How to handle staff who will not mask up
• Fair dismissals are possible within reason if employees fail to stick to Covid-19 safety protocols
Lauren Salt & Matlhatsi Ntlhoro ENSafrica
More than a year after the start of the Covid19 lockdown, manycitizens have adopted alax approachto mask wearing,social distancing and sanitisation.
However,a recentLabour Court judgment in SA indicates thatemployers may, withinreason,beabletofairly dismiss employeesfor not adhering toCovid-19 safety protocols.
In termsof theDisaster Management Act,2002, wearing a face mask is mandatory forevery person when ina publicplace, excluding childrenunder six yearsold. Despitethis,a number ofemployers have condoned lawlessness, or rather masklessness, where employees arealone intheir private offices, on the basis
that private officesare not “public places” However, regulation 70(5) states thatan employermay not allow anyemployee to perform anyduties orenter the employment premises if theemployeeisnotwearinga face mask while performing his or herduties. This regulation seems to suggest employees ought to wear masks at all times when performing their duties, irrespective of where the duties are performed. On a strict interpretation of the regulation, this would include where anemployee isworkingremotelyfromhome.This is unlikely what the drafters of the regulation intended.
EMPLOYERS AND EMPLOYEES SHOULD BE MINDFUL OF NOT BECOMING BLASÉ ABOUT COVID-19 COMPLIANCE
Afailuretoadheretothese regulationswould resultina personwho commitsthis offence being liable,on conviction, toa fine orof imprisonmentnot exceedingsix months, orto both afine and imprisonment.
From a compliance perspective, andto avoidany possible adverse findingif an inspectionis conducted,the safestapproach foremployerswouldbe tohaveapolicy in the workplace that complieswith regulation70(5) andto havemaskwearing mandatoryin allspaces, closed or open, private or public,at theemployer’s premises.
In therecent judgmentof EskortLimited vStuurman Mogotsi& OthersLC,the Labour Court foundthe dismissalof anemployee tobe fair based on:
● Gross misconductrelated to hisfailure to discloseto the employer thathe tooka Covid-19 test; and
● Grossnegligence inthat
even afterreceiving his positive Covid-19test results, he failed to self-isolate and continuedreportingforwork, puttingthe livesofhis colleagues andtheir families in danger.
Inthis case,theLabour Courtsought toconsiderall surrounding circumstances intotality priorto reachinga decision that thedismissal of the employee was fair.
The followingfactors were considered:
● The employee’srole in being partof theCovid-19 awareness committeein the workplace;
● Theemployee’snegligence in failing to disclose his Covid-19 positivetest results, placingthelivesofcolleagues and customers in danger;
● The employee’sconduct in walking aroundwithout a mask andhugging fellow employees afterhaving tested positive; and
● The employee’s nonchalant attitude.
Insome instances,the
sanction ofdismissal might not be appropriatefor maskrelated transgressions(even ifnot wearingamask isin contravention ofthe national laws). Forexample, incircumstances wherean employee hastilyleaves their office to fetch printing and forgetsto weartheirmask andisseenandconfrontedby another employee3m down the corridor,but when confronted, theemployee quickly apologisesand fetchestheirmask andputsit on.Dismissal inthisinstance wouldlikely beoverlyharsh and a verbalwarning might be more suitableor a mere reminder to be more vigilant.
SANCTIONS
Employers whosedisciplinary codeprescribes the appropriate sanctions for misconductshouldbecareful notto followit blindly.Dismissaldoesnotautomatically follow wherethe transgressionamountsto abreachof thelaw.As inanyother
assessment ofthe appropriate sanction, factors such as the severity and impact of the transgression,as wellasany remorse shown,should be taken intoconsideration. The seriousness ofthe transgression andthe surrounding circumstances inthe Eskort case, however, certainly warranted dismissal. Employers andemployees shouldbe mindfulof not becoming blaséabout Covid19 compliance in the workplace. Employeesneed to understand theirnoncompliancecouldhaveseriousramifications. However,in taking heedofthecourt’swarningto take Covid-19 compliance seriously, employers should equally be mindfulof the manner inwhich they enforcecomplianceandmete out disciplinefor noncompliance. Employersshould not hastily jumpto terminate transgressors’ employment, and should ensure that the factsof thecase supporta sanction of dismissal.
KEEP YOUR COLLEAGUES SAFE
/123RF MILKOS
LATERAL THINKING
How cybercrime law works
• SA recently enacted a new cybercrime law, which is long overdue. Business Day Law & Tax Editor Evan Pickworth interviews Darryl Bernstein, partner and head of dispute resolution, and Janet MacKenzie, partner and head of technology, media and telecommunications, at Baker McKenzie Johannesburg on the ramifications of this legal development
EP:SAhasrecently enacted anew cybercrime law what isthe context forthis latest legal development?
DB/JM: Thepandemic has drivenhomethehighvalueof personal data tothe global economy, whilealso highlighting itsvulnerability to abuse andattack. In response, governments aroundthe worldhavebeen reviewing theirdata privacy and protectionslaws and regulations, including in SA. Global cybersecurityfirm Kaspersky recentlynoted that cyberattacks areset to rise inAfrican countries, especially in thekey financial centresof SA,Kenyaand Nigeria. The cybersecurity firmnoted thatrapidlyevolving digital techniqueshad led to anincreased riskof advanced persistentthreats and hacking-for-hire events in Africa.
EP: Canyou tellus more about SA’snew Cybercrimes Act?
DB/JM:In SA,theCybercrimes Act (act)was signed into lawby President Cyril Ramaphosa inearly June 2021, bringingthe country’s cybersecurity legislation in line with global standards. Thecurrent legalframework tocombat cybercrime consistsofahybridoflegislation and common law. The Cybercrimes Acttakes its place as part of a set of laws and policy initiativesthat aim to regulatethe ever-expanding onlineeconomy, andthe surgeincyber-relatedcrimes from a SouthAfrican and global perspective.Once it commences, theCybercrimes Actwill codify numerous offences (cybercrimes) andrelated penalties. The act providesfor, inter alia:
● The creationof offences whichhave abearingon cybercrime;
● The criminalisationof the disclosure ofdata messages which aredeemed harmful and the provisionof interim protection orders;
● Theregulation ofthejurisdiction ofSouth African courts andauthorities in respect of cybercrimes
● Theregulation ofthepowers of authoritiesto investigate cybercrimes;
● The mutual assistance between authoritiesin different foreign states in the
investigation of cybercrimes;
● The establishmentof a designated pointof contact within theSouth African PoliceServices(SAPS),which officewill beresponsiblefor assisting withproceedings or investigations intoa cybercrime; and
● The impositionof obligations to report cybercrimes
TheCybercrimes Actcreatesanumber ofnewcybercrime offencesand substantially expands the ambit of criminalised activity, while simultaneously creating sanctions foroffences and fines for these offences. The majority ofthe offencescreated by theCybercrimes Act relate todata, messages, computers andnetworks involvinghacking,theunlawfulinterception ofdata,ransomware attacks,cyber forgery anduttering, thetheft of incorporealproperty and cyber extortion.
The act criminalises “malicious communications”, which meansany electronic communication (called a “data message”) whichis sent to a person, agroup of persons or the general public withtheintentiontoincitethe causing of any damage to property belongingto, orviolence against, aperson or groupofpersons.Theunlawful andintentional disclosure of a data messageof an intimateimageofapersonisalso an offence.
TheCybercrimes Actalso grants lawenforcement extensive powersto investigate,search, accessandseize variousarticles,suchascomputers, databasesor networks. Notably,the act imposes a dutyon electronic communications service providers andfinancial institutions toreport certain offences within72 hours. Failure to make the required report could lead toa fine on
conviction ofa maximumof R50,000. Further,those foundguiltyofacybersecurityoffencefaceheftyfinesand lengthy prisonsentences of up to 15 years.
EP:Is itsimilarto theProtection of Personal Information Act interms of how data breachesmust be responded to?
DB/JM: Yes,in some respects. In SA, data security is also governedby the Protection ofPersonal Information Act (Popia) and the substantive implementationof key provisionsof Popia becameenforceable onJuly1 2021. Thislegislation, among other things,promotes the protection ofpersonal information processedby public and privatebodies, outlines the rightsof datasubjects, regulates the cross-border flow ofpersonal information, introduces mandatoryobligations to report and notify data breachincidents, and imposes statutorypenalties for violations of the law.
Oneof theconditionsfor lawful processing interms of Popia is the use of security safeguards, which prescribes that the integrity and confidentiality ofpersonal information must be secured by a person incontrol ofthat information. Thisis prescribed byPopia toprevent loss, damageor unauthorised access to, ordestruction of,
THE CYBERCRIMES ACT ALSO GRANTS LAW ENFORCEMENT EXTENSIVE POWERS TO INVESTIGATE, SEARCH, ACCESS AND SEIZE ARTICLES
personal information. Popiaalso createsa reporting dutyon persons responsible forprocessing personalinformation,whereby they must report any unlawful accessto personal information (a databreach) to the InformationRegulator within a reasonableperiod of time.
Like the Cybersecurity Act,Popia bringsSA inline with internationaldata protection laws by regulating the processing ofthe personal information ofnatural and juristic personsand placing more onerousobligations on
“responsible parties” that process such information.
In terms ofPopia, where there arereasonable grounds to believethe personalinformationof adata subjecthas beenaccessedoracquiredby any unauthorisedperson, the responsibleparty hastonotify theInformation Regulator, as wellas thedata subject, unless thatperson’s identity cannot be established.
Thenotification hastobe made assoon asreasonably possibleafterthediscoveryof the compromise, considering theneedsoflawenforcement or anymeasures necessary todetermine thescope ofthe compromise andto restore the integrityof theresponsible party’sinformation system. Theresponsible party mayonly delaynotificationof the data subject if a public bodyresponsible fortheprevention, detectionor investigation ofoffences orthe Information Regulatordeterminesit willimpede acriminal investigation.
Thenotificationmustbein writingandmustbecommunicated eithervia e-mailor postedto thedatasubject’s lastknownaddress.Thenotification could also be placed in a prominentposition on thewebsiteoftheresponsible party, published in the media orasdirectedbytheInformation Regulator.It mustprovide sufficientinformation to allowthe datasubject totake protective measures against thepotentialconsequencesof the compromise.
Inaddition, theInformation Regulatormay directa responsible partyto publicise, inany mannerspecified, thefactofanycompromiseto the integrityor confidentiality of personalinformation, if
thereare reasonablegrounds tobelieve suchpublicity would protect a data subject.
