BUSINESS LAW &TAX
JULY 2021 WWW.BUSINESSLIVE.CO.ZA
A REVIEW OF DEVELOPMENTS IN CORPORATE AND TAX LAW
How to handle staff who will not mask up
KEEP YOUR COLLEAGUES SAFE
Fair dismissals are possible — within reason — if •employees fail to stick to Covid-19 safety protocols Lauren Salt & Matlhatsi Ntlhoro ENSafrica
M
ore than a year after the start of the Covid19 lockdown, many citizens have adopted a lax approach to mask wearing, social distancing and sanitisation. However, a recent Labour Court judgment in SA indicates that employers may, within reason, be able to fairly dismiss employees for not adhering to Covid-19 safety protocols. In terms of the Disaster Management Act, 2002, wearing a face mask is mandatory for every person when in a public place, excluding children under six years old. Despite this, a number of employers have condoned lawlessness, or rather masklessness, where employees are alone in their private offices, on the basis
that private offices are not “public places”. However, regulation 70(5) states that an employer may not allow any employee to perform any duties or enter the employment premises if the employee is not wearing a face mask while performing his or her duties. This regulation seems to suggest employees ought to wear masks at all times when performing their duties, irrespective of where the duties are performed. On a strict interpretation of the regulation, this would include where an employee is working remotely from home. This is unlikely what the drafters of the regulation intended.
EMPLOYERS AND EMPLOYEES SHOULD BE MINDFUL OF NOT BECOMING BLASÉ ABOUT COVID-19 COMPLIANCE
A failure to adhere to these regulations would result in a person who commits this offence being liable, on conviction, to a fine or of imprisonment not exceeding six months, or to both a fine and imprisonment. From a compliance perspective, and to avoid any possible adverse finding if an inspection is conducted, the safest approach for employers would be to have a policy in the workplace that complies with regulation 70(5) and to have mask wearing mandatory in all spaces, closed or open, private or public, at the employer’s premises. In the recent judgment of Eskort Limited v Stuurman Mogotsi & Others LC, the Labour Court found the dismissal of an employee to be fair based on: ● Gross misconduct related to his failure to disclose to the employer that he took a Covid-19 test; and ● Gross negligence in that
/123RF — MILKOS even after receiving his positive Covid-19 test results, he failed to self-isolate and continued reporting for work, putting the lives of his colleagues and their families in danger. In this case, the Labour Court sought to consider all surrounding circumstances in totality prior to reaching a decision that the dismissal of the employee was fair. The following factors were considered: ● The employee’s role in being part of the Covid-19 awareness committee in the workplace; ● The employee’s negligence in failing to disclose his Covid-19 positive test results, placing the lives of colleagues and customers in danger; ● The employee’s conduct in walking around without a mask and hugging fellow employees after having tested positive; and ● The employee’s nonchalant attitude. In some instances, the
sanction of dismissal might not be appropriate for maskrelated transgressions (even if not wearing a mask is in contravention of the national laws). For example, in circumstances where an employee hastily leaves their office to fetch printing and forgets to wear their mask and is seen and confronted by another employee 3m down the corridor, but when confronted, the employee quickly apologises and fetches their mask and puts it on. Dismissal in this instance would likely be overly harsh and a verbal warning might be more suitable or a mere reminder to be more vigilant.
SANCTIONS
Employers whose disciplinary code prescribes the appropriate sanctions for misconduct should be careful not to follow it blindly. Dismissal does not automatically follow where the transgression amounts to a breach of the law. As in any other
assessment of the appropriate sanction, factors such as the severity and impact of the transgression, as well as any remorse shown, should be taken into consideration. The seriousness of the transgression and the surrounding circumstances in the Eskort case, however, certainly warranted dismissal. Employers and employees should be mindful of not becoming blasé about Covid19 compliance in the workplace. Employees need to understand their noncompliance could have serious ramifications. However, in taking heed of the court’s warning to take Covid-19 compliance seriously, employers should equally be mindful of the manner in which they enforce compliance and mete out discipline for noncompliance. Employers should not hastily jump to terminate transgressors’ employment, and should ensure that the facts of the case support a sanction of dismissal.
2
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX LATERAL THINKING
How cybercrime law works
SA recently enacted a new cybercrime law, which is long overdue. Business Day Law & Tax Editor Evan •Pickworth interviews Darryl Bernstein, partner and head of dispute resolution, and Janet MacKenzie,
partner and head of technology, media and telecommunications, at Baker McKenzie Johannesburg on the ramifications of this legal development
E
P: SA has recently enacted a new cybercrime law — what is the context for this latest legal development? DB/JM: The pandemic has driven home the high value of personal data to the global economy, while also highlighting its vulnerability to abuse and attack. In response, governments around the world have been reviewing their data privacy and protections laws and regulations, including in SA. Global cybersecurity firm Kaspersky recently noted that cyberattacks are set to rise in African countries, especially in the key financial centres of SA, Kenya and Nigeria. The cybersecurity firm noted that rapidly evolving digital techniques had led to an increased risk of advanced persistent threats and hacking-for-hire events in Africa. EP: Can you tell us more about SA’s new Cybercrimes Act? DB/JM: In SA, the Cybercrimes Act (act) was signed into law by President Cyril Ramaphosa in early June 2021, bringing the country’s cybersecurity legislation in line with global standards. The current legal framework to combat cybercrime consists of a hybrid of legislation and common law. The Cybercrimes Act takes its place as part of a set of laws and policy initiatives that aim to regulate the ever-expanding online economy, and the surge in cyber-related crimes from a South African and global perspective. Once it commences, the Cybercrimes Act will codify numerous offences (cybercrimes) and related penalties. The act provides for, inter alia: ● The creation of offences which have a bearing on cybercrime; ● The criminalisation of the disclosure of data messages which are deemed harmful and the provision of interim protection orders; ● The regulation of the jurisdiction of South African courts and authorities in respect of cybercrimes ● The regulation of the powers of authorities to investigate cybercrimes; ● The mutual assistance between authorities in different foreign states in the
investigation of cybercrimes; ● The establishment of a designated point of contact within the South African Police Services (SAPS), which office will be responsible for assisting with proceedings or investigations into a cybercrime; and ● The imposition of obligations to report cybercrimes The Cybercrimes Act creates a number of new cybercrime offences and substantially expands the ambit of criminalised activity, while simultaneously creating sanctions for offences and fines for these offences. The majority of the offences created by the Cybercrimes Act relate to data, messages, computers and networks involving hacking, the unlawful interception of data, ransomware attacks, cyber forgery and uttering, the theft of incorporeal property and cyber extortion. The act criminalises “malicious communications”, which means any electronic communication (called a “data message”) which is sent to a person, a group of persons or the general public with the intention to incite the causing of any damage to property belonging to, or violence against, a person or group of persons. The unlawful and intentional disclosure of a data message of an intimate image of a person is also an offence. The Cybercrimes Act also grants law enforcement extensive powers to investigate, search, access and seize various articles, such as computers, databases or networks. Notably, the act imposes a duty on electronic communications service providers and financial institutions to report certain offences within 72 hours. Failure to make the required report could lead to a fine on
conviction of a maximum of R50,000. Further, those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years. EP: Is it similar to the Protection of Personal Information Act in terms of how data breaches must be responded to? DB/JM: Yes, in some respects. In SA, data security is also governed by the Protection of Personal Information Act (Popia) and the substantive implementation of key provisions of Popia became enforceable on July 1 2021. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law. One of the conditions for lawful processing in terms of Popia is the use of security safeguards, which prescribes that the integrity and confidentiality of personal information must be secured by a person in control of that information. This is prescribed by Popia to prevent loss, damage or unauthorised access to, or destruction of,
THE CYBERCRIMES ACT ALSO GRANTS LAW ENFORCEMENT EXTENSIVE POWERS TO INVESTIGATE, SEARCH, ACCESS AND SEIZE ARTICLES personal information. Popia also creates a reporting duty on persons responsible for processing personal information, whereby they must report any unlawful access to personal information (a data breach) to the Information Regulator within a reasonable period of time. Like the Cybersecurity Act, Popia brings SA in line with international data protection laws by regulating the processing of the personal information of natural and juristic persons and placing more onerous obligations on
“responsible parties” that process such information. In terms of Popia, where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party has to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established. The notification has to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation. The notification must be in writing and must be communicated either via e-mail or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media or as directed by the Information Regulator. It must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if
there are reasonable grounds to believe such publicity would protect a data subject. An organisation involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions. EP: Are there any other countries in Africa that have recently passed legislation governing cybersecurity? DB/JM: In 2020, Ghana similarly passed its Cybersecurity Act 2020, to oversee the country’s response to the prevention and management of cybersecurity incidents. The act establishes the Cyber Security Authority and provides for the protection of the critical information infrastructure of the country. The act also regulates cybersecurity activities, oversees the protection of children on the internet and seeks to develop Ghana’s cybersecurity ecosystem. EP: What are the latest developments with regard to how cybersecurity is legislated across the continent? DB/JM: Data privacy laws which govern, among other things, data security and breaches, are currently present in less than half of African countries. Regionally, the Southern African Development Community and the Economic Community of West African States have data protection policies in place and the continent is also covered by the African Union’s Convention of the African Union on Cybersecurity and Personal Data(2014) (convention). As of May 2020, the convention had only been ratified by eight out of 55 AU members (Angola, Ghana,
Guinea, Mauritius, Mozambique, Namibia, Rwanda and Senegal), while 14 countries had signed but not ratified it. SA, Kenya and Nigeria have not yet signed the convention. EP: Why is cybersecurity legislation essential in Africa? DB/JM: Legislation governing the digital economy is essential to protect African citizens in terms of both their digital privacy rights and cybersecurity threats, while at the same time also ensuring their online freedoms are not threatened. The AU has been encouraging its member states to sign the convention and implement balanced local legislation that is fully enforceable and that respects human rights. EP: How could the process of protecting data privacy and ensuring cybersecurity be facilitated in Africa? DB/JM: To facilitate this process, consultations with stakeholders in government, businesses (local and international) and organisations representing wider society would ensure a balanced approach during the drafting of these laws. International legislation should be considered alongside local laws, given the borderless nature of the online environment, and consulting with technology experts on policy means due consideration can be given to the specific nature of this rapidly developing sector. Considering the current rapid move to digitally focused business models, the implementation of these legal protections and guidance has become urgent for all African countries.
