Plugins and POPI: A Critical Discussion into the Legal Implications of Social Plugins and the Protection of Personal Information

Authors

DOI:

https://doi.org/10.17159/1727-3781/2023/v26i0a15758

Keywords:

POPI, social plugins, Directive 95/46/EC, GDPR, internet trackers, joint responsible parties, legitimate interests, consent, processing of personal information

Abstract

Social plugins are one of the many trackers used by companies with an online presence. However, under the Protection of Personal Information Act 4 of 2013 (POPI), these trackers have certain legal consequences for internet users. The main reason for this is that trackers tend to process personal information without informing internet users that their data are being collected, the reason for the collection or processing thereof, or who the responsible parties are that are collecting and processing the personal information. The article looks at these issues, amongst others, in the light of a 2019 judgment from the Court of Justice of the European Union or CJEU, namely, Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. EU:C:2019:629. Due to the fact that it has had data protection legislation for much longer than other countries or legal jurisdictions, including South Africa, the European Union (the EU) has a substantial body of case law interpreting the data protection legislation of the EU itself as well as that of the individual member states. One of the main instruments used as guidance by the drafters of POPI was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereafter Directive 95/46). Directive 95/46 was previously considered the gold standard, before Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (hereafter the GDPR) was enacted and Directive 95/46/EC was finally repealed. Since Directive 95/46 was one of the main guiding documents used in drafting POPI, one may expect that the South African courts may turn to the EU and consider how the CJEU has interpreted the similar provisions contained in Directive 95/46, especially since there is very little South African jurisprudence available on POPI. The four main issues under discussion are: who, other than the internet users, has the locus standi to bring an application in terms of POPI? Second, what are the responsibilities of joint responsible parties towards internet users? Third, where there are joint responsible parties, do both need a legitimate interest to process personal information? Lastly, who will be responsible for obtaining the necessary consent to process the personal data?

Downloads

Download data is not yet available.

Author Biographies

  • Helga Schultz, University of KwaZulu-Natal

    PhD Candidate, School of Law, University of KwaZulu-Natal, Pietermaritzburg Campus, South Africa

  • Warren Freedman, University of KwaZulu-Natal South Africa

    Associate Professor, School of Law, University of KwaZulu-Natal, Pietermaritzburg Campus, South Africa

References

Bibliography

Literature

Aladeokin A, Zavarsky P and Memon N "Analysis and Compliance Evaluation of Cookies-Setting Websites with Privacy Protection Laws" in Twelfth International Conference on Digital Information Management (ICDIM) (12-14 September 2017 Fukuoka) 121-126

Coetzee SA "A Legal Perspective on Social Media Use and Employment: Lessons for South African Educators" 2019 PELJ 1-36 http://dx.doi.org/10.17159/1727-3781/2019/v22i0a5778

De Conca S "Between a Rock and a Hard Place: Owners of Smart Speakers and Joint Control" 2020 SCRIPTed: Journal of Law, Technology and Society 238-268

De Stadler E et al Over-Thinking the Protection of Personal Information Act: The Last POPIA Book You Will Ever Need (Juta Cape Town 2021)

Docksey C and Hijmans H "The Court of Justice as a Key Player in Privacy and Data Protection: An Overview of Recent Trends in Case Law at the Start of a New Era of Data Protection Law" 2019 EDPL 300-316

Duina F "Explaining Legal Implementation in the European Union" 1997 Int'l J Soc L 155-179

Ermakova T et al "Web Tracking: A Literature Review on the State of Research" in Proceedings of the 51st Hawaii International Conference on System Sciences (3-6 January 2018 Waikoloa Village) 4732-4741

Gerlitz C and Helmond A "The Like Economy: Social Buttons and the Data-Intensive Web" 2013 New Media and Society 1348-1365

Globocnik J "On Joint Controllership for Social Plugins and Other Third-Party Content: A Case Note on the CJEU Decision in Fashion ID" 2019 IIC 1033-1044

Karjiker S "Hyperlinking and Copyright" 2022 SALJ 181-204

Larson E "Tracking Criminals with Internet Protocol Addresses: Is Law Enforcement Correctly Identifying Perpetrators?" 2017 NC J L & Tech 316-358

Lindroos-Hovinheimo S "Who Controls our Data? The Legal Reasoning of the European Court of Justice in Wirtschaftsakademie Schlewig-Holstein and Tietosuojavaltuutettu v Jehovan todistajat" 2019 Info & Comm Tech L 225-238

Röttgen C "Like or Dislike—Web Tracking" in Hoeren T and Kolany-Raiser B (eds) Big Data in Context: Legal, Social and Technological Insights (Springer Cham 2018) 73-80

