Regulatory & Compliance: Data privacy: a global perspective on application and future regulation
Daniella Kafouris, Associate Director, Deloitte Risk Advisory

Africa_Cross Border Legislation Data Privacy Framework and Status_Deloitte_Sep14

Jan 17, 2016


The document explains the cross-border legislative framework regarding data privacy. It highlights South Africa and provides a snapshot of the regulatory state in African nations.
Transcript
Page 1: Africa_Cross Border Legislation Data Privacy Framework and Status_Deloitte_Sep14

Regulatory & Compliance: Data privacy: a global perspective on application and future regulation

Daniella Kafouris, Associate Director, Deloitte Risk Advisory

Page 2

© 2014 Deloitte Touche Tohmatsu Limited

Data Privacy in South Africa

Page 3

Protection of Personal Information Act 4 of 2013 (POPIA)

Description: POPIA sets conditions for how personal information must be processed and how entities are to comply with global data privacy standards. It has been signed by the President and is now law. Entities will have only one year from the commencement date to comply or face significant consequences. Data privacy law regulates personal information that is processed by public or private entities, whether in hard-copy or electronic format.

Timeline:
• 1997: Constitution published
• 2005: Law Commission finalised its investigation
• 2009: Protection of Personal Information Bill (POPI Bill) published
• 2012: Portfolio Committee approved the POPI Bill
• 2013: POPI Bill became law

Page 4

Regulation of the entire data life cycle

Key conditions for the lawful processing of personal information:
• Accountability
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Openness
• Security safeguards
• Data subject participation

Additional requirements:
• Special personal information
• Information about children
• Information Regulator
• Direct marketing
• Trans-border information flows

Page 5

Your duties and obligations

5. Information officer
6. Regulator
7. Reporting: notification of data subjects and of loss of personal information
8. Security: self-audit
9. Special personal information: religion/philosophy, race/ethnicity, trade union membership, politics, health/sexuality, biometrics, criminal allegations, children
10. Operator contract: processing, security and reporting
11. Direct marketing*
12. Cross-border*

Page 6

Direct marketing: approach in person, by mail or by electronic communication

• Must contain the sender's contact details
• Electronic communication is prohibited unless the data subject has consented or is an existing customer (similar services/products); a prospect may be approached once, and can opt out
• In person or by mail: meet all lifecycle requirements (reasonable and non-excessive collection, legitimate interest of the responsible party, data subject can object, data subject notified of collection, security, cross-border transfer, special personal information)

Page 7

Privacy protection globally (world map)

Legend: constitutional coverage; has privacy law protection; law in process; no data protection law; sectoral laws

Page 8

Privacy protection in Africa (map)

Legend: constitutional coverage; has privacy law protection; law in process; no data protection law; sectoral laws

Countries shown: Lesotho, South Africa, Swaziland, Namibia, Mauritius, Mozambique, Botswana, Zimbabwe, Somalia, Burundi, Rwanda, Congo, Uganda, Gabon, Egypt, Tunisia, Morocco, Western Sahara, Cape Verde Islands, Senegal, Guinea-Bissau, Algeria, Niger, Mali, Chad, Libya, Sudan, Democratic Republic of Congo, Angola, Zambia, Ethiopia, Nigeria, Benin, Mauritania, Central African Republic, Ghana, Burkina Faso, Togo, Liberia, Ivory Coast, Tanzania, South Sudan, Kenya, Cameroon, Reunion, Mayotte, Comoros, Seychelles

Page 9

What is the privacy impact?

• Information Regulator: self-reporting notification, criminal investigation, complaints, audit
• Data subject: post, email, media, website
• Fines: up to R10 million
• Imprisonment: 12 months to 10 years

Page 10

What is the global movement towards compliance and privacy?

Page 11

Data protection / information protection authorities

• Office of the Privacy Commissioner for Personal Data, Hong Kong
• United States: no national data protection authority; enforcement by the Federal Trade Commission (FTC), State Attorneys General and federal financial regulators
• Japan: a similar consumer-protection stance, with multiple regulators
• UK Information Commissioner's Office
• Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit
• Privacy Commissioner of Canada
• South African Information Regulator (still to be established)

Page 12

Current privacy regulatory framework (diagram)

Page 13

Proposed privacy regulatory framework (diagram)

Page 14

What has gotten companies in trouble?

