Putting a stop to spam calls in South Africa

Direct marketers are within their right to use an individual’s personal information to make initial contact with them without their consent, according to data and technology attorney and Michalsons managing director John Giles.

Therefore, the participation of the South African public is crucial to the country’s ability to crack down on those abusing this right, given the nature of the Protection of Personal Information Act (Popia).

Giles told MyBroadband that Popia allows direct marketers to obtain personal information for marketing purposes.

This is stated in Section 11 of the Act, which sets out the lawful grounds under which an entity may process information. According to the Act, “Process” refers to the collection, dissemination, or merging of data.

Data may be processed if it meets one of the six grounds, which includes processing information “for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

This means direct marketers may acquire and use personal information for cold calling without consent from data subjects.

Information Regulator advocate Lebogang Stroom previously pointed this out, saying that the Act does not prevent telemarketers from conducting their business.

Instead, the Act states that direct marketers are only allowed to contact an individual once, during which time they should ask for consent to contact the data subject again.

Stroom said spam callers exploit this part of the regulation, as they will contact a data subject on a particular number and stop communications with them when told to.

However, they will use a different number to contact and bombard them with marketing, which Stroom said was wrong and against the objectives of Popia.

Giles says because Popia is a principles-based piece of legislation, there was far more of a grey area when it came to policing what the Act regulates, as opposed to rules-based legislation that is more certain.

He gave the analogy of driving a car, where a rules-based system would set out a given speed limit, which, if exceeded, would constitute breaking the law.

“A principles-based system, on the other hand, would say that you are allowed to drive as fast on this road as you, the driver, believe is responsible based on several factors,” Giles said.

“The factors or conditions are what the weather conditions are, how good the tyres are, and whether there are children around, for instance. And it’s your choice.”

Similarly, when processing the personal information of thousands of people, responsible parties need to consider Popia’s eight principles or conditions.

These include accountability, processing limitation, purpose-specific, further processing limitation, information quality, openness, security safeguards, and data subject participation.

“So the way Popia is structured is that because it’s principle-based, it’s difficult to know how fast to drive that’s not illegal,” Giles added.

He said because the Act is principles-based, a party deemed to be contravening it will be issued an enforcement notice instructing them not to continue processing information in the way they have.

“In other words, if I’m on the road and I’m doing 140km/h, it might be lawful or legal because of all those conditions,” Giles said.

“But if the regulator comes along and says you were doing 140, and I hear what you said about why, but I disagree with you because of x, y, and z. You can’t do 140km/h anymore; you must do 100km/h on that road.”

He noted that in the case of spam calls if a data subject becomes aware of a telemarketer that is not complying with Popia, they will need to report them to the Information Regulator, who will then issue an enforcement notice if necessary.

Because it is a principles-based regulation, the question of whether the responsible party is responsible for contravening the Act is up to interpretation.

A complaint can be made on the Information Regulator’s website, which the watchdog strongly encourages.