Data protection and beneficial ownership transparency
The right to privacy in South Africa
South Africa’s right to privacy is enshrined in the Constitution  and has, over the years, been developed and enunciated through case law. It has been made clear that a person’s privacy is breached when, subjectively construed, there is an infringement which is contrary to the person’s will and objectively unreasonable in the sense of being against the general sense of justice of the community, as perceived by the courts.  The scope of an individual’s constitutional right to privacy extends to aspects of their life for which there is a “legitimate expectation of privacy”.  The Constitution extends this right to juristic persons, although not to the same extent as natural persons; this is because juristic persons are not the bearers of human dignity and this right is based on human dignity.  For both juristic and natural persons, courts have considered several factors in determining whether the right to privacy had been infringed, including how the information was obtained; the nature of the information; the purpose for the initial collection of the information and the subsequent purpose for which it was used; the manner and nature in which the personal information is disseminated; and, finally, whether the data subject reasonably expected that the information would not be divulged to a third party without the data subject’s consent. 
POPIA was promulgated to safeguard the right to privacy, especially with regard to the processing of personal information.  Personal information is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”.  The scope of personal information in terms of POPIA includes information relating to the financial history of the person; an identifying number; email address; location information; and a person’s name if it appears with other personal information relating to the person, or if disclosing the person’s name would reveal information about the person.  POPIA also defines what constitutes “processing” as “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information”, including collection, storage, and disclosure of personal information. 
To achieve its purpose, POPIA prescribes eight conditions to be adhered to for processing of personal information to be lawful and, therefore, protect the right to privacy. These are: accountability;  processing limitation and further processing limitation;  purpose specific;  information quality;  openness;  security safeguards;  and data subject participation.  Further to regulating how personal information is processed, POPIA also regulates how special personal information, such as information relating to children, religion, and sexual preferences, should be processed.
Much of the personal information that is kept by responsible parties is kept in the form of databases, as records. Generally, POPIA dictates that records are captured, kept, and maintained:
- only for the purpose for which the data was originally collected;
- only for the length of time for which they are required kept up to date; and
- only used for the purpose for which they were gathered.
It also specifies the disposal of the records. A disposal programme needs to be implemented and then rigidly followed. It is highly risky under POPIA to keep records and not destroy them when their purpose has finished. To help mitigate risk, a structured classification scheme may be developed so that records can be easily identified, stored, retrieved, and managed. This should be designed to cater to records in all formats and in all locations. This is essential if records are to be managed according to POPIA’s terms.
Access to company records
As mentioned above, BOT measures include, amongst other things, collecting and providing access to BO data upon authorised request as well as the FATF’s revised Recommendation 24 requiring that information be collected in a centralised register or an alternative mechanism.  In South Africa, there are laws  that provide access to company records and public disclosure of company information, such as director and shareholder information, which would be classified as personal information in terms of POPIA. Section 26 of the Companies Act grants access to a company’s share register by the public because, according to the Constitutional Court, “the establishment of a company as a vehicle for conducting business on the basis of limited liability is not a private matter”.  There are currently no laws providing for the establishment of a centralised BO register, however, at the time of writing, such policies and legislation are in the process of being drafted and discussed.
South Africa already has jurisprudence supporting access to company records in the spirit of transparency and accountability. During 2016, the Supreme Court of Appeal (SCA) ruled that the shareholding of private companies is not private information.  The SCA considered this case without regard to the application of POPIA because it had not yet fully come into effect. Instead, the court took into account the fact that, in Section 7, the Companies Act gives specific recognition to a culture of openness and transparency, as well as the interaction between Section 26(2) of the Companies Act and the provisions of the PAIA.  Section 26(2) provides that a company’s Memorandum of Incorporation may stipulate additional information rights of any person with respect to information pertaining to the company, however, these rights may not diminish protections of any record, as provided in Part 3 of PAIA. That is, the right conferred by Section 26(2) is additional to the rights conferred by PAIA and does not need to be exercised in accordance with PAIA. Part 3 of PAIA provides for access to records held by private bodies and stipulates the manner in which the information may be provided or when it can be refused. 