Page 15

What has gotten companies in trouble?

Examples of activities where non-compliance led to enforcement actions, lawsuits or monetary fines:

• Failure to comply with the organization's own privacy policies (especially when third parties are involved in processing data)
• Misrepresenting the purpose for collecting personal data
• Failure to disclose the means used to collect data, e.g. the use and/or retention period of cookies, web bugs, spyware and tracking technologies (especially in an HR environment)
• Disclosing, sharing or selling personal data to third parties contrary to the organization's privacy policy or legal/contractual framework (e.g. in a cloud environment)
• Export of personal data not in compliance with the privacy laws of the originating country
• Misrepresenting the security protection and redress possibilities for personal data

Page 16

What has gotten companies in trouble?

Organizations that do not adequately manage the risk of compliance with privacy laws and regulations may face the following:

• Suspension or stopping of data processing and data transfers
• Restructuring of local and global IT systems and processes
• Relocation of services and renegotiation of contracts with vendors, suppliers etc.
• Need to obtain consent to be able to lawfully use the data
• Loss of potential revenues or opportunities where use of databases is restricted

BUT ALSO

• Liabilities to customers, partners and others whose information is compromised
• Time lost taking systems offline to do the forensics necessary to find out what went wrong
• Extra software and other upgrades to make sure the problem doesn't happen again
• Opportunity cost (personnel performing all of these tasks are not doing other revenue-earning work that would benefit the company)
• Damage to company reputation, which can affect future sales efforts
• Loss of confidence of data protection authorities and/or employees/customers
• Joint and several liability for supplier failures

Page 17

Foreign Jurisdictions overview & actions taken to address e-commerce

Page 18

Foreign Jurisdictions & Organisations Overview & Actions Taken

European Union

• The EU list of electronically supplied services is as follows:
  i. "Website supply, web-hosting, distance maintenance of programmes and equipment;
  ii. Supply of software and updating thereof;
  iii. Supply of images, text and information and making available of databases;
  iv. Supply of music, films and games, including games of chance and gambling games, and of political, cultural, artistic, sporting, scientific and entertainment broadcasts and events;
  v. Supply of distance teaching."

Page 19

South Africa pre-2014 and post-2014 VAT amendments

Page 20

South Africa Post Electronic Service VAT Amendments

VAT treatment of cross-border electronic services: certain foreign suppliers will now be required to register in SA

• The South African VAT legislation was officially amended in December 2013 to address electronic services supplied by persons from an export country to a South African resident, or where payment for the supply originates from a SA bank account.
• The amendments were due to come into effect on 1 April 2014; however, this was postponed until 1 June 2014.
• From 1 June 2014, foreign suppliers supplying services which qualify as electronic services will be required to register for VAT in SA at the end of any month in which the value of their supplies exceeds R50,000.

Page 21

• The list includes the following main categories, each of which includes specific sub-categories:
  i. Educational services
  ii. Games and games of chance
  iii. Internet-based auction services
  iv. Miscellaneous services (e.g. supply of e-books, music, etc.)
  v. Subscription services to a list of specific items
• South Africa does not make a B2B and B2C distinction.

Page 22

Deloitte TMT predictions 2014

Page 23

Deloitte TMT predictions 2014

• Wearable computing ($3 billion)
• Tablets (BYOD)
• Massive Open Online Courses (MOOCs): 100%
• E-visits: 100 million globally
• VOD in Sub-Saharan Africa: growth (1m)

Page 24

Contact details

Daniella Kafouris
Deloitte Associate Director, Johannesburg, Risk Advisory - Legal
BA LLB HDIP Cyberlaw
Certified Information Privacy Professional (CIPP US / EU)
International Association of Privacy Professionals: Certified Trainer, Member of IAPP Faculty
Tel: +27 (0)11 209 8101
Mobile: +27 (0)72 559 0360
[email protected]
@dkafouris

Page 25

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. The more than 200 000 professionals of Deloitte are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2014 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited