Consider the following scenario: Your son is eight years old and you celebrate his birthday by inviting his friends over for a birthday party. You take pictures of your child having a good time friends. Are you allowed to post those pictures on social media?
Legislative Framework
The Protection of personal Information Act (The Act) came into effect on the 1st of July 2021 and seeks to give effect to the Constitutional right to privacy, whilst balancing it against competing rights and interests, particularly the right of access to information.
For purposes of this article, it will be important to understand what is meant by the terms “Consent”, “Data Subject” and “Responsible Person”. The Act defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. A Responsible Person is defined as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. Furthermore, a data subject is “the person to whom the data relates”. In the aforementioned scenario, the parent is the Responsible Person and the child the data subject. The Act describes what is required before information may be shared and in the case of children, provides for additional measures to be met before information may be processed.
In terms of section 11 of the Act, information may only be processed if the data subject or a competent person where the data subject is a child, consents to the processing. Section 34 and 35 of the Act stipulates that Personal information of children may not be processed unless the processing is:
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in law;
(c) necessary to comply with an obligation of international public law;
(d) for historical, statistical or research purposes to the extent that-
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
(e) of personal information which has deliberately been made public by the child with the consent of a competent person.
In terms of section 6(1) (a) of the Act, the Act does not apply to the processing of personal information in the course of a purely personal or household activity.
How will these provisions affect our daily lives?
It is clear that the Act does not allow for the process of personal information of another person without their consent and provides additional protection to minors. The Act defines a child as being someone under the age of 18 years. It is important to note that the Act does not apply to the processing of personal information that occurs purely in the course of a household activity. The term household activity is not defined in terms of the Act and therefore the question arises whether posting pictures of your children on social media falls within the ambit of the household exception listed under section 6.
Guidance can be found in the General Data Protection Regulation (the GDPR) which regulates data protection in European countries. Article 2(2)(c) of the GDPR reads as follows: “This Regulation does not apply to the processing of personal data… (c) by a natural person in the course of a purely personal or household activity”. The related Recital 18 GDPR explains the provision by stating as follows: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Therefore, the GDPR sheds some light on the interpretation of a “household activity”. Until a South African court declares otherwise, it can be assumed that the where the processing of information does not have any connection to professional or commercial activities, the household exception listed under section 6 will find application.
Based on the aforementioned, we can assume that where parents simply post pictures of their children on their social media pages without it being linked to any professional or commercial purpose, will enjoy protection in terms of the Act.
What would the position where the images are used in a school’s marketing campaign or if a photographer takes pictures at a school and places it on his website?
As discussed, the Act defines consent as being a voluntary, specific and informed expression of will. Therefore, in order for consent to be valid, parents would have to make an expression of their will for example tick “YES”. Therefore it will not suffice where there is a clause, newsletter or email stating that unless parents raise an objection against the processing of their children’s personal information, consent will be considered to have been given.
It can be assumed that a marketing campaign would fall within the ambit of commercial activities and therefore the school would need to ensure that they comply with the Act. This means that consent will need to be obtained from parents before the processing of any information can take place. Furthermore, in terms of section 9 and 10 of the Act, the processing of information must be done in a manner that does not unreasonably infringe on the children’s privacy rights and must not be excessive. Section 14 of the Act provides that once the information is no longer relevant, it will have to be removed.
Minors and the social media era
Children are some of the biggest consumers when it comes to social media apps. In terms of section 35, children’s information may be processed if the information has deliberately been made public by the child with the consent of a competent person. Apps, websites and services hide clauses in their terms and conditions stipulating that in order for the website or service to be used, users must be over the age of 18. If it’s not the case, minors are required to obtain the consent of their parent(s). Such a clause is not sufficient to validate consent and steps should be taken in order to ascertain the age of the user. If the person who agrees to the term happens to be a child, the user did not have the capacity to enter into the agreement in the first place.
Lessons from other Jurisdictions
It is interesting to note that the GDPR and French Data Protection Act allows children, 15 years and older, to provide their own consent for certain types of processing that requires non-contractual “consent”. Examples include accepting cookies on a website, exercising the decision of whether or not his or her social media account settings should be set to public or private as well as whether or not to activate an optional geolocation feature on an app. However, it does not recognise “general digital adulthood” at the age of 15. In this case, the GDPR does not establish a child’s capacity to sign up to a social network by him or herself. In this case, the ordinary laws applicable to minors applies and children would need to obtain parental authority depending on the context and the interpretation of case law.
Takeaway
This article discussed the processing of children’s information in terms of POPI and the possible pitfalls that parents, schools and anyone processing information of children should consider. It is clear that there is still some uncertainty as to exactly how the Act will regulate specific situations. Before processing any information relating to children, always make sure that you obtain the required parental consent and be especially mindful of situations where you are processing information that could be interpreted to be for a professional or commercial purpose.