ENSafrica | data privacy
POPI is the new normal The POPIA clock has stopped counting down,compliance but your journey is just beginning. POPIA solutions,
strong expertise in data privacy Chambers Global Guide
scan QR code discover more
4
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Reading staff’s e-mails in the era of Popia
YOU HAVE MAIL
Correct wording of employment contracts will •head off disputes over monitoring of communication Suemeya Hanif & Nicole Gabryk ENSafrica
A
fter the Protection of Personal Information Act, 2013 (Popia) came into effect fully on July 1, there are some areas of dispute that may arise between employers and employees, including the monitoring of employee e-mails. In a recent Constitutional Court judgment in Turkey, the personal data protection rights of an employee were considered. It could provide some guidance as to how a similar situation may be handled in an SA context. In this matter, a private bank employee used his corporate e-mail account during working hours to assist his spouse in the running of her business. This resulted in the employer terminating his employment. The employee challenged his termination on the basis that his employer had infringed his right to data protection and freedom of communication when the employer inspected his corporate e-mail without his prior notice or consent. The Turkish Constitutional Court held that to ensure
employees conduct their work efficiently, and due to the nature of the employer’s business (the provision of financial services), the employer had a legitimate basis for inspecting employees’ corporate e-mails. In addition, the employee’s signed contract of employment stipulated he was required to use his corporate e-mail for business purposes only. As such, the employer could inspect the account at any time without prior notification, and the Constitutional Court held that the notification and consent requirement was fulfilled. The court also took note of the fact the employer had only had regard to the information which supported the allegations the employee had engaged in other business activities during working hours. Therefore, it found that the purpose of collecting the data, and the use thereof, was
IDEALLY, PERSONAL INFORMATION SHOULD BE PROCESSED WITH THE DATA SUBJECT’S CONSENT
limited to proving the allegations of misconduct. In the SA context, employment contracts usually contain clauses dealing with the monitoring and interception of communication on work devices and e-mails. These clauses usually provide that, as work devices and telecommunication systems are provided to promote the business’s objectives, they must be used for bona fide business purposes only and that the employer reserves the right to intercept and/or monitor any direct or indirect communication on their work devices and/or utilising the employer’s telecommunication systems. In terms of Popia: ● An employer who processes the personal information of an employee (data subject) must do so fairly and without negatively impacting the rights of the data subject; ● Ideally, personal information should be processed with the data subject’s consent. Absent consent, there are other grounds that an employer can rely on to process personal information, including where the processing is necessary for pursuing the legitimate interests of the responsible party (in this case
/123RF — RAWPIXEL the employer) or of a third party to whom the information is supplied; ● To comply with Popia, employers should ensure any clause in an employment contract allowing for the monitoring and interception of communications on the employer’s devices, or using the employer’s telecommunication systems, also clearly explains the purpose for such monitoring and interception. An employer may monitor and intercept communications on a company device and, if the employee is using their device, communications sent and/or received using the employer’s telecommunication systems. The reason for this is that these devices and/or systems are provided by the employer to enable the employee to perform their duties and to assist the employer to meet its legal, business, administrative and management obligations. This would constitute a legitimate reason for processing. If such a clause was
inserted into a contract of employment, an employer could use the argument raised in the Turkish court to justify the processing of information, because the employee would have been notified of the reason and the purpose for such processing.
COGNISANCE MUST ALSO BE TAKEN OF THE OTHER PROCESSING CONDITIONS FOR LAWFUL PROCESSING Cognisance must also be taken of the other processing conditions for lawful processing contained in Popia. An employer may only use personal information obtained from the employer’s devices or systems to ensure compliance with its obligations and not for any other purpose. An employee will be
provided with an opportunity to object to the use of his/her personal information during an investigation and/or disciplinary process thereby ensuring compliance with the openness and data participation condition. Employers should ensure their existing contracts of employment include appropriate wording (so that informed, express and voluntary consent is obtained at the outset, which is also compliant with the processing conditions in Popia). Including appropriate wording in any contract of employment will entitle the employer to monitor and/or intercept communications on the employer’s devices and/or sent or received using the employer’s telecommunication systems should the need arise at any stage during the employment relationship without seeking ad hoc consent on a case-by-case basis, and could prevent costly future litigation and protracted disputes with employees.
Does Popia apply to memes and photos? Zamathiyane Mthiyane Werksmans A great deal of attention has been given to juristic entities’ compliance with the Protection of Personal Information Act No 4 of 2013 (Popia), which came into effect on July 1 2021. Popia aims to protect an individual’s right to privacy by offering protection against the unlawful collection, retention, dissemination and use of personal information. The question we explore is whether the protection afforded by Popia also extends to photos, and pictures including “memes”, of “data subjects”, as defined in Popia, which are posted on
social media platforms. In the event an individual discovers a “post” on a social media platform disclosing certain of his/her “personal information”, as defined in Popia, including a photograph, on a prima facia reading of Popia, the subject of the post may be considered a data subject and the person who posted the photograph may be considered a “responsible party” as defined in Popia. Posting the personal information on social media would also, arguably, amount to the dissemination of personal information, as contemplated in the definition of “processing” in Popia. Thus, the responsible
party may be obliged to comply with the provisions of Popia. The consequences of being considered a “responsible party” in terms of Popia are substantial and include the requirement for a responsible party, inter alia, to comply with the eight conditions of lawful processing of personal information, as prescribed in Popia. The conditions include a requirement to obtain the consent of the data subject before posting a photograph or the views of that data subject on a social media platform. The responsible party would also be required to appoint an information officer and publish and comply with
a Popia manual as read with section 51 of the Promotion of Access to Information Act No 2 of 2000. Arguably, the application of Popia in the above circumstances would lead to an absurd result where every individual who posts photos, memes, videos or the views of another person is considered a responsible party who must comply with onerous conditions. To prevent the abovementioned situation from arising, section 6(1)(a) of Popia states that Popia does not apply to the processing of personal information in the course of a purely personal or household activity. The repercussions of sec-
tion 6(1)(a) of Popia, quoted above are, arguably, that: ● Popia applies only to business or professional activities. ● In so far as any pictures or video taken or views shared are disseminated on social media or any other platform in a personal capacity, Popia arguably does not apply. Popia does not define the terms “personal activity” or “household activity”. The aforementioned terms may have to be interpreted not only by the ordinary grammatical meaning of the words but also by taking into account, on a case-by-case basis, what contemplates work as opposed to personal use in respect of the relevant
social media user. Disgruntled individuals who find their personal information posted on social media platforms without their consent are, however, not without legal remedy. Our common law, as codified in the Constitution of the Republic of SA, 1996, protects individuals’ right to privacy on a professional and personal basis. Thus, social media users who post what may be considered as personal information should do so keeping in mind that the subject of the posts, though falling out of the ambit of Popia, are still protected by the common law in the event the post breaches the privacy of the subject.
5
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Clarity on crypto asset laws
Policy paper reveals how crypto asset service •providers will be subjected to regulatory oversight Seshree Govender Webber Wentzel
T
he recently published Crypto Asset Policy Paper lays out the types of crypto asset service providers that will be subjected to regulatory oversight and how they will be supervised. On June 11 2021, the Intergovernmental Fintech Working Group (IFWG) published its long-awaited Crypto Asset Policy Paper. It shows the IFWG is officially moving towards regulating cryptoasset services in SA and bringing an end to the longstanding “user-beware” crypto asset regulatory position established in 2014. The SA crypto asset industry will now begin the process of transitioning from its unregulated landscape to an environment subject to the regulatory purview of the Financial Sector Conduct Authority (FSCA), the SA Reserve Bank and the Financial Intelligence Centre (FIC). Current landscape of crypto asset regulation in SA The SA policy position on crypto asset/currency regulation was first set out in the 2014 position paper on virtual currencies issued by the Reserve Bank as part of a joint initiative between the bank, National Treasury, the Financial Services Board, SA Revenue Service and the FIC. Due to the global lack of regulation and supervision of cryptocurrency at the time,
the 2014 policy position did not subject crypto assets to any regulatory oversight. Thus anyone who participated in the crypto asset sector did so at their own risk. While the SA crypto asset industry has changed and grown significantly since 2014, the regulatory position did not. Due to the prevailing application of the 2014 position, the industry now operates in a largely unregulated space, governed predominantly by the contractual relationships concluded between its participants. The core purpose of the impending crypto asset regu-
MARKET PLAYERS IN THE CRYPTO ASSET INDUSTRY SHOULD BEGIN DEVELOPING AND IMPLEMENTING APPROPRIATE STRATEGIES latory framework is not to regulate the nature of crypto assets or dictate the development of the underlying technology, but to subject the providers of crypto assetrelated services to regulatory supervision and oversight. The transition of the SA crypto asset industry to the impending regulatory framework will be driven by two important questions: (i) who is a crypto-asset service provider (Casp); and how
will Casps be supervised? The impending crypto asset regulatory environment will only be applicable to crypto asset-related activities that fall within the parameters of a “crypto asset service” as specifically contemplated in the Crypto Asset Policy Paper. Crypto asset-related activities which do not fall within the ambit of “crypto asset services” will continue to operate in an unregulated environment until determined otherwise by the relevant regulators. The Crypto Asset Policy Paper sets out the types of Casps that will be subject to regulation. These include trading platforms, intermediaries involved in the buying and selling of crypto assets, the providers of custodial wallets and the providers of investment funds or derivative options underpinned by crypto assets. However, providers of services such as noncustodial wallets and crypto asset mining will not be subject to regulation. Entities regarded as Casps will be subject to licensing requirements as well as compliance and reporting obligations under any or all of the following existing regulatory regimes: laundering ● Antimoney regulations (Fica) under the oversight of the Financial Intelligence Centre; ● Exchange control regulations under the oversight of the Reserve Bank (financial surveillance department); and
NOT-SO-SMALL CHANGE
/123RF — NAU2018 ● Financial services regulations under the oversight of the Financial Sector Conduct Authority A phased approach to regulation The Crypto Asset Policy Paper constitutes a mandate given by the IFWG to the relevant SA regulators to take the necessary regulatory steps to implement the 25 recommendations set out in the policy paper. A number of recommendations will be implemented with the enactment of the Conduct of Financial Institutions Bill (the impending legislative reform of market conduct regulation in the SA financial services sector). However, certain recommendations are already being implemented, with the
following proposed regulatory developments having commenced in 2020: The proposed amendment to the Financial Centre Intelligence Act (Fica) in terms of which Casps will be included in the list of accountable institutions, subjecting Casps to the full weight of Fica regulatory obligations and noncompliance penalties. This will require Casps to develop and implement a risk management and compliance programme detailing how they will conduct customer due diligences (KYC), monitor and report transactions and manage their particular antimoney laundering risk exposure. The draft declaration of crypto assets as a financial
product under the Financial Advisory and Intermediary Services Act (Fais Act): Casps providing advice on or intermediary services for the purchase or sale of crypto assets will be regarded as rendering financial services. Casps will thus need to register as financial service providers (FSPs) in terms of the Fais Act. The Crypto Asset Policy Paper states that the declaration of crypto assets as financial products is necessary to enable the FSCA to impose urgent consumer protection regulatory measures over Casps. Subjecting Casps to the “treating customers fairly” requirements of the Fais Act is a necessary development to protect consumers against the rampant proliferation of crypto-asset scams. However, subjecting crypto-asset services providers to the same fit and proper requirements and compliance obligations as incumbent FSPs may impose unduly onerous regulatory requirements upon Casps. Now the long-awaited roadmap to crypto asset regulation in SA has been laid out, current market players in the crypto asset industry should begin developing and implementing appropriate strategies to regularise their business models in line with the impending regulatory framework. They should also actively participate in the stakeholder engagements and commentary processes that will follow the promulgation of the necessary amendments to legislation to give effect to the Crypto Asset Policy Paper’s recommendations.
CONSUMER BILLS
AI has potential to make our online lives safer
I
tend to think, optimistically and pessimistically, that artificial intelligence (AI) can do anything to process information, for better and for worse. The extent to which it can be made to do so is a burning question in relation to consumer protection from cyber fraud, cyber bullies, cyber gender abuse and the other risks of being active online. The latest news is that the UK financial services regulator, the Financial Conduct Authority (FCA), has warned that it will take legal action against internet service providers and social media companies if they continue to publish advertisements that amount to online financial scams.
PATRICK BRACHER One of the consequences of the Covid-19 pandemic is, again, good and bad. More people have learnt to transact online, which has led to some major advantages many consumers had overlooked. The pandemic has also led to a downturn in the economy, lower interest rates on savings, loss of income and devalued assets. This means more people are looking for ways to supplement their income,
sometimes with unrealistic expectations. These expectations are the lifeblood of scammers and fraudsters. Consumers resorting to self-help in finding better investments are the targets of online scammers who place paidfor adverts on the internet and exploit social media marketing totally fraudulent or unregulated schemes. The FCA announced recently it was forced to issue 1,200 warnings online in 2020 about fraudulent adverts that were not issued or approved by lawfully authorised firms. Every week our local regulator, the Financial Sector Conduct Authority (FSCA), issues warnings about persons online
masquerading as accredited investment advisers. These crooks use grand titles, borrowed credentials and impossible benefits to scam the public. Not the least of the problem are those offering huge returns from cryptocurrency deals, which provide the huge returns for the advertisers only. The internet and social media have offered inestimable advantages to ordinary people and there is a line that has to be drawn between the good and the bad. It does seem that, if the local FSCA and the UK regulator can identify the scams and issue warnings, AI can do it better than any regulator if properly programmed. It must be
possible to develop algorithms that can step in when there is financial exploitation, gender abuse or bullying, for instance. It was encouraging recently to see that the US government was able to track down and act against the hackers who closed down the US oil pipeline. Given the right incentive it is clear that steps can be taken which are effective. I have said many times that cyber risk is the biggest
IT MUST BE POSSIBLE TO DEVELOP ALGORITHMS THAT CAN STEP IN WHEN THERE IS FINANCIAL EXPLOITATION
risk in the world, more even than the risk of physical pandemics. The interconnection of everything electronic and the ability to close down cities — and worse — is a risk to everyone. As consumers we all need to lobby for the attention at the highest level by governments and internet and social media service providers to stop the worst happening. If I am right about AI being able to do most things in this regard, it should be possible to do so without throwing the dishes out with the dishwater. ● Patrick Bracher (@PBracher1) is a director at Norton Rose Fulbright.
6
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Inheritance tax to aid poor
Tackling wealth inequality in poor countries could •benefit from an OECD report published on a study Prenisha Govender Baker McKenzie Johannesburg
O
n May 11 2021, the Organisation for Economic Cooperation and Development (OECD) published a report exploring the role of inheritance tax in addressing wealth inequality in poorer countries. The report was motivated by high wealth inequalities across OECD countries and the economic pressures suffered internationally as a result of the Covid-19 pandemic. According to the OECD, inheritance tax could be an important tool “to address inequality, particularly in the current context of persistently high wealth inequality and new pressures on public finances linked to the Covid19 pandemic”. The OECD’s report, Inheritance Taxation in OECD Countries, compares inheritance, estate and gift taxes in the 37-member OECD countries. SA is not an OECD member but adheres to many OECD instruments. The findings in the report on ways to address unequal wealth distribution have important implications for the country. The report states that, on average, the inheritance and
gifts reported by the top 20% of wealthy households in OECD countries is about 50 times higher than those reported by the bottom 20% poorest households. Inheritance tax is a tool intended to reduce this wealth concentration and enhance equality. The report also notes that inheritance taxes are easier to assess and collect than other forms of wealth tax, but that only about 0.5% of total tax revenues are sourced from inheritance, estate and gift taxes across the OECD countries that levy them. At present, tax exemptions and other forms of tax relief
THE AVERAGE WEALTH OF THE POOREST 50% IS NEGATIVE IN THAT THEIR DEBTS EXCEED THEIR ASSETS enable wealthy individuals to pass their wealth on tax free, and in-life gifts are also used to avoid paying inheritance tax. The report notes these taxes need to be designed better, but that such reforms tend to be country specific. The report suggests inher-
itance tax that is levied on an inherited asset’s value is a fair approach, with exemptions applied to low value assets. Another solution mentioned is lifetime inheritance tax, where tax is levied on the full amount of wealth inherited over a lifetime. But while this could reduce tax avoidance, it would also increase the costs of compliance and administration. The report says more information needs to be made available to the public on the way such taxes addressed inequality and to review other forms of taxes such as income tax and capital gains that should also be part of the solution. In SA, laws such as Administration of Estates Act (1965), the Wills Act (1953) and the Intestate Succession Act (1987) govern inheritance tax. Beneficiaries of an inheritance don’t pay inheritance tax on their inherited assets in SA, estate duty is payable by the deceased estate, which is regulated by the Estate Duty Act (1955). Estate duty is payable now at 20% on the first R30m and at 25% on amounts above R30m. In 2013, the Davis committee was set up to review and recommend improvements in the tax policy framework in SA. In 2016, judge Davis submitted his
FISCAL SUSTAINABILITY
/123RF — VITALIY VODOLAZSKYY report, which contained significant proposals to change the way estate duty is paid in the country. To date, National Treasury has implemented only some of the committee recommendations. One of which was to increase the estate duty to 25% on estates valued above R30m. Other changes the Davis committee proposed included a change to section 4q of the Estate Duty Act, which involves cancelling the deduction of the full value of a property, that accedes to the surviving spouse, from the estate of the deceased. The suggestion was that this should be replaced with a substantial rebatement. Another suggestion by the
committee is that donations made before death should no longer be exempt from donations tax. The committee also found that taxpayers were using trusts to reduce income and avoid paying estate duty and proposed instead a flat tax rate of 41% on all discretionary income in a trust. The committee also suggested that where an interest or low interest loan existed between a trust and connected person, the assets of the trust should be brought into the estate of the taxpayer for tax duty purposes. The Davis committee did not provide details on a potential wealth tax, but said it would conduct further investigations regarding its
implementation. According to research by Chatterjee, Czajka and Gethin — Taxing wealth in a context of extreme inequality legacy: The case of SA — the unequal distribution of wealth in SA would make a wealth tax an efficient policy to aid fiscal sustainability. The authors estimated the potential revenue that could be collected from a progressive wealth tax on the richest 1% could amount to R160bn. The authors found that the top 10% own 86% of total wealth in SA and the top 1% own 55%. The top 0.01% (3,560 individuals) own about 15% of household wealth, greater than the share of wealth owned by the bottom 90% of the population as a whole (32-million individuals). The average wealth of the poorest 50% is negative in that their debts exceed their assets. They noted that wealth inequality remained stable at extreme levels since the end of the apartheid regime. SA, alongside the rest of the world, is now actively looking at ways to address the devastating economic and social impact of the pandemic, with new and innovative ways to collect revenue currently being studied, proposed and implemented. The recommendations of the OECD paper on inheritance tax, in line with Davis committee proposals, could become applicable in some form in the SA context.
China ban a chance for wine exporters Donvay Wegierski Werksmans Attorneys China reportedly implemented antidumping duties on Australian wines recently, introducing import tariffs of 100% to 215%. Understandably this will have dealt Australian wine producers exporting to China a severe blow. Australia is a significant trader with China. Even though China produces some of its own wines, it continues to import a significant range from all over the world. Curtailment of Australian wine imports means further opportunities for other wine growing regions to sell their wines in China. Exporters are reminded that intellectual property, in this case trademarks, are both territory and class specific so the filing and continued maintenance thereof in all relevant territories is essential. Further, since China’s trademark regulations
make provision for brand owners to deal with trademarks filed and registered in bad faith, termed “malicious trademarks” in the regulations, the following considerations are key for comprehensive protection: a) Is the scope of your trademark registration adequate? In China it is possible to file a trademark in three different forms — that is, in “first language” (majority being in English), Mandarin and the transliteration which is the way the local audience would recognise your brand, and it is also the most common method by foreign entities to develop a Chinese language mark and tradename. Three forms of a mark can make it difficult to monitor unauthorised use. So if your mark is used, or proposed to be used, in a variety of ways in China, consider registration in each form. Classes 29-33 are the food and beverage classes, 33
being the most relevant class for alcoholic beverages, in particular wine, while class 32 is the relevant class for nonalcoholic beverages and beers. The Covid-19 pandemic has accelerated online prevalence with increased social media presence, online marketing and communications, particularly for FMCGs. It is highly recommended that protection extends to include service class 35, namely advertising; marketing consultancy in the social media field; marketing services; presentation of goods on communication media and the provision of an online marketplace for buyers and sellers of goods and services. b) What if someone else owns your mark? Before filing a trademark, searches of the relevant registers are recommended which may also reveal your mark belongs to an unrelated third party. Unfortunately this practice is common, particu-
larly in China, often by an existing/past and/or future agent or distributor. In 2019, the Chinese Trade Mark Regulations introduced several key amendments in particular Article 4 which concerns “the application for registration of a malicious trademark that it not intended for use should be rejected”. Article 33 and 34 in turn extend the provisions for trademark oppositions and/or invalidations to also include the definition of “malicious trademarks”. The following can be indicative of a “malicious trademark”: ● The mark is identical and/or similar to another trademark with a reputation; ● The applicant/registrant has a history of infringements and/or the filing of other marks; ● There are previous decisions or judgments against the applicant or records of prior recognition of malicious trademark registrations;
● Trademarks have been filed in bulk. c) What remedies are available against “malicious trademarks”? If someone else owns your mark, your preferred agent or distributor may be reluctant to act on your behalf. Customs may also require proof of your ownership. As a consequence of Article 4 there are several remedies available to brand owners depending on the whether the mark is a pending application or is registered: ● Application — in this case if an application for the mark has been made but not yet been published, a trademark opposition can be filed once the application is published in the Chinese Trade Mark Journal. If not yet published, a watch should be implemented so as to alert you when published; ● Registration — in this case the mark is already registered therefore it will be necessary to apply to invalidate
the malicious mark, filed in bad faith. Nonuse cancellation proceedings can also be instituted provided the mark has not been used for at least three years in China.
SAFEGUARDS
● Maintain regular contact with agents, retailers and distributors to stay up to date with market trends and to monitor activity; ● Maintain and retain existing trademarks, albeit for defensive purposes; ● Prior searches of the relevant trademark registers are recommended before committing to a new venture and filing your trademark — ask an expert for guidance; ● Consider implementing a trademark watching service — watches can be tailored to certain goods/services, certain countries alternatively worldwide; ● Maintain and retain all evidence of use including exhibition and virtual conference attendance.
7
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Legal checklist for chatbots
These new technologies also have to be Popia •compliant, as they glean reams of personal data Maison Samuels Webber Wentzel
A
rtificial intelligence (AI) and digitisation are transforming the business
landscape. Many new technologies, such as chatbots, are being created to streamline customer engagement. Given the quantity of personal information a chatbot may acquire, how do you ensure your chatbot is Protection of Personal Information Act, 2013 (Popia) compliant? A chatbot is an operating system that simulates a conversation with humans in written or spoken form. This enables the user to interact with digital devices in the same way they would communicate with a real person. These interactions typically take place over messaging applications or may be embedded functions on a website. The chatbot is insentient — it allows you to chat with it about the product or service being offered. A chatbot enables the end user to receive an instant response to a question or issue. The intended result is that the end user saves time, which is intended to increase his or her satisfaction and translate into increased business sales and leads. For example, an e-commerce retail business may consider using a chatbot to direct end users to the specific pages of the website when the end user asks about a particular clothing item he or she wishes to buy, or it will give information on a product when an end user queries the product’s applications. When a business uses a
chatbot, a lot of real-time data about end users may be obtained during the conversation. In some instances, the data obtained includes personal information. Accordingly, if your business uses a chatbot service, you must ensure compliance with Popia, which became fully operational on July 1 2021. There are essentially three parties involved in the chatbot service and it is important to distinguish them to comply with Popia. First, there is the end user, the data subject to whom the personal information relates and who is typically identified through an identifier such as
A DOWNLOAD FEATURE AND THE ABILITY TO REQUEST THE DELETION OF PERSONAL INFORMATION ARE RECOMMENDED a name or identification number. The end user is protected by Popia, and organisations that process the end user’s personal information must comply with the act. Second, there is the responsible party, the organisation using the chatbot service to process the end user’s data for a specific purpose (for the purposes of this article, we will refer to this party as the chatbot customer). Finally, there is the operator, the entity providing the chatbot service to the chatbot customer. The distinction between the latter two parties is important in determining who attracts liability in the event of a data breach.
It is also important to determine the type of information processed by the chatbot, as organisations have a duty to protect personal information under Popia. This includes biometric information (that is, information that identifies a person based on physical, physiological or behavioural characteristics), basic identifying information (name and surname; any identifying number; e-mail address and location ); and information relating to a person’s racial and ethnic origin, religious beliefs and health. The chat session and sharing of personal information will typically unfold in a three-step process. First, before a chat session, the chatbot is able to obtain and identify the end user’s information such as name, location, phone numbers and e-mail addresses. Notably, this may differ from platform to platform. Second, when the chat session has started and the end user and the chatbot are conversing, further personal information or files may be introduced to the chat. Finally, when the chat session is concluded, the chatbot may integrate the data received from the end user with the customer relationship management (CRM) software (which administers interactions with end users) used by the chatbot customer, and other related technologies, to improve business relationships with end users. Considerations for chatbot operators in ensuring Popia compliance There are various measures a chatbot operator and its customers should take to ensure Popia compliance. The con-
BOTS AND THE LAW
/123RF — SEBASTIEN DECORET siderations discussed below should not be considered as exhaustive. ● Purpose — records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected. If a chatbot informs an end user it will be using their e-mail address to provide further information about the chatbot customer’s services, it should be used for that purpose only. ● Consent — importantly, because the chatbot will request personal information from the end user, he/she should consent to the personal information being used, unless there is another justification for the chatbot to process the end user’s personal information. Before the conversation starts, the chatbot should provide the end user with a link to the terms of service, which should include appropriate consent provisions to the processing of the end user’s personal information.