An organisationinvolved inadatabreachsituationmay alsobesubjecttoanadministrative fine,penalty orsanction, or civil actions and/or class actions.
EP: Are thereany other countries in Africa that have recently passedlegislation governing cybersecurity?
DB/JM: In 2020, Ghana similarlypassed itsCybersecurity Act2020, tooverseethe country’sresponse tothe prevention and management of cybersecurity incidents. The act establishes the CyberSecurity Authorityand providesfor theprotectionof the criticalinformation infrastructureof thecountry. The actalso regulatescybersecurity activities,oversees theprotection ofchildrenon the internetand seeksto develop Ghana’s cybersecurity ecosystem.
EP: What are the latest developments with regard to how cybersecurity is legislatedacross thecontinent?
DB/JM:Data privacylaws whichgovern, amongother things,data securityand breaches,are currentlypresentinless thanhalfof African countries.Regionally, theSouthern AfricanDevelopmentCommunity andthe Economic Communityof West AfricanStates havedata protectionpolicies inplace and thecontinent isalso covered by theAfrican Union’s Conventionof theAfrican Unionon Cybersecurityand Personal Data(2014)(convention). As ofMay 2020, the conventionhad onlybeen ratifiedbyeight outof55AU members (Angola, Ghana,
Guinea, Mauritius,Mozambique,Namibia, Rwandaand Senegal),while 14countries hadsigned butnot ratifiedit. SA, Kenyaand Nigeriahave not yetsigned theconvention.
EP:Why iscybersecurity legislation essentialin Africa?
DB/JM: Legislation governing thedigital economyisessential to protectAfrican citizens in terms of both their digital privacyrights andcybersecurity threats, while at the sametimealsoensuringtheir onlinefreedoms arenot threatened. The AU hasbeen encouragingits memberstatesto signthe conventionand implement balanced local legislationthat isfully enforceableand thatrespects human rights.
EP: How couldthe process ofprotecting dataprivacy and ensuring cybersecurity be facilitated in Africa?
DB/JM: Tofacilitate thisprocess, consultationswith stakeholders ingovernment, businesses(local andinternational) and organisations representing widersociety wouldensure abalanced approachduring thedrafting ofthese laws.International legislationshould beconsideredalongside locallaws, giventheborderlessnatureof theonline environment,and consulting withtechnology experts on policymeans due consideration can begiven to the specific nature of this rapidly developing sector.
Considering the current rapidmove todigitally focusedbusiness models,the implementationof theselegal protectionsand guidancehas become urgent for all African countries.
POPI is the new normal
POPIA compliance solutions,
The POPIA clock has stopped counting down, but your journey is just beginning.
strong expertise in data privacy
Reading staff’s e-mails in the era of Popia
• Correct wording of employment contracts will head off disputes over monitoring of communication
Suemeya Hanif & Nicole Gabryk ENSafrica
After theProtectionofPersonal Information Act, 2013 (Popia) came intoeffectfullyonJuly1,there aresomeareasofdisputethat may arisebetween employers andemployees, including the monitoringof employee e-mails.
Ina recentConstitutional Court judgmentin Turkey, the personaldata protection rights of an employee were considered. Itcould provide some guidance asto how a similarsituation maybehandled in an SA context.
In this matter, a private bank employeeused hiscorporate e-mailaccount during working hoursto assisthis spouseinthe runningofher business. This resultedin the employer terminatinghis employment. The employee challengedhisterminationon the basisthat hisemployer hadinfringedhis righttodata protection andfreedom of communication whenthe employer inspected his corporate e-mailwithout his prior notice or consent.
Inaddition, theemployee’s signedcontract of employment stipulatedhe was required to use his corporate e-mailfor business purposes only. As such, the employer couldinspect the accountat anytimewithout prior notification,and the Constitutional Courtheld that the notificationand consent requirement was fulfilled.
Thecourtalsotooknoteof the fact theemployer had only hadregard tothe information whichsupported the allegations theemployee had engaged inother business activities duringworking hours. Therefore, it found that the purpose ofcollecting the data, and the use thereof, was
TheTurkishConstitutional Court held thatto ensure employees conduct their work efficiently, anddue to the natureof theemployer’s business (theprovision of financial services), the employer hada legitimate basis forinspecting employees ’ corporate e-mails.
IDEALLY, PERSONAL INFORMATION SHOULD BE PROCESSED WITH THE DATA SUBJECT’S CONSENT
limitedto provingtheallegations of misconduct.
IntheSAcontext,employment contracts usually contain clauses dealingwith the monitoring and interception of communication on work devices and e-mails.
These clausesusually providethat, asworkdevices and telecommunication systems are provided to promote the business’s objectives, they mustbe used for bonafide businesspurposesonly andthatthe employer reserves the right to intercept and/or monitor any direct orindirect communication on their work devices and/or utilising the employer’s telecommunication systems.
In terms of Popia:
● An employer who processes the personal information ofan employee(data subject) must doso fairly and without negativelyimpacting the rights of the data subject;
● Ideally, personalinformation should be processed with the data subject’s consent. Absent consent, there are othergrounds thatan employer can rely ontoprocess personal information, includingwheretheprocessingis necessaryforpursuing the legitimateinterests ofthe responsibleparty(inthiscase
the employer)or ofa third party to whom the information is supplied;
● To comply with Popia, employersshouldensureany clause in an employment contract allowing for the monitoring and interception of communications on the employer’s devices, or using the employer’s telecommunication systems, also clearly explains the purpose for such monitoring and interception. An employer may monitor and interceptcommunicationson acompanydevice and, if theemployee is using theirdevice,communications sent and/or received using the employer’s telecommunication systems. The reason for this is that these devices and/or systems are provided bytheemployertoenablethe employee to perform their dutiesand toassistthe employerto meetitslegal, business, administrative and management obligations. Thiswouldconstitutealegitimate reason for processing.
If sucha clausewas
inserted intoa contractof employment, an employer could use the argument raised inthe Turkishcourt to justify the processing of information, becausethe employee would have been notifiedof thereason andthe purpose for such processing.
COGNISANCE
MUST ALSO BE TAKEN OF THE OTHER PROCESSING CONDITIONS FOR LAWFUL PROCESSING
Cognisance must also be taken of the other processing conditionsfor lawfulprocessing contained in Popia.
An employer may only use personal information obtainedfromtheemployer’s devices or systems to ensure compliancewith itsobligations and not for any other purpose.Anemployeewillbe
providedwith anopportunity to objectto the useof his/her personal informationduring aninvestigation and/ordisciplinary process thereby ensuring compliance with theopennessanddataparticipation condition.
Employers should ensure theirexisting contractsof employment include appropriatewording (sothat informed,expressandvoluntaryconsentisobtainedatthe outset, whichis alsocompliant with theprocessing conditions in Popia) Including appropriate wording in anycontract of employmentwill entitlethe employerto monitorand/or intercept communications on the employer’s devices and/or sent orreceived using the employer’s telecommunicationsystems shouldthe needariseatanystageduring the employmentrelationship without seeking adhoc consent ona case-by-casebasis, andcould preventcostly futurelitigation andprotracted disputes with employees.
Does Popia apply to memes and photos?
Zamathiyane Mthiyane Werksmans
Agreat dealof attentionhas been given to juristic entities’ compliance withthe Protection ofPersonal Information ActNo 4of 2013(Popia), which came into effect on July 1 2021 Popia aims to protect an individual’s rightto privacy by offeringprotection against the unlawful collection, retention, disseminationand use of personal information.
The questionwe explore is whetherthe protection afforded byPopia also extends tophotos, andpictures including “ memes”, of “data subjects”, as defined in Popia, which are posted on
social media platforms. Inthe eventanindividual discovers a “post” on a social media platform disclosing certain ofhis/her “personal information”, asdefined in Popia, includinga photograph,ona primafaciareadingof Popia,thesubject ofthe post maybe considereda data subjectand theperson who postedthe photograph may beconsidered a “responsibleparty”asdefined in Popia.
Postingthepersonalinformation onsocial media would also,arguably, amount to the disseminationof personal information,as contemplated in the definition of “processing” in Popia. Thus, theresponsible
party may be obliged to comply withthe provisions of Popia.
The consequencesof being considereda “ responsible party” in terms of Popia are substantialand include the requirementfor a responsible party,inter alia, to comply withthe eight conditionsoflawfulprocessingof personal information,as prescribed in Popia.
The conditionsinclude a requirement toobtain the consent of the data subject before postinga photograph orthe viewsofthat datasubjectona socialmediaplatform. Theresponsible party wouldalso berequiredto appointaninformationofficer and publish and comply with
aPopia manualas readwith section 51 ofthe Promotion of Access to Information Act No 2 of 2000.
Arguably, the application of Popia in the above circumstanceswould leadtoan absurd resultwhere every individual whoposts photos, memes, videos orthe views of another personis considered aresponsible partywho must complywith onerous conditions.
To preventthe abovementioned situation from arising,section6(1)(a)ofPopia statesthat Popiadoesnot applyto theprocessingof personal informationin the courseofapurelypersonalor household activity.
The repercussionsof sec-
tion 6(1)(a) ofPopia, quoted above are, arguably, that:
● Popia applies only to business orprofessional activities.
● Inso farasany picturesor videotaken orviewsshared are disseminatedon social media or anyother platform in a personalcapacity, Popia arguably does not apply.
Popia does not define the terms “personal activity” or “household activity”. The aforementioned terms may have tobe interpretednot onlyby theordinarygrammaticalmeaningofthewords but also by taking into account, ona case-by-case basis, whatcontemplates work as opposedto personal use in respectof the relevant
social media user.
Disgruntled individuals whofindtheirpersonalinformation postedon social media platformswithout their consentare, however, not without legal remedy.
Ourcommon law,ascodified inthe Constitutionof the RepublicofSA,1996,protects individuals’ rightto privacy ona professionalandpersonal basis.
Thus, socialmedia users whopost whatmay beconsidered aspersonal informationshould doso keepingin mind that thesubject of the posts,thoughfallingoutofthe ambitofPopia, arestillprotected bythe commonlaw in the eventthe postbreaches the privacy of the subject.
BUSINESS LAW & TAX
Clarity on crypto asset laws
• Policy paper reveals how crypto asset service providers will be subjected to regulatory oversight
Seshree Govender Webber Wentzel
The recentlypublished Crypto Asset Policy Paper lays outthe types of crypto asset service providers that will be subjected toregulatory oversight and howthey will be supervised.