Considering POPIA’s inclusion of juristic entities as data subjects, where applicable, public disclosure of a company’s shareholder’s information may be an infringement of the provisions of POPIA. On the other hand, publishing a shareholder’s personal information may in itself be an infringement of the provisions of POPIA. However, it can be argued that Section 11(1)(c) of POPIA permits the processing of personal information where it is necessary to comply with a legal obligation of a responsible party. Because Section 26 of the Companies Act confers on any person other than a shareholder a right to inspect the securities register of a company, it by implication imposes a duty on the juristic person to afford such a person access to allow them to exercise the right. Simply put, the responsible party in POPIA is legally obligated to make this personal information available, and the granting of access to the personal information would have been made in terms of a lawful basis — that is, in terms of the Companies Act. Accordingly, if all other processing conditions stipulated in POPIA are met, then the right to privacy of that person is not infringed upon.
On the other hand, it can be argued that becoming a director of a company does not automatically relinquish a reasonable expectation of privacy regarding one’s identity number and home address. Section 3(2)(a) of POPIA contemplates such a conflict and provides that where other legislation applies to the processing of personal information but is inconsistent with the objectives of POPIA, then the provisions of POPIA would apply. Section 3(3)(b) further provides that the provisions of POPIA should not “…prevent any public or private body from exercising or performing its powers…”. The practical application of this is that Strate,  the CIPC, the deeds office, and other government departments would need to take into account their enabling legislation to determine whether — notwithstanding their enabling legislation — more privacy should be accorded to data subjects than is currently provided.
Further, Chapter 4 of POPIA provides for exemptions from certain processing conditions for the processing of personal information, these being where the Information Regulator grants an exemption in terms of Section 37 when the processing is in the public interest; for national security reasons; and for prevention and detection of criminal offences, or when the processing is in accordance with certain functions as envisaged in Section 38. Important to note is Section 38(2), which defines “relevant function” as the relevant function of a public body or, when conferred on a person, to perform the relevant function with the view of protecting the public from, amongst other things, financial loss, malpractice, or other seriously improper conduct in the provision of banking, insurance, or other financial services or management of bodies corporate. In essence, it is in the public’s interest to be protected from from financial misconduct as envisaged by Section 26 of the Companies Act; ergo, it could be argued that BO disclosure in public registers is, in fact, in the public interest, as has been the legal basis for (public) registers in other countries. However, the question remains as to whether a beneficial owner of a company ought to automatically relinquish a reasonable expectation of privacy regarding all the data typically collected in a BO declaration.
 Section 14 of the Constitution of the Republic of South Africa, 1996.
 Financial Mail v Sage 1993 (2) SA 451 (A), https://www.saflii.org/za/cases/ZASCA/1993/3.html.
 Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) td: In re Hyundai Motor Distributors (Pty) Ltd v Smith NO 2001 (1) SA 545 (CC) at par 16, https://collections.concourt.org.za/handle/20.500.12144/2097; Bernstein and Others v Bester and Others NNO 1996 (2) SA 751 (CC), https://collections.concourt.org.za/handle/20.500.12144/1997.
 Section 8(4) of the Constitution of the Republic of South Africa, 1996.
 1998 (4) SA 1127 (CC) 1145.
 Section 2 of POPIA.
 Section 1 of POPIA.
 Section 1 of POPIA.
 Section 1 of POPIA.
 Section 8 of POPIA.
 Sections 9, 10, 11, and 12 of POPIA.
 Sections 13 and 14 of POPIA.
 Sections 15 and 16 of POPIA.
 Sections 17 and 18 of POPIA.
 Sections 19, 20, 21, and 22 of POPIA.
 Sections 23, 24, and 25 of POPIA.
 International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation: The FATF Recommendations, FATF, 22.
 Section 26 of the Companies Act, 2009.
 Bernstein and Others v Bester and Others NNO 1996 (2) SA 751 (CC).
 Nova Property Group Holdings v Cobbett 2016 (4) SA 317 (SCA).
 Promotion of Access to Information Act No.2 of 2000, https://www.gov.za/documents/promotion-access-information-act.
 Strate is South Africa’s principal central securities depository and central collateral platform. See: “Strate home page”, Strate, n.d., https://www.strate.co.za.