Consumer Law Review_Jan 2013

Published on: Jan 28, 2013

Go Back

January 2013

Dear Consumer Law Review recipient

This is our first CLR for the new year. It would already seem that this year will be the year of privacy law. All indications are that we can expect the Protection of Personal Information Bill to be promulgated in the first quarter. In light of this we continue with our series of introductory articles on PoPI. This time we look at the role of consent and the disclosure of purpose. If you have missed the first three articles you can find them by clicking on ‘newsletters’ at the website.

Last year the Constitutional Court decided to declare s 89(5)(c) of the National Credit Act unconstitutional. This section precluded credit providers from claiming back the loan amount in cases where they failed to register as credit providers. We take a closer look at the judgments and at the rights of credit providers post-s 89(5)(c).

The National Consumer Commission was quiet after the departure of Chief Commissioner Mohlala-Mulaudzi. We wait to see what 2013 holds for the Commission.

As always we include a plain language tip.

May all of you have a prosperous 2013.

Happy reading!

Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Cape Town ( Her practice consists of general regulatory compliance due diligences; training and workshops on regulatory compliance; opinion work on the CPA, the National Credit Act, banking law, gaming and lotteries, insurance, medical law, marketing law, contract law; and plain language drafting.

She conducts regular workshops and training sessions on the CPA and other consumer legislation for businesses and for Law@work, a unit situated within the Law Faculty at the University of Cape Town. She is the co-author of a consumer law textbook and a guide to plain language legal drafting, both of which are to be published by Juta Law.


Please forward any comments and suggestions regarding the Consumer Law Review to

Kind regards

Juta General Law


— Protection of Personal Information: Is 2013 the year?

— Intro to PoPI (part 4): The role of consent

— Credit Law: Section 89(5)(c) if the NCA declared unconstitutional

— Plain language tip

Protection of Personal Information: Is 2013 the year?

For the last year (at least) people have predicted the imminent enactment of the Protection of Personal Information Bill (PoPI). Will 2013 be the year? Here is a recap of where the Bill is at the moment.

PoPI was ‘tagged’ as a s 76 (of the Constitution) Bill, ie a Bill that affects the provinces. This means that it must go through both the National Assembly (the NA) and the National Council of Provinces (the NCOP) before it can be sent to the President for his assent and signature. This is of course a simplification of the process. More information is available on

PoPI crossed the first hurdle when it was approved by the NA on 11 September 2012. It now awaits approval from the provinces and briefings to this end have started to take place. Once the NCOP has passed the Bill, which it probably will, the President must assent to and sign the Bill. It will only become an Act on a date determined by the President by proclamation in the Government Gazette. This date is normally determined in negotiation with the relevant department, in this case the Department of Justice and Constitutional Development. Bearing in mind that preparation for the Act includes the drafting of a host of regulations and establishing the new Information Regulator, it may be a while still. Given that the Bill will apply to all personal information and not just information gathered after its commencement, suppliers will also be given a year after commencement to conform. To be clear, it will not matter that information was gathered before PoPI came into effect. Its rules will also apply to that information.

The Bill is currently before the NCOP’s Select Committee on Security and Constitutional Development. The Committee has indicated that it expects to finish the processing of the Bill in the first quarter of this year.

There are very few businesses that will not be affected by the Bill in some way or another and for some, the gathering and use of personal information is central to their business. Although it seems that there is a lot of time to achieve compliance this is not the case as it will involve an audit to see what personal information is held, why it is needed and how it is gathered, used and stored. Only then can a system be designed and implemented to ensure compliance. This means that adopting a wait-and-see approach is not advisable as the Information Regulator is not likely to give businesses the time they need to ensure a smooth transition, if they do not make use of the time already given.

To motivate why a pro-active approach is best, see Steve Ferguson’s article on (

Intro to PoPI (part 4): The role of consent

This is part 4 of a series of articles aimed at giving an introduction to the Protection of Personal Information Bill. This is what has been written so far:

  • September 2012: When does PoPI apply? The definitions of ‘personal information’ and ‘processing’.
  • October 2012: When is the processing of information lawful? The factual scenarios which justify the processing of personal information.
  • November/December 2012: the obligation to inform the consumer of the (explicitly defined) purpose for which the data is being collected.

(Back issues of the CLR can be accessed by clicking on ‘Newsletters on the website.)

