News / Legal Brief

POPIA and consent, the biggest misunderstanding?

Aug 3,2022

Ahmore Burger-Smidt - Head of Regulatory and Dale Adams - Associate
Sometimes you have to travel a long way to find what is near” Paulo Coelho

It has been over a year since the compliance deadline of the Protection of Personal Information 4 of 2013 (POPIA), and yet there are still many misconceptions, misleading interpretations and misunderstandings regarding POPIA. A specific example in this regard is the fact that POPIA remains to be considered as “consent driven”.[1]

Most recently, the Information Regulator (Regulator) of South Africa pronounced that the consent of matric candidates or their parents will have to be obtained if the Department of Basic Education wants to publish matric results at the end of the year.[2] This again adds to the unfortunate impression that consent is the be-all and end-all when it comes to the processing of personal information – something not supported by POPIA itself.

POPIA is not consent-driven

Simply put, POPIA is not consent-driven, meaning that a responsible party[3] does not necessarily need a data subject’s[4] consent in all instances to process their personal information. However, there are certain instances when a responsible party must obtain a data subject’s consent, such as when the personal information of children is concerned – consent must be obtained from a parent or guardian.[5]

There are five other grounds, apart from consent, that allow for the lawful processing of personal information, these are when the:

  • processing is necessary to carry out actions to conclude or perform in terms of a contract;
  • processing complies with an obligation imposed by law on the responsible party;
  • processing protects a legitimate interest of the data subject;
  • processing is necessary for the proper performance of a public law duty by a public body; or
  • processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Accordingly, even though consent is a lawful basis for processing, there are alternatives. Consent is not inherently better or more important than these alternatives.

Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.

POPIA sets a high standard

POPIA sets a high standard for consent, which must be a “voluntary, specific and informed expression of will” under which permission is given for the processing of personal information.[6] POPIA also gives a specific right to data subjects to withdraw consent at any point. Since consent can be withdrawn by a data subject at any time, consent could possibly be one of the weakest grounds for processing.

We say this because if consent is withdrawn this would deprive a responsible party’s ability to continue processing personal information of a data subject lawfully. Furthermore, a responsible party bears the burden of proof to demonstrate that a data subject has provided consent.

From this, the following characteristics of consent become apparent:

  • consent must be freely given, giving data subjects genuine ongoing choice and control over how a responsible party uses their personal information.
  • consent must be obvious and require a positive action to opt-in, this means that consent requests ought to be prominent, unbundled from other terms and conditions, concise and easy to understand.[7]

Accordingly, a “catch all‘ or “blanket” type of consent contained in, amongst others, contracts and terms of use will not suffice and in fact constitute invalid consent.

Consent is consequently multifaceted

Consent is consequently multifaceted, therefore public authorities, employers and other organisations may find it difficult to demonstrate voluntary and specific consent. Consent should be avoided, unless it can be confidently demonstrated that consent is freely given.

In the context of the national long-standing tradition of publishing matric results, this issue was hotly contested in the High Court in January 2022. Relying on matriculants’ rights to privacy and rights under POPIA, the Department of Education (DBE) sought to do away with the historic practice of having matric results published and, instead, have matriculants collect their results from their schools. The High Court ordered that the DBE must publish the results “as was the practice in previous years” and that this publication is not to reflect “the first names and/or surnames of any of the learners“.[8]

The order of the High Court is interesting because it questions whether a matric exam number in and of itself (and separate from a learner’s ID number, name and surname) constitutes personally identifiable information.

Indeed, this is an important question because if a matric exam number does not constitute personally identifiable information, then it cannot be linked to or used to identify a matric learner.

One could ask if it is in the public interest for matric results to be published. If it indeed is the case, the Regulator could authorise a newspaper owner to proceed with the publishing of matric results on the current basis i.e., exam number and results and no consent would be required.

Robust understanding of what consent actually requires and when it should be obtained is without doubt important.

Sometimes you have to travel a long way to find what is near” Paulo Coelho

Footnotes
[1] See, for example, “POPI D-Day: Impact on WhatsApp groups and what you should know“, accessed on 18 July 2022, where it was discussed that WhatsApp group admin is responsible for obtaining consent from members to process their personal information such as phone numbers and profile photos.
[2] See “Govt may need to get parents’ consent before publishing this year’s matric results” T Monama, accessed on 18 July 2022.
[3] A responsible party is a public or private body who alone or together with others determines the purpose of and means for processing personal information.
[4] A data subject is the person (natural or juristic) to whom personal information relates.
[5] See sections 34 and 35(1)(a) of POPIA.
[6] See generally the note on consent issued by the Information Commissioner’s Office, accessed on 19 July 2022.
[7] See section 1 of POPIA.
[8] See Spies and Others v Minister of Basic Education and Others (1652/2022) [2022] ZAGPPHC 2 (18 January 2022).