July / August 2013
Dear Consumer Law Review recipient
We are still keeping our eye on PoPI. Since the last issue of CLR the Bill was discussed in the Justice Committee of the National Assembly and the amendments made by the National Council of Provinces was approved. Read more about the remaining steps in the legislative process below. In this issue we include an article on the duty to ensure that personal information is secure. This is probably one of the most important duties introduced by PoPI and the area in which most suppliers will fall short. This is part 6 of our series of introductory articles on PoPI.
The Constitutional Court confirmed that class actions are now a very real tool in the consumer’s arsenal. Of course, this presupposes organisations that have the capacity to undertake such actions on consumers’ behalf.
One of the most contentious issues raised by the CPA is whether goods can still be sold ‘as is’ or ‘voetstoots’. While these clauses are sometimes abused by suppliers, they do have a legitimate place in some transactions. Read about our views on ‘voetstoots’ clauses and the CPA below.
See you next month!
Elizabeth de Stadler
Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Cape Town (http://www.esselaar.co.za). Her practice consists of general regulatory compliance audits; training and workshops on regulatory compliance; opinion work on the CPA, the National Credit Act, marketing law, data protection and contract law; and plain language drafting. She is also a founding director of Novation Consulting, a company which specialises in designing innovative and effective ways to communicate ‘legal’ documents to consumers.
She conducts regular workshops and training sessions on the CPA and other consumer legislation for businesses and for UCT Law@work, a unit situated within the Law Faculty at the University of Cape Town. She is the co-author of a consumer law textbook and a guide to plain language legal drafting, both of which are to be published by Juta Law.
WE WELCOME YOUR FEEDBACK
Please forward any comments and suggestions regarding the Consumer Law Review to firstname.lastname@example.org
Juta General Law
IN THIS EDITION OF THE CONSUMER LAW REVIEW
— Consumer law in parliament
— Intro to PoPI (part 6): Information security
— The CPA and quality problems (cars as a case study)
— Direct marketing: Opt-out registry still in the works?
— Constitutional court decides on bread class action
— Plain language tip
PoPI update: Last month, the Select Committee of the National Council of Provinces accepted and tabled the Bill with some minor changes (see their memorandum of 12 June 2013). These changes have now been accepted by the Justice Committee of the National Assembly. This means that both the houses must now vote on the Bill. After that the President signs it into law. The President will also determine the commencement date of the Bill. Once that date is determined, suppliers will have one year to ensure that they become compliant.
National Credit Regulator releases research on alternative dispute resolution: The National Credit Regulator has released its research on the functioning of the ‘alternative dispute resolution market’. This comes at a good time as amendments to the National Credit Act are in the works (the NCA Amendment Bill was gazetted on 29 May 2013). These amendments also include provisions on the regulation of alternative dispute resolution. Here are links to the NCR’s press release and an executive summary of the research report.
We came across a cautionary tale about information security recently. The NHS Surrey was fined £200 000, because the records of 3000 patients were found on a second-hand computer. What had happened was that the NHS employed another company to wipe and destroy old computer equipment. This will not be a strange notion for most companies. It was part of the deal that salvageable equipment would be sold.
The computer in question was bought in an online auction and the buyer discovered the records on the machine. The core of the problem appears to be that the agreement between the NHS and the service provider did not contain any provisions relating to the legal requirements under the UK Data Protection Act and the NHS did not monitor the destruction process.
This is what the Head of Enforcement at the Information Commissioner’s Office had to say:
The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.
This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.
(Go to the website of the UK Information Commissioner’s Office for more information on this case and guidance on how IT equipment containing personal information can be destroyed.)
This is all happening against the backdrop of calls for stricter data protection laws in Europe (see The Guardian ‘European Commission backs Merkel’s call for tougher data protection laws’ 15 July 2013). Where Europe goes, the rest of the world will probably follow due to the implications that a tightening of their laws will have on the global information economy.
Several principles emerge from this case, which are equally relevant in terms of PoPI. Firstly, the destruction of personal information also falls within the definition of ‘processing’ and therefore PoPI will apply to it. Secondly, suppliers have obligations relating to the security of personal information. Thirdly, suppliers retain responsibility in cases where another service provider is used. The first principle does not need elaboration, but let us look at the other two.
Sections 19(1) puts an obligation on businesses to:
secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical (sic) and organisational measures to prevent
(a) Loss of, damage to or unauthorised destruction of personal information; and
(b) Unlawful access to or processing of personal information.’
The more practical section 19(2) lists some of the ‘reasonable measures’ which a company can take:
Identify all internal and external risks to the security of the information. There are companies who specialise in this.
Establish and maintain safeguards against the risks which have been identified.
