liable if they compromise it.
“The PoPI Act imposes heavy fines (up to R10m) and criminal sanctions if they don’t take reasonable steps to protect client’s information, and the duty imposed on businesses is not easy when you consider what information needs to be protected and how easy it is to electronically share it.
“Furthermore, the Act imposes the same obligations on ‘any person’ who compromises the data which means that everybody needs to be careful with what personal information they collect, process or share, which is a challenge in itself as information is held in so many different places.”
Guthrie says that in light of the potential vulnerability of information, clients should also ensure that they take measures to protect themselves.
“Before providing your information, you need to verify that you are giving such information to a reputable and responsible organisation that will reasonably protect your data.
“Additionally, you now have the right to check that the data relating to you is correct and, in most cases, have the right to request that the data be destroyed when it is no longer needed, however, in property transactions, this data needs to be held for a number of years due to other legislation.”
Never ignore the fine print
He adds that consumers should never ignore the fine print and must be aware of the T&C’s that they are consenting to regarding the sharing of their data.
However, in the event of the unlawful sharing of data, consumers do have recourse.
They can either report the matter to the office of the Information Regulator, which is a committee appointed in terms of the PoPI Act. The regulator’s function is to investigate the complaints and take appropriate action where necessary. It is not empowered to award compensation to victims of data abuse, however the regulator is empowered to take civil action against the party in breach of the Act, presumably to persuade a court to order civil damages to the victim.
Departure from common law
Section 99 of the PoPI Act also entitles an aggrieved person to sue any person in breach of the Act for damages. In a departure from the common law requirement for damages, an action under the PoPI Act does not require the plaintiff to prove that the defendant acted negligently or intentionally. The court’s powers to award damages to the victim are wide.
The defences available to the defendant business are also limited in the Act. They need to prove that the regulator exempted them, or compliance was not reasonably practical, or that the plaintiff consented or was at fault themselves, or the breach was due to an act of God.
Cilliers concludes: “Now, more than ever, it is essential that buyers and sellers ensure that they appoint well-established, recognised agencies with known track records and that their selected agent is experienced and knowledgeable in all legal and administrative matters relating to property transactions.”