
Regulatory & Compliance:
Data privacy: a global perspective on application and future regulation

Daniella Kafouris
Associate Director
Deloitte Risk Advisory

Data Privacy in South Africa

2014 Deloitte Touche Tohmatsu Limited

Protection of Personal Information Act 4 of 2013

PPIA Description

The PPIA sets conditions for how information must be processed and how entities are to comply with global data privacy standards. It has been signed by the President and is now law. Entities will only have one year from the commencement date to comply or face significant consequences.

Data privacy regulates personal information which is processed by public or private entities, whether in hard or soft copy format.

Timeline:
- 1997: Constitution published
- 2005: Law Commission finalised investigation
- 2009: PPIB published
- 2012: Portfolio Committee approved PPIB
- 2013: PPIB became law

Regulation of the entire data life cycle

Personal Information

Key Conditions:
- Accountability
- Processing Limitations
- Purpose Specification
- Further Processing
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation

Additional Requirements:
- Special Personal Information
- Information about children
- Information Regulator
- Direct Marketing
- Trans-border Information Flows

Your duties and obligations

5. Information officer
6. Regulator
7. Reporting: DS and loss
8. Security self audit
9. Special PI: religion/philosophy, race/ethnicity, union, politics, health/sexuality, biometrics, criminal allegations, child
10. Operator contract: processing, security & reporting
11. Direct marketing*
12. Cross border*

Direct Marketing

- Approach in person, by mail or by electronic communication
- Must contain sender contact details
- Electronic communication is prohibited unless there is consent or an existing customer relationship (similar services/product); may approach once, but the recipient can opt out
- In person or by mail: meet all lifecycle requirements (reasonableness and non-excessive, RP legitimate interest, DS can object, DS notified of collection, security, cross border, SPI)

Privacy protection globally

[World map, colour-coded by legend: Has Privacy Law Protection; Constitutional coverage; Law in Process; Sectoral Laws; No Data Protection Law]

Privacy protection in Africa

[Map of Africa with individual countries labelled, colour-coded by legend: Has Privacy Law Protection; Constitutional coverage; Law in Process; Sectoral Laws; No Data Protection Law]

What is the privacy impact?

- Information Regulator
- Data Subject
- Fines: up to R10 million
- Imprisonment: 12 months to 10 years
- Self-reporting notification
- Criminal investigation
- Complaints
- Audit
- Post, Email, Media, Website

What is the global movement towards compliance and privacy?

Data Protection / Information Protection Authorities

- U.S.: has no national data protection authority; multiple regulators instead: Federal Trade Commission (FTC), State Attorneys General, Federal financial regulators. Japan has a similar consumer protection stance.
- UK Information Commissioner Office
- Privacy Commissioner of Canada
- Bundesbeauftragter für den Datenschutz und die Informationsfreiheit
- Office of the Privacy Commissioner for Personal Data, Hong Kong
- South African Information Regulator (?)

Current privacy regulatory framework

Proposed privacy regulatory framework

What has gotten companies in trouble?

Examples of activities where noncompliance led to enforcement actions, lawsuits, or monetary fines:

- Failure to comply with the organization's privacy policies (especially when third parties are involved in processing data)
- Misrepresenting the purpose for collecting personal data
- Failure to disclose the means used to collect data, i.e., the use and/or duration of cookies, web bugs, spyware, tracking technologies (especially in an HR environment)
- Disclosing, sharing, or selling personal data to third parties contrary to the organization's privacy policy or legal/contractual framework (e.g. in a Cloud environment)
- Export of personal data not in compliance with the privacy laws of the originating country
- Misrepresenting the security protection and redress possibilities of personal data

What has gotten companies in trouble? (continued)

Organizations that do not adequately manage the risk of compliance with privacy laws and regulations may face the following. BUT ALSO:

- Suspension or stopping of data processing and data transfers
- Restructuring of local and global IT systems and processes
- Relocation of services and renegotiation of contracts with vendors, suppliers etc.
- Need to obtain consent to be able to lawfully use the data
- Loss of potential revenues or opportunities where use of databases is restricted
- Liabilities to customers, partners and others whose information is compromised
- Time lost taking systems offline to do the forensics necessary to find out what went wrong
- Extra software and other upgrades to make sure the problem doesn't happen again
- Opportunity cost (personnel performing all of these tasks are not doing any other revenue-earning work that would benefit the company)
- Damage to company reputation, which can affect future sales efforts
- Loss of confidence with data protection authorities and/or employees/customers
- Joint and several liability for supplier failures

Foreign Jurisdictions: overview & actions taken to address e-commerce

Foreign Jurisdictions & Organisations: Overview & Actions Taken

European Union

The EU list of electronically supplied services is as follows:

i. Website supply, web-hosting, distance maintenance of programmes and equipment;
ii. Supply of software and updating thereof;
iii. Supply of images, text and information and making available of databases;
iv. Supply of music, films and games, including games of chance and gambling games, and of political, cultural, artistic, sporting, scientific and entertainment broadcasts and events;
v. Supply of distance teaching.

South Africa: Pre-2014 and post-2014 VAT Amendments

South Africa: Post Electronic Service VAT Amendments

VAT Treatment of Cross-Border Electronic Services: Certain foreign suppliers will now be required to register in SA

The South African VAT legislation was officially amended in December 2013 to address electronic services supplied by persons from an export country to a South African resident, or where payment for the supply originates from a SA bank account.

The amendments were due to come into effect on 1 April 2014; however, this was postponed until 1 June 2014.

From 1 June 2014, foreign suppliers supplying services which qualify as electronically supplied services will be required to register for VAT in SA at the end of any month where the value of supplies exceeds R50,000.


South Africa: Post Electronic Service VAT Amendments

The list includes the following main categories, and each category includes specific sub-categories:

i. Educational services
ii. Games and games of chance
iii. Internet-based auction services
iv. Miscellaneous services (e.g. supply of e-books, music, etc.)
v. Subscription service to a list of specific items

South Africa does not make a B2B and B2C distinction.


Deloitte TMT predictions 2014

- Tablets (BYOD)
- Wearable computing ($3 billion)
- E-visits: 100 million globally
- Massive Open Online Courses (MOOCs): 100%
- VOD in Sub-Saharan Africa: growth (1m)

Contact details

Daniella Kafouris
Deloitte Associate Director, Johannesburg
Risk Advisory - Legal
BA LLB, HDIP Cyberlaw
Certified Information Privacy Professional CIPP US / EU
International Association of Privacy Professionals - Certified Trainer
Member of IAPP Faculty

Tel: +27 (011) 209 8101
Mobile: +27 (0)72 559 0360
dkafouris@deloitte.co.za
@dkafouris


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of
which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche
Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning multiple industries. With a globally connected
network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they
need to address their most complex business challenges. The more than 200 000 professionals of Deloitte are committed to becoming the standard of
excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively,
the Deloitte Network) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for
any loss whatsoever sustained by any person who relies on this communication.
2014 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited
