In November 2022, the exclusive Saint Champagne Bar and Lounge (“Saint Restaurant”) released a notice to its customers on its Facebook page requiring them to pay their outstanding balances within 12 hours. The notice further stated that if these outstanding amounts were not paid, Saint Restaurant would have no choice but to make their identities public on social media (such as their account names and handles), and their outstanding balance. We provide an analysis below on whether such a publication would contravene the provisions of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).
POPIA sets out the minimum standards for the processing of personal information of individuals. Any party that processes the personal information of an individual is subject to POPIA. One of the exceptions is where the individual (or data subject) has made the information public or where the information is contained in or derived from a public record.
What Does POPIA Say?
Some analysts have determined that such publication does not contravene the provisions of POPIA because the accounts of certain Saint Restaurant customers are publicly available for anyone to view on social media. However, we respectfully disagree with this viewpoint based on the following:
- Under POPIA, Saint is considered as a responsible party, and is therefore required to comply with the provisions of POPIA;
- Saint’s customers would be considered as data subjects, because their personal information, such as outstanding balances and banking details is processed by Saint;
- The definition of personal information includes: the name of a person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
- The combination of the customers names, account names and handles, and outstanding balances would not be considered to be publicly available information. Such information is only available to Saint as the responsible party.
Therefore, in light of the above, we are of the view that the publication of the names and outstanding balances of customers contravenes the provisions of POPIA. As a responsible party, Saint is required to process personal information only if a lawful basis exists. In order to remedy this, Saint can take one of the following actions in order to publicise the information lawfully:
- issue a privacy notice to their customers outlining the prospective actions to be taken once a customer is in default, such as publication of their names and outstanding balances owed on social media. However, even if such a notice is issued, it must be noted that the publication of the information may still be considered to be unreasonable because one could argue that Saint can take less drastic measures to receive payment; or
- Saint could obtain informed consent from its customers before they open a tab at the restaurant informing them of the terms of their service and the actions that can be taken in the event of them defaulting on payment.
The interpretation of the provisions of POPIA requires careful consideration. Information such as public social media profiles does indeed fall in the public domain, however, pieces of information that may be combined with other information that reveals details that is not ordinarily known, is considered as personal information under POPIA.
Contact us for more good, clear, precise advice.
Co-authored by Lucinda Botes and Sadia Rizvi.