Main Article Content
Plugins and POPI: A critical discussion into the legal implications of social plugins and the protection of personal information
Abstract
Social plugins are one of the many trackers used by companies with an online presence. However, under the Protection of Personal Information Act 4 of 2013 (POPI), these trackers have certain legal consequences for internet users. The main reason for this is that trackers tend to process personal information without informing internet users that their data are being collected, the reason for the collection or processing thereof, or who the responsible parties are that are collecting and processing the personal information. The article looks at these issues, amongst others, in the light of a 2019 judgment from the Court of Justice of the European Union or CJEU, namely, Case C- 40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. EU:C:2019:629. Due to the fact that it has had data protection legislation for much longer than other countries or legal jurisdictions, including South Africa, the European Union (the EU) has a substantial body of case law interpreting the data protection legislation of the EU itself as well as that of the individual member states. One of the main instruments used as guidance by the drafters of POPI was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereafter Directive 95/46). Directive 95/46 was previously considered the gold standard, before Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (hereafter the GDPR) was enacted and Directive 95/46/EC was finally repealed. Since Directive 95/46 was one of the main guiding documents used in drafting POPI, one may expect that the South African courts may turn to the EU and consider how the CJEU has interpreted the similar provisions contained in Directive 95/46, especially since there is very little South African jurisprudence available on POPI. The four main issues under discussion are: who, other than the internet users, has the locus standi to bring an application in terms of POPI? Second, what are the responsibilities of joint responsible parties towards internet users? Third, where there are joint responsible parties, do both need a legitimate interest to process personal information? Lastly, who will be responsible for obtaining the necessary consent to process the personal data?