OnJune 112021, theIntergovernmental FintechWorking Group(IFWG) published itslong-awaitedCryptoAsset Policy Paper.It showsthe IFWG isofficially moving towards regulatingcryptoasset services in SA and bringingan endto thelongstanding “user-beware” crypto assetregulatory position established in 2014.
TheSA cryptoasset industry willnow beginthe process oftransitioning from its unregulatedlandscape to anenvironmentsubjecttothe regulatory purviewof the Financial Sector Conduct Authority (FSCA),the SA Reserve Bank andthe Financial Intelligence Centre (FIC). Current landscapeof crypto asset regulation in SA
The SA policy position on crypto asset/currency regulation was first setout in the 2014positionpaperonvirtual currencies issuedby the Reserve Bank aspart of a joint initiativebetween the bank, NationalTreasury, the Financial ServicesBoard, SA Revenue Service and the FIC. Due to the global lack of regulation andsupervision of cryptocurrency atthe time,
the2014 policypositiondid not subject cryptoassets to any regulatoryoversight. Thus anyonewho participatedin thecrypto assetsector did so at their own risk.
While the SAcrypto asset industry haschanged and grown significantlysince 2014, theregulatory position did not.
Dueto theprevailing application ofthe 2014 position, theindustry now operates ina largelyunregulated space,governed predominantly bythe contractual relationshipsconcluded between its participants.
The core purpose of the impendingcryptoassetregu-
MARKET PLAYERS IN THE CRYPTO ASSET INDUSTRY SHOULD BEGIN DEVELOPING AND IMPLEMENTING APPROPRIATE STRATEGIES
latory frameworkis notto regulate the natureof crypto assets or dictate the development of theunderlying technology, but to subject the providers ofcrypto assetrelated servicesto regulatory supervision and oversight.
The transition ofthe SA crypto asset industry to the impending regulatory frameworkwill bedriven bytwo important questions:(i) who is acrypto-asset service provider (Casp);and how
will Casps be supervised?
The impending crypto assetregulatoryenvironment willonly beapplicableto crypto asset-related activities that fall within the parametersofa“cryptoassetservice” as specifically contemplated in the CryptoAsset Policy Paper. Crypto asset-related activities which donot fall within the ambitof “crypto asset services” will continue to operatein anunregulated environment until determined otherwise by the relevant regulators. The Crypto Asset PolicyPaper setsout thetypesofCaspsthatwillbe subject to regulation.
These include trading platforms, intermediaries involved inthe buyingand selling of cryptoassets, the providers of custodial wallets and the providersof investment funds or derivative options underpinnedby crypto assets.However, providers of servicessuch as noncustodial wallets and crypto asset miningwill not be subject to regulation.
Entities regardedas Casps will be subject to licensing requirements as well as compliance and reporting obligationsunder anyor allof the following existing regulatory regimes:
● Antimoney laundering regulations (Fica) under the oversight of the Financial Intelligence Centre;
● Exchange control regulationsunder theoversightof the Reserve Bank (financial surveillance department); and
● Financial services regulationsunder theoversightof the Financial Sector Conduct Authority
A phased approach to regulation
The Crypto Asset Policy Paper constitutes a mandate given by the IFWG to the relevant SA regulators to take the necessaryregulatory stepsto implementthe25 recommendations set out in the policy paper.
A numberof recommendations will be implemented withthe enactmentofthe Conduct of Financial Institutions Bill (theimpending legislative reform of market conduct regulation in the SA financial services sector).
However, certainrecommendationsarealreadybeing implemented, withthe
CONSUMER BILLS
AI has potential to make
Itend to think, optimistically and pessimistically, that artificial intelligence (AI) can do anything to process information, for better and for worse. The extent to which it can be made to do so is a burning question in relation to consumer protection from cyber fraud, cyber bullies, cyber gender abuse and the other risks of being active online.
The latest news is that the UK financial services regulator, the Financial Conduct Authority (FCA), has warned that it will take legal action against internet service providers and social media companies if they continue to publish advertisements that amount to online financial scams.
One of the consequences of the Covid-19 pandemic is, again, good and bad. More people have learnt to transact online, which has led to some major advantages many consumers had overlooked. The pandemic has also led to a downturn in the economy, lower interest rates on savings, loss of income and devalued assets. This means more people are looking for ways to supplement their income,
sometimes with unrealistic expectations.
These expectations are the lifeblood of scammers and fraudsters. Consumers resorting to self-help in finding better investments are the targets of online scammers who place paidfor adverts on the internet and exploit social media marketing totally fraudulent or unregulated schemes.
The FCA announced recently it was forced to issue 1,200 warnings online in 2020 about fraudulent adverts that were not issued or approved by lawfully authorised firms. Every week our local regulator, the Financial Sector Conduct Authority (FSCA), issues warnings about persons online
following proposed regulatory developments having commenced in 2020:
The proposedamendment to theFinancial Centre Intelligence Act (Fica) in terms of whichCasps will be included in thelist of accountable institutions, subjecting Caspsto thefull weight of Fica regulatory obligations and noncompliance penalties.
This will require Casps to developandimplementarisk management and compliance programmedetailing howthey willconductcustomer due diligences (KYC), monitor and report transactions and managetheir particular antimoney laundering risk exposure.
The draftdeclaration of crypto assets asa financial
product under the Financial Advisory and Intermediary Services Act (FaisAct): Casps providingadvice onorintermediary services forthe purchase orsale ofcrypto assets will be regardedas rendering financial services.
Casps will thusneed to register as financial service providers (FSPs) interms of theFaisAct.TheCryptoAsset Policy Paper statesthat the declaration of crypto assets as financial products is necessary to enable the FSCA to impose urgent consumer protection regulatorymeasures over Casps.
Subjecting Caspsto the “treating customers fairly” requirements of the Fais Act is a necessary development to protect consumers against the rampant proliferation of crypto-asset scams.
However, subjecting crypto-asset services providersto thesame fitand proper requirements and compliance obligations as incumbent FSPs may impose unduly onerousregulatory requirements upon Casps.
Now the long-awaited roadmapto cryptoassetregulation inSA hasbeen laid out,currentmarketplayersin the crypto asset industry should begindeveloping and implementing appropriate strategies to regularise theirbusiness modelsinline with the impending regulatory framework. They shouldalso actively participate in the stakeholder engagements and commentary processes thatwill followthe promulgationofthe necessary amendmentsto legislation to give effect to the Crypto Asset Policy Paper’s recommendations.
our online lives safer
masquerading as accredited investment advisers. These crooks usegrand titles, borrowed credentials and impossible benefits to scam the public. Not the least of the problem are those offering huge returns from cryptocurrency deals, which provide the huge returns for the advertisers only.
The internet and social media have offered inestimable advantages to ordinary people and there is a line that has to be drawn between the good and the bad.
It does seem that, if the local FSCA and the UK regulator can identify the scams and issue warnings, AI can do it better than any regulator if properly programmed. It must be
possible to develop algorithms that can step in when there is financial exploitation, gender abuse or bullying, for instance.
It was encouraging recently to see that the US government was able to track down and act against the hackers who closed down the US oil pipeline. Given the right incentive it is clear that steps can be taken which are effective.
I have said many times that cyber risk is the biggest
IT MUST BE POSSIBLE TO DEVELOP ALGORITHMS THAT CAN STEP IN WHEN THERE IS FINANCIAL EXPLOITATION
risk in the world, more even than the risk of physical pandemics. The interconnection of everything electronic and the ability to close down cities and worse is a risk to everyone.
As consumers we all need to lobby for the attention at the highest level by governments and internet and social media service providers to stop the worst happening.
If I am right about AI being able to do most things in this regard, it should be possible to do so without throwing the dishes out with the dishwater.
PATRICK BRACHER
● Patrick Bracher (@PBracher1) is a director at Norton Rose Fulbright.
BUSINESS LAW & TAX
Inheritance tax to aid poor
• Tackling wealth inequality in poor countries could benefit from an OECD report published on a study
Prenisha Govender Baker McKenzie Johannesburg
On May 11 2021, the Organisation for Economic Cooperation and Development (OECD)published a report exploring the role ofinheritance taxin addressing wealth inequality in poorer countries. The report wasmotivated by highwealth inequalities across OECDcountries and the economicpressures suffered internationallyas a resultof theCovid-19pandemic.
Accordingto theOECD, inheritance taxcould bean important tool “to address inequality, particularlyin the current contextof persistentlyhigh wealthinequalityand new pressureson public financeslinked totheCovid19 pandemic”
TheOECD’sreport,Inheritance Taxationin OECD Countries, comparesinheritance,estateand gifttaxesin the 37-memberOECD countries. SA isnot an OECD memberbutadherestomany OECD instruments.The findingsin thereporton waysto address unequalwealth distribution have important implications for the country.
The report states that, on average, theinheritance and
gifts reported bythe top 20% of wealthyhouseholds in OECD countries isabout 50 times higherthan those reportedby thebottom20% poorest households. Inheritance tax is a tool intended toreduce this wealth concentrationand enhance equality.The report also notesthat inheritance taxes are easierto assess and collect than other forms of wealth tax, butthat only about0.5%of totaltaxrevenues aresourced from inheritance, estateand gift taxesacrosstheOECDcountries that levy them. Atpresent,taxexemptions and other formsof tax relief
THE AVERAGE WEALTH OF THE POOREST 50% IS NEGATIVE IN THAT THEIR DEBTS EXCEED THEIR ASSETS
enable wealthy individuals to pass their wealthon tax free, and in-lifegifts arealso used to avoid paying inheritance tax. The reportnotes these taxes need to be designed better,but thatsuchreforms tend to be country specific. Thereportsuggestsinher-
itance taxthat islevied onan inheritedasset’svalueisafair approach, with exemptions applied to low value assets.
Another solution mentioned is lifetime inheritance tax,wheretaxisleviedonthe full amountof wealthinherited over alifetime. But while thiscould reducetaxavoidance, it wouldalso increase thecosts ofcomplianceand administration.
The reportsays more information needs to be made available to the public on theway suchtaxes addressed inequality and to review other formsof taxes suchasincome taxandcapitalgainsthat shouldalsobe part of the solution.
In SA, laws such as Administration of Estates Act (1965), the WillsAct (1953) and the Intestate Succession Act (1987) govern inheritance tax.Beneficiaries ofaninheritance don’t pay inheritance taxontheirinheritedassetsin SA,estateduty ispayableby thedeceased estate,whichis regulated bythe EstateDuty Act (1955).Estate dutyis payable nowat 20%on the firstR30m andat 25%on amounts above R30m.
