This document summarizes a presentation on managing legal risks related to social media in the workplace. It discusses four main risks: [1] defamation, [2] breaching confidentiality, [3] misuse of personal information, and [4] infringement of intellectual property rights. For each risk, it outlines steps to eliminate, mitigate, share, or accept the risk. It also provides an overview of the Electronic Communications and Transactions Act and Consumer Protection Act in South Africa and how they relate to social media and consumer rights.
1. PART 1
Managing the Legal Risks:
Social Media in the Workplace
Andrew Allison, Quirk
Disclaimer: This presentation has been prepared for the sole use of the delegates who attended the
workshops held by Quirk Education in CT and JHB on 3 and 5 April 2012. Furthermore, no information
contained in this presentation shall be construed as advice – it is for educational and information purposes
only and is provided on an "as is" basis. You accordingly assume total responsibility and risk for your use of
and reliance on the presentation.
2. If you want to
learn about
risk, give
mining a try
13. What is
vicarious
liability?
Strict – or “no fault” - liability of an employer for
the conduct of an employee acting in the
course and scope of employment
20. Defamation
Confidentiality
4 specific
risks
Personal
Information
Intellectual
Property
21. Defamation
Confidentiality
1st risk
Personal
Information
Intellectual
Property
22. Defamation
“the intentional and wrongful publication of words or
behaviour to a third party which has the effect
(objectively viewed) of injuring or undermining a
person’s or entity’s good name, status or reputation”
23. Defamation
The internet has increased the scope of and risk
associated with defamation
There are now more ways in which publication may
occur
24. Remember
Defamation includes the repeating, confirmation or
proliferation of defamatory content…
…so beware of republishing, email forwarding, linking
and retweeting
25. Key criteria
Once publication has been established, it is
presumed that publication was:
> intentional
> wrongful or unlawful
26. Defences
Against wrongfulness: truth for public benefit, fair
comment, privilege, consent and necessity
Against intent: mistake, jest, intoxication and insanity
44. Defamation
Confidentiality
3rd risk
Personal
Information
Intellectual
Property
45. The right to privacy is protected by the
Constitution
However, there is currently no umbrella law
governing privacy of personal information in
South Africa
46. Chapter 8 of ECTA contains a data protection
“Code of Good Practice”, but compliance is
voluntary
If adopted, the principles should be included in
website privacy policy and consequences of
breach should be clearly stipulated
47. By contrast, the UK’s Data Protection Act has
been in effect since 1998 and gives effect to
the EU Data Protection Directive
48. Enter the Protection of Personal Information
Bill (POPI)
…to be discussed in more detail later
50. Direct
marketing
Opt out
ECTA (section 45) and the CPA (section 11) both require
direct marketers to provide recipients with an option to “opt
out”
The CPA envisages an “opt out” registry (like that of the
DMASA), but this has not yet been implemented
51. Direct
marketing
Opt out
DMASA and ISPA Codes of Good Practice both endorse an
“opt out” system
.
52. Direct
marketing
Opt in
POPI, however, will implement an “opt in” framework,
mirroring the approach being adopted in Europe
53. Direct
marketing
Opt in
Direct marketing will be prohibited except:
> with specific consent of the data subject
> to customers, where:
> the processor has obtained personal information in the context of a
sale
> for marketing of processor’s similar products/services
> if data subject has been given opportunity to object or opt out (free
of charge)
54. Direct
marketing
Soft opt in
In the UK, the implied “opt in” is known as a “soft opt
in”
It applies also in the context of negotiations leading
up to a sale
61. Defamation
Confidentiality
4th risk
Personal
Information
Intellectual
Property
62. What is IP?
“A work or invention that is the result of
creativity, such as a manuscript or a design,
to which one has rights and for which one may
apply for a patent, copyright, trademark, etc.”
65. What is
copyright?
“A proprietary right which arises automatically
when an author reduces an idea to a material
form”
66. What is
copyright?
No requirement for registration (in SA)
Copyright can be:
> assigned (must be in writing and signed)
> licenced
67. What is
copyright?
