The amendments to the Companies Act, 2008 (Companies Act), which President Cyril Ramaphosa signed into law on 26 July 2024, bring about significant changes to the balance between privacy and public disclosure, in the context of company records. Specifically, the amendments to section 26 of the Companies Act will allow any person, whether a shareholder in the company or not, to access a wide range of company records, without going through previously existing legal procedures or having to provide a reason for why they should be granted such access. The changes are said to advance the ease of doing business in South Africa and enhance corporate transparency – but at the cost of ending mechanisms designed to balance disclosure interests against privacy rights.

Before the amendments, there were two ways a member of the public could gain access to company records. The first was that non-members were only entitled to inspect or copy the securities register or register of directors of a company, on the payment of a prescribed fee. The second was that if a non-member or person without beneficial interest wanted to access more information than just the securities or directors registers, then such request would need to be made in terms of the Promotion of Access to Information Act, 2000 (PAIA).

The right of access to information and the right to privacy are both rooted in the Constitution of the Republic of South Africa, 1996 (Constitution). PAIA was enacted to give effect to section 32 of the Constitution, the right of access to information, whilst the Protection of Personal Information Act, 2013 (POPIA) was enacted to give effect to section 14 of the Constitution, the right to privacy. These rights must be balanced against one another on the principle that no right is absolute and are subject to limitation, to the extent such limitation is reasonable and justifiable. The purpose of PAIA is to foster a culture of transparency and accountability in public and private bodies by giving effect to the right of access to information, whilst still providing mechanisms to allow for a justifiable and reasonable limitation of this right, particularly where a request for information is not in the pursuit of a right that would otherwise be infringed, should such access not be granted. As such, non-members had to prove a legitimate reason or interest as to why such access was required and even then, the company could refuse such a request should one of the grounds for refusal be met.

However, the amendments to the Companies Act have seemingly cut across these different mechanisms, as now any person, with no beneficial interest in a company, has a right to access a number of company records, without having to go through PAIA. The issue with the amendments is that they do not require a reason for access and provides no grounds upon which a company can refuse. As such, companies will be forced to hand over the prescribed documents when requested, with no right of recourse. One has to wonder whether this has negated the purpose for PAIA to some extent as it now seems that one can bypass PAIA completely when it comes to the prescribed categories of company records provided for by the amendments.

On the other hand, POPIA was enacted to promote the protection of personal information and to guard against the unlawful collection, retention, dissemination and use of personal information. These new amendments to the Companies Act have once again sparked the age-old debate of access to information versus the right to privacy and begs the question as to what personal information of a juristic entity really is and whether the nuances of POPIA have been overlooked.

Amendments in brief

The amendments have brought with them a complete overhaul of section 26(2), now entitling persons who do not have a beneficial interest in a company to request access to a company's (i) Memorandum of Incorporation; (ii) records of directors; (iii) reports to annual meetings; (iv) annual financial statements; (v) notices and minutes of annual meetings; (v) securities or members register (as applicable) and (vi) the register of the disclosure of beneficial interest of the company.

In respect of the annual financial statements, the new section 26(2A) contains a proviso that a person with no beneficial interest in a company may not request access to the annual financial statements of a private company, non-profit company or personal liability company in instances where the annual financial statements have been (i) internally prepared in a company with a public interest score of less than 100 or (ii) independently prepared in a company with a public interest score of less than 350.

POPIA and the Companies Act

Although often overlooked, POPIA is just as applicable to companies as data subjects, as it is to natural persons, when it comes to the protection of personal information. In fact, POPIA is unique in this way, as most international data protection legislation (such as the GDPR) do not afford protection to corporate entities. However, this inclusion has led to much debate as to what exactly the legislature meant by ‘personal information’ of a juristic person, as the definition of personal information in POPIA is focused on that of natural persons.