In 2013, theDavis committeewasset uptoreview and recommendimprovements in the tax policy frameworkin SA.In2016, judge Davis submitted his
FISCAL SUSTAINABILITY
report, which contained significant proposals to change the way estate duty is paid in the country.To date,National Treasury hasimplemented onlysome ofthecommittee recommendations. One of whichwas toincreasethe estate duty to 25% on estates valued above R30m.
Other changesthe Davis committee proposedincluded a change to section 4q of the Estate Duty Act, which involves cancelling the deductionofthefullvalueofa property, that accedes to the surviving spouse, from the estate of the deceased. The suggestion was that this should bereplaced witha substantial rebatement.
Another suggestionby the
committee is that donations made beforedeath shouldno longer be exempt from donations tax. The committee also found that taxpayers were usingtruststoreduceincome andavoid payingestateduty andproposed insteadaflat tax rate of 41% on all discretionary income in a trust.
The committeealso suggested that where an interest or low interest loan existed between a trust and connected person, the assets of the trustshould bebroughtinto the estate ofthe taxpayer for tax duty purposes.
The Daviscommittee did not provide details on a potential wealth tax, but said it would conduct further investigations regardingits
implementation.Accordingto research by Chatterjee, Czajkaand Gethin Taxing wealth ina contextof extreme inequalitylegacy: The caseof SA the unequal distribution ofwealth inSA wouldmake awealth taxan efficient policy toaid fiscal sustainability. Theauthors estimated the potential revenuethat couldbecollected fromaprogressivewealthtax on therichest 1%could amount to R160bn.
Theauthors foundthatthe top10% own86% oftotal wealth inSA andthe top1% own 55%.The top0.01% (3,560individuals)ownabout 15% of household wealth, greater than the share of wealth owned bythe bottom 90%of thepopulation asa whole (32-million individuals). The averagewealth of thepoorest50%isnegativein that theirdebts exceedtheir assets. They noted that wealth inequality remained stable atextreme levelssince the end ofthe apartheid regime.
SA,alongside therestof the world, is now actively looking atways toaddress the devastating economic andsocialimpact ofthepandemic,withnewandinnovativeways tocollectrevenue currently being studied, proposed and implemented.
The recommendationsof the OECD paperon inheritancetax,in linewithDavis committee proposals,could become applicable in some form in the SA context.
China ban a chance for wine exporters
Donvay Wegierski
Werksmans Attorneys
China reportedlyimplemented antidumpingduties on Australian wines recently, introducing importtariffs of 100% to215%. Understandably this will have dealt Australian wine producers exporting toChina asevere blow. Australia is a significant trader with China.
Even thoughChina produces some of its own wines, it continues toimport a significant range from all over the world.Curtailment of Australian wine imports means furtheropportunities for otherwine growing regionstosell theirwinesin China.
Exporters are reminded that intellectualproperty, in this casetrademarks, are bothterritory andclassspecific sothe filingand continued maintenancethereof in all relevantterritories is essential. Further,since China’s trademark regulations
make provisionfor brand owners to dealwith trademarks filed and registered in bad faith,termed “malicious trademarks” inthe regulations, thefollowing considerationsare keyforcomprehensive protection: a) Is the scope of your trademark registration adequate?
In China it ispossible to file a trademark inthree different forms thatis,in “first language” (majoritybeing in English), Mandarinand the transliteration whichis the waythelocalaudiencewould recognise yourbrand, andit isalso themostcommon method by foreign entities to develop aChinese language mark and tradename.
Threeformsofamarkcan make itdifficult tomonitor unauthoriseduse. Soifyour mark isused, orproposed to be used, in avariety of ways in China,consider registration in each form.
Classes29-33arethefood and beverageclasses, 33
being the mostrelevant class for alcoholicbeverages, in particular wine,while class 32isthe relevantclassfor nonalcoholic beveragesand beers.
The Covid-19pandemic hasacceleratedonlineprevalence withincreased social media presence,online marketing and communications, particularly for FMCGs.
It ishighly recommended that protectionextends to include serviceclass 35, namely advertising;marketing consultancy in the social media field;marketing services; presentationof goods on communicationmedia andtheprovisionofanonline marketplace forbuyers and sellers of goods and services. b)What ifsomeoneelse owns your mark?
Before filinga trademark, searches of therelevant registers are recommended which may alsoreveal your mark belongs toan unrelated third party. Unfortunately this practice iscommon, particu-
larlyinChina, oftenbyan existing/past and/orfuture agent or distributor.
In2019,theChineseTrade Mark Regulationsintroduced several keyamendments in particular Article4 which concerns “theapplication for registration ofa malicious trademarkthatitnotintended foruse shouldberejected”
Article 33and 34in turn extend theprovisions for trademark oppositions and/or invalidationsto also include thedefinition of “malicious trademarks”
The followingcan be indicative ofa “malicious trademark”:
● The markis identical and/or similarto another trademark with a reputation;
● The applicant/registrant hasahistoryofinfringements and/or the filingof other marks;
● There areprevious decisions orjudgments against the applicantor recordsof priorrecognitionofmalicious trademark registrations;
● Trademarks havebeen filed in bulk.
c) Whatremedies areavailable against “malicious trademarks”?
Ifsomeone elseownsyour mark,yourpreferredagentor distributor maybe reluctant toacton yourbehalf.Customs may alsorequire proof of yourownership. Asa consequence ofArticle 4there are severalremedies available tobrand owners depending onthe whether themarkis apendingapplication or is registered:
● Application inthiscaseif an application for the mark has been made but not yet been published,a trademark oppositioncan befiledonce theapplicationispublishedin the ChineseTrade Mark Journal. If not yet published, a watch shouldbe implemented so as toalert you when published;
● Registration in this case the mark isalready registered therefore itwill be necessary to apply to invalidate
the malicious mark,filed in bad faith.Nonuse cancellation proceedings canalso be instituted providedthe mark has not been usedfor at least three years in China.
SAFEGUARDS
● Maintain regular contact withagents,retailersanddistributors tostay upto date with markettrends andto monitor activity;
● Maintain andretain existing trademarks,albeit for defensive purposes;
● Prior searchesof therelevant trademarkregisters are recommended before committing toa newventure and filing your trademark ask an expert for guidance;
● Consider implementing a trademark watchingservice watches canbe tailored to certain goods/services,certain countries alternatively worldwide;
● Maintain andretain allevidence of use including exhibition andvirtual conference attendance.
/123RF VITALIY VODOLAZSKYY
BUSINESS LAW & TAX
Legal checklist for chatbots
• These new technologies also have to be Popia compliant, as they glean reams of personal data
Maison Samuels Webber Wentzel
Artificial intelligence (AI) and digitisation are transforming the business landscape.
Many newtechnologies, such as chatbots, are being created tostreamline customerengagement.Giventhe quantity ofpersonal information a chatbotmayacquire, howdo youensure your chatbot isProtection ofPersonal InformationAct, 2013 (Popia) compliant?
A chatbot isan operating systemthat simulates a conversation withhumans in written or spoken form. This enablesthe usertointeract with digitaldevices inthe sameway theywouldcommunicate witha realperson. These interactionstypically take placeover messaging applications ormay be embedded functionson a website.Thechatbotisinsentient it allowsyou to chat with it about the product or service being offered.
A chatbot enables the end user toreceive aninstant response to a question or issue. Theintended resultis that the enduser saves time, which isintended toincrease his orher satisfactionand translate intoincreased business sales and leads.
Forexample, ane-commerce retailbusiness may consider usinga chatbot todirectenduserstothespecific pages of the website when theend userasks about aparticular clothing item he or shewishes to buy, oritwillgiveinformationona product when anend user queries theproduct’s applications.
When a business uses a
chatbot,alotofreal-timedata about endusers maybe obtained duringthe conversation.
Insome instances,the data obtainedincludes personal information. Accordingly, if yourbusiness uses a chatbot service,you must ensure compliance with Popia, whichbecame fully operational on July 1 2021.
Thereareessentiallythree partiesinvolved inthechatbotserviceanditisimportant todistinguishthemtocomply with Popia.
First,there isthe enduser, thedatasubject towhomthe personal informationrelates andwhoistypicallyidentified throughan identifiersuchas
A DOWNLOAD FEATURE AND THE ABILITY TO REQUEST THE DELETION OF PERSONAL INFORMATION ARE RECOMMENDED
anameoridentificationnumber.Theenduserisprotected by Popia,and organisations thatprocess theenduser’s personal informationmust comply with the act.
Second,there isthe responsibleparty,theorganisation usingthe chatbotservice to process the end user’s data fora specificpurpose (forthepurposes ofthisarticle, we will referto this party as the chatbot customer).
Finally, thereis theoperator, the entity providing the chatbot service tothe chatbot customer. The distinction between the lattertwo parties isimportant indeterminingwhoattractsliabilityinthe event of a data breach.
It isalso importantto determine the typeof information processed by the chatbot, as organisations have aduty toprotect personal informationunder Popia. This includes biometric information (that is, information that identifies a person based on physical, physiological or behavioural characteristics), basicidentifying information (name and surname; any identifying number;e-mail addressandlocation );and informationrelatingtoa person’s racial and ethnic origin, religious beliefs and health.
The chatsession and sharing of personal informationwilltypically unfoldina three-step process.
First, before achat session,thechatbot isableto obtainand identifytheend user’s information such as name, location, phone numbers and e-mail addresses. Notably,this maydifferfrom platform to platform.
Second, whenthe chat sessionhas started and the enduser andthe chatbotare conversing, further personal information or files may be introduced to the chat.
Finally, whenthe chat session is concluded, the chatbot may integrate the data receivedfrom theend user with the customer relationship management (CRM) software (which administers interactions with end users) usedby thechatbotcustomer, and other related technologies, to improve business relationshipswith end users.
Considerations for chatbot operators in ensuring Popia compliance Therearevariousmeasuresa chatbot operator and its customers should take to ensure Popia compliance. The con-
siderations discussedbelow should not beconsidered as exhaustive.
● Purpose records ofpersonal information must not be keptany longerthan is necessary for achieving the purposefor whichtheinformation was collected. If a chatbotinformsanenduserit will be usingtheir e-mail address to provide further informationaboutthechatbot customer’s services, it should be used for that purpose only.