● Access to and deletion of information — Popia provides data subjects with the right to request access to their personal information once collected. It is common practice to enable the end user to download their data in digital form by making use of a query and response format in the chatbot. Further, Popia provides data subjects with the right to request the deletion of their information. The end user may be provided with an option to request that his, her or its personal information be deleted. A download feature and the ability to request the deletion of personal information are recommended features to enable Popia compliance. ● Automated decision making — a data subject may not be subject to a decision that may adversely affect him/her, which is based solely on the automated processing of personal information. Therefore, it is prudent that chatbot operators ensure
there is human oversight or involvement over the chatbot. ● Transborder information flows — the chatbot customer should determine whether any personal information is being transferred to a third party outside SA when using the chatbot service. A responsible party may not transfer personal information of a data subject to a third party who is in a foreign country unless certain conditions are met. Though chatbots are innovative and transform aspects of the online business landscape, it is crucial to consider the rights of the end user, and the obligations of the chatbot customer and provider under Popia. The purpose of Popia is to protect the constitutional right to privacy. However, this should not stifle innovation, and organisations using chatbots and those that provide this service should receive appropriate legal advice to ensure Popia compliance.
Home offices claims may be problematic Jonathan Goldberg & Jerry Botha Global Business Solutions and Tax Consulting South Africa As the Covid-19 pandemic continues, the ability of employees using home offices to deduct related expenses from their income needs to be investigated. The legal consequences — from an employment law perspective — are that, provided there is clarity on the rules and regulations around working from home, this should be encouraged as per
the Disaster Management Act. Employees may claim home office expenses as a deduction if they meet the requirements of the Income Tax Act. The home office must be specifically equipped with the instruments, tools and equipment required by employees to perform their duties. In addition, the home office must be used regularly and exclusively for work purposes. Finally, employees must work at the home office for more than half of their
working time during the year of assessment. The home office expenses that employees may claim are limited to rental, repairs and expenses incurred in relation to the property, as well as wear and tear on office equipment used for work purposes. However, expenses incurred in relation to the entire property must be apportioned in accordance with the floor area of the home office. To claim the deduction employees must submit, with
their income tax return, copies of their employment agreement, the employer’s work-from-home policy, a letter by their employer and proof of the expenses. Regarding the letter, the employer can only confirm the employment agreement permits an employee to work away from the employer’s premises and that they were not present at such premises for a particular number of days. Employees must take note that the deduction claimed will have an effect on the cap-
ital gains tax when they sell their home. The part that was used as a home office will be apportioned for nonresidential use, and the R2m primary residence exclusion will not apply thereto.
BLENDED APPROACH
A lot has been said about occupational health and safety and that the home work environment should also subscribe to the basic minimums of occupational health and safety. These are complex issues that need to be sorted out as it would seem a
blended approach to work is going to continue from many employees and potentially become the new norm. One of the biggest battles will be getting people back to work when the majority of the population is vaccinated. Internationally, we see many organisations struggling to do that where the vaccine rollout has been successful. People have become used to — and love — the blended type approach and this is going to cause several employer/employee problems going forward.
8
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
How far are we with the NHI rollout?
JUST THE MEDICINE
There are certain objectives that must be met •before phase 1 ends on or before December 31 Neil Kirby & Helen Michael Werksmans
N
otwithstanding the attention that has come to be focused on the Covid-19 pandemic, preparations continue in respect of the implementation and establishment of National Health Insurance (NHI) in SA. In this regard, we are guided by the provisions of the National Health Insurance Bill [B11-1019]. While the bill remains a bill and is not enforceable as a matter of law, the bill contains various transitional arrangements, which are set out in clause 57. The transitional arrangements are divided into two phases. There is arguably not much time within which to substantively achieve the requirements that are described in the bill for the completion of phase 1. In terms of clause 57(2)(a) various tasks are set out in respect of what must be achieved during the course of phase 1. These tasks are described as follows: “(i) continue with the implementation of health systems strengthening initiatives, including alignment of human resources with that which may be required by users of the fund; (ii) include the development of National Health Insurance legislation and amendments to other legislation; (iii) include the undertaking of initiatives which are aimed at establishing institutions that must be the foundation for a fully functional fund; and (iv) include the purchasing of personal health care services for vulnerable groups such as children, women, people with disabilities and the elderly.” It is not clear from the provisions of the bill how one is to measure the successful implementation of the tasks or initiatives set out in clause 57(2)(a), more particularly with reference to the relatively vague wording used in the clause. If one is to have regard to the wording used in clause 57(2)(a), then one is required
to have a clear understanding of the following concepts: ● The “strengthening initiatives” currently in place, the structure of those initiatives and the goals such initiatives are arguably required to attain; ● The current status of other pieces of legislation to be amended so as to facilitate the existence of an NHI scheme and the nature of the amendments concerned with reference to the provisions of those pieces of legislation and the provisions of the bill; ● The particular institutions that are to be the foundation of a fully functioning NHI scheme, more particularly with reference to the committees that are referred to in clause 57(3) of the bill and dealt with in more detail below; ● The particular human resources required for purposes of operating a substantively successful NHI fund, based on what will be
CLAUSE 57(3) DEALS WITH WHAT INTERIM COMMITTEES ARE TO BE ESTABLISHED TO ADVISE THE HEALTH MINISTER required by users of the NHI scheme and, more particularly, with reference to what it is that users will be able to access in terms of healthcare services provided by the proposed NHI scheme. Clause 57(3) of the bill deals with what interim committees are to be established to advise the health minister on the implementation of an NHI scheme. These interim committees are described as the national tertiary health services committee, the national governing body on training and development, the ministerial advisory committee on healthcare benefits for NHI and the ministerial advisory committee on health technology assessment for NHI. Each of the committees is afforded a mandate in clause 57(3) of the bill. However, the various committees are
described as interim committees in the bill and are thus intended to be precursors to final committees to be established presumably once the bill becomes an act. Clause 57(4) of the bill sets out certain objectives that must be met during phase 1 and therefore on or before December 31 2021. Primarily, the objectives are concerned with the structuring of certain components of the NHI scheme, which are arguably designed to create the foundation of such a scheme. All in all, there are eight objectives to be achieved during the course of phase 1. These objectives include: ● The migration of central hospitals that are otherwise funded, governed and managed nationally to “semiautonomous entities” — albeit that the term “semiautonomous entities” is not defined in the bill and the precise intended status of central hospitals is therefore largely unknown; ● The structuring of the contracting unit for primary health care at a district level “in a co-operative management arrangement” with the relevant district hospital/s, which hospital/s is/are, in turn, linked to a number of primary health-care facilities. The precise terms and conditions of a “co-operative management arrangement” are not detailed in the bill; ● The establishment of the NHI fund, including its governance structures — bearing in mind the fund is to be established in terms of clause 9 of the bill, which, in turn, contemplates that for the fund to be established, the bill will have to become effective legislation, which is not one of the objectives contemplated during the course of phase 1; ● The health patient registration system needs to be established as contemplated in clause 5 of the bill and, once again, one is required to have clause 5 of the bill enacted into law for its provisions to take effect legally and for the proposed registration system to be established in accordance with the principles of legality that emerge from the constitution and various pronouncements by
/123RF — SUNTORN NIAMWHAN the Constitutional Court; ● The process for the accreditation of health care providers who are to provide services to users of the NHI scheme, which includes the requirement of the inspection and certification of health establishments by the Office of Health Standards Compliance. But, once again, the process for accreditation of both health establishments and health care providers, for purposes of providing services to users of the fund, is a feature of the bill that will be required to become effective law for the particular objective to be achieved; ● The purchasing of health care services benefits by the fund. Such services are described in the bill as both primary health care services and hospital services as well as other clinical support services. The particular primary health care services referred to in clause 57(4)(f) of the bill include maternity and child health care services, which include school health services, health services for the elderly and people with disabilities and those in rural communities. Such services are to be provided by contracted health care providers, whom are described as general practitioners, audiologists, oral health practitioners,
THE VARIOUS COMMITTEES ARE DESCRIBED AS INTERIM COMMITTEES AND ARE PRECURSORS TO FINAL COMMITTEES
optometrists, speech therapists and other designated providers at a primary health care level “focusing on disease prevention, health promotion, provision of primary health-care services and addressing critical backlogs”. Particular hospital services and other clinical support services are also dealt with in clause 57(4)(g), where there is an implied indication that the purchasing of hospital services and other clinical support services will be an expansion of those services referred to in the bill as primary health care services; ● Various pieces of legislation are to be amended. These pieces of legislation, which are currently in effect, are identified in clause 57(4)(h) of the bill and include the Medical Schemes Act No 131 of 1998, as amended, the Traditional Health Practitioners Act No 22 of 2007 and the Medicines and Related Substances Act No 101 of 1965, as amended. Of interest and importance to potential users of the NHI scheme is clause 57(5), which contemplates that the objectives to be achieved in phase 2, which is described as operating from 2022 to 2026, must be achieved on the basis of a system of mandatory prepayment. It is unclear from the provisions of the bill when a system of mandatory prepayment by users will be implemented — bearing in mind the term “mandatory prepayment” is not defined in the bill. Presumably, to achieve the particular objectives that are included in phase 2, a system of mandatory prepayment may have to be introduced sooner rather
than later to secure the requisite funds prior to the commencement of phase 2 on January 1 2022. However, the bill is largely silent on when the particular steps contemplated in phase 1 are to be taken and the consequences should the time periods stipulated for phases 1 and 2 not be met as a result of external factors, including prevailing pressure on the department of health in order to deal with the Covid-19 pandemic and a successful roll-out of an appropriate
THERE ARE MANY I’S TO BE DOTTED AND T’S TO BE CROSSED, FROM A LEGAL PERSPECTIVE, FOR THE BILL TO BECOME LAW vaccination programme for the entire country. The bill remains alive and we should be keenly watching the developments that occur to achieve the objectives of phase 1 ahead of the commencement of phase 2 during the course of next year. However, there are many i’s to be dotted and t’s to be crossed, from a legal perspective, for the bill to become law, more particularly a law consistent with existing pieces of health care legislation and, more importantly, the legality provisions imposed by the constitution — a process that, within and of itself, cannot be rushed or manipulated no matter how laudable the objectives of the bill may be.
