The Protection of Personal Information Act, No 4 of 2013 (POPI) was promulgated into law on 26 November 2013 and will commence on a date to be determined by the President by proclamation.
As of 11 April 2014, certain provisions of POPI dealing with the establishment of the office of the Information Regulator as well as the powers, duties and functions of the Information Regulator have come into effect. Although the full extent of its application in South African law and how our courts will interpret its provisions remains uncertain, it is likely that we will need to look to foreign jurisdictions for guidance in the future. In this context, the recent judgment by the European Court of Justice (ECJ) in the matter Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Gonzalez C-131/12 (dubbed 'the right to be forgotten' case) in which certain fundamental privacy issues were highlighted is relevant and of interest, particularly in relation to the rights and obligations of search engine operators. Whilst the internet has revolutionised the way in which information can be sourced search engine operators may also infringe on privacy rights.
In summary, the complainant in the matter had launched a complaint with the Spanish Data Protection Agency (AEPD) against a widely circulated daily Spanish newspaper, Google Spain and Google Inc. (Google). The newspaper had contained announcements pertaining to the auctioning of real estate which was the subject of attachment proceedings for the recovery of social security debts from the complainant. In his complaint, the complainant submitted that when his name and surname were entered into the Google search engine, a link to the pages of the newspaper appeared and that such information was irrelevant as the debts had long since been settled and should therefore be removed.
In July 2010, the AEPD dismissed the complaint against the newspaper on the grounds that such information was lawfully published. The AEPD did however uphold the complaint against Google, as a result of which Google initiated proceedings in the Spanish National High Court (SNHC) to appeal the decision by the AEPD. In considering the matter, the SNHC addressed the question whether search engine operators are obliged to protect personal data published lawfully on third parties' websites where the data subject to whom the personal data relates wishes to have such information removed. Although the personal data is not published by a search engine operator, search engines make the locating, linking and indexing of such information available to Internet usersindefinitely.
The SNHC held that to determine whether search engine operators have data privacy obligations in this context, it was necessary to rely on an interpretation of the EU Directive 95/46/EC (Privacy Directive) and the matter was referred to the ECJ for final adjudication, with the ECJ being requested to consider the following in particular:
- whether the activities of Google (including locating information which contains personal data published on the internet by third parties, indexing it automatically, temporarily storing it and making it available to internet users in an order of preference) fall within the ambit of 'processing' as used in the Privacy Directive;
- whether Google should be regarded the 'controller' of the personal data as contemplated in the Privacy Directive; and
- whether the data subject's 'right to be forgotten' arising from Article 14 of the Privacy Directive and which allows a data subject 'to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him' was wide enough in scope to allow the data subject to object to the publication of certain and request the removal thereof.
The ECJ held that the operator of a search engine 'collects', 'retrieves', 'organises', 'stores' and ultimately 'discloses' (all terms expressly contained in the Privacy Directive) data to internet users. The ECJ determined that Google was indeed processing personal data as contemplated under the Privacy Directive.
Google contended that, although its activities constituted 'data processing' for the purposes of the Privacy Directive, the operator of a search engine cannot be considered a 'data controller' as it possesses no knowledge of the information processed and exercises no control over the data. Under the Privacy Directive, a 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The ECJ rejected Google's argument and held that Google was a data controller as contemplated in the Privacy Directive, in that a search engine operator determines the purpose and means of its processing activities and carries out processing of personal data itself within the framework of such activities. In addition, the ECJ held that this determination fell within the objectives of the Privacy Directive, including ensuring the effective and complete protection of data subjects.
On the issue of the data subject's 'right to be forgotten' and have certain information removed by Google from its indices, the ECJ interpreted the applicable provisions of the Privacy Directive in light of the fundamental rights contained in Article 7 (Respect for Private and Family Life) and Article 8 (Protection of Personal Data) of the Charter of Fundamental Rights of the European Union (2000/C 364/01). In this context, the ECJ was of the view that links directing internet users to the newspaper pages published 16 years prior and relating to matters which had since been settled posed a significant threat
to the legitimate interests of the complainant and amounted to interference in his private life. Google argued that the principle of proportionality should place the responsibility of addressing any requests for the removal of information on the publisher of that information and that requiring a search engine operator to remove information published on the internet from its indices would unduly prejudice the fundamental rights of internet users, website publishers and the search engine operator itself.
Despite this argument, the ECJ ruled that Google’s activities in the particular circumstances had detrimental implications on the individual which Google's economic interests did not justify. The ECJ also held that a fair balance ought to be struck between the fundamental right of access to information and protection of the individual’s fundamental right to privacy, with consideration being given to the nature of the information as well as a data subject's role in public life. Google was ordered to comply with the AEPD's ruling to remove the link to the information.
The ECJ finding imposes an obligation on search engine operators to distinguish between relevant and irrelevant personal data and also whether the information could serve the public interest. The ECJ finding also highlights that the strict interpretation of legislation which fails to take cognisance of and evolve congruently with the speedy evolution of information and communication technologies is not feasible.
Since the judgment was delivered on 13 May 2014, Google has taken steps to comply with the ruling and has uploaded a 'right to be forgotten' form for EU member states which allows EU citizens to complete the online form explaining why a link is outdated, irrelevant or otherwise inappropriate and if approved, Google will remove the link.
Persons processing South African personal information are strongly encouraged to assess their level of compliance with the provisions of POPI so as to consider and implement any compliance processes, procedures and policies which may need to be established and implemented. Although POPI provides for a one year compliance transition period, the obligations imposed by POPI are extensive and far reaching and persons (both natural and juristic) processing personal information should be focussing on becoming acquainted with the provisions of and their obligations under POPI, creating awareness of the implications of POPI within their organisations and taking all appropriate steps towards compliance. Non-compliance may amount to severe penalties, including fines of up to R10 million or 10 years imprisonment and may also expose organisations to civil damages claims by data subjects.
For more information about our Data Protection and Privacy services, please contact:
National Practice Head Director
T +27 (0)11 562 1079
Preeta Bhagattjee National Practice Head Director
Technology, Media and Telecommunications
T +27 (0)11 562 1038
National Practice Head Director
T +27 (0)11 562 1107
Cape Town Regional Practice Head Director
T +27 (0)21 481 6315
Technology, Media and Telecommunications
T +27 (0)11 562 1249
T +27 (0)21 481 6308
Faan Coetzee Executive Consultant Employment
T +27 (0)11 562 1600
This information is published for general information purposes and is not intended to constitute legal advice. Specialist legal advice should always be sought in relation to any particular situation. Cliffe Dekker Hofmeyr will accept no responsibility for any actions taken or not taken on the basis of this publication.
BBBEE STATUS: LEVEL THREE CONTRIBUTOR
1 Protea Place Sandton Johannesburg 2196, Private Bag X40 Benmore 2010 South Africa Dx 154 Randburg and Dx 42 Johannesburg
T +27 (0)11 562 1000 F +27 (0)11 562 1111 E firstname.lastname@example.org
11 Buitengracht Street Cape Town 8001, PO Box 695 Cape Town 8000 South Africa Dx 5 Cape Town
T +27 (0)21 481 6300 F +27 (0)21 481 6388 E email@example.com
Cliffe Dekker Hofmeyr is a member of DLA Piper Group,
an alliance of legal practices