Issue: June - Aug 2013


When personal privacy collides with public interest

PoPI is a law of unintended consequences. The bill should be amended not to defeat disclosure principles of shareholder information.

There appears to be a crazy dichotomy between the Companies Act on the one hand and the Protection of Personal Information (PoPI) Bill on the other. While the Companies Act obliges information on shareholders to be recorded in share registers, where their details are publicly accessible, PoPI seeks to remove “personal information’’ from the public domain.

What then is supposed to be public, and what is considered personal? Is the requirement for transparency trumped by the right to privacy? If not, how are the Companies Act and PoPI to

The answer is a mishmash. Under the Companies Act, any shareholder and any member of the public is entitled to inspect and obtain a copy of the company’s share register directly from the issuer or the company concerned. It’s an offence for the issuer or the company not to accommodate a request for access or unreasonably to refuse it.

There’s a rationale. Ownership of a public company is public information, essential for the public operation of a public market. That’s why, by law, on the register of each company will be each shareholder’s:

  • Name and business, residential or postal address;
  • E-mail address if available (unless the person has declined to provide it);
  • Unique identifying number;
  • Dates on which the securities were bought and sold, with their respective prices;
  • Total number of securities held.

So far, so good. These details are unaffected by PoPI or the Financial Markets Act (FMA). But the disclosure obligation is on the issuer or company. It will presumably have to make a call on the information that’s “personal” and therefore prohibited from disclosure. Selective disclosure, however, could defeat the purpose of having these details recorded in share registers.

Especially worrisome, then, is whether issuers and companies are between a rock and a hard place. When a member of the public requests a copy of a share register, can the issuer or company invite a contravention of PoPI by supplying the full record or a contravention of the Companies Act by supplying only part of it?

Strate, the central securities depository, has an obligation under s52(1) of the Companies Act and s30(2)(s) of the FMA to disclose share-register information only to the issuer or company. This, points out Strate legal counsel Stan Ndleleve, means that Strate’s disclosure of personal information in the share registers to the issuers or companies will not be restricted by PoPI or the FMA.

But it’s clear, Ndleve adds, that Strate does not have a similar legal obligation to disclose personal information in a register to data vendors: “Strate has therefore embarked on an exercise to determine line-by-line our beneficial download (BND) files to ensure that we will not be in contravention of either PoPI or the FMA. As a result, Strate has held numerous workshops with the market to come to a possible solution. It must be understood that there are penalties, which include huge fines and jail terms, for contraventions.”

Data vendors, commonly used by professional investment managers, make Strate information easy to access. Users of their service don’t need to approach the issuer or company directly, but have on tap the full record that share registers provide.

Through this, they can track market-sensitive information; for example, where a big shareholder is buying or offloading, or where a new shareholder appears to be building a strategic stake. They can also drill down through nominee companies to find the beneficial shareholders on the BND files; for example, to solicit proxies for voting at a shareholders’ meeting.

In a nutshell, PoPI and the FMA do not prevent Strate from exercising its functions. But they will influence how Strate distributes it information to data vendors.

At best, it can make the process of accessing shareholder information a whole lot more circuitous and cumbersome. At worst, it can undermine the whole purpose of requiring pertinent information from being disclosed in the share register.

Perhaps it’s not forlorn still to hope that the PoPI drafters, in their wisdom, will hit upon a simple remedy. It’s to exclude from PoPI any provisions that conflict with the requirements of other acts.

Preventing spam and disrupting stockmarket transparency are hardly one and the same.