9
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Trademarks: you gotta have (good) faith
PROPERTY PORTFOLIO
intellectual property in bad faith to •getRegistering an edge on rivals can backfire spectacularly Liézal Mostert ENSafrica
I
n SA, as in many jurisdictions, the concept of good faith (bona fides) crops up a lot. So, for example, to get registration of a trademark, the applicant must have a good faith intention to use the trademark. Once the trademark is registered the owner must use it in good faith in order to keep the registration alive. In the words of George Michael, “You gotta have faith”. Good faith.
THE (BOARD) GAME
A recent EU decision, Hasbro v EUIPO, dealt with an interesting application of the good faith principle. The trademark involved is one we all know, Monopoly. Hasbro is both the manufacturer of the game and the owner of the trademark Monopoly. It has a number of EU trademark registrations for the trademark dating back to 1998, 2009 and 2010. These regis-
trations cover a range of goods and services in classes 9, 16, 25, 28 and 41.
OPPOSITION TO MONOPOLY
In 2011, Hasbro filed a further application to register the trademark Monopoly in the EU in four of these classes: 9, 16, 28 and 41 — only class 25 (clothing) was missing. The application was opposed by a third party who claimed Hasbro had filed it in bad faith. The opponent’s argument was that as Hasbro already had earlier identical registrations covering all the goods and services named in its latest application, one could only infer that the 2011 appli-
HASBRO IS BOTH THE MANUFACTURER OF THE GAME AND THE OWNER OF THE TRADEMARK MONOPOLY
cation was filed in bad faith. The opponent argued that the only possible purpose of the new application was to avoid the hassle and irritation of having to prove actual use if any of its existing registrations were ever attacked on the basis of non-use for five years or longer. This could happen since Hasbro had recently raised its head above the parapet by opposing an application to register the trademark Drinkopoly (more fun probably than Monopoly).
THE COURT
The matter made its way up to the General Court, which decided that the 2011 Monopoly application had indeed been filed in bad faith. The court concluded Hasbro had intended to improperly and fraudulently extend the fiveyear non-use grace period. The company had in its court papers even admitted there was an administrative benefit in being able to rely on later trademarks without the need to prove use. The court
/123RF — BAGWOLD ruled that Hasbro’s intention had been to artificially extend the grace period for non-use, and the fact that it could actually have proven use if required to do so was irrelevant. But everyone’s playing this game. Hasbro argued the refiling of trademarks is a “common and accepted” practice, so common, in fact, that it even has a quaint little name — “evergreening”. But the court was not interested. For starters, the court said the claim of common practice was mere conjecture, and even if it is common practice this does not make it acceptable. Hasbro, said the court, had sought to circumvent a “fundamental rule” of EU trademark law to derive an advantage to the detriment of the system. It had therefore acted in bad faith.
BAD FAITH: A FAIR BIT OF THAT ABOUT
Other examples of bad faith charges being raised: ● Exhibit one: Banksy A claim of bad faith was made in a case involving the graffiti artist Banksy. A greeting card company applied to cancel Banksy’s trademark registration for his famous picture The Flower Thrower. Lots of arguments were raised: there had never been any intention to use the artwork as a trademark; Banksy had himself announced he had no intention of using it; the artwork had never been used as a trademark. But the one that grabbed the headlines was Banksy’s (reckless) statement that “copyright is for losers”, which the court described as showing a “disdain for intellectual property rights”. The court concluded the trademark had not been reg-
istered with a view to engage fairly in competition, but rather with a view to undermine the interests of third parties. So, it had been registered in bad faith. ● Exhibit two: Sky We also saw it in a case involving Sky, where the issue was whether the use of the very broad term “computer software” in a trademark specification can amount to bad faith. Europe’s highest court decided it could if there were no intention to use the trademark on those goods. This was the case here: the court said the intention was to undermine the interests of others, and the company was seeking very broad trademark protection “purely as a legal weapon”. To sum up — keep the faith! Reviewed by Gaelyn Scott, head of ENSafrica’s intellectual property department
Vaccinations help rein in insurance costs Vusi Maswili ASI Financial Services Employers seeking to manage the costs of their group risk cover would do well to actively encourage their employees to have the Covid-19 vaccine as soon as possible, within the government’s structured rollout programme. As an independent financial services advisory, we have seen the group risk and personal insurance providers we work with increase premiums significantly in the last while, as a direct result of the significantly higher mortality rate — and claims rate — caused by the Covid-19 pandemic. All insurers are bound to conduct “own risk and solvency assessments” (orsa) annually, which sees them gathering the data they need to anticipate, understand and manage potential risks, and in turn to implement any
LOWERING RISK
/123RF — DMITRY SERGEEV controls necessary to protect their business strategy. Risks assessed in the orsa include diverse items, which during the current pandemic could vary between operational risks due to more team members working remotely to an increase in death
claims, or even an increase in unpaid premiums due to the impact of lockdowns. Insurers are also affected by factors in the market generally, such as falling equity markets and interest rates that could put pressure on their balance sheets.
While many insurers are implementing new models and shifting their reliance away from traditional channels, we’ve seen many take the difficult decision to implement increases in their group risk premiums. Some increases have been around the 20%-30% mark, but some insurers have implemented increases as high as 150%, in an effort to mitigate the impact of Covidrelated claims already made, and those that are still likely. However, going forward, as part of their ongoing orsa process, group risk insurers are likely to assess what percentage of their clients’ workforces have had the Covid-19 vaccination. Those who have already had the virus are deemed to be high risk as a result of “long Covid”, but those who have not had the virus or the vaccination are also seen as high risk. If an employee group has
a high proportion of members who are seen to be high risk, the insurer is likely to implement higher premium increases, and this will be even more likely if employees are in high-risk demographics, such as those over the age of 50. This will be even more true if most of those older than 50 are higher earners — as they are likely to be — as a claim from the insurer would result in greater cost to them. Those who have had the vaccination are deemed to be lower-risk candidates, but with group risk policy premiums levying a single rate
SOME INCREASES HAVE BEEN AROUND 20%-30%, BUT SOME INSURERS HAVE IMPLEMENTED INCREASES AS HIGH AS 150%
for lives covered, those organisations whose populations are not vaccinated are likely to be expected to pay a higher premium. In companies where costto-company packages are the norm, this could severely impact employees’ net salaries at the end of the month. This is just one proof point of how companies need to have a clear strategy to demonstrate their care for their employees, by offering access to benefits such as retirement planning, group risk, wellness and health. In the current climate, part of that demonstration of care is encouraging as many people as possible to sign up for the vaccination, and to have it done as soon as government’s roll-out programme makes it possible. It’s the smart thing to do for your people, and for your business — and for your country too.