● Consent importantly, because the chatbot will request personalinformation from the enduser, he/she should consent tothe personal information being used, unlessthereisanotherjustification forthe chatbotto process the enduser’s personal information. Before the conversation starts, the chatbot should provide theend user with alink tothe termsof service, whichshould include appropriate consent provisions to the processing of the end user’s personal information.
● Accessto anddeletionof information Popia provides datasubjects withthe rightto requestaccessto their personalinformation oncecollected. Itiscommon practice to enablethe end usertodownloadtheirdatain digital formby makinguse of aquery andresponseformat in the chatbot.
Further, Popia provides datasubjectswith therightto request thedeletion oftheir information. The end user may be provided with an option torequest thathis, her or itspersonal informationbe deleted.
A downloadfeature and theabilitytorequestthedeletion of personal information arerecommendedfeaturesto enable Popia compliance.
● Automated decision making a datasubjectmay notbe subjectto adecision that may adversely affect him/her, which is based solely on the automated processing of personal information.
Therefore, itis prudent that chatbot operators ensure
there is human oversight or involvement over the chatbot.
● Transborder information flows thechatbotcustomer should determine whether any personal information is being transferred to a third party outside SAwhen using the chatbot service.
A responsibleparty may not transfer personal information of a data subject to a third partywho isin aforeign countryunlesscertainconditions are met.
Thoughchatbotsareinnovative and transform aspects ofthe onlinebusinesslandscape, it iscrucial to consider the rightsof theend user, and theobligations ofthe chatbot customer and provider under Popia. The purpose of Popia is to protect the constitutional right to privacy.
However, thisshould not stifle innovation, and organisations using chatbots and those thatprovide thisserviceshouldreceiveappropriate legal adviceto ensure Popia compliance.
Home offices claims may be problematic
Jonathan Goldberg & Jerry Botha
Global Business Solutions and Tax Consulting South Africa
As theCovid-19 pandemic continues, theability of employees usinghome offices todeduct related expenses fromtheir income needs to be investigated. The legalconsequences from anemployment law perspective are that, providedthereis clarityonthe rules andregulations around working fromhome, this should be encouragedas per the Disaster Management Act. Employees mayclaim home officeexpenses asa deduction ifthey meetthe requirements ofthe Income Tax Act. The home officemust be specificallyequippedwiththe instruments, toolsand equipment requiredby employees to perform their duties. In addition,the home officemust beusedregularly and exclusivelyfor work purposes. Finally,employees must work at the home office for more than half of their
working time duringthe year of assessment.
The homeoffice expenses that employeesmay claim arelimited torental,repairs and expensesincurred in relation to the property, as well as wearand tear on office equipmentused for work purposes. However, expenses incurredin relationtothe entire propertymust be apportioned inaccordance withthe floorarea ofthe home office.
To claimthe deduction employeesmustsubmit,with
their incometax return, copies oftheir employment agreement, theemployer’s work-from-home policy,a letter bytheir employerand proof of the expenses.
Regarding theletter, the employer canonly confirm the employmentagreement permitsanemployeetowork away fromthe employer’s premises and thatthey were not present at such premises for aparticular numberof days.
Employeesmusttakenote that thededuction claimed willhaveaneffectonthecap-
ital gains tax when they sell theirhome. Thepart thatwas usedas ahomeoffice willbe apportioned fornonresidential use, and the R2m primary residence exclusionwill not apply thereto.
BLENDED APPROACH
A lot hasbeen said about occupational healthand safety and thatthe home work environment should also subscribe tothe basicminimums ofoccupational health and safety.These arecomplexissues thatneed tobe sortedout asitwould seema
blended approach towork is going to continuefrom many employees andpotentially become the new norm. Oneof thebiggestbattles will be gettingpeople back to work when themajority of the populationis vaccinated. Internationally, wesee many organisations strugglingto do that where thevaccine rollout has been successful. People havebecome used to and love the blended type approach andthis is going tocause several employer/employee problems going forward.
BOTS
/123RF SEBASTIEN DECORET
How far are we with the NHI rollout?
• There are certain objectives that must be met before phase 1 ends on or before December 31
Neil Kirby & Helen Michael Werksmans
Notwithstanding the attention that has come to befocused ontheCovid-19 pandemic, preparations continuein respectofthe implementation and establishment ofNational Health Insurance (NHI) in SA.
In this regard,we are guided by the provisions of theNationalHealthInsurance Bill [B11-1019].
While thebill remainsa billandisnotenforceableasa matteroflaw,thebillcontains various transitionalarrangements, which are set out in clause 57.
The transitionalarrangementsare dividedintotwo phases. There isarguably not muchtime withinwhichto substantively achievethe requirements thatare described in thebill for the completion of phase 1.
In terms of clause 57(2)(a) various tasks areset out in respect of whatmust be achievedduringthecourseof phase 1. These tasks are described as follows:
“(i)continue withtheimplementation ofhealth systems strengthening initiatives, including alignment of human resourceswith that which maybe requiredby users of the fund;
(ii) includethe development of NationalHealth Insurance legislation and amendments to other legislation;
(iii)includetheundertakingof initiatives which areaimed at establishing institutions that must bethe foundationfor a fully functional fund; and
(iv) includethe purchasingof personal healthcare services forvulnerablegroupssuchas children, women, people with disabilitiesand the elderly.”
It is notclear from the provisionsofthebillhowone isto measurethesuccessful implementation ofthe tasks orinitiativesset outinclause 57(2)(a), moreparticularly with reference to the relativelyvague wordingusedin the clause.
If oneis to haveregard to the wordingused inclause 57(2)(a),then oneisrequired
to havea clearunderstanding of the following concepts:
● The “strengthening initiatives” currently inplace, the structure ofthose initiatives andthe goalssuchinitiatives are arguablyrequired to attain;
● Thecurrent statusofother pieces oflegislation tobe amended soas tofacilitate the existenceof anNHI schemeandthe natureofthe amendmentsconcernedwith referenceto theprovisionsof thosepiecesoflegislationand the provisions of the bill;
● The particularinstitutions that areto bethe foundation ofa fullyfunctioningNHI scheme, moreparticularly with referenceto the committees thatare referred to in clause 57(3)of the bill anddealtwith inmoredetail below;
● The particular human resources required for purposes ofoperating asubstantively successfulNHI fund,based onwhat willbe
CLAUSE 57(3) DEALS WITH WHAT INTERIM COMMITTEES ARE TO BE ESTABLISHED TO ADVISE THE HEALTH MINISTER
required by usersof the NHI scheme and, more particularly,withreferencetowhatit is that users will be able to access in termsof healthcareservices providedbythe proposed NHI scheme
Clause 57(3) ofthe bill deals with what interim committees are tobe establishedto advisethehealth minister on the implementation of an NHI scheme
These interimcommittees are described as the national tertiary health services committee,thenationalgoverning bodyon traininganddevelopment, the ministerial advisory committee on healthcare benefitsfor NHIand the ministerial advisorycommittee on health technology assessment for NHI.
Each of thecommittees is afforded amandate inclause 57(3)of thebill. However,the various committees are
described as interim committeesinthebillandarethus intended to beprecursors to final committees to be established presumably once the bill becomes an act.
Clause 57(4) of the bill sets out certain objectives that mustbe metduring phase 1 and therefore onor before December 31 2021.
Primarily, theobjectives are concerned with the structuringofcertaincomponents of theNHI scheme, which are arguably designed to create thefoundation of such a scheme.
Allinall, thereareeight objectives to be achieved during the courseof phase 1.
These objectives include:
● The migration of central hospitals that are otherwise funded, governed and managed nationally to “semiautonomous entities”— albeit that the term “semiautonomous entities” is not defined in the bill and the precise intended status of central hospitals is therefore largely unknown;
● The structuring ofthe contracting unit for primary healthcareat adistrictlevel “in a co-operative management arrangement” with the relevant district hospital/s, which hospital/s is/are, in turn,linkedto anumberof primary health-care facilities.
The precise terms and conditionsof a “co-operative management arrangement” are not detailed in the bill;
● The establishment of the NHIfund,includingitsgovernance structures bearing in mind thefund isto beestablished in terms of clause 9 of thebill, which,in turn,contemplates that forthe fund to be established, thebill will have tobecome effectivelegislation, which is not one of the objectivescontemplated during the course of phase 1;
● Thehealthpatientregistrationsystem needstobe established as contemplated in clause5 ofthe billand, once again, one is required to have clause 5of the bill enacted into law for its provisionstotakeeffectlegallyand for the proposed registration system tobe establishedin accordance with the principles oflegality thatemerge from the constitution and various pronouncementsby
JUST THE MEDICINE
the Constitutional Court;
● The process for the accreditation of health care providers who are to provide services to users of the NHI scheme, which includes the requirementoftheinspection and certification of health establishments by the Office of Health Standards Compliance. But, onceagain, the process for accreditation of both healthestablishments and health care providers, for purposes of providing servicesto usersofthefund, isa feature ofthe billthat willbe required to become effective lawfor theparticularobjective to be achieved;
● The purchasing of health care services benefitsby the fund. Such services are described in thebill as both primary health care services and hospitalservices aswell as other clinical support services.
The particularprimary health care services referred to inclause 57(4)(f)of thebill include maternity and child health care services, which include school health services, health services for the elderly andpeople withdisabilities and those in rural communities.