One of the major criticisms of the amendments is that they fail to take into consideration the right to privacy, particularly when it comes to the annual financial statements, securities registers and registers of beneficial interest. Annual financial statements generally contain strategic information of the company, as well as the remuneration of directors, who as a result of the amendments, are now required to be named. Competitors will now be able to access what should be confidential and proprietary information of a company and the fact that salaries can now be linked to specific individuals as a matter of public knowledge could potentially pose a threat to their personal safety. Securities registers are now also required to contain beneficial ownership information, and as a result even more personal information relating to shareholders and other beneficial owners, may be accessible by the general public, which is in direct conflict with the objectives of POPIA.

These issues, as well as a number of other potentially detrimental consequences for companies and the economies within which they operate were submitted to the Department of Trade, Industry and Competition (DTIC) however, the responses and justifications offered by the DTIC on these submissions left much to be desired.

In their responses, the DTIC relied on the judgment of Nova Property Group Holdings vs. Cobett and stated that "section 26 provides an unqualified right of access and that it was enacted with the objectives of openness and transparency in mind". The DTIC also relied on an opinion prepared by senior counsel that section 26(2) is not an infringement on the right to privacy, which opinion has ironically not been made public in the DTIC responses. If one reads the Nova Property Group Holdings judgment, it is apparent that the court was commenting on a specific scenario wherein only the securities register could be requested and it would be absurd to import the logic of the court to the very different landscape that we are now faced with, in light of the amendments. The DTIC's use of this judgment may be misplaced as it gives the impression that the court held that the entirety of section 26 confers a general unqualified right of access, whereas the court's comments were limited to an unqualified right of access to the securities register of a company only. The argument that an unqualified right of access to the securities register would violate shareholders' right to privacy, as it contains their sensitive and personal information, was not accepted by the court on the basis that their rights of privacy and dignity were only minimally implicated, as section 26(2) conferred a narrow right of access. This is clearly no longer the case in light of the amendments. Further, the court held that "where a shareholder's identity number and e-mail address are entered into a securities register then such information may be regarded as confidential and in light of regulatory safeguards aimed at ensuring confidentiality and non-disclosure of such information, there could be no room for abuse".

We note that POPIA was not yet in force when the Nova Property Group Holdings case was decided, however given that it now is in force, and on the basis of the principle set in the Nova Property Group Holdings case, does it mean that companies can redact whatever they consider to be personal information from the records being requested by third parties? If they can, then what information qualifies as personal information in this context? Is it purely information relating to the juristic entity itself, such as its registration number or does the personal information of its directors or employees also qualify? And does redacting this information defeat the object of allowing these records to be requested? Whilst the intention behind transparency and accountability of entities is a commendable one, it is submitted that this should not come at the expense of other rights protected under the Constitution (and POPIA), and the mechanisms available for balancing these rights against one another. It seems logical that the personal information of individuals, such as directors, shareholders and public officers of a company would be subject to protection but what happens when that personal information forms part of a company record that is open for access? At what point is that information considered personal information of a juristic person?

Concluding remarks

Although an effective date is yet to be announced, these amendments will clearly have a significant impact on how companies do business in South Africa going forward. In a recent briefing by the DTIC it was stated that most of the amendments are ready to be implemented but that some may come into effect later than others, due to concerns raised by stakeholders during the parliamentary process and other sections requiring regulations. It is possible that the regulations still to be promulgated in respect of section 26 will provide clarity as to what information can be withheld, if anything, and whose responsibility it will be to ensure such information is redacted, if redaction is allowed.

POPIA imposes stringent requirements when it comes to the security of personal information and where there is a failure in this respect, the responsible party should be held to account. It is therefore surprising that the DTIC has advocated for such unfettered access to information, without ensuring any mechanisms are available to corporate entities to refuse such access, even in circumstances where doing so would be in the pursuit of safeguarding its personal information. It seems that only the right of access to information was at the forefront of the legislature's mind when crafting the amendments and not enough has been shared as to its rationale in satisfying itself that individuals’ and companies’ rights to privacy has been protected.

Written by Ashlin Perumall, Partner and Refentse Chuene, Senior Associate, Baker McKenzie