10
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Minister’s plan could choke SA’s data and cloud sector
UP IN THE CLOUDS
Vague proposals to tackle competition fall outside •Ndabeni -Abrahams’s ambit and complicate matters Heather Irvine & Tshidi Vilakazi Bowmans
I
n April 2021, communications & digital technologies minister Stella Ndabeni-Abrahams published a draft policy document as part of the government’s efforts to develop frameworks to harness the economic and social potential of data and cloud computing. While the draft policy proposes a number of interventions falling within the scope of Ndabeni-Abrahams’s powers in terms of the Electronic Communications Act (ECA), some of the actions proposed, including amendments to the Competition Act 89 of 1998 (Competition Act), fall outside her portfolio and fail to take existing legislative tools into account. The draft policy refers to a draft paper published by the Competition Commission in 2020 titled “Competition in the Digital Economy”, which identified a range of potential competition issues in various online markets. For example, the commission identified that control of or access to significant amounts of data can be a source of market power: “Owing to the central role of data in powering the digital economy, market power — coupled with the ability and incentive to use it — is the most common competition concern arising from datarich entities and other companies that own and process big data. “It could be argued that data is to the digital economy what oil is to the industrial economy. Therefore, any company with significant influence over this all-important resource would need to be kept under scrutiny to avoid it abusing its market power to the detriment of rivals and the competitive process as a whole.” The commission further noted that network effects and economies of scale, driven by big data, can poten-
tially confer market power and a durable competitive advantage. However, the commission recognised that competition authorities have typically not isolated the handling and analysis of data as the source of market power — rather, they have evaluated “theories of harm related to the possession of data”. This would include, for example, if firms in the digital economy engage in conduct that hampers their rivals, such as “self-preferencing, by which digital platforms will give preferential treatment to their own services over the
THE DRAFT POLICY ADOPTS A HOSTILE STANCE TO CLOUD AND DATA COMPANIES, APPLYING ‘BIG EQUALS BAD’ THINKING services of other companies and as such maintain their positions of dominance”. However, the commission noted that further investigation is required to assess whether there is conduct of this nature occurring in SA (or elsewhere, but affecting SA suppliers or consumers). The commission proposed a number of interventions, including a market inquiry into online intermediary platforms (currently ongoing), mapping of the digital landscape of SA, initiating more formal investigations into prohibited conduct under the Competition Act, and enhanced scrutiny by the commission of mergers in the digital world, using an updated “toolkit”. The commission did not suggest that amendments to the Competition Act are required, or that the test for what constitutes anticompetitive conduct in the cloud and data space necessarily needs to be changed. In contrast, the draft policy
adopts a hostile stance to cloud and data companies, applying “big equals bad” thinking, rather than an empirical analysis of the competitive dynamics in SA cloud and data markets. For example, the draft policy notes the data and cloud computing market structure is “dominated by a handful of large multinational companies”, and says “a lack of competition in this market has given consumers few alternative choices for the protection of privacy and none are likely to appear in the near future”. The policy accordingly proposes that “competition law shall be reviewed to address specific challenges relating to dominance by a few established players, and anticompetitive behaviour which might arise within the data and cloud environment, taking into consideration the FAIR (free, accessible, interoperable, reusable) principles of data” and that “legislation shall also be reviewed to ensure local companies have a fair and equitable chance of competing with their global counterparts”. It also suggests that to support competition, the Open Data Strategy should enable the development of a regulatory framework for exportability, interoperability, data portability and data trading and sharing, which should also inform the development of “sector-specific regulations”. Finally, the draft proposes that “sector-specific regulators, supported by policy from relevant departments, shall develop regulatory frameworks to facilitate disruption for the purposes of
IT IS NOT CLEAR WHICH LEGISLATION APPLICABLE TO DATA AND CLOUD COMPUTING MIGHT NEED TO BE AMENDED
/123RF — NEYRO2008 fostering inclusion and reducing market concentration”. These are vague proposals. For example, it is not clear what sort of “disruption” may be required, or why this would necessarily foster inclusion or reduce market concentration (disruption of traditional news sources by social media has arguably increased concentration in the global print sector, for example). It is not clear which legislation applicable to data and cloud computing might need to be amended to enable local companies to compete with global competitors, or what form these amendments might take. This is unfortunate, since the whole reason for issuing policies is to assist companies (and investors) to understand what is likely to happen next, and why. Quite a lot of the legislation that might be relevant to the provisions of these services in SA sits outside of the minister’s portfolio and is therefore beyond the scope of intervention by the minister in terms of her power to make policy in terms of the Electronic Communications Act (ECA). The proposal to amend the Competition Act doesn’t mention the amendments to this legislation in 2019, which give the commission far greater powers to deal with abuses in SA by dominant purchasers and sellers. These could potentially be applied by our competition authorities to tackle any firms abus-
ing their dominant position in the cloud and data space. The draft also doesn’t mention the various actions that already have been proposed by the commission in its Digital Economy paper, using the existing provisions of the Competition Act, some of which are already under way, including the market inquiry into online intermediary platforms and amendments to the commission’s guideline on small mergers to enhance its ability to scrutinise acquisitions that fall below the monetary thresholds. It is also not clear why a new sector-specific regulator and a different set of regulations for this industry is necessary. The experience to date in SA has been that sector regulation is complex and time-consuming. For example, the Independent Communications Authority of SA (Icasa) has concurrent jurisdiction over competition matters with the Competition Commission in the electronic communications space, in terms of the ECA. However, Icasa has so far battled to investigate complaints about anticompetitive conduct by dominant network operators, or to take an active role in vetting mergers involving licensees in terms of the ECA. Most of the enforcement action against dominant network operators and broadcasters to date has been spearheaded by the commission, including through its recent market inquiry into
mobile data prices. However, as Icasa’s parallel inquiry into mobile broadband illustrates, enabling two different regulators to attend to similar tasks under two different pieces of legislation requires significant amounts of co-ordination and is costly. It might be more costeffective and efficient to allow the Competition Commission to apply the existing competition legislation in the cloud and data space, than to introduce more regulators, or develop additional sectorspecific regulations. The draft paper correctly emphasises the need for SA to adopt strategies to exploit the opportunities presented by data and cloud computing, to enable the development of various applications, services and technologies, which in
IT IS NOT CLEAR WHY A NEW SECTOR-SPECIFIC REGULATOR AND A DIFFERENT SET OF REGULATIONS IS NECESSARY turn can be harnessed to address challenges of service delivery and economic inclusion, and enable SA to become globally competitive. However, we should also recognise that overregulation and ineffective regulators may stifle innovation, hamper growth and job creation, and deter investment.
11
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
SA monitors EU trademark developments
WHAT YOU SEE, WHAT YOU GET
It is important to keep abreast of what happens in •Europe because of the similarities in legislation Ilse du Plessis ENSafrica
I
t makes sense for us to keep an eye on trademark developments in Europe because South African trademark law is similar to EU trademark law and there’s far more activity in the EU. South African courts do, of course, often consider EU trademark judgments. Here are a few recent cases:
Rounded curves, thicker lines and a horizontal orientation … was the judge’s mind wandering a little? This was an interesting one. It’s probably not often that a perfume house and a computer giant come into conflict, but they managed to do so in Europe. Huawei filed an application to register the logo that appears above left. The application was in class 9 and it covered a wide range of electronic goods including computer hardware. Chanel filed an opposition to this application. The opposition was based on its logo
(shown top right) and, in particular, a French trademark registration in class 9 in respect of roughly the same goods as Huawei’s application. Chanel also relied on a French registration for its logo mark covering totally unrelated goods (such as perfumes), coupled with a significant reputation. Chanel alleged there was a likelihood of confusion between the marks. It also claimed there would be dilution and unfair advantage that could be detrimental to the distinctive nature or repute of its mark. The first hurdle, of course, was to establish that the marks are indeed similar. No easy task. Chanel claimed there was a high degree of
THE COURT WENT ON TO SAY THE TWO MARKS ‘SHARE SOME SIMILARITIES BUT THEIR VISUAL DIFFERENCES ARE SIGNIFICANT’
similarity between the two marks when Huawei’s mark was rotated by 90%. But was that a valid argument? No, said the General Court, notional use of this nature does not come into the enquiry, one must simply consider the form in which marks appear on the Register. It’s not OK to rotate them: “The marks must be compared as applied for and registered, without altering their orientation.” The court went on to say that the two marks “share some similarities but their visual differences are significant”. It went on to explain: “In particular Chanel’s marks have more rounded curves, thicker lines and a horizontal orientation, whereas the orientation of the Huawei mark is vertical.” There were, said the court, also conceptual differences. These related to the fact that whereas Chanel’s mark evokes two letters C, Huawei’s mark evokes a letter H, or possibly two letters U. The court ended as follows: “Consequently the
General Court concludes the marks are different.” It will be interesting to see whether Chanel seeks to appeal this judgment to Europe’s highest court. Our ‘mirroring’ bottles In Venice, they know a thing or two about glass. The Venice Court of Appeal, or as we international trademark lawyers like to say, la corte d’appello di Venezia, has recently ruled in an interesting trademark infringement case. This case involved an EU trademark registration belonging to the Bottega winery for a three-dimensional shape mark. This comprises a
wine bottle in a distinctive gold and pink colour combination, with the bulk of the bottle being gold except for the top which pink. The winery claimed its trademark registration had been infringed by a competitor, the winery Ca’di Rajo, which had also used gold colouring on a wine bottle, albeit a bottle that has a different shape and label to that of Bottega. The court ruled the trademark registration had been infringed, thus providing a good example of how colour can both function and be protected as a trademark. The owner of the Bottega winery said this after the
judgment: “I expect the competition now understands that le nostre bottiglie specchiate, our mirroring bottles, are unique and unmistakable.” Si, certamente! El Clasico, something a little different, but still topical This will be of interest to football lovers. You obviously know El Clasico is the unofficial name given to any match between Real Madrid and Barcelona. You’ll also know these two teams were in the news recently when it transpired that 15 of Europe’s top teams were seeking to form a breakaway super league, a development that would have had a huge (possibly negative) impact on European football. It might also have resulted in meetings between the two Spanish giants becoming quite rare. The 15 clubs quickly washed their hands of this when it became apparent football fans were furious. It now transpires that some enterprising type has applied to register El Clasico as an EU trademark in class 41, the class that covers sporting and entertainment services. But the authorities have rejected this application on the basis of lack of distinctiveness, and an absence of proof of any commercial link between the applicant and the name. The reports on this are sketchy but it appears the two clubs were themselves opposed to the application, although whether the application even reached the stage of formal opposition isn’t clear. Football’s reputation has taken something of a knock, but it will no doubt recover. The decisions we’ve discussed here may one day prove to be influential in SA.