Such services areto be provided by contracted health care providers, whom are described as general practitioners, audiologists, oral health practitioners,
THE VARIOUS COMMITTEES ARE DESCRIBED AS INTERIM COMMITTEES AND ARE PRECURSORS TO FINAL COMMITTEES
optometrists, speechtherapists and other designated providers ata primaryhealth care level “focusing ondisease prevention, health promotion, provision of primary health-care services and addressing critical backlogs”
Particular hospitalservices and otherclinical support servicesare alsodealt with in clause 57(4)(g), where thereis animpliedindication that thepurchasing ofhospital services andother clinical support services willbe an expansion of those services referred toin thebill asprimary health care services;
● Various pieces of legislationaretobeamended.These pieces of legislation, which arecurrently ineffect,are identifiedin clause57(4)(h)of the bill andinclude the Medical Schemes Act No 131 of 1998, asamended, the Traditional Health PractitionersActNo22of2007andthe Medicines andRelated SubstancesAct No101of 1965, as amended. Of interestand importanceto potentialusers ofthe NHI schemeis clause57(5), which contemplates that the objectives tobe achievedin phase 2,which isdescribed as operating from 2022 to 2026, must be achieved on the basis of a system of mandatory prepayment. Itis unclearfromthe provisionsof thebill whena system of mandatory prepayment by userswill be implemented bearing in mind the term “mandatory prepayment” isnot definedin the bill. Presumably, to achieve the particular objectives thatare included in phase 2, a system of mandatoryprepaymentmayhaveto be introduced sooner rather
than laterto securethe requisite fundsprior tothe commencementof phase2 on January 1 2022. However,thebillislargely silenton whentheparticular stepscontemplatedinphase1 are tobe taken andthe consequencesshould thetime periodsstipulated forphases 1 and 2 not bemet as a result of external factors,including prevailingpressure onthe department ofhealth inorder todeal withtheCovid-19 pandemicand asuccessful roll-outof anappropriate
THERE ARE MANY I’S TO BE DOTTED AND T’S TO BE CROSSED, FROM A LEGAL PERSPECTIVE, FOR THE BILL TO BECOME LAW
vaccination programmefor the entire country. The bill remainsalive and we should bekeenly watching thedevelopments that occur to achievethe objectivesof phase1ahead ofthe commencement ofphase 2 duringthe courseofnext year. However,there aremany i’s to be dottedand t’s to be crossed, from a legal perspective, for thebill to become law,more particularly a lawconsistent with existingpieces ofhealthcare legislation and,more importantly, thelegality provisions imposedbytheconstitution a processthat, withinand of itself, cannot berushed or manipulated nomatter how laudable the objectivesof the bill may be.
/123RF SUNTORN NIAMWHAN
BUSINESS LAW & TAX
Trademarks: you gotta have (good) faith
• Registering intellectual property in bad faith to get an edge on rivals can backfire spectacularly
Liézal Mostert ENSafrica
InSA,asinmanyjurisdictions,theconceptofgood faith(bona fides)crops up a lot.
So,forexample,togetregistration ofa trademark,the applicantmust haveagood faithintention tousethe trademark. Oncethe trademark is registeredthe owner must use it ingood faith in orderto keeptheregistration alive.In thewords ofGeorge Michael, “Yougotta have faith”. Good faith.
THE (BOARD) GAME
A recentEU decision,Hasbro v EUIPO, dealt with an interesting applicationof thegood faithprinciple.Thetrademark involved is onewe all know, Monopoly. Hasbro is both the manufacturer ofthe game and theowner ofthe trademarkMonopoly. Ithasa number ofEU trademark registrations forthe trademarkdating backto1998, 2009 and 2010. These regis-
trations cover a range of goodsand servicesinclasses 9, 16, 25, 28 and 41.
OPPOSITION TO MONOPOLY
In 2011,Hasbro fileda further application toregister the trademark Monopolyin the EU in four ofthese classes: 9, 16, 28 and 41 only class 25 (clothing) wasmissing. The application was opposed by a thirdpartywhoclaimedHasbrohad fileditin badfaith. The opponent’s argument was that as Hasbro already had earlieridentical registrations covering allthe goods andservices namedin itslatest application,one could onlyinfer thatthe 2011appli-
HASBRO IS BOTH THE MANUFACTURER OF THE GAME AND THE OWNER OF THE TRADEMARK MONOPOLY
cation was filed in bad faith.
The opponentargued that theonly possiblepurposeof thenew applicationwasto avoid the hassle and irritation ofhavingto proveactualuse ifanyof itsexistingregistrations were ever attacked on thebasis ofnon-use forfive years orlonger. This could happen since Hasbro had recentlyraiseditsheadabove the parapetby opposingan application to register the trademark Drinkopoly (more fun probably than Monopoly).
THE COURT Thematter madeits wayup tothe GeneralCourt,which decided thatthe 2011Monopoly application had indeed beenfiled inbad faith.The court concluded Hasbro had intended to improperly and fraudulently extend the fiveyear non-use grace period.
The company hadin its court papers even admitted there was an administrative benefitinbeingabletorelyon later trademarks without the need toprove use.The court
ruled that Hasbro’s intention had been to artificially extend the grace period for non-use, andthefactthatitcouldactuallyhave provenuseif required to doso was irrelevant.
But everyone’s playing this game.
Hasbro arguedthe refiling oftrademarks isa “ common and accepted” practice, so common, in fact,that it even hasa quaintlittle name “evergreening”. But the court was not interested.
Forstarters, thecourtsaid theclaim ofcommonpractice was mere conjecture, and even ifit is common practice thisdoes notmake it acceptable. Hasbro, said the court, hadsought tocircumventa “fundamental rule” of EU trademark lawto derive anadvantagetothedetriment of the system.
It had thereforeacted in bad faith.
BAD FAITH: A FAIR BIT OF THAT ABOUT
Other examples ofbad faith charges being raised:
● Exhibit one: Banksy Aclaim ofbad faithwas made ina caseinvolving the graffiti artist Banksy.A greeting cardcompany appliedto cancel Banksy’s trademark registration for his famous picture The Flower Thrower Lots ofarguments were raised: there had never been any intention to use the artworkasatrademark;Banksy had himself announced he hadnointention ofusingit; the artwork hadnever been used as a trademark.
But the one that grabbed the headlines was Banksy’s (reckless) statement that “copyright is for losers”, which the court described as showing a “disdain forintellectual property rights”
The courtconcluded the trademarkhad notbeenreg-
isteredwitha viewtoengage fairly in competition, but ratherwith aview tounderminethe interestsofthird parties.So,it hadbeenregistered in bad faith. ● Exhibit two: Sky We also saw itin a case involving Sky, where the issue was whether the use of thevery broadterm “ computer software” in a trademark specificationcan amountto badfaith.Europe’s highest court decided it could ifthere wereno intentionto use the trademarkon those goods. This wasthe case here: thecourt saidthe intention wasto underminethe interests ofothers, andthe company was seeking very broad trademarkprotection “purely as a legal weapon” To sum up keep the faith!
Reviewed by Gaelyn Scott, head of ENSafrica’s intellectual property department
Vaccinations help rein in insurance costs
Vusi Maswili ASI Financial Services
Employers seekingto manage thecosts oftheir group riskcover woulddo wellto actively encouragetheir employees tohave the Covid-19 vaccineas soonas possible, withinthe government’s structuredrollout programme.
As anindependent financial servicesadvisory, we have seen thegroup risk and personal insurance providers we work withincrease premiumssignificantlyinthelast while, as a directresult of the significantly higher mortality rate and claimsrate caused bythe Covid-19 pandemic.
All insurers are bound to conduct “own riskand solvency assessments” (orsa) annually, whichsees them gathering the datathey need to anticipate,understand and managepotentialrisks,andin turn toimplement any
LOWERING RISK
controls necessaryto protect their business strategy.
Risks assessed inthe orsa include diverseitems, which during thecurrent pandemic could varybetween operational risks dueto more team members working remotely to an increase in death
/123RF DMITRY SERGEEV
claims,orevenanincreasein unpaidpremiums duetothe impact of lockdowns.
Insurers arealso affected byfactorsin themarketgenerally, suchas fallingequity markets andinterest rates that couldput pressureon their balance sheets.
While manyinsurers are implementing new models and shiftingtheir reliance away fromtraditional channels, we’ve seen many take thedifficultdecisiontoimplement increases intheir group risk premiums.
Some increases have been aroundthe 20%-30% mark, butsome insurers have implemented increases ashighas150%,inaneffortto mitigate theimpact ofCovidrelated claimsalready made, and those that are still likely.
However, goingforward, aspartof theirongoingorsa process, grouprisk insurers are likely toassess what percentage oftheir clients’ workforces havehad the Covid-19 vaccination.Those who have alreadyhad the virusaredeemed tobehigh riskasa resultof “long Covid”, but thosewho have nothadthe virusorthe vaccination are also seen as high risk.
If an employeegroup has
a high proportionof members who are seento be high risk, the insurer is likely to implement higher premium increases,and thiswillbe evenmore likelyifemployees arein high-riskdemographics, such asthose over the age of 50.
This will be even more trueifmost ofthoseolder than50are higherearners asthey arelikelytobe as a claim fromthe insurerwould result in greater cost to them.
Those whohave hadthe vaccination are deemed to be lower-risk candidates,but with group riskpolicy premiums levying asingle rate
SOME INCREASES HAVE BEEN AROUND 20%-30%, BUT SOME INSURERS HAVE IMPLEMENTED INCREASES AS HIGH AS 150%
for livescovered, those organisations whose populationsare notvaccinatedare likely to be expectedto pay a higher premium. In companieswhere costto-companypackagesarethe norm, thiscould severely impact employees’ net salaries at theend of the month.
Thisisjust oneproofpoint of how companiesneed to have a clear strategy to demonstrate theircare for their employees,by offering access tobenefits suchas retirement planning, group risk, wellness and health. Inthecurrentclimate,part of that demonstration of care isencouraging asmanypeopleas possibletosign upfor the vaccination, andto have it done as soonas government’s roll-outprogramme makes it possible. It’s the smart thing to do foryourpeople, andforyour business and for your country too.
BUSINESS LAW & TAX
Minister’s plan could choke SA’s data and cloud sector
• Vague proposals to tackle competition fall outside Ndabeni-Abrahams’s ambit and complicate matters
Heather Irvine & Tshidi Vilakazi Bowmans
InApril 2021,communications& digitaltechnologies minister Stella Ndabeni-Abrahams publisheda draftpolicy document aspart ofthe government’s effortsto develop frameworks toharness the economicandsocialpotential of data and cloud computing.
Whilethedraftpolicyproposes a numberof interventions fallingwithin the scope ofNdabeni-Abrahams’s powers interms of the Electronic Communications Act (ECA),some of the actions proposed, including amendmentstotheCompetitionAct89of1998(CompetitionAct),falloutsideherportfolioand failto takeexisting legislative tools into account.
Thedraftpolicy referstoa draft paper publishedby the Competition Commission in 2020 titled “Competition in the DigitalEconomy”, which identifieda rangeofpotential competition issuesin various online markets.
Forexample,thecommission identifiedthat controlof or accessto significant amounts of data can be a source ofmarket power: “Owing to thecentral role of datain poweringthedigital economy, marketpower coupledwith theabilityand incentive to use it is the most common competition concern arisingfrom datarich entitiesand othercompanies that ownand process big data.
“It could be argued that data is to the digital economy what oil is to the industrial economy. Therefore, any company with significant influenceoverthisall-important resource would need to be kept under scrutiny to avoid it abusingits market power tothe detrimentof rivals andthe competitive process as a whole.”
