Legislative framework

In terms of Section 11 of POPIA, information may only be processed: if the data subject, or a competent person where the data subject is a child, consents to the processing; and provided such processing meet the requirements set out in Sections 34 and 35 of POPIA.

POPIA defines a 'child' as 'any natural person under the age of 18 who is not legally competent to take any action or decision for themselves without the assistance of a competent person'.

Although POPIA does not explicitly require the responsible party to verify the age of the data subject, the responsible party will be required to show that the conditions for lawful processing have been met.

One such condition, under Section 35(1)(a) of POPIA, is valid consent. In order for consent to be valid, it must be obtained prior to processing. POPIA defines a 'competent person' as 'any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning the child'.

A competent person would therefore be someone with parental responsibilities over the child. In terms of the Children's Act 38 of 2005, this can be parents or legal guardians. If the child attains majority and the responsible party is relying on consent provided by the parents or legal guardians, it is likely that the responsible party would need to obtain the child's consent afresh.

A second requirement, under Section 35(1)(b) of POPIA is for such processing to be necessary for the establishment, exercise, or defence of a right or obligation in law. This provision creates a very wide exception and is based on the wording of the corresponding section in the Data Protection Directive (Directive 95/46/EC). The exception refers to any recognised legal right a data subject might have in terms of South African law.

A third condition, under Section 35(1)(c) of POPIA, is if the processing is necessary to comply with an obligation of international or public law. Public international law consists of three main sources: (i) customary international law; (ii) treaties and conventions; and (iii) soft law (guidelines and non-binding judgements). The Constitution of the Republic of South Africa ('the Constitution') recognises international customary law unless it is inconsistent with the Constitution or local legislation. Furthermore, South Africa is bound by an international treaty once the treaty is approved by the National Assembly. An example of this authorisation would be to return a person who was kidnapped to their home country.

A fourth requirement, under Section 35(1)(d) of POPIA, is if the processing is required for historical, statistical, or research purposes. Any person who seeks to process personal information for historical, statistical, or research purposes needs to provide sufficient guarantees that the individual privacy of the data subject is not adversely affected and that the processing is necessary to serve a public interest or it appears impossible or would involve disproportionate effort to ask for consent.

A fifth condition, under Section 35(1)(e) of POPIA, is a child's personal information that was deliberately made public by the child with the consent of a competent person. The child's information may be validly processed provided that:

• the personal information of the child was deliberately made public;
• the personal information was made public by the data subject; and
• the personal information was made public with the consent of a competent person.

In terms of POPIA, information would be regarded to have been made deliberately available to the public if the information is contained in or derived from a public record or has deliberately been made public by the data subject.

Lastly, the Information Regulator may authorise the processing of personal information of children on application from the responsible party. The Information Regulator may only grant the authorisation if the processing is in the public interest and appropriate safeguards have been put in place in order to protect the personal information.

There is no definition in POPIA to determine what constitutes 'public interest' and such discussion would go beyond the scope of this article. It is, however, worthy to note that the guidance note on processing of special personal information¹, published by the Information Regulator, describes public interest as the belief that a specific outcome would benefit the public at large and should be accepted in the spirit of equality and justice.

In addition to the aforementioned requirements, Section 19(1) of POPIA requires the responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical, and organisational measures in order to prevent the loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

However, there are certain exceptions to the general rules; Section 6(1) of POPIA does not apply to the processing of personal information in the course of a purely personal or household activity. The term 'household activity' is not defined in terms of POPIA. 

Article 2(2)(c) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') also states that the GDPR does not apply to 'the processing of personal data… (c) by a natural person in the course of a purely personal or household activity'. Recital 18 of GDPR further clarifies this Article2(2)(c) and states that such Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.

Therefore, it seems that the GDPR is of the stance that if the data is processed by a natural person, and as long as some form of a commercial or professional activity is not present, then the same would fall within the ambit of a purely household or personal activity and would therefore not require consent or compliance otherwise with the GDPR for the processing of such information.

However, according to Section 3 of POPIA, POPIA applies to both natural as well as juristic persons. Section 6 of POPIA does not include the wording 'natural person' as in the case of the GDPR. In terms of South African company law, a company has separate legal liability and is regarded to be a separate legal persona, thus, it could be questions whether a company could be regarded as having a pure household or personal activity.

