News / Legal Brief

Information Regulator grants its first exemptions under POPIA

Oct 4,2023

Ahmore Burger-Smidt - Head of Regulatory

The Information Regulator (Regulator) recently granted its first exemptions in terms of section 37(1) of the Protection of Personal Information Act 4 of 2013 (POPIA).

The exemptions, which were granted to –

  • private security services firm Bidvest Protea Coin Proprietary Limited (Bidvest Protea Coin);
  • investigation services firm IRS Forensic and Investigations Proprietary Limited (IRS Forensic);
  • road traffic and transport public body Road Traffic Infringement Agency (RTIA); and
  • private security services firm SSG Security Solutions (SSG);

allow these bodies to process personal information even where such processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition.

The relevant conditions which each body was granted exemption from include sections 11(3)(a) and 24 of POPIA, which allows data subjects to –

  • object to the processing of their personal information
  • request the correction or deletion of their personal information that is under the control of a responsible party.

The exemptions in relation to each responsible party can be summarised as follows –

  • Bidvest Protea Coin: exempted from compliance on the basis that the public interest, in particular as it relates to the prevention, detection and prosecution of offences, outweighs to a substantial degree any interference with the privacy of a data subject that could result from such processing. This is because Bidvest Protea Coin conducts official investigations to assist the South African Police Service (SAPS), and the National Prosecuting Authority (NPA), in their duties and functions.
  • IRS Forensic: exempted from compliance when conducting official investigations in line with requests from the SAPS, the Directorate for Priority Crime Investigations (DPCI), National Council of Society for the Prevention of Cruelty to Animals, Society for the Prevention of Cruelty to Animals, and the NPA. This exemption was granted on the basis of the public interest in the processing, which includes the prevention, detection and prosecution of offences.
  • RTIA: exempted from compliance when assisting in the combatting, prevention, detection, investigation, and prosecution of crimes in South Africa. The RTIA also enforces penalties imposed against persons who contravene road traffic laws and provides specialised prosecution support services to the NPA. The Regulator found that the public interest in the processing, which includes the prevention, detection and prosecution of offences, and the important economic and financial interest of a public body (i.e. the RTIA), outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing.
  • SSG: exempted from compliance when conducting official investigations in line with requests from the SAPS and DPCI, on the basis of the overriding public interest in the prevention, detection and prosecution of offences.

However, the exemptions grated does not mean that overall compliance with POPIA is not required. There remains an obligation to ensure that personal information is processed in compliance with POPIA and where applicable the agreements must be entered into to ensure POPIA are complied.

Also, personal information must still be secured and protected in line with the security safeguards requirement of POPIA.

Furthermore, even though the exemptions were grated, the parties remain bound by any other conditions for the lawful processing of personal information that may apply in terms of a Guidance Note to be issued by the Regulator on surveillance by CCTV.

Section 37(1) of POPIA provides two bases on which the Regulator may grant an exemption to a responsible party –

  • The first is the public interest which must outweigh, to a substantial degree, any interference with the privacy of a data subject. Public interest considerations include, amongst others, matters of national security, and the prevention, detection and prosecution of offences.
  • The second basis is a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject.

It is yet to be seen how the Regulator will approach an exemption application based on a clear benefit to a data subject or a third party.

What is evident is that the clear benefit or, as is the case in the abovementioned exemptions, the public interest must outweigh, to a substantial degree, any interference with the privacy of a data subject that could result from the contemplated processing.

What is left to be determined is how much responsible parties such as banks, telecommunications service providers, insurers, medical schemes and others which are significantly data driven and process significant amounts of personal information, including special personal information, will seek to rely on such exemptions.

In other words, will they seek to rely on legitimate interests for example and hope to justify same should an issue arise or is it better to approach the Regulator for an exemption where processing may be contentious?

Only time will tell.