Experts are divided on the impact that the Protection of Personal Information (Popi) Act, due to take effect in the near future, will have on the South African economy. Some say it will hamper local businesses while others maintain it will enhance trade with countries that have stringent personal information laws.

“We are trying to protect people at the cost of innovation and trying to grow the economy,” said economist Mike Schüssler, owner of economists.co.za.

Addressing media on Thursday at a Popi roundtable, Schüssler argued that Popi makes it more difficult for South African businesses to compete with the likes of Google, Facebook and Amazon, which do not have to comply with Popi.

Popi promotes the protection of personal information by public and private bodies. It contains rules governing the way that personal information — including anything from race, gender and age to contact details, personal opinions and employment history — is obtained, managed, stored and protected.

“Popi will affect every organisation in South Africa at some level,” said KPMG’s senior manager of legal, Nikki Pennel.

“To the extent that Popi has caused us to re-examine the way we process and secure data, it is a very important asset. But we are concerned that a couple of provisions will compound the under-performance of the economy,” commented Wayne Mann, director of group risk at The Unlimited, at Thursday’s roundtable.

The Unlimited is a financial services company and direct marketing specialist, which has spent close to R1m on Popi compliance.

Chiefly, Mann argued that Popi compliance represents a significant cost burden for small businesses and it impedes their ability to reach new customers via low-cost electronic marketing, such as e-mail and SMS.

Under Popi, a company can send only one unsolicited e-mail or SMS to a potential customer. If the potential customer does not explicitly “opt in” to future communication from that company, further direct marketing is prohibited. This does not apply to existing customers.

“Consumers are already protected under the Consumer Protection Act and can opt out of electronic marketing,” Mann said. “Why change from ‘opt out’ under the CPA to ‘opt in’ under Popi? This is simply another piece of red tape to make it more difficult for small businesses and start-ups to sustain themselves.

“Is it really that much of an inconvenience to receive those unsolicited SMSes or e-mails? The business sending them may employ 10 people who support another 30.”

Mann believes that, over and above that, direct marketers play a key role in delivering information about products and services to historically underserved markets that might not have access to such information by other means.

Francis Cronjé, information governance specialist and adviser to parliament’s technical working committee on Popi, argued that aside from enforcing our constitutional right to privacy, effective data protection legislation opens up certain trade barriers that might have existed — for example, with the European Union, which itself has very strict data protection laws.

He believes there is a lack of responsibility for the protection of personal information among South African companies and noted that one of the big four banks spent in the region of R350m on IT systems alone to ready itself for Popi.

“The Popi Act must be read in the context of the preamble, which clearly recognises the need for economic and social progress,” Cronjé added.

The act’s preamble is explicit that the act must bear in mind that economic and social progress “requires the removal of unnecessary impediments to the free flow of information, including personal information”.

“We think cases will be brought to the National Consumer Commission where the law is broken but the spirit of the law is not and exclusions [to Popi compliance] will be created,” said Warren Moss, chairman of the Direct Marketing Association (DMA) of South Africa.

Moss said the DMA supports Popi but shares similar concerns around its impact on small businesses.

“A horizontal piece of legislation [such as Popi] cannot be tailored for every industry. Associations such as the DMA should work with the Information Regulator to develop codes of conduct for their members, where issues specific to particular industries can be taken into account. The regulator’s job is not to issue fines, but get everyone on board,” said Cronjé.

The office of the Information Regulator, responsible for implementing Popi, is currently being established. Once Popi is effective, organisations will have a 12-month grace period to comply, which can be extended in terms of the act.