POPIA does not provide any guidance on this topic yet, or at least for as far as we know, and we will have to wait and see if the courts will ever be required to rule on such matter.

Practical implications with obtaining valid consent in the modern age of technology

In the modern age of technology, children as young as two years old play with mobile devices, and children in school buy video games and merely accept the terms and conditions of such sale. It is also not strange to see parents posting pictures, videos, and information (such as places and events etc.) of their children on social media, such as the birthday celebrations, achievements, and other success in sport and school achievements.

It is interesting to consider the potential risks and implications associated with these actions, such as:  

• Does the child have the necessary capacity to accept such terms?
• Must the child be supported by its legal guardian for the consent to be valid?
• How should the service provider monitor and authenticate the validity of such consent, if at all?
• Are you allowed to post pictures of your child on social media without their consent?
• What about other children that might be in the picture with your child, do you need their or their legal guardians' consent?

Children make up some of the largest volume of consumers when it comes to the use of social media in South Africa². As mentioned above, children's information may be processed if the information has deliberately been made public by the child with the consent of the competent person.

Apps, websites, and other online products and/or services may sometimes hide clauses in their terms and conditions such as 'in order for the website or service to be used, users must be over the age of 18. If it's not the case, minors are required to obtain the consent of their parent(s)'.

This begs the question whether or not such wording discharges the responsible party/service provider of its obligation to ensure that it complies with the requirement of POPIA when it comes to the processing of children's information and, more specifically, would such meet the requirements for valid consent.

Parents are not necessarily always technologically educated, or should we rather say 'tech savvy' when it comes to the latest technologies, such as software applications and other technologies that children use nowadays. Parents are also not always part of the process when children 'subscribe' to certain products and/or services on these platforms and they do not place the necessary restrictions for the use thereof on the devices of their children beforehand.

In terms of current law of contract provisions in South Africa, a child acquires legal capacity to enter into a valid and binding agreement only at the age of 18.

It is interesting to note that the GDPR and French Data Protection Act allows children, 15 years and older, to provide their own consent for certain types of processing that requires non-contractual 'consent'. Examples of this include: accepting cookies on a website; exercising the decision of whether or not their social media account settings should be set to public or private; as well as whether or not to activate an optional geolocation feature on an app. However, it does not recognise 'general digital adulthood' at the age of 15. In this case, the GDPR does not establish a child's capacity to sign up to a social network by themselves. The ordinary laws applicable to minors would apply here and children would need to obtain parental authority depending on the context and the interpretation of case law.  

In terms of parents posting pictures of their children and their children's friends on social media, the difficulty is to understand under what circumstances such actions would be regarded to be of a purely personal or household activity.

What might be regarded to one person as personal might not be regarded as personal to another. Is this a subjective or objective test? What about 'purely household activity'? Which activities will be regarded as purely household? Will friends of a person's children be regarded as part of their household when they come visit their child and will they be allowed to post pictures of them playing with their child, without the consent of the child's parents, thus regarding the same as 'purely household'?

Another consideration is regarding schools, which are also regulated by POPIA, and which may, for instance, have a wall of fame where the names, surnames, and dates of birth etc., of both current and past students that might be publicly displayed on the school grounds itself or perhaps on the social media pages of these schools. Would the same be regarded as a purely household or personal activity for the school, or could such, based on the principles of the GDPR, be regarded to have some form of professional or commercial connection and would therefore not fall within the exclusions and would therefore require consent. POPIA is not clear on this.

Conclusion

There is still great uncertainty as to exactly how POPIA will regulate the processing of information of children and it remains to be seen how the courts will interpret and rule on the many questions posed herein above, if ever needed.

What is evident, however, is the world as we knew it has changed for good. The mere posting of a picture of a child on social media is no longer as simple as uploading and posting, as such could potentially have far reaching data privacy concerns.

PR de Wet Partner
[email protected]
Jako Fourie Associate
VDT Attorneys Inc., Pretoria

1. Available at: https://inforegulator.org.za/wp-content/uploads/2020/07/Guidance-Note-Processing-Special-PersonalInformation-20210628-004.pdf
2. See: https://www.statista.com/statistics/1100988/age-distribution-of-social-media-users-south-africa/