Is co-responsible parties a foreign concept to POPIA?
I was having a casual catch-up with a former colleague of mine and, as usual, data privacy found its way into our discussion. I was quite surprised at how long the discussion dwelt on the use of the term co-responsible parties. There is a view that holds that this is a concept used in the EU General Data Protection Regulation (GDPR).
In my head, I immediately went back to the class on legal interpretation.
I am going to start with the Protection of Personal Information Act, 04 of 2013 (POPIA).
Accordingly, I pulled out my copy of the Act and headed straight to the definitions. POPIA defines a responsible party as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. I would like to specifically highlight “alone or in conjunction with others”, where “others” are other responsible parties.
The GDPR does not use the term “responsible party”, and therefore I could not find it in the definitions or in the body of the legislation. However, “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” is defined as a controller; so we can say that controller is synonymous with responsible party. The GDPR defines joint controllers in Art 26, viz. where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. It gives a little more detail on the arrangements between them.
Bar section 1, POPIA does not mention joint or co-responsible parties. But does it need to? I don’t believe so. The definition empowers responsible parties to partner in processing activities as defined by POPIA, and this is not a responsible party-operator relationship. POPIA defines an operator as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. In simple corporate terminology, this is where one party outsources an activity to another. In RACI-matrix terms, in a responsible party-operator relationship the responsible party is the accountable party and the operator is the responsible party. In contrast, in a responsible party-responsible party relationship, both parties are accountable, as they both determine the purpose and the means.
As co-responsible parties is not a term explicitly used or defined in POPIA, where does it come from? We were taught in interpretation of statutes that a term is defined in a specific law where it means something different from its ordinary meaning, and that, for the purposes of that law, it must be used as defined. As “responsible party” is defined in POPIA, the contention lies in the use of “co-”.
According to the Oxford dictionary, “co-” forming a noun means joint, mutual or common (e.g. co-accused in a murder trial); forming an adjective, it means jointly or mutually (e.g. jointly liable); and it can even form a verb, such as co-produce. My focus is on the noun form, because “responsible party” is a noun, making “co-responsible parties” a noun formed with co-. This typically describes a scenario wherein two parties act together, equally or as agreed, to achieve a common goal. As mentioned earlier, in section 1 POPIA permits two or more responsible parties to determine the purpose and the means of processing, making them jointly accountable for the processing to the extent agreed. Co-, in this form, is commonly used in everyday language.
Is the concept of co-responsible parties foreign to POPIA? I say no. The term is not explicitly used nor defined, but the concept is clearly outlined in the definition of responsible party.
Can we say that the concept of “co-responsible parties” is strictly a GDPR concept? No. By virtue of the definition of data controller, which we agree is the equivalent of POPIA’s responsible party, in the Malabo Convention, the SADC Model on Data Protection, and the Kenyan, Ugandan, Nigerian, Mauritian and other data protection laws, the concept is not strictly a GDPR concept.
Many industry colleagues believe that the Act explicitly permits, in section 2(b), reliance on international standards for the interpretation of, and compliance with, its provisions. I would like to refer back to the interpretation of statutes model. International law, without delving into the technicalities, is generally applicable to a number of jurisdictions, while foreign law is applicable to a specific jurisdiction. The United Nations conventions are international law. We can even speak of customary international law as international law for the interpretation of POPIA. Outside the borders of South Africa, POPIA is foreign law, and so is the GDPR outside the EU. The Malabo Convention is international law in Africa. The Constitution of the Republic of South Africa, however, obligates the consideration of international law when interpreting the right to privacy, but leaves the consideration of foreign law to the discretion of the Information Regulator South Africa (Regulator).
Back to POPIA. Section 2(b) does not grant the regulated the discretion to harmonise POPIA with international standards, as it is the legislature that established the conditions for processing. I am of the opinion that while we can rely on international standards to understand the provisions of POPIA, we can only hope that the Regulator will agree with our interpretation. It cannot be said, however, that co-responsible parties is a foreign concept to GDPR.