• Yoland Swales

A Comparison of the Information Regulator’s Strategic Plan and the EDPB's Work Program

The Information Regulator’s Strategic Plan for 2020/21 to 2025 was released in May 2020. The Plan is important as it provides insight into the key strategic goals which inform the Regulator's activities for the period 2020/21 until 2025. The Regulator has identified two key priorities, being, ensuring that personal information is protected and the promotion of access to information.

The Strategic Plan notes outcome indicators in the form of the number of the Protection of Personal Information Act (POPIA) related complaints and the percentage improvement compliance with s32 of the Promotion of Access to Information Act (PAIA). The Regulator has five key programmes which are:

  • The promotion and protection of personal information processed by public and private bodies in compliance with POPIA.

  • To ensure the effective implementation of the promotion of the constitutional right of access to information as provided in PAIA.

  • Education and communication activities in the form of engagement with the public and stakeholders.

  • Legal, policy, research and information technology analysis.

  • Administrative activities related to the effective management of the office of the Information Regulator.

On presentation of the Plan to the parliamentary Justice Committee in May, the Information Regulator discussed the following risks:

  • There was delay in full implementation of POPIA and the Regulator wrote to the President and the Minister of Justice and Constitutional Development to request a Proclamation to operationalise POPIA.

  • There is a delay in the full establishment of the administration of the Regulator’s office and the Regulator hopes to develop a strategy to address the financial and human resources issues affecting the Regulator’s administration.

  • The Regulator is concerned that inadequate funding will hinder its ability to effectively and efficiently fulfil its mandate. In this regard, the Regulator seeks to Secure funding from the National Treasury to fill prioritised positions on a phased-in approach.

The European Data Protection Body is guided by the EDPB Work Program 2019/2020 and its mandate comprises the following tasks:

  • To provide opinions, guidelines, recommendations and best practices for promotion of a common understanding of the GDPR and the Law Enforcement Directive.

  • To advise the European Commission on all issues related to the protection of personal data in the European Union.

  • To advance the consistent application of the GDPR, in particular in cross-border data protection cases.

  • To promote cooperation and facilitate the effective exchange of information and best practice between national supervisory authorities of EU member states.

The EDPB has developed its two-year Work Program for 2019 and 2020 and an important objective of the Program is to focus on emerging technologies. The EDPB’s work program is informed by any needs identified by the members as priority for stakeholders as well as the EU legislator planned activities. The Work Program provides an undertaking on the EDPB’s commitment to regularly monitor its implementation and update the plan if necessary.

The key activities for the period 2019 to 2020 can be summarised as follows: to provide opinions, guidelines, recommendations and best practices to promote a common understanding of the GDPR and the Law Enforcement Directive on the following:

  • Guidelines Guidelines on Codes of Conduct and Monitoring Bodies.

  • Guidelines on delisting Guidelines on PSD2 and GDPR.

  • Guidelines on international transfers between public bodies for administrative cooperation purposes.

  • Guidelines Certification and Codes of Conduct as a tool for transfers.

  • Guidelines on Connected Vehicles.

  • Guidelines on Certification (finalisation after the public consultation).

  • Guidelines on video surveillance Guidelines on Data Protection by Design and by Default.

  • Guidelines on Targeting of social media users.

  • Guidelines on children’s data.

  • Guidelines on reliance on Art. 6(1) b in the context of online services..

  • Guidelines on concepts of controller and processor (Update of the WP29 Opinion.) Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion).

  • Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation).

  • Guidelines on the powers of DPAs in accordance with Art. 47 of the Law Enforcement Directive.

  • Guidelines on data subjects rights with main focus at a first stage on the rights of access, erasure, objection, restriction and limitations on these rights.

To provide Consistency Opinions on the following themes:

  • Opinion on the administrative arrangements between EEA and non EEA financial market regulators.

  • Opinion on the Interplay between GDPR and ePrivacy.

The Plan proposes that the EDPB will engage in the following activities:

  • Privacy Shield - Complete a follow-up of the Joint Review.

  • ePrivacy Regulation.

  • Procedural rules on the Supervision of EU large scale IT systems.

  • Consultation from the Commission on the Clinical Trials Regulation.

  • Reflection paper on international mutual assistance and other cooperation tools to enforce the GDPR outside the EU (Art. 50.)

  • EDPB Enforcement Strategy FATCA - Statement in response to the European Parliament’s resolution Statement on the use of personal data in the context of elections.

  • Enhancement of existing IT solutions and development of new IT solutions

  • Data breach notifications.

  • Consultation from the Commission on the report regarding the evaluation and review of the GDPR in terms of Art. 97.