The commissionfurther noted thatnetwork effects and economiesof scale, drivenbybigdata,canpoten-
tially confermarket power and adurable competitive advantage. However,the commission recognised that competition authoritieshave typicallynotisolatedthehandling andanalysis ofdata as the source ofmarket power rather, they have evaluated “theories of harmrelated to the possession of data”
Thiswould include,for example,if firmsin thedigital economy engagein conduct that hamperstheir rivals, suchas“self-preferencing,by which digitalplatforms will give preferentialtreatment to their ownservices overthe
THE DRAFT POLICY ADOPTS A HOSTILE STANCE TO CLOUD AND DATA COMPANIES, APPLYING ‘BIG EQUALS BAD’ THINKING
servicesof othercompanies and as suchmaintain their positions of dominance”
However,thecommission notedthat furtherinvestigation isrequired toassess whether thereis conductof this natureoccurring inSA (orelsewhere, butaffecting SA suppliers or consumers).
The commission proposed anumber ofinterventions,including amarket inquiryintoonlineintermediary platforms (currently ongoing),mapping ofthedigital landscape ofSA, initiating more formal investigations into prohibited conduct underthe CompetitionAct, and enhanced scrutinyby the commissionof mergersin the digitalworld, usingan updated “toolkit”
The commission did not suggestthat amendmentsto theCompetition Actare required, or thatthe test for what constitutesanticompetitive conduct inthe cloud and dataspace necessarilyneeds to be changed.
Incontrast,thedraftpolicy
adopts a hostilestance to cloudand datacompanies, applying “big equalsbad” thinking,rather thanan empiricalanalysis ofthe competitivedynamics inSA cloud and data markets.
Forexample,thedraftpolicynotes thedata andcloud computing market structure is “dominated bya handful of large multinationalcompanies”,and says “a lackof competitionin thismarket hasgiven consumersfew alternativechoices forthe protectionof privacyand none arelikely toappear in the near future”
The policyaccordingly proposes that “competition law shall bereviewed to address specificchallenges relating to dominance by a fewestablished players,and anticompetitive behaviour which might arise within the dataand cloudenvironment, takinginto considerationthe FAIR(free, accessible,interoperable, reusable) principles of data” and that “legislation shall alsobe reviewedto ensurelocal companieshave a fairand equitablechance of competingwith theirglobal counterparts”
It alsosuggests thatto support competition,the OpenData Strategyshould enable the development of a regulatory frameworkfor exportability, interoperability, dataportabilityanddatatradingand sharing,which should alsoinform thedevelopment of “sector-specific regulations”
Finally, the draft proposes that “sector-specific regulators,supported bypolicy from relevant departments, shall develop regulatory frameworksto facilitatedisruption for the purposes of
IT IS NOT CLEAR WHICH LEGISLATION APPLICABLE TO DATA AND CLOUD COMPUTING MIGHT NEED TO BE AMENDED
UP IN THE CLOUDS
fostering inclusion and reducing marketconcentration”
These are vague proposals.Forexample,itisnotclear whatsort of “disruption” may berequired, orwhythis would necessarily foster inclusionor reducemarket concentration (disruption of traditionalnews sourcesby socialmedia hasarguably increased concentrationin the global print sector, for example).
It is not clear which legislationapplicable todataand cloudcomputing mightneed tobeamendedtoenablelocal companiesto competewith globalcompetitors, orwhat form these amendments mighttake. Thisisunfortunate, sincethe wholereason forissuingpolicies istoassist companies(and investors) to understand what islikely to happen next, and why.
Quite a lotof the legislation that mightbe relevant to the provisions ofthese servicesinSA sits outside of the minister’sportfolio andis thereforebeyond thescope of interventionby theminister interms ofher power tomakepolicy intermsof the ElectronicCommunications Act (ECA).
The proposal to amend theCompetition Actdoesn’t mentionthe amendmentsto thislegislation in2019,which givethe commissionfar greater powers todeal with abuses in SAby dominant purchasersandsellers.These couldpotentially beapplied byour competitionauthoritiesto tackleany firmsabus-
ingtheir dominantpositionin the cloud and data space.
The draft also doesn’t mentionthe variousactions that already havebeenproposedby thecommissionin itsDigital Economypaper, usingthe existingprovisions of the Competition Act, some of which are already under way,including themarket inquiryintoonlineintermediaryplatforms andamendmentsto thecommission’s guidelineonsmallmergersto enhance its abilityto scrutiniseacquisitions that fall belowthe monetarythresholds.
It isalso notclear whya newsector-specificregulator and adifferent setof regulationsforthis industryisnecessary.The experienceto dateinSA hasbeenthatsectorregulation iscomplexand time-consuming. Forexample,the IndependentCommunicationsAuthority of SA (Icasa) has concurrentjurisdiction over competition matterswith theCompetition Commissionin theelectronic communications space, in terms of the ECA
However, Icasahas sofar battledto investigatecomplaints about anticompetitive conductby dominantnetwork operators,or totake an active role in vetting mergers involvinglicensees interms of the ECA.
Most of the enforcement actionagainst dominantnetworkoperators andbroadcasters todate hasbeen spearheadedby thecommission,including throughits recentmarket inquiryinto
mobile data prices. However, as Icasa’s parallel inquiryinto mobilebroadbandillustrates, enablingtwo differentregulators toattend tosimilar tasksundertwo differentpieces oflegislation requires significantamounts of co-ordination and is costly. Itmight bemorecosteffectiveandefficienttoallow the Competition Commission toapplytheexistingcompetition legislationin thecloud anddata space,than tointroducemore regulators,or develop additionalsectorspecific regulations.
The draft paper correctly emphasises the needfor SA to adoptstrategies to exploit the opportunitiespresented by data and cloud computing, toenable thedevelopmentof various applications,services andtechnologies, whichin
IT IS NOT CLEAR WHY A NEW SECTOR-SPECIFIC REGULATOR AND A DIFFERENT SET OF REGULATIONS IS NECESSARY
turn canbe harnessedto addresschallenges ofservice deliveryand economicinclusion, and enableSA to become globally competitive. However,we shouldalso recognise that overregulation and ineffectiveregulators maystifleinnovation,hamper growthand jobcreation,and deter investment
/123RF NEYRO2008
BUSINESS LAW & TAX
SA monitors EU trademark developments
• It is important to keep abreast of what happens in Europe because of the similarities in legislation
Ilse du Plessis ENSafrica
It makes sense for us to keep an eyeon trademark developmentsin Europe becauseSouth Africantrademark lawis similar to EUtrademark law and there’s far more activity in the EU.
SouthAfricancourtsdo,of course, oftenconsider EU trademark judgments. Here are a few recent cases:
Rounded curves, thicker lines and a horizontal orientation was the judge’s mind wandering a little?
This wasan interestingone. It’s probably not often that a perfume houseand acomputergiantcomeintoconflict, but they managed todo so in Europe. Huaweifiled an application toregister the logo that appears above left. Theapplicationwasinclass9 and it covereda wide range of electronicgoods including computer hardware.
Chanelfiled anopposition tothis application.Theopposition was basedon its logo
(shown top right)and, in particular, aFrench trademarkregistrationinclass9in respectof roughlythesame goods asHuawei’s application.
Chanel alsorelied ona French registrationfor its logo markcovering totally unrelatedgoods(suchasperfumes),coupledwithasignificant reputation. Chanel allegedtherewasalikelihood of confusionbetween the marks. It alsoclaimed there would be dilution and unfair advantagethatcouldbedetrimental tothe distinctive nature or repute of its mark. The firsthurdle, ofcourse, wasto establishthatthe marksare indeedsimilar.No easy task.Chanel claimed there wasa highdegree of
THE COURT WENT ON TO SAY THE TWO MARKS ‘SHARE SOME SIMILARITIES BUT THEIR VISUAL DIFFERENCES ARE SIGNIFICANT’
similarity between the two marks when Huawei’s mark wasrotated by90%. Butwas that a valid argument?
No,saidtheGeneralCourt, notional use of this nature doesnot comeintothe enquiry, one must simply consider the formin which marks appear on the Register. It’snot OKto rotatethem: “The marks must be compared as applied for and registered, without altering their orientation.”
The court went on to say that the twomarks “share some similarities but their visual differences are significant”. It went on to explain: “In particular Chanel’s marks have more rounded curves, thickerlines andahorizontal orientation, whereas the orientation ofthe Huaweimark is vertical.”
Therewere,saidthecourt, also conceptualdifferences. Theserelated tothe factthat whereas Chanel’s mark evokes two letters C, Huawei’s mark evokesa letter H,or possiblytwo letters U. The court ended as follows: “Consequently the
General Court concludes the marks are different.”
It will beinteresting to see whether Chanel seeks to appeal this judgment to Europe’s highest court.
Our ‘mirroring’ bottles InVenice,they knowathing or twoabout glass.The Venice Court of Appeal, or as we internationaltrademark lawyers like tosay, la corte d’appello di Venezia, has recentlyruled inaninteresting trademarkinfringement case.
This case involved an EU trademark registration belongingtotheBottegawinery for a three-dimensional shapemark.Thiscomprisesa
wine bottle ina distinctive gold and pink colour combination, withthe bulkof the bottle being gold except for the top which pink.
The wineryclaimed its trademark registration had been infringedby acompetitor, the wineryCa’di Rajo, which had also used gold colouring on a wine bottle, albeitabottlethathasadifferent shape and label to that of Bottega.
The court ruled the trademark registration had been infringed, thus providing a good example ofhow colour canbothfunctionandbeprotected as a trademark.
The owner of the Bottega winery said thisafter the
judgment: “I expect the competition now understands that le nostrebottiglie specchiate, our mirroring bottles, are unique and unmistakable.” Si, certamente! El Clasico, something a little different, but still topical Thiswillbeofinteresttofootball lovers. You obviously knowElClasico istheunofficial name given to any match between Real Madrid and Barcelona. You’ll also know thesetwo teamswere inthe news recently whenit transpiredthat 15of Europe’s top teamswereseekingtoforma breakaway super league, a development thatwould have hada huge(possibly negative) impact on European football. It might also have resulted in meetings between the two Spanish giants becoming quite rare.
The 15clubs quickly washed their handsof this when it became apparent football fans were furious.
It nowtranspires that some enterprising type has appliedto registerElClasico as anEU trademarkin class 41, theclass thatcovers sporting andentertainment services. But the authorities have rejected this application onthebasisoflackofdistinctiveness, andan absenceof proof of any commercial link between the applicant and the name.