Copyright persists for 50 years:
> from date of publication (for companies)
> from the death of the author (for natural persons)
68. Moral
rights
Moral rights vest in the author/creator of copyrighted
works
Cannot be assigned, but can be waived
69. Moral
rights
Moral rights include:
> the right to attribution (paternity)
> the right to integrity
70. Breach of
copyright
Breach or infringement of copyright may be:
> direct (guilty knowledge is not a pre-requisite)
> secondary/indirect (unauthorised dealing)
> contributory (facilitation of infringement)
71. Important!
Copyright in work produced by employee in the
course of employment vests with employer
Online properties often comprise of many different
copyrighted assets
73. What is a
trademark?
A mark which distinguishes a person’s goods or
services (requirement of distinctiveness)
Must be registered with CIPC and renewed every 10
years
74. Breach of
TM
Infringer’s mark is confusingly similar in respect of
the same goods/services (reasonable likelihood of
confusion)
Infringer’s mark is identical or similar to a registered
mark in respect of similar goods or services
75. Breach of
TM
Dilution of trade mark:
> by blurring (dilution of uniqueness; may be
different or non-competing goods/services)
> by tarnishment (negative/offensive use of TM)
76. Meta tags
and PPC
A common sense approach should be employed
(certain bona fide uses protected under Trade Marks
Act)
> purely descriptive purposes (advertising
products on an e-commerce site) would generally
be ok
> use of a competitor’s marks to deceive or lure
consumers would generally not be ok
84. “We’re comfortable with people using our images to
build traffic. The point in time when they have a
business model, they have to have some sort of
licence”.
Jonathan Klein
CEO, Getty
98. Purpose:
Why
To enable and facilitate electronic transactions by
creating legal certainty around transactions and
communications conducted electronically
99. Purpose:
How
By:
> developing a national e-strategy for SA
> ensuring recognition and equivalence between
electronic and paper-based transactions
> promoting confidence in electronic transactions
> providing supervision of certain service providers
100. ECTA and
consumers
Chapter 7: Consumer Protection
Chapter 8: Personal Information & Privacy Protection
101. ECTA:
Chapter 7
Section 43
Must give consumers required information, including:
• the price of the product or service;
• contact details; and
• the right to withdraw from an electronic
transaction before its completion,
or consumer can cancel within 14 days
102. ECTA:
Chapter 7
Section 44
Cooling-off period (7 days):
• for contract for goods, from date of receipt
• for contract of services, from date of contract
103. ECTA:
Chapter 8
Voluntary data protection “Code of Good Practice”
Principles must be adopted in whole; cannot be
adopted in part
104. ECTA:
Chapter 8
Section 51
Principles for collecting personal info
> Must have written consent for processing of
personal information
> May not collect unnecessary information
> Must disclose purpose(s) of processing, and may
only process for such purpose(s)
105. ECTA:
Chapter 8
Section 51
> Must keep record of data and purpose for which it
was processed for 1 year
> Must not disclose data (except as required by law)
> Must delete obsolete data
> May use data to compile statistical profiles for
trade, but must not include personal info
106. ECTA:
Chapter 8
Section 50
If adopted, the principles should be included in
website privacy policy or terms and conditions and
consequences of breach should be clearly stipulated.
Remedies for breach of code are as agreed between
the parties.
108. CPA:
Why?
“To promote a fair, accessible and sustainable
marketplace for consumer products and services
and for that purpose to establish national norms and
standards relating to consumer protection…”
109. CPA:
Who?
The Consumer:
> A person to whom goods or services are
marketed in the ordinary course of business
> A user of goods or a recipient or beneficiary of
services, irrespective of whether that person was
party to a transaction concerning the supply of
those goods or services
110. CPA:
Who?