Regularly verify that the safeguards are being implemented.
Ensure that the safeguards are up to date to respond to new risks or deficiencies.
These measures all presuppose an internal policy on IT security.
In addition, section 19(3) provides that the business ‘must have due regard to generally accepted information security practices and procedures’.
If someone else is processing the information on the business's behalf (as was the case in the NHS matter) there must be a written contract with this third party which ensures that they establish and maintain security measures (see sections 20 and 21 for the specifics). The third party must also notify the business immediately if there are grounds to suspect that the security of the information has been compromised.
Section 22 provides that if there are reasonable grounds to believe that personal information has been obtained in an unauthorised manner, the business must notify the Regulator and the data subject as soon as possible (see section 22 for the specifics).
If you are still in doubt about the serious risk posed by information insecurity, do read this article at www.riska.com. One of the interesting facts in the article is that cyber risk, that is, the risk of unauthorised access to the personal information of company clients (amongst other things), has moved from 12th to third place in the Lloyd’s 2013 Global Risk Index. Luckily, the article also offers some guidance on how to improve IT security. For even more tips, read ‘What security measures should I take to protect the personal data I hold’ on the website of the UK Information Commissioner’s Office.
Since the enactment of the CPA, the question whether goods can still be sold ‘voetstoots’ or ‘as is’ has been a hotly debated topic. The short answer is that ‘voetstoots’ clauses as we know them are no longer acceptable in transactions where the CPA applies. This will cause difficulties for suppliers of second hand goods or low quality (but consequently cheap) goods.*
Why do I say it is not applicable?
The point of departure is that consumers have the right to goods which meet the standards and requirements listed in section 55(2) of the CPA. They are that goods must:
be reasonably suitable for the purpose for which they are generally intended or suitable for any specific purpose which was communicated to the supplier;
be of a good quality, in good working order and free of defects;
be useable and durable for a reasonable period of time; and
comply with any other legislation which regulates their quality.
A seller will no longer be able to rely on a ‘voetstoots’ clause or a clause which provides that the goods are sold ‘as is’, because such clauses preclude buyers from claiming against sellers for sub-standard or defective goods. Why is it no longer available to a seller? This is the result of section 51 which provides that a seller may not contract out of the CPA. Because the buyer is entitled to return, repair or replace goods which do not comply with the quality requirements, a seller cannot rely on a term which deprives the consumer of that right.
Section 55(6) does provide some relief in this regard, but it does not breathe life into the ‘voetstoots’ clause. It provides that a consumer cannot rely on the fact that the goods were not fit for their ordinary purpose, of inferior quality or defective if the consumer ‘has been expressly informed that particular goods were offered in a specific condition’ and ‘has expressly agreed to accept the goods in that condition, or knowingly acted in a manner consistent with accepting the goods in that condition.’ This means that if a seller points out a defect to a consumer before the sale and the consumer still buys the product, the consumer cannot hold the seller responsible for that defect. This could also mean that a seller could tell a consumer that goods are used or are factory rejects as a result of which they will be cheaper, but a consumer cannot return them if they are defective. In other words, pointing out the heightened risk of the goods being defective may be enough. Any clause inserted in terms of section 55(6) must be in plain language and the fact, nature and effect of the clause (ie that the consumer will not be able to claim) must be pointed out to the consumer. If this is not done, the clause will not be valid (see section 49).
Suppliers should also note that, section 55(6) does not safeguard the supplier against all claims relating to post-purchase quality issues. It only qualifies the first two of the four standards listed above. It will always be open to a consumer to claim that the goods were not useable or durable for a reasonable period of time or that they did not meet other statutory requirements. This right can never be excluded (this decision by the legislature is quite strange, but until such a time that it is changed, suppliers will have to live with it).
There are other ways in which suppliers can protect themselves in addition to section 55(5). The definition of ‘defect’ and all the standards to which a consumer is entitled hinge on the consumer’s reasonable expectation of the goods or what the goods are reasonably capable of. [T]he manner in which, and the purposes for which, the goods were marketed, packaged and displayed, the use of any trade description or mark, any instructions for, or warnings with respect to the use of the goods must be taken into account when evaluating the quality of the goods. For example, a consumer is not entitled to expect that a second-hand car will perform like a new one, or that a factory reject will be perfect. Put simply, the goods won’t be considered defective.
What is the implication of this? Suppliers would be well advised to manage consumer’s expectations of the quality of the product carefully. It should be clear to a consumer that what they are buying is of a particular standard. If the goods suffer from a particular defect suppliers should clearly and unambiguously point this out to consumers.
*Remember that if it is a private sale (ie a person wants to sell their own car or house but is not a professional supplier of cars or houses), the CPA will not apply and ‘voetstoots’ clauses will be acceptable as long as the seller is not fraudulent.
