Summary of the POPIA case of Munetsi v Madhuyu and Another
At a glance
- The Western Cape High Court recently handed down a judgment that applied certain provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) following an application to the court seeking a public apology after the respondents published the applicant’s personal information on social media.
- The court found that by making the applicant's mobile number publicly available on social media, the respondents breached section 11 of POPIA.
- The court also noted that a public apology is not a competent remedy for breach of POPIA. The recognised remedies are damages or an interdict.
Section 11 of POPIA provides that personal information may only be processed if:
the data subject consents to the processing;
the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- the processing complies with an obligation imposed by law on the responsible party;
- the processing protects a legitimate interest of the data subject;
- the processing is necessary for the proper performance of a public law duty by a public body; or
- the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- The court agreed with the applicant and found that:
- section 11(1) of POPIA stipulates that personal information may only be processed in specific circumstances, and none of those circumstances applied in this case; and
- by making the applicant’s mobile number publicly available on social media, the respondents breached section 11 of POPIA.
The court ordered that the respondents remove any video or message containing the applicant’s picture and mobile number from their social media platforms and an interdict prohibiting them from publishing the applicant’s personal information without his consent in the future.
Competent remedy for a breach of POPIA
The court also noted that a public apology is not a competent remedy for a breach of POPIA. The recognised remedies are damages or an interdict. Therefore, the court did not grant the applicant’s request for a public apology. Furthermore, the court found that the publication of the applicant’s personal information to thousands of followers on social media platforms breached his common law right to privacy.
The decision by court highlights the importance of being cautious when publishing personal information to social media in a business capacity. POPIA does not apply to the processing of personal information in the course of a purely personal or household capacity. For example, this is where an individual would post content in a personal capacity under a personal account, and such individual would not be expected to abide by POPIA’s provisions. This does not mean that such an individual may publish other data subject’s personal information without obtaining consent for the publication. Affected individuals will have recourse under common law in the event that the post breaches the privacy of that individual. However, where a social media post is created in a business capacity, the business is required to adhere to POPIA’s requirements, by seeking consent or relying on another ground of justification under section 11 for the publication of personal information.
The court in this case also clarified that an interdict is an appropriate remedy for a breach of POPIA. It is also an important precedent as public apologies are not construed as appropriate remedies for breaches of POPIA and responsible parties must consider the prospect of damages instead. An apology may, however, be considered as a form of mitigation in relation to a damages claim.
In light of the above, businesses as responsible parties in terms of POPIA should take care when publishing to their business social media accounts. Here are key tips for ensuring compliance with privacy laws such as POPIA:
- Develop a social media policy and procedure which sets out guidelines for responsible social media use and protections for personal information.
- Obtain informed consent for the publication of personal information. Individuals that will be featured on a business page must understand what information will be shared and used.
- Provide clear privacy notices. When running a social media campaign, ensure that your privacy notices explain how personal information will be used.
- If you use third party tools for marketing and publication, ensure that the tools are compliant with privacy laws such as POPIA and the General Data Protection Regulation (EU) 2016/679.
- Be cautious with user-generated content. Ensure that you have obtained permissions to reshare user-generated content, especially if it contains personal information.
- Restrict publication of personal information on publicly accessible social media platforms and ensure that personal information is only exchanged privately through direct messages.
The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.
Subscribe
We support our clients’ strategic and operational needs by offering innovative, integrated and high quality thought leadership. To stay up to date on the latest legal developments that may potentially impact your business, subscribe to our alerts, seminar and webinar invitations.
Subscribe