Excluded from the definition of “consumers” are
juristic persons with an asset value or annual
turnover of more than R2 million
112. CPA:
Goods
Includes any literature, music, photograph, motion
picture, game, information, data, software, code,
or other intangible product written or encoded on
any medium, or a licence to use any such intangible
product
113. CPA:
Consumer
Rights
The CPA recognises 8 fundamental rights of
consumers
114. CPA:
Right #1
Protection against unfair discriminatory marketing (at
any step in the sales process)
115. CPA:
Right #2
The right to privacy:
> Restrictions on direct marketing
> “Opt-out” registry to be established
> Already contained in ECTA
116. CPA:
Right #3
The right to choose:
> The right to select suppliers (supply of
goods/services must not be made conditional
upon supply of other goods/services, unless it
would be to the consumer’s benefit to do so)
117. CPA:
Right #3
The right to choose – fixed term contracts:
> Does not apply to transactions between juristic
persons
> Contracts may not exceed 24 months
> Consumer may cancel at any time on 20 business
days’ notice
118. CPA:
Right #3
The right to choose:
> Pre-authorisation of repairs/maintenance:
where supplier takes possession of consumer’s
property to provide repair/maintenance services,
no cost may be incurred without consumer’s
approval of estimate
119. CPA:
Right #3
The right to choose:
> Cooling-off period (direct marketing): consumer
may return goods within 5 business days from the
date of contract or the date on which goods were
delivered
> This does not apply to electronic transactions
(7 day cooling-off period under ECTA)
120. CPA:
Right #3
The right to choose:
> Right to cancel advance reservation, booking or
order (reasonable deposit and cancellation
charges may be levied)
121. CPA:
Right #3
The right to choose:
> The right to choose/examine goods (must
materially correspond with descriptions/samples)
122. CPA:
Right #3
The right to choose:
> Unsolicited goods may be kept/returned unless:
• supplier advises of error within 10 business days
and collects goods within 20 business days; or
• goods have clearly been misdelivered and
supplier fails to collect after 20 business days
notice by the recipient
123. CPA:
Right #4
The right to plain/understandable language:
> To be aimed at the ordinary consumer of the
class of persons for whom the information is
intended (average literacy skills; minimal
consumer experience of the particular
goods/services)
124. CPA:
Right #4
The right to plain/understandable language:
> Price must be disclosed (subject to s43 ECTA)
> Product labelling and trade descriptions must be
accurate and not misleading
125. CPA:
Right #5
The right to fair/responsible marketing:
> General standards (must not be false,
misleading, deceptive, fraudulent)
> Bait marketing is prohibited
> Negative option marketing is prohibited
126. CPA:
Right #5
The right to fair/responsible marketing:
> Competitions
• Must be conducted fairly
• Promoter may not require consideration to be
paid for entry to a competition
• Promoter must prepare competition rules
• The competition and the draw must be audited
127. CPA:
Right #5
The right to fair/responsible marketing:
> Competitions (ineligibility for prizes)
• A winner to whom it is unlawful to supply the
prize
• A director/employee/consultant of the promoter
• A supplier of goods/services in connection with
competition
128. CPA:
Right #5
The right to fair/responsible marketing:
> Competitions (offer requirements)
• Benefit/prize and entry steps must be identified
• Closing date and basis of draw must be defined
• Must state how results will be announced
• List person, place and date at/from which rules
may be obtained and prize will be received
129. CPA:
Right #6
The right to fair and honest dealing:
> Unconscionable conduct
> False, misleading or deceptive representations
> Fraudulent schemes and offers
> Pyramid schemes
> Over-selling and over-booking
130. CPA:
Right #7
The right to fair, just and reasonable t’s and c’s:
> May not include unfair, unreasonable or unjust
contract terms
> Notice of certain terms is required
> Certain prohibited transactions, agreements, terms
and conditions
131. CPA:
Right #8
The right to fair value, good quality and safety:
> Right to demand quality services
> Right to safe, good quality goods
132. CPA:
Right #8
The right to fair value, good quality and safety:
> Implied warranty of quality (s56)
• Irrelevant whether defect is patent or latent (no
more voestoots for suppliers)
• 6 month return period: repair, replace or refund
• Further 3 month return period if goods or
components have been replaced or repaired
133. CPA:
Right #8
The right to fair value, good quality and safety:
> Liability for damage cause by goods (s61)
• Strict product liability (i.e. no fault necessary)
• Liability is joint and several
• Applies to producer, importer, distributor, retailer
• Relates to death, injury, illness, loss of or
damage to property, and economic loss
134. CPA:
Who can
bring a
claim?