The National Consumer Commission said recently that an opt-out registry was still being set up (see Nicola Mawson’s ‘No uniform opt-out solution’ (22 July 2013) on www.itweb.co.za*). This brings us to an old question: How do we deal with the CPA and PoPI at the same time? (See the August 2012 edition of Consumer Law Review.)
You will recall that the CPA provides that direct marketing is allowed, but a consumer can opt out to the supplier directly or, in the future, consumers will be able to register their details at a national opt-out registry. Once the registry is set up suppliers would have to check it before doing direct marketing. This is an opt-out system.
PoPI is going to throw a big spanner in the works as it is not consistent with the approach taken in the CPA. PoPI provides (in short) that:
suppliers cannot engage in direct marketing without a person’s consent,
unless that person is an existing customer,
who provided their contact details for the purpose of direct marketing during the course of a transaction for the same or similar goods or services,
and has been given ample opportunity to opt out every time direct marketing was done; and that
the supplier can contact the customer once to get this consent.
This is essentially an opt-in system.
So, the CPA and PoPI are inconsistent, but what does that mean:
Given that an opt-in system provides more protection, PoPI will apply. This means that when a supplier is engaging in electronic direct marketing, PoPI will apply.
When the marketing is not electronic the CPA will apply. (To add insult to injury, it is not clear what will be considered electronic or not, particularly when it comes to telephonic marketing.)
Another way to read it is that both the CPA and PoPI will apply. This means that a supplier will have to get consent from consumers and check the registry. If a name is on the registry the supplier cannot even phone the person to get their consent to do marketing. But what if a consumer gives consent and is on the registry?
In the meantime, before the registry is established, suppliers would be well advised to get consent before doing direct marketing as that will comply with PoPI and with the CPA, even when the registry is established. This is because regulation 4(3)(g) provides that if an existing client gave consent to receiving direct marketing after the CPA became effective (31 March 2011), but before the registry is established, a supplier does not have to check the registry.
Confused? Don’t worry, it is understandable. Let’s hope this gets cleared up soon.
*The Itweb article actually raises a different, but very important issue. Opting out of direct marketing must be free. This is problematic when marketing is done via bulk SMSes as some of the cellular service providers do not provide a technical solution which enables this.
The class action of consumers against bread producers was discussed in the November 2012 edition of the Consumer Law Review. That article was about the case before the Supreme Court of Appeal on behalf of consumers. At the same time the SCA also heard the case on behalf of the bread distributors (ie the middleman between the consumers and the bread producers). Their case was not successful and the distributors appealed the decision. On 27 June 2013, the Constitutional Court held that the SCA applied the incorrect test when deciding on the prior certification of the class [para 55]. The court held that [para 38]:
Courts must embrace class actions as one of the tools available to litigants for placing disputes before them. However, it is appropriate that the courts should retain control over class actions. Permitting a class action in some cases may, as the Supreme Court of Appeal has observed in this case, be oppressive and as a result inconsistent with the interests of justice. It is therefore necessary for courts to be able to keep out of the justice system class actions which hinder, instead of advancing, the interests of justice. In this way prior certification will serve as an instrument of justice rather than a barrier to it.
The court pointed out that the factors listed by the SCA when determining whether prior certification should be granted are not exhaustive and that a court can consider any ‘relevant and material’ factors [para 47]. These factors were discussed in the November 2012 edition of the Consumer Law Review.
The court ordered that the applicants can supplement their application before the High Court. The High Court will then apply the procedural rules which have now been established in the SCA and the Constitutional Court.
The judgment is available on http://www.legalbrief.co.za/article.php?story=20130628084145555
Avoid preposition chains. Your sentences will be shorter and clearer. Here are some examples:
The manner in which – how
At the present time – now
Due to the fact that – because
In the event that – if
In view of the fact that – because, since
With reference to – about, concerning, relating
At all times – always
At an early date - soon
© Stellenbosch University Language Centre and Elizabeth de Stadler
HOW CAN WE ASSIST YOU?
MANAGE YOUR MARKETING COMMUNICATIONS FROM JUTA LAW:
> Click here to opt-in to continue to receive these newsletters.
> Click here to unsubscribe from this communication
> Jutastat e-publications user helpdesk email@example.com
> Juta Customer Services firstname.lastname@example.org
> Juta Law Marketing email@example.com
Jutastat electronic subscribers and print subscribers may receive important service-related information relating to their Juta publications from time to time.
|SOUTH AFRICA'S PREMIER PUBLISHERS OF LEGAL AND REGULATORY INFORMATION|
|2019 © Juta and Company Ltd|