Before looking at the requirements for valid consent, a recap of the role of consent in the gathering and processing of personal information is appropriate. Here are the basic principles:

  • Personal information may not be processed unless any one of the factual scenarios in s 11 is present in the particular case. One of these factual scenarios is where the consumer has given his or her consent to the processing of the personal information.
  • If any of the other factual scenarios are present, consent is not needed. What are these ‘factual scenarios’? The process of personal information will also be lawful if:

                     (1) it is required to conclude or perform the contract,  

                     (2) the party processing the information (the responsible party) is required to do so ‘by law’,

                     (3) the processing protects a legitimate interest of the consumer,

                     (4) the processing is necessary for the performance of a ‘public law duty’ or

                     (5) it is done in pursuit of the legitimate interests of the responsible party. See s 11(1).

  • Consent is therefore not an absolute requirement for the processing of personal information to be lawful. It is simply one method to ensure that the processing is lawful. The only instance when it will be a requirement is when none of the other factors listed immediately above is present.
  • However, if you do have consent, none of the other factual scenarios in s 11 has to be present. In some cases a consumer can also consent to non-compliance with the requirements of the Bill. See for instance s 18(4) which is discussed immediately below.

The next question is what form this consent must take and what must be in it. Here are the basic principles:

  •  ‘Consent’ is defined. It means ‘any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information’.
  • Section 13 provides that ‘personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Section 13(2) read with s 18 provides that the consumer must be made aware of this purpose as well as other information listed in s 18. This is what must be disclosed to the consumer. There are exceptions, one being if the consumer consents to the non-disclosure, but if such consent is not obtained and none of the other exceptions in s 18(4) applies, this information must be disclosed to the consumer. For more on this topic, see Part 3 of this series in the November/December edition of CLR.
  • Informed consent, as required by the definition, would entail consent to the ‘specific and explicitly defined and lawful purpose’. So, the disclosure of the purpose and requesting consent will more often than not be part of the same communication.
  •  A blanket consent to the effect that a consumer consents to all processing of personal information which the supplier deems necessary will probably not comply with the provisions of PoPI.

From a practical perspective a responsible party (the party who processes the personal information) would only want to get consent once and not every time something is done with the consumer’s personal information. What if the purpose for which personal information is processed changes over time? Does the responsible party have to obtain consent again?

  • Such processing is governed by the so called ‘further processing limitation’ in s 15 of PoPI. However, it may be in the responsible party’s interest to treat it as independent processing (ie a new purpose) in which case s 11 and 13 will apply to it.
  • Obviously, further processing will be allowed without further consent if the consumer consented to it initially. Therefore, if a responsible party is aware of the possibility of further processing which will take place in the future it would be advisable to obtain such consent from the outset.
  • In the absence of such an explicit consent the further processing will be allowed if the further processing is ‘compatible’ with the original purpose. Several factors are listed in s 15(2) which will be taken into account when assessing whether the new activity is compatible with the original statement of purpose. These factors are:

                      (1) the relationship between the purpose of the further processing and the original purpose for which the information was collected,

                     (2) the nature of the information,

                     (3) the consequences of the further processing for the data subject,

                     (4) the manner in which the information has been collected and

                     (5) the contractual rights and obligations between the parties.

                     Section 15(3) also contains other factual scenarios when further processing will be allowed.

  • Consent is not a requirement for further processing. Sometimes the further processing will be lawful independently of the original processing in terms of s 11 (see above) or it will be compatible with the original processing in terms of s 15(2) or it will fall under one of the other factual scenarios in s 15(3). However, just because consent is not necessarily needed, does not mean that the consumer does not have to be informed of the processing and its purposes (see s 13 again).

What are the implications for the way in which the consent is obtained? All consents must be formulated as an opt-in. In other words, it will no longer suffice to formulate the consent in such a manner that it is automatic unless the consumer opts-out. The consumer must be aware that they are giving permission for the processing of their information and the purpose for which it will be processed.

Here are some examples obtained online with some editorial comment:

  • A company requires the consumer to provide an ID number before concluding a transaction. It did not do so in the past. This is an example of a statement of purpose:

To protect our customers and ourselves from fraudulent credit card use, we now require you to enter your ID Number, which will be checked on delivery. Thank you for your understanding, please contact [insert] with any queries.

The consumer is not asked to consent. It is simply an explanation of why the new field is required to conclude a transaction. If it is treated as a new (independent) instance of processing, the absence of consent does not make the processing unlawful as it meets one of the other requirements of s 11(1) as the ‘processing protects a legitimate interest of the data subject’. If it is treated as ‘further processing’ one may argue that it is compatible with the original purpose (concluding a transaction) in terms of s 15(2).

  • Often the statement of purpose and various consents are included in a so-called ‘privacy policy’. Typically a webpage would include a link to the privacy statement, but consumers will not be specifically alerted to it. This approach will probably not meet the disclosure requirement of s 13 read with s 18. A phrase in the privacy policy like the following will also not be enough to constitute any form of consent or agreement:

By accessing or using our website, you acknowledge that you have read all of the terms in this policy and that you understand, and agree to be bound by, all the provisions of this policy. Please note that by submitting information via this Website, you consent to the collection, collation, processing, and storing of such information and the use and disclosure of such information in accordance with this privacy policy. If you do not agree to be bound by these terms, please exit this page and do not access or use the website. 