Sars scores points in loyalty card case Herna-Dette van der Zanden AJM Tax Now this is something we don’t witness every day — a tax matter in the highest court of our country. But the parameters of the Constitutional Court’s jurisdiction were entered in the matter between Clicks Retailers (Pty) Limited and Commissioner for The South African Revenue Service (CC) in that leave to appeal ought to have been granted based on section 167(3)(b)(ii) of the constitution — a matter of general public importance. Retail loyalty programmes are well known as 75% of South Africans use them. Ad idem that this is a matter of public importance, since South Africans will be affected, albeit indirectly. It all started with section 24C of the Income Tax Act, 58 of 1962 — whereby an excep-
tion is created to the general rule that expenditure is only deductible in the year of assessment in which the expenditure is actually incurred. With application to Clicks (and her peers) section 24C can be construed as follows. A loyalty programme member makes a purchase and presents her ClubCard at checkout. A contract of sale is manifested and Clicks receives income. Subsequently, the member earns loyalty points which can later be redeemed. These loyalty points are now the contingent matter. Clicks must later give away stock to the value of the “points” accrued, without receiving any further consideration, when you claim your “free” shampoo. Therefore a deduction is claimed for this future financial expenditure to be incurred.
On this said day a second contract is concluded — the redemption contract. Section 24C alludes to the fact that the same contract must create both the income and the obligation to finance future expenditure in order to claim a deduction of that expenditure in the current year of assessment. Clicks wished to claim a deduction based on section 24C, as its way of thinking was that when a customer joins the loyalty programme a “composite contract” comes into existence — it constitutes an indivisible ClubCard contract and a contract of sale. Needless to say, the SA Revenue Service (Sars) was of a different opinion. It held that the income from the contract of sale will be used to finance future expenditure (the giving away of stock at no monetary value), but arising from the redemption con-
tract, a second obligationcreating contract. Upon analysing section 24C, contractual sameness became a disputed element for which both the lower courts and the Constitutional Court turned to the recent Supreme Court of Appeal Big G case (Commissioner South African Revenue Service v Big G Restaurants (Pty) Ltd, 2018). The crux of the case lies in the plain attributable meaning to the word “same”. From Big G we gather that where the income accrues
YOU EARN POINTS WHEN SWIPING YOUR CLUBCARD AT ONE OF THESE PARTNERS. BUT, YOU REDEEM THE POINTS ONLY AT CLICKS
and the future expenditure are contained in a single contract, the scope of section 24C poses no problem. However, when taxpayers seek to widen the ambit to cover arrangements where the income and future expenditure are in separate contracts, but inextricably linked, a little more mind needs to be applied to try to satisfy the “sameness” requirement. An inextricable link indicates sameness, but its mere presence is not sufficient. Important to note is that Clicks has affinity partners including Discovery, NetFlorist and Specsavers. This means you earn points when swiping your ClubCard at one of these partners. However, you are able to redeem the points only at Clicks. The income and future expenditure have a different source. Whether this was the trying characteristic that set
Clicks up for failure, as this is a distinction from other loyalty programmes, will have to be confirmed once we see another loyalty rewards programme challenge section 24C.
DEDUCTION
Take caution that the amount of the said deduction was not in dispute, but rather formed part of the dispute. In colloquial terms, either the deduction would be allowed wholly or not at all. In conclusion, Sars won on the basis that Clicks could not satisfyingly prove sameness to the extent required by section 24C. It is unclear what the exact consequences will be. But since a deduction is no longer applicable, companies will inevitably consider the viability of these rewards cards. But one thing is for sure: your loyalty lies with Sars.
12
BusinessDay www.businessday.co.za July 2021
BUSINESS LAW & TAX
Popia 101: what you must do
From ensuring you have consent to reporting data •breaches — here is your key compliance checklist Janet MacKenzie & Reinhardt Biermann Baker McKenzie, Johannesburg
F
rom July 1 2021, the substantive implementation of key provisions of the Protection of Personal Information Act (Popia) became enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the crossborder flow of personal information, introduces mandatory obligations to report and notify data breach incidents and imposes statutory penalties for violations.
COMPLIANCE CHECK
Can you answer yes to the following questions? ● Have you completed your data processing and protection due diligence and impact assessments? ● Have you secured valid consents to use the data of your data subjects? ● Have you entered into a contract with service providers who process your customers’ personal information to ensure they are Popia compliant? ● Have you appointed an information officer? ● Do you know how to address data processing operations that trigger material data protection risks? ● Do you know what to do if you experience a breach? ● Are you able to prove you are Popia compliant?
● Are privacy rules now embedded in your technology and business practices? ● For cross-border transfers, do you know how to transfer and process personal data of EU residents, and are you able to transfer personal data from Africa to the EU? ● Have you identified and engaged with lead supervisory authorities regarding privacy law in all the jurisdictions in which you operate? ● Have you considered privacy law enforcement and sanctions — both in terms of hefty monetary fines and reputational disasters? ● Have you met the eight conditions for processing personal information?
THE INFORMATION OFFICER MUST BE REGISTERED … TO PERFORM THE DUTIES AND RESPONSIBILITIES SET OUT IN POPIA There are eight conditions for the lawful processing of personal information according to Popia and your business should now have ensured it is able to meet all of these eight conditions. 1. Accountability — your business is responsible for ensuring the conditions for lawful processing are met. 2. Processing limitation — your business must process personal information lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data sub-
ject’s consent, unless certain exceptions apply. 3. Purpose specification — your business must process personal information for a specific purpose and adhere to the retention and restriction of records provisions in Popia. 4. Further processing limitation — further processing of information must be compatible with the purpose of collection. 5. Information quality — your business must take reasonably practicable steps to ensure personal information is complete, accurate, not misleading and updated. 6. Openness — your business must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure the data subject is aware of certain information. 7. Security safeguards — your business must: (i) secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures; (ii) in terms of a written contract, ensure the operator who processes personal information for the business, establishes and maintains security measures; and (iii) as soon as reasonably possible after the discovery of a compromise, notify the information regulator and the data subject. 8. Data subject participation — your business must allow a data subject to access and correct its personal information. Your business may also be required to correct, delete or destroy personal information.
FOR THE RECORD
tomer of the business: ● If your business obtained the contact details of the data subject in the context of the sale of a product/service; ● For purposes of direct marketing of your business’s own similar products/services; and ● If the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality.
BREACH NOTIFICATION UNDER POPIA
/123RF — CONVISUM
FURTHER IMPORTANT ISSUES TO CONSIDER
The information regulator has published a guidance note in respect of the appointment of information officers and deputy information officers. Though Popia does not require an information officer to be a local person, the guidance note provides that to ensure accessibility, the information officer of a multinational entity based outside SA must authorise any person within SA as an information officer. Popia also provides for the appointment of deputy information officers. The information officer must be registered with the information regulator to perform the duties and responsibilities set out in Popia. The person authorising any person as the information officer of a juristic person retains the accountability and responsibility for any power or the functions authorised to that person. The names and contact details of a company’s information officer and deputy information officer will be made available on the
information regulator’s website.
THE MANUAL
A manual in terms of section 51 of PAIA is also required. The manual must be lodged with the information regulator and it must be made available on the company’s website.
DIRECT MARKETING
Popia requires an “opt-in” system for direct marketing. From July 2021, businesses will be prohibited from approaching consumers for the purposes of direct marketing, unless: ● The business has obtained consent; or ● The consumer is a customer of the business.
CONSENT
Your business may approach a data subject only once to request their consent: ● In the prescribed Form 4; and ● If consent was not previously withheld. Your business may process the personal information of a data subject who is a cus-
If your business experiences a data breach, it must notify the information regulator and the data subject, where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person. This notification must be made as soon as reasonably possible after the discovery of the compromise and you can only delay the data subject notification if certain exceptions apply. In terms of the obligations of business operators, any person who processes personal information on behalf of another business (that is, the responsible party), in terms of a contract or mandate, must notify that business immediately where there are reasonable grounds to believe personal information has been accessed or acquired by any unauthorised person. With data fast becoming the new gold for businesses around the world, businesses that ensure they are processing and protecting this personal information correctly will not only ensure they are legally compliant, but will also be equipped to successfully navigate the digital new normal, while maintaining the loyalty and trust of their most valuable assets — their customers.