The reports onthis are sketchybutitappearsthetwo clubs werethemselves opposed to the application, although whether the applicationevenreachedthestage of formal opposition isn’t clear. Football’s reputation has taken something of a knock, but it will no doubt recover.
The decisionswe’ve discussed heremay oneday prove to be influential in SA.
Sars scores points in loyalty card case
Herna-Dette van der Zanden AJM Tax
Now thisis somethingwe don’twitness everyday a taxmatterinthehighestcourt of our country.
But the parameters of the Constitutional Court’s jurisdiction wereentered inthe matter between Clicks Retailers (Pty)Limited and Commissioner forThe South African RevenueService (CC) in that leave to appeal ought to have been granted based on section 167(3)(b)(ii)of the constitution amatter of general public importance. Retailloyaltyprogrammes arewellknown as75%of South Africans use them. Ad idem that this isa matter of public importance,since South Africanswill be affected, albeit indirectly.
It all started with section 24CoftheIncomeTaxAct,58 of 1962 whereby an excep-
tion is created to the general rule thatexpenditure isonly deductible in the year of assessment inwhich the expenditure is actually incurred
With applicationto Clicks (andher peers)section24C can be construed as follows.
A loyaltyprogramme member makesa purchase and presents herClubCard at checkout.Acontractofsaleis manifested andClicks receives income. Subsequently, themember earns loyaltypoints whichcanlater be redeemed.
These loyaltypoints are now thecontingent matter. Clicksmust latergiveaway stockto thevalue ofthe “points” accrued, without receiving anyfurther consideration, whenyou claimyour “free” shampoo.Therefore a deductionis claimedforthis future financialexpenditure to be incurred.
On this said day a second contract is concluded the redemption contract.
Section24C alludestothe fact that thesame contract must create both the income and theobligation tofinance futureexpenditureinorderto claim a deductionof that expenditure inthe current year of assessment.
Clickswished toclaima deduction basedon section 24C, as itsway of thinking was that whena customer joins theloyalty programme a “compositecontract”comes into existence it constitutes an indivisibleClubCard contract and a contract of sale.
Needless to say, the SA Revenue Service(Sars) was of a different opinion. It held that the income from the contractof salewill beused to financefuture expenditure (thegivingawayofstockatno monetary value),but arising from theredemption con-
tract, asecond obligationcreating contract.
Upon analysing section 24C, contractualsameness became adisputed element forwhich boththelower courts andthe Constitutional Courtturned totherecent Supreme Courtof Appeal Big Gcase (Commissioner South AfricanRevenue Service v BigG Restaurants (Pty) Ltd, 2018).
Thecruxofthecaseliesin theplainattributablemeaning to the word “ same ” From Big Gwe gather that where theincome accrues
YOU EARN POINTS WHEN SWIPING YOUR CLUBCARD AT ONE OF THESE PARTNERS. BUT, YOU REDEEM THE POINTS ONLY AT CLICKS
and thefuture expenditure arecontained ina singlecontract,thescopeofsection24C poses noproblem. However, when taxpayersseek to widenthe ambittocover arrangements where the income andfuture expenditureareinseparatecontracts, but inextricablylinked, alittle more mind needs to be applied to try to satisfy the “ sameness ” requirement.
An inextricablelink indicates sameness,but itsmere presence is not sufficient.
Important tonote isthat Clicks hasaffinity partners including Discovery,NetFlorist andSpecsavers. This means you earnpoints when swiping yourClubCard at one of thesepartners. However, youare ableto redeem the points onlyat Clicks. The income andfuture expenditure have a different source. Whether thiswas the trying characteristicthat set
Clicks up for failure,as this is a distinctionfrom other loyalty programmes,will have to beconfirmed once we seeanother loyalty rewards programme challenge section 24C.
DEDUCTION
Take caution that the amount ofthe saiddeduction wasnot in dispute, but rather formed part of thedispute. In colloquialterms,eitherthedeductionwouldbeallowedwholly or not at all.
In conclusion,Sars won onthebasis thatClickscould not satisfyinglyprove samenesstotheextentrequiredby section 24C. Itisunclearwhattheexact consequences willbe. But sinceadeductionisnolonger applicable, companieswill inevitablyconsidertheviability of these rewards cards. But onething isfor sure: your loyalty lies with Sars.
BUSINESS LAW & TAX
Popia 101: what you must do
• From ensuring you have consent to reporting data breaches here is your key compliance checklist
Janet MacKenzie & Reinhardt Biermann Baker McKenzie, Johannesburg
From July 1 2021, the substantive implementation ofkey provisions of the Protection ofPersonal InformationAct (Popia) became enforceable. This legislation,among other things,promotes the protection ofpersonal information processedby public and privatebodies, introduces minimum requirements for theprocessing of personal information,outlinestherights ofdatasubjects, regulatesthe crossborderflowofpersonalinformation, introducesmandatory obligationsto report andnotify databreachincidents andimposes statutory penalties for violations
COMPLIANCE CHECK
Canyou answeryes tothe following questions?
● Have youcompleted your data processingand protectiondue diligenceandimpact assessments?
● Have yousecured valid consents to use the data of your data subjects?
● Have you entered into a contract withservice providers whoprocess your customers’ personal information toensure theyare Popia compliant?
● Have youappointed an information officer?
● Do you knowhow to address data processing operations thattrigger material data protection risks?
● Doyou knowwhatto doif you experience a breach?
● Are you ableto prove you are Popia compliant?
● Are privacyrules now embedded inyour technology andbusiness practices?
● Forcross-bordertransfers, do you knowhow to transfer and process personaldata of EU residents,and areyou able to transfer personal data from Africa to the EU?
● Have youidentified and engaged withlead supervisory authorities regarding privacylawinallthejurisdictions in which you operate?
● Have youconsidered privacy lawenforcement and sanctions both interms of hefty monetaryfines and reputational disasters?
● Have you met the eight conditions forprocessing personal information?
THE INFORMATION OFFICER MUST BE REGISTERED … TO PERFORM THE DUTIES AND RESPONSIBILITIES SET OUT IN POPIA
There are eight conditions forthe lawfulprocessingof personalinformationaccording to Popiaand your businessshould nowhave ensureditisabletomeetallof these eight conditions.
1. Accountability your businessis responsiblefor ensuringthe conditionsfor lawful processing are met.
2.Processing limitation yourbusiness mustprocess personal informationlawfully,minimally, inaccordance with theconsent, justificationand objectionprovisions, and withthe data sub-
ject’sconsent, unlesscertain exceptions apply.
3.Purpose specification yourbusiness mustprocess personalinformation fora specificpurpose andadhere to theretention andrestriction of records provisions in Popia.
4.Further processinglimitation furtherprocessingof informationmustbecompatible with the purpose of collection.
5. Information quality yourbusiness musttakereasonablypracticable stepsto ensure personalinformation iscomplete, accurate,not misleading and updated.
6. Openness yourbusiness mustmaintain thedocumentationofallprocessingoperationsunder itsresponsibility andtakereasonablypracticable stepsto ensurethe data subject is aware of certain information.
7.Security safeguards yourbusinessmust:(i)secure theintegrityandconfidentiality of personalinformation in itspossession orunderits control by taking appropriate, reasonable technical and organisational measures;(ii) in terms of a written contract, ensurethe operatorwho processes personalinformationfor thebusiness,establishesand maintainssecurity measures;and(iii) assoonas reasonablypossible afterthe discoveryof acompromise, notifytheinformationregulator and the data subject.
8.Data subjectparticipation yourbusinessmustallowa data subjectto accessand correctits personalinformation. Your businessmay also berequired tocorrect,delete ordestroy personalinformation.
FOR THE RECORD
FURTHER IMPORTANT ISSUES TO CONSIDER
Theinformationregulatorhas published a guidancenote in respect ofthe appointmentof information officersand deputy information officers.
Though Popia does not require an information officer to bea local person,the guidance note providesthat to ensure accessibility, the informationofficerofamultinationalentity basedoutside SAmust authoriseanyperson withinSA asan information officer.
Popiaalsoprovidesforthe appointmentof deputyinformation officers.
The information officer mustbe registeredwiththe informationregulator toperformthedutiesandresponsibilities set out in Popia. The personauthorising anypersonas theinformationofficer ofa juristicperson retainsthe accountability and responsibilityfor anypower orthe functionsauthorised tothat person. The namesand contact details ofa company’s information officer and deputy informationofficer willbemade availableonthe
information regulator’s website.
THE MANUAL
A manual interms of section 51of PAIAis alsorequired. The manual mustbe lodged withthe informationregulatoranditmustbemadeavailable onthe company’s website.
DIRECT MARKETING
Popiarequires an “opt-in” systemfor directmarketing.
FromJuly 2021,businesses willbe prohibitedfrom approaching consumers for the purposesof directmarketing, unless:
● Thebusiness hasobtained consent; or
● Theconsumer isacustomer of the business.
CONSENT
Yourbusiness mayapproach a data subjectonly once to request their consent:
● Inthe prescribedForm4; and
● If consentwas notpreviously withheld.
Your business may processthepersonalinformation ofadatasubjectwhoisacus-
tomer of the business:
● Ifyour businessobtained the contact detailsof the data subject inthe contextof the sale of a product/service;
● Forpurposes ofdirect marketingof yourbusiness’s own similarproducts/services; and
● Ifthedata subjecthasbeen givena reasonableopportunityto object,free ofcharge and in amanner free of unnecessary formality.
BREACH NOTIFICATION UNDER POPIA
Ifyour businessexperiences a databreach, itmust notify theinformation regulatorand the datasubject, wherethere arereasonable groundsto believethat personalinformation has beenaccessed or acquiredbyanyunauthorised person.Thisnotificationmust be made as soon as reasonablypossibleafterthediscovery ofthe compromiseand you can onlydelay the data subjectnotification ifcertain exceptions apply.
In terms ofthe obligations ofbusiness operators,any personwho processespersonalinformationonbehalfof another business (that is, the responsibleparty),intermsof a contract or mandate, must notifythat businessimmediatelywheretherearereasonable grounds to believe personalinformation hasbeen accessed oracquired byany unauthorised person. With data fast becoming thenew goldforbusinesses aroundthe world,businesses that ensure theyare processingand protectingthispersonal informationcorrectly will not only ensure they are legallycompliant, butwill also be equippedto successfullynavigate thedigitalnew normal, while maintaining theloyalty andtrust oftheir most valuableassets their customers.
/123RF CONVISUM