> Consumer in personal capacity
> Groups of interested consumers (class actions)
> A person acting in the public interest
> Association acting on behalf of members
> Authorised person acting on behalf of an
incapacitated person
135. CPA:
Penalties
> Damages claim
> Fine
> Imprisonment – up to 12 months (10 years for
disclosure of private information)
> Administrative penalty: up to R1 million or 10% of
annual turnover, whichever is greater
137. POPI
Why?
> To give effect to the Constitutional right to privacy
> To regulate the collection/processing of personal
information
> To provide individuals with rights and remedies
> To establish an Information Protection Commission
138. POPI
Who?
“Data Subject” - a person to whom personal information
relates
“Responsible Party” – any person which, alone or with
others, determines the purpose of and means for processing
personal information
139. POPI
What?
“Personal Information” includes:
> race, gender, sex, pregnancy, marital status, national, ethnic or social
origin, colour, sexual orientation, age, physical health, disability,
religion, belief, culture, language and birth;
> education, or medical, financial, criminal or employment history;
> identifying number, symbol, e-mail address, physical address,
telephone, number or other particular assignment;
> personal opinions, view or preferences (or opinions about individual)
> confidential correspondence
140. POPI
Principles
Like the CPA, POPI is based on 8 fundamental principles of
data protection
141. POPI
Principle 1
Accountability
Responsible party must ensure compliance with Principles
and measures in Act.
142. POPI
Principle 2
Processing Limitation
> Processing must be lawful and be done in a reasonable
manner which doesn’t infringe privacy of data subject
> Processing must, for given purpose, be adequate, relevant
and not excessive
143. POPI
Principle 2
Processing Limitation
Personal information may only be processed (broadly):
> with the data subject’s consent
> if processing is necessary for completion of a contract
> if it protects a legitimate interest of the data subject
> if in compliance with an obligation imposed by law
144.
145. POPI
Principle 2
Processing Limitation
Information must be collected from the data subject,
except:
> where info is contained in public record or has been made
public by the data subject;
> data consents to collection from another source;
> collection from another source would not prejudice
legitimate interest of the data subject
146. POPI
Principle 3
Purpose Specification
> Information must be collected for specific, explicitly
defined and lawful purpose
> Data subject must be made aware of purpose
> Records of information must not be retained longer than
is necessary for achieving purpose of
collection/processing
147. POPI
Principle 4
Further Processing Limitation
> Must be compatible with purpose of collection (Principle 3)
> Must consider relationship with data subject, the purpose
and the further purpose, the consequences of further
processing and the nature of the information
148. POPI
Principle 4
Further Processing Limitation
Will be compatible with purpose of collection if:
> Data subject consents or info is publicly available
> Further processing is necessary to comply with law
> Information is used for historical, statistical or research
purposes and will not be published in identified form.
149. POPI
Principle 5
Quality of Information
Responsible party must take reasonably practicable steps
to ensure that information is complete, accurate, not
misleading and updated where necessary
150. POPI
Principle 6
Openness
Responsible party must notify the Information Protection
Regulator before collecting information (need only be
given once)
151. POPI
Principle 6
Openness
Responsible party must ensure data subject is aware of:
> information being collected and purpose of collection
> name and address of responsible party
> whether collection is voluntary or mandatory
> consequences of failure to provide information
152. POPI
Principle 6
Openness
Responsible party must ensure awareness:
> where information is collected direct from data subject,
before collection (unless data subject is already aware);
> in any other case, before information is collected or as
soon as reasonable practicable after it has been
collected
153. POPI
Principle 7
Security Safeguards
> Responsible party must secure integrity of personal
information in its possession or under its control
> Operators (who process personal information on behalf of a
responsible party) must process information only with
knowledge of responsible party and treat it as
confidential
154. POPI
Principle 8
Data Subject Participation
Data subject has the right:
> to request details of information held by a responsible party
> to request correction or deletion of personal information that is
inaccurate, irrelevant, excessive, incomplete, out of date,
misleading or unlawfully obtained
> to request deletion of a record that responsible party is no longer
authorised to hold