This consent is invalid both in terms of PoPI and the common law:

  • The consent contained in this privacy policy is not ‘specific’ nor is the purpose ‘specific’ and ‘explicitly defined’.
  • Simply including a link to a privacy policy without indicating (at least) that it contains a consent to the use of personal information would not constitute reasonable steps to ensure that the data subject is aware of the processing and the purpose for processing personal information or any of the other information which must be disclosed in terms of s 18(1).
  • If the consumer is not aware of the fact that he or she is consenting and what her or she is consenting to the consent can hardly be informed.The average consumer will not know that a privacy policy contains terms & conditions and a consent.
  • It must be kept in mind that this is a contract, which means that the common-law requirement of consensus must be met. If the consumer is not aware that a link leads to contractual terms, no consensus was reached.

Credit Law: Section 89(5)(c) of the NCA declared unconstitutional

By Elizabeth de Stadler and Paul Esselaar (a partner at Esselaar Attorneys (

In the May/June edition of CLR Paul Esselaar wrote about a decision by the Western Cape High Court in which s 89(5)(c) of the National Credit Act was declared unconstitutional for being inconsistent with the right to property in s 25(1). In other words it was found that the section infringes the lender’s right not to be arbitrarily deprived of property; the property in this case being the right to reclaim the loan amount. This decision was confirmed by the Constitutional Court on 10 December 2012 (National Credit Regulator v Opperman and Others (CCT 34/12) [2012] ZACC 29 (10 December 2012)). See ‘Section 89(5)(c): Breaking the NCA’s big stick’ by Paul Esselaar in the May/June edition of CLR.

It is not necessary to rehash the facts here. Suffice it to say that it involves a loan between two individuals and that the consumer reneged on the loan.

Section 89(5)(c) prescribes that a court must give a particular order in cases where a credit agreement was entered into by an unregistered credit provider; the court has no discretion in the matter. Firstly, the credit agreement must be declared void. Secondly, the credit provider must refund the consumer any money paid. Lastly (and the section says ‘and’), the court must order that ‘all the purported rights of the credit provider under that credit agreement to recover any money paid or delivered to, or on behalf of, the consumer in terms of that agreement are either (i) cancelled, unless the court concludes that doing so in the circumstances would unjustly enrich the consumer; or (ii) forfeit to the State, if the court concludes that cancelling those rights in the circumstances would unjustly enrich the consumer.’

There are many interpretive difficulties arising from the section which are discussed in detail in the judgment (see paras 25 to 56). In the end the court held the following (para 55):

[t]he most plausible meaning of s 89(5)(c) is the one the High Court gave it. The interpretation reflects what common sense tells one the aim of the provision is, in view of the NCA as a whole: consumers have to be protected against uncontrolled credit providers and therefore credit providers are required to register; credit providers who do not register in contravention of the NCA face severe consequences; courts must declare the agreement void and order either that all rights perceived to follow from the agreement (including restitution) are cancelled or forfeited to the state.

According to the credit provider the effect of this provision is to prevent the lender from recovering the money lent thereby limiting the common-law right to restitution. See paras 14 to 18 for a recap of the relevant private law principles, but in short, the right to restitution may already be limited under the common law when a party acted wrongly (the par delictum rule).

The question is whether depriving the lender of his right to claim restitution, in this case to claim the money lent, constitutes an ‘arbitrary deprivation of property’ in terms of s 25 of the Constitution. The court held that the right to claim restitution of the money lent is indeed a form of property (see paras 57 to 64). A deprivation of property is arbitrary ‘when the law does not provide sufficient reason for the particular regulatory deprivation in question, or when it is procedurally unfair’ (para 68). The fact that the court is denied any discretion ‘to decide on a just and equitable order’ due to the peremptory formulation (ie the court must…) results in an arbitrary deprivation of property (para 69). As a result s 89(5)(c) results in the arbitrary deprivation of property in breach of the right set out in s 25(1) of the Constitution (para 72).

Of course, the enquiry does not stop there. The section could have been saved had the court held that the limitation was reasonable and justifiable in terms of s 36(1) of the Constitution. When considering this, the court has to, amongst other things, take into account whether the section uses disproportionate means to achieve its purpose and whether less restrictive means to achieve its purpose are available. The purpose of s 89(5)(c) is obvious. It is a punitive measure which must serve as a deterrent and it must ‘protect the public against unscrupulous lenders’ (see para 70). The court held that s 89(5)(c) is disproportional because it fails ‘to allow a court a discretion to distinguish between credit providers who intentionally exploit consumers and those who fail to register because of ignorance and lend money to a friend on an ad hoc basis’ (para 76). The court pointed out that the common law allows a court a discretion in this regard.