The following are recurring activities which are also relevant to the period 2019 to 2020 and the EDPB will issue consistency opinions and decisions on:

  • Opinions regarding relevant draft decisions by competent supervisory authorities, e.g. decisions on DPIA lists (Art. 35(4)-(5))

  • Codes of conduct Accreditation criteria for code monitoring and certification bodies and certification criteria under Art. 42(5) (European Data Protection Seal)

  • Standard contractual clauses for international transfers under Art. 46(2)

  • Standard contractual clauses for processors under Art. 28(8)

  • Ad hoc contractual clauses for international transfers under Art. 46(3)

  • Binding Corporate Rules (Art. 47(1))

  • Any opinion on matters of general application or producing effects in several member States, in response to requests from any supervisory authority, the Chair or the Commission under Art. 64(2)

  • Any binding decision in the context of dispute resolution (Art. 65(1)) or the urgency procedure (Art. 66)

Legislative consultations on:

  • All opinions, statements and advice at the request of the Commission following the adoption of proposals for legislative acts, international agreements or when preparing delegated acts or implementing acts, if the act is of particular importance for the protection of individuals’ rights and freedoms in relation to the processing of personal data, for example, opinions on the future and also review of existing Adequacy decisions.

The Working Plan also indicate the EDPB’s intention to investigate and engage the following topics:

  • Guidelines on the interpretation of Art. 48 of the GDPR.

  • Guidance on the interaction between the Regulation on the free flow of non-personal data in the EU and the GDPR.

  • Opinion on cross-border requests for e-evidence.

  • Comments on updated PNR agreement with Canada.

  • Update of guidance on government access to data both in Essential Guarantees paper and Adequacy Referential.

  • Enforcement against controllers in 3rd countries.

  • e-Invoices and creation of centralised databases by Ministries of Finance

  • Use of credit cards for distant payments and the post-transaction retention of card numbers.

  • Good practices regarding research projects.

  • Approval procedure for ad hoc contractual clauses.

  • Blockchain.

  • Interoperability between BCRs.

  • The emergence and use of new technologies, such as AI, connected assistants.

A cursory examination of the Information Regulator’s Strategic Plan for 2020/21 to 2025 in distinction to the European Data Protection Body’s Work Program for 2019/2020 indicates that data protection in South Africa remains incipient.

While POPIA was enacted in 2013, the lack of operationalisation hindered the development of a robust framework for data protection. The Strategic Plan for 2020/21 illustrates that the Members of the Information Regulator were only appointed in 2016 and have faced the daunting challenge of establishing the office of the Regulator. In her foreword appended to the Strategic Plan, Chair Adv Pansy Tlakula lamented budgetary constraints and spoke of the need for the recruitment of personnel on all levels in order for the Regulator to function on a national level. Tlakula also expressed the urgent need for the Regulator’s office to separate from the Department of Justice and Constitutional Development to ensure that the Regulator functions independently, impartially and without fear, favour and prejudice in compliance with POPIA.

Adv Tlakula noted the urgent need for the full implementation of POPIA as the lack of a functional data protection regime has an undesirable effect as South Africa experiences an increase in cybercrime, data breaches and the incidence of unlawful and unauthorised use of individuals’ personal information. The Regulator was unable to fulfil its mandate and victims were unable to seek redress while POPIA was not in force. Earlier this year Adv Tlakula wrote to the President and the Minister of Justice to request the operationalisation of POPIA within the next year.

A positive development is that on 22 June 2020, President Ramaphosa announced that sections 2 to 38, 55 to 109, 111, and 114(1), (2), and (3) POPIA would come into force on 1 July 2020. The relevant sections pertain to the following:

  • The conditions for the lawful processing of personal information.

  • The regulation of the processing of special personal information.

  • Codes of conduct issued by the Information Regulator.

  • Procedures for the resolution of complaint.

  • Provisions which regulate direct marketing via unsolicited electronic communication.

  • Provisions related to the general enforcement of the act.

Sections 110 and 114(4) will only commence on 30 June 2021 as these relate to legislative amendments and the transfer of functions of the Promotion of Access to Information Act, 2000 (PAIA) from the South African Human Rights Commission to the Information Regulator. POPIA provides that all processing of personal data must be compliant with the Act by 1 July 2021. The Information Regulator urges proactive compliance and entities (whether public or private institutions) are advised to attempt compliance without delay.

The EDPB’s Working Plan stands in stark contrast to the South African situation as it indicates a well established framework for data protection. The Plan gives evidence of a robust strategy and indicates the wide range of activities in which the EDPB is engaged. The Plan also illustrates that the EDPB has prioritised engagement with emerging technologies which means that European citizens will not be unprotected as these technologies are widely adopted.

In comparison with Europe, data protection is still in its infancy in South Africa. While POPIA will commence soon, there will be a long process of preparing the Information Regulator‘s administrative functions to fulfil its mandate. There is also a year long grace period for organisations to become compliant which is an additional delay in the data protection regime becoming operational. The office of the Information Regulator is under-resourced as the Information Regulator recently appealed for a larger budget and it may be some years before the office is able to function at the optimal level. The commencement of POPIA is a positive development, however it will take time to develop a robust framework for data protection in South Africa.

#insights #popia #gdpr #southafrica #informationregulator #dataprotection