Strauß S and Nentwich M "Social Network Sites, Privacy and the Blurring Boundary between Public and Private Spaces" 2013 Science and Public Policy 724-732

Srinivasan D "The Antitrust Case against Facebook: A Monopolist's Journey towards Pervasive Surveillance in Spite of Consumers' Preference for Privacy" 2019 Berkeley Bus LJ 39-101

Strauß S and Nentwich M "Social Network Sites, Privacy and the Blurring Boundary between Public and Private Spaces" 2013 Science and Public Policy 724-732

Truyens M "No more Cookies for Unregistered Facebook Users in Belgium: Belgian Data Protection Legislation Applies to Facebook" 2016 EDPL 135-140

Veale M and Zuiderveen Borgesius F "Adtech and Real-Time Bidding under European Data Protection Law" 2022 German Law Journal 226-256

Wiedemann K "The ECJ's Decision in 'Planet49' (Case C-673/17): A Cookie Monster or Much Ado about Nothing?" 2020 IIC 543-553

Zalnieriute M and Churches G "When a 'Like' is not a 'Like': A New Fragmented Approach to Data Controllership" 2020 MLR 861-876

Case law

European Union

Breyer v Bundesrepublik Deutschland (C‑582/14) EU:C:2016:779

Bundesverband der Verbraucherzentralen und Verbraucherverbände - VerbraucherzentraleBundesverband eV v Planet 49 (C-673/17) EU:C:2019:801

Data Protection Commission v Facebook Ireland and Maximillian Schrems (C-311/18) EU:C:2020:559

Facebook Ireland Ltd v Gegevensbeschermingsautoriteit (C-645/19) EU:C:2021:483

Fashion ID GmbH and Co KG v Verbraucherzentrale NRW e.V. (C-40/17) EU:C:2019:629

Google Spain SL, Google LLC v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (C-131/12) EU:C:2014:317

Institut Professionnel des Agents Immobiliers (IPI) v Geoffrey Englebert (C-473/12) EU:C:2009:293

Lindqvist (C-101/01) EU:C:2003:596

Meta Platforms Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Case C- 319/20) EU:C:2022:322

Rechnungshof v Österreichischer Rundfunk and Christa Neukomm and Joseph Lauermann v Österreichischer Rundfunk (C-465/00, C-138/01 & C-139/01) EU:C:2003:294

Schrems v Data Protection Commissioner (C-362/14) EU:C:2015:650

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16) EU:C:2018:388

Valsts Policijas Rīgas Reģiona Pārvaldes Kārtības Policijas Pārvalde v Rīgas Pašvaldības SIA 'Rīgas Satiksme' (Case C-13/16) EU:C:2017:336

South Africa

H v W 2013 2 SA 530 (GSJ)

Isparta v Richter 2013 6 SA 529 (GNP)

Smuts v Member of the Executive Council: Eastern Cape Department of Economic Development Environmental Affairs and Tourism (1199/2021) [2022] ZAECMKHC 42 (26 July 2022)

United States of America

Largent v Reed and Pena (Case No 2009-1823) 39th Judicial District of Pennsylvania, Franklin County (7 November 2011)

Legislation

Germany

Gesetz gegen den Unlauteren Wettbewerb (1909) (Law against Unfair Competition)

South Africa

Constitution of the Republic of South Africa, 1996

Promotion of Access to Information Act 2 of 2000

Protection of Personal Information Act 4 of 2013

Government publications

Proc 21 in GG 43461 of 22 June 2020

International instruments

Charter of Fundamental Rights of the European Union (2000)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995)

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (2002) (Directive on Privacy and Electronic Communications)

European Convention for the Protection of Human Rights and Fundamental Freedoms (1950) (as amended by Protocol Nos 11 and 14, and Supplemented by Protocols Nos 1, 4, 6, 7, 12, 13 and 16)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (2016) (General Data Protection Regulation)

Internet sources

Acar G et al 2015 Facebook Tracking through Social Plug-ins: Technical Report Prepared for the Belgian Privacy Commission https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf accessed 10 October 2022

Kelly MJ 2019 What is a Web Tracker? Mozilla Explains https://blog.mozilla.org/en/internet-culture/mozilla-explains/what-is-a-web-tracker/ accessed 16 November 2022

Published

04-03-2024

Issue

Section

Articles

How to Cite

Schultz, H., & Freedman, W. (2024). Plugins and POPI: A Critical Discussion into the Legal Implications of Social Plugins and the Protection of Personal Information. Potchefstroom Electronic Law Journal, 27, (Published on 4 March 2024) pp 1-32. https://doi.org/10.17159/1727-3781/2023/v26i0a15758

Similar Articles

1-10 of 1158

You may also start an advanced similarity search for this article.