Consequently, s 89(5)(c) was declared unconstitutional and therefore invalid with immediate effect. The court declined the opportunity to read a discretion into the provision as it held that ‘[i]t is preferable for the legislature to address the problematic content of the provision comprehensively, because it is part of an important piece of legislation with laudable objectives, rather than for a court to venture into patch-work legislating.’ (para 84)

So what is the position now? Credit agreements entered into by an unregistered credit provider are still void in terms of s 89(5)(a). In terms of s 89(5)(b), the credit provider must still refund any money paid by the consumer under that agreement with interest. Given that s 89(5)(c) is invalid, the credit provider would be able to claim the amount lent back from the consumer in cases where the requirements for a claim based on unjustified enrichment are met. The success of such a claim would depend, in part, on ‘the circumstances of each case and especially the degree of blameworthiness of the unregistered credit provider’ (see para 85 and the discussion of the common law principles in paras 14 to 18). See Van der Merwe et al Contract General Principles 4 ed (Juta 2012) at page 179 for a comprehensive discussion of the principles which are applied to determine whether a party is entitled to restitution.

This means that unscrupulous credit providers are not necessarily off the hook. A court may still find that the unregistered credit provider is not entitled to recover its performance based on common law principles. This case dealt with a loan between two (presumably now ‘ex’) friends and the lender in this case was not aware of the requirement to register as he was not in the business of lending money (see para 4 of the judgment). If one applies the common law, it is likely that Mr Opperman would be able to claim the loan amount back. The person who is completely bona fide in not knowing that his actions may lead to an illegal contract is not considered blameworthy and is therefore entitled to restitution (see Bhyat’s Departmental Stores (Pty) Ltd v Dorklerk Investments (Pty) Ltd 1975 (1) SA 267 (T) and Wylock v Milford Investments (Pty) Ltd 1962 (4) SA 298 (C) 319). It is likely that a court will be less forgiving in cases where the lender is a juristic person who engages in the business of lending money. 

Whatever the case may be, s 89(5)(c) is no longer valid and any argument that a credit provider is not entitled to restitution will have to be based on the common law.

As an aside: Cameron J gave a dissenting judgment. He faults the majority judgment for ignoring the phrase ‘rights of the credit provider under that credit agreement’ and found that s 89(5)(c) cannot refer to the right to claim restitution as that right does not arise from the agreement. In fact, no rights can arise from the agreement in any event, as it is void and consequently there are no rights that can be forfeited to the state. Thus s 89(5)(c) has no ‘effective punitive force.’ He declined to declare the provision unconstitutional as it is preferable to ‘acknowledge the drafting error, and to leave Parliament to correct it.’ The effect of this decision is much the same as declaring the sub-section unconstitutional. 

Plain language tip

Refer to the parties to an agreement by name

It is often very confusing to refer to the parties other than by their names. Typical pairings would be the ‘Seller’ and the ‘Buyer’ or worse, ‘Lessor’ and ‘Lessee’.

You can improve the readability of a contract significantly by referring to the parties by name. In standard form agreements this will not be possible as the agreement cannot be amended every time a transaction is concluded. There, the same effect can be achieved by referring to the supplier by name and addressing the consumer as ‘you’. An even more direct formulation can be achieved by using ‘we’ and ‘you’. In addition to improving the readability of the document, it creates less distance between the parties and makes it clearer where obligations lie.

The names of the parties or ‘we’ and ‘you’ can still be defined contractual terms in order to ensure that the identities of the parties can be established and to provide for the use of shortened names. We have retained the traditional capitalisation of definitions in the example below even though it creates problems in practice. The use of definitions will be discussed in next month’s CLR.

Here is a simple example:

The original

The Lessor will provide the Lessee with receipts for payments made.

Variation 1

The Landlord Company will provide Mr Van der Merwe with receipts for payments made.

Variation 2

The Landlord Company will provide You with receipts for payments made.

Variation 3

We will provide You with receipts for payments made.

© Elizabeth de Stadler and the Unit for Document Design at the Stellenbosch University Language Centre.




> Click here to opt-in to continue to receive these newsletters.

> Click here to unsubscribe from this communication


> Jutastat e-publications user helpdesk

> Juta Customer Services

> Juta Law Marketing


Jutastat electronic subscribers and print subscribers may receive important service-related information relating to their Juta publications from time to time.

Visit the Juta Law Website

2019 © Juta and Company Ltd