In the recent High Court decision of Munetsi v Madhuyu, the applicant sought a court order against the respondents to remove a video that they posted on social media which contained alleged defamatory remarks about the applicant, coupled with his cell phone number. The judgment holds important POPIA-related lessons. The judgment however fails to consider whether the respondents were ‘responsible parties’ for purposes of POPIA.
In Munetsi v Madhuyu (16255/2024) [2024] ZAWCHC 209 (6 August 2024) (the “judgment“), Mr Munetsi (the “applicant“) approached the Cape Town High Court for an urgent interdict against Mr Madhuyu and Ms Tonsani (the “respondents“).
The applicant argued that the publication of his cell phone number breached the Protection of Personal Information Act No 4 of 2013 (“POPIA“) because a telephone number is “personal information” as defined in POPIA.
The respondents’ affidavit filed with the Court did not challenge the applicant’s averments, which meant that unfortunately there was nothing on the papers which contested the applicant’s case.
Cease and Desist: The Interdict
The Court held that personal information may only be “processed” in certain “specified circumstances” as set out in POPIA. The “specified circumstances” which the Court referred to are also known as “lawful” or “legal” bases. We discuss lawful bases later in this article.
The Court held that the respondents had breached POPIA by making the applicant’s cell phone number available on social media without having a lawful basis to do so. To add insult to injury, the video prompted viewers to contact the applicant, resulting in a “deluge of phone calls” to him.
The Court held that the respondents’ publication of the applicant’s cell phone number to thousands of followers on Facebook and Tiktok also breached the applicant’s common law right to privacy. The Court emphasised that whether the applicant’s personal information was publicly available elsewhere was irrelevant.
The Court ordered the respondents to remove the video and cell phone number and not to publish the applicant’s personal information without his consent in future.
No Need to Say Sorry: The Defamation Claim
The applicant also claimed that the statements in the video were defamatory. The Court held that most of the content of the posts was not defamatory, except for the respondents calling the applicant “evil”. The Court did not order an apology, stating that it was not a competent remedy for a violation of privacy or a breach of POPIA. The Court also referred to the fact that the respondents had in any event already apologised for this portion of the post. The Court considered the interdict that it granted as sufficient relief for the defamatory statement.
Overbroad and Overburdened: Were the Respondents Actually ‘Responsible Parties’?
The Court held that POPIA applied to the processing in question because the definition of “processing” in the Act includes the dissemination and transmission of information. The Court did not however assess POPIA’s application provisions. POPIA only applies to a “responsible party“, which it defines as a public or private body “or any other person” (emphasis added) who determines the purpose and means of processing personal information (section 1).
Although a responsible party could be an organisation or an individual, POPIA specifically excludes the processing of personal information in the course of purely personal or household activities (section 6(1)(a)). POPIA is understood not to apply to the processing of personal information for personal purposes not connected to professional or business activities.
European courts have interpreted a similar exclusion narrowly and held that it does not apply when information is published on the internet and accessible to a large number of people (see the CJEU decision in Lindqvist). How realistic such an interpretation is today is dubious considering the plethora of personal information posted online by individuals in their personal capacity. Indeed, the recitals (interpretive guidelines) to the EU’s General Data Protection Regulation or GDPR, refers “social networking and online activity” relating to personal activity as specifically falling within the exclusion and therefore not subject to data protection compliance.
In the judgment, the Court did not specifically consider whether the respondents were acting in a business or professional capacity when posting about the applicant on social media. Although the respondents were being sued in their personal capacity, they stated in their papers that the applicants undermined their business and that the applicant had proposed a business venture. Based on the judgment, the respondents’ business position is vague at best.
Even though the respondents did not put up an alternative version to contest the applicant’s one, it was necessary for the Court to consider whether the respondents were actually responsible parties for purposes of POPIA to determine that POPIA applies to the processing in question.
The danger of taking too broad an interpretation of POPIA is that labelling an individual as a responsible party – where they are not acting in a professional or business setting – results in them having to comply with a host of obligations in POPIA, like appointing an information officer, giving notice of processing, and complying with data subject rights. These obligations would be nonsensical and almost impossible for individuals to comply with.
Be Careful What You Post For: Why This Decision Is Important
There are nevertheless important lessons to be studied from the judgment.
First, a responsible party needs a lawful basis for processing personal information, including where it posts such personal information on social media: a responsible party would probably have to show that the data subject consented to the processing; alternatively that the processing is in the responsible party’s legitimate interests, the legitimate interests of a third party, or that of the data subject. Legitimate interests has often been used as a safety net in the absence of another lawful basis; it should however not infringe on the rights of the data subject and the processing in question should be aligned with their expectations.
Second, a court may order an interdict to prevent the unlawful processing of personal information. In terms of POPIA, a court may order damages for losses suffered by a data subject due to a breach of the Act.
Remember that even if POPIA does not apply to a social media post, the common law right of privacy could still be relied on, and an interdict could be granted to prevent the continued infringement of such right. There is of course also the risk of a defamation claim, as seen in this case.
Suffice to say: beware and be aware when posting on social media, whether in your personal or business capacity.
--
Read the original publication at Werksmans Attorneys