Can’t make head or tail of POPIA? Lessons from Sheburi V Rail Safety Regulator

The Protection of Personal Information Act 4 of 2013

The Protection of Personal Information Act 4 of 2013 (“POPIA“) came into full effect on 1 July 2021 and therefore a basic understanding of what POPIA regulates is without a doubt important. Personal information is everywhere, and privacy arguments are raised by many in different contexts and forums.

When privacy arguments are raised in legal proceedings, they are often raised in a convoluted manner. In the matter of Sheburi v Railway Safety Regulator GATW 15200-2 various issues were argued and considered which had their foundation in POPIA. Some of these aspects before the Commission for Conciliation, Mediation and Arbitration (“CCMA“) related to –

• the processing of personal information based on consent;[1] and
• the concept of processing personal information for purely personal or household activity.[2]

In short, the Railway Safety Regulator (“RSR“) objected to the inclusion of two offers of employment in the evidence bundle of Ms. Koliswa Sheburi (“Ms. Sheburi“), an employee of the RSR. The RSR argued that the disclosure of the offers of employment contravened POPIA in that Ms. Sheburi did not obtain the consent of those employees to whom the offers of employment-related to.

Ms. Sheburi argued that the offers of employment had been voluntarily made available to her and that the employees who gave her these documents had, in fact, given her consent to table these documents before the CCMA.

Also, the CCMA considered during the proceedings whether its proceedings might be excluded from POPIA’s application in that its proceedings “constitute purely personal or household activity”.

The CCMA inadvertently reached the correct conclusion and allowed for the inclusion of the offers of employment in the evidence bundle, but what is evident from the ruling is that a clear interpretation and application of the relevant POPIA provisions were lacking.

Consent

The CCMA found that consent was in place for the disclosure of the offers of employment. To this end, the CCMA reasoned that even though the emails of the employees made no mention of consent, consent was indeed in place given that – “these employees must obviously have been aware of the fact that the applicant needed the information for a reason. They could, after all, have refused to furnish the documents to the applicant“.

But this in itself does not align with POPIA. POPIA requires consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information“. Breaking this down, in order for consent to be valid –

• it must be an expression of will. A reading of the words “expression of will” means that there must be an action demonstrating consent. Consequently, implied consent (or inaction) is questionable;
• given voluntarily. Voluntary consent means that data subjects must be able to freely exercise a choice and be free from impediments such as negative consequences if he/she does not consent;
• be specific. Specific consent means that a data subject must be aware of the specifics of what they are consenting to. In order words, what specifically will happen to the personal information disclosed. A blanket authorisation to process personal information does not suffice.
• be informed. Informed consent is linked to the fact that consent must be specific. This means that a data subject must be aware of what they are consenting to i.e. the data subject must be aware of the processing activities of the responsible party. This includes, for example, the purpose/s for which the responsible party will use the information.

It is also noteworthy that POPIA places a burden of proof for proving consent on the individual or entity responsible for collecting and wishing to make use of the personal information.

Considering the facts before the CCMA and from a POPIA perspective, it ought to have been considered whether those individuals that provided Ms. Sheburi with the offers of employment agreed (consented) to her using it during the CCMA proceedings. Consent can never be assumed.

Purely personal or household activities

The CCMA, with a disclaimer, that it might be wrong, referred to section 6(1)(a) of POPIA which provides that POPIA does not apply to the processing of personal information in the course of a purely personal or household activity and found that the presentation of a case by the party at a CCMA arbitration arguably constitutes a purely personal activity, therefore, POPIA does not apply to CCMA proceedings.

Albeit POPIA does not guide what constitutes personal or household activity, guidance can be obtained from the General Data Protection Regulation, 2016 (“GDPR“). The GDPR provides that purely personal or household activities are activities with no connection to professional or commercial activity and could include, for example, correspondence (i.e. communications between friends or family members) or social networking activities.

The European Court of Justice in the Lindqvist case (C-101/01, ECLI:EU:C:2003:596) held the following in relation to purely personal and household activities “That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals“.

Legal proceedings before the CCMA generally arise from disputes between an employer and an employee. This is a business relationship founded on contract, therefore, CCMA proceedings cannot constitute purely personal or household activities, but follows from a commercial dispute.

Long is the road to adopting a clear command of POPIA principles.

Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.

[1] As set out in section 11(1)(a) of POPIA.

[2] As set out in section 6(1)(a) of POPIA.