GDPR is not just another four-letter word

Jul 10, 2018 | News

“Sticking your head into the sand is perhaps the last thing South African companies should do”

From the 25th of May this year estate agencies in South Africa that interact with European Union residents must comply with Europe’s General Data Protection Regulation (GDPR), or face the possibility of paying heavy fines. How compliant are SA agencies?

According to GDPR consultant Wade Bennet, based in the UK, many real estate companies in South Africa market themselves as international real estate companies and interact with European Union (EU) residents, but he hasn’t found one with a compliant website yet.

“Perhaps South African businesses do not appreciate how serious the EU is about privacy and data protection or perhaps they feel the EU is not going to do anything about non-compliance. The fact is that Google and Facebook are already facing huge court actions because of non-compliance,” says Bennet.

Bennet says if you put the POPI Act and the GDPR Act side by side you will note areas that involve protection of personal information are well aligned. However, the POPI Act fails to look at certain aspects of EU user data privacy and certain EU user rights. Bennet explains why as follows:

Companies are required to get authorization from a user before they can use any of the user’s personal information or user data. Whereas most people understand what personal information is, a user’s e-mail address, phone number, address and so on, what constitutes a user’s data is less understood. Take an e-mail newsletter as a simple example. A user subscribes to a digital e-mail publication and hands over their e-mail address. The e-mail address is regarded as the user’s personal information and must be protected by the company in accordance with the POPI or GDPR legislation.

However, what the user may not be aware of is that the e-mail software is doing a lot more than sending out a mail. The software tracks if the user opens the e-mail or simply deletes the e-mail. It tracks if the user forwards the e-mail to another person and a whole lot of other things about the user. This is where the company collecting this data starts migrating into the domain of the user’s data privacy.

Bennet says surely a user using their personal computer in the privacy of their home should be able to do whatever they wish with the e-mail without having their actions monitored, but adds he thinks most people would not care about these simple observations of their private activity by some company. However, he says when the software starts looking at cookies placed on a user’s computer when they visit a website or the hidden functionality of many apps most people will start worrying in a big way, and Bennet says they would be correct for doing so.

GDPR legislation starts dealing with this aspect of a user’s data privacy, which includes the data created by a user accessing a website or app, commonly called user data. To achieve this, GDPR laws give users rights that companies are lawfully obliged to uphold.

These rights include the right to get copies of their data, the right to have their data deleted, the right to data portability and the right to have their data corrected and ask how their data is being used.

Bennet says to note that the act refers to user data, which includes personal information as well as data created by the user and stored by the company (user data).

He explains further: The act also requires companies to get a user’s permission to store their personal information and user data and use their information and data for specific uses. For example: If a user subscribes to a property alert the company cannot by default start sending the user the monthly newsletter. The use of default selections is not allowed. If a user requests that their data and information be deleted the company must delete the data; they cannot just deactivate or archive the data. This includes all the user-generated data linked to that user.

Companies that have e-mail databases of EU residents must ensure that all EU users have opted in or be removed / deleted from the database. Companies that have databases of EU users that have not opted in after 25 May 2018 will be in contravention of the GDPR Act and liable for a fine regardless of the country in which the company is situated.

Regarding the use of cookies, GDPR requires companies to publish on their websites if cookies are used and how they are used, and many companies comply with this requirement. However, the Act also requires companies to get permission or approval from users if they intend collecting and using their information and data. Accordingly, a website should not place a cookie on a user’s computer or start using the data generated by that cookie without the user’s consent or approval. In the illustration below you can see the website is complying by requesting the user accepts the terms and conditions relating to the use of cookies upfront when the user enters the website. This pop-up bar loads when the visitor enters the company’s web site.

The use of cookies relates to a person’s private user data and is governed by the EU laws regarding privacy. A company can no longer place a program (cookie) onto a person’s personal computer / cell phone and start monitoring and tracking a person’s private activities without the prior consent of the user.

The EU has made it very clear that they will enforce these laws in every country where international agreements allow them to be enforced. South African companies should be aware that they are not immune from EU enforcement of these laws.

Bennet says the real estate industry is perhaps one of the most vulnerable industries in SA as many EU citizens buy and sell property in South Africa. Many real estate companies market their listings and their websites internationally to attract international buyers.

He says ironically, on the 6th of June 2018, shortly after 25 May when the GDPR Act came into force, he received an e-mail from a South African real estate company. He had no idea who the company is and he says he had never subscribed to any e-mail publication from them. When he contacted the company requesting information, as he is lawfully entitled to do, they simply stopped communicating.

“Sticking your head into the sand is perhaps the last thing South African companies should do,” Bennet says, adding that he also receives emails from a few well-known estate agencies and many other smaller agencies to which he has never subscribed.

He says the EU enforcement agencies have made it very clear, they are not out to fine everybody who does not comply. They realize full compliance will take time. However, every complaint will be investigated and companies that totally and continually disregard the law will be prosecuted. Nobody should underestimate the serious manner in which the EU intend to protect their citizens’ privacy in the global digital space, warns Bennet.

On 25 May this year, the same day Europe’s GDPR went into effect, pro-privacy advocate Max Schrems, an Austrian lawyer, filed multi-billion euro lawsuits against Facebook and Google for failing to comply with the new regulations. This is despite the fact that both companies have attempted to comply.

Google and Facebook CEOs have had to attend EU hearings where they have had to explain their recent actions as well as give the EU community assurances that their personal data will be respected.

“Everybody knows we are all in uncharted waters regarding digital privacy and there is some confusion as to how the laws may be interpreted but one thing is certain, this is going to get far more complicated as we start to learn how technology is making its way into and the way it monitors the most personal parts of our lives,” Bennet concludes.

About the author: Wade Bennet operates a private consultancy in the UK. He says he has, in one way or another, been involved with the real estate industry for over 30 years and he has clients in the EU, UK, USA, South Africa and Australia.

PS: I visited the websites of eight local property agencies that market themselves as international, of which only two had a cookies pop-up bar, Knight Frank and Engel & Völkers. It would appear Mr. Bennet may have a point. Ed.