What does the Facebook data breach mean for SA?
for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
The further processing of personal information must be in accordance or compatible with the purpose for which it was collected.
A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated, where necessary.
The notification of the collection of personal information must be communicated to the data subject.
The responsible party must comply with certain security safeguards.
The requirements for the lawful processing of personal information set out in conditions 1 to 8 apply to social media users and Facebook as a social network. They also apply to public and private entities that process information.
In other words, when processing personal information of individuals, Facebook is a responsible party in terms of Popia. This means that Facebook may only collect/receive the personal information of its users if all the requirements for the lawful processing of personal information have been complied with.
Also, it will be deemed problematic in instances where Facebook forwards the personal information to third parties, without the consent of the user.
Popia expressly excludes the transfer of personal information about a data subject to a third party who is in a foreign country, unless the recipient of the information is subject to an adequate level of protection which effectively upholds the principles of reasonable processing of information that are substantially similar to the South African conditions for lawful processing.
However, Popia has not been fully enacted as yet. This will only happen once promulgated by the president.
The information regulator issued draft regulations during the latter part of last year and it is anticipated that the final regulations will be published over the next few months.
Despite this vacuum, the information regulator proactively and voluntarily engaged with Facebook with regard to the alleged data breach, and Facebook has responded with answers to the questions posed.
This, however, does not mean that companies can ignore Popia. Companies should review their business operations and determine and understand the applicable legal obligations in terms of Popia.
In addition, the EU General Data Protection Regulation (GDPR) came into force on May 25, and will have implications for South African companies in many instances. The GDPR places onerous accountability obligations on companies processing information.
Facebook is a warning to all. Now is the time to fully unpack Popia and understand your rights, obligations and duties, not only as far as it relates to South Africa, but at least to Europe, if not the world.