Uncertainty around companies’ disclosure duties in South Africa under amended Companies Act

The updated section 26 provisions aim to improve public access to company information and enhance corporate transparency in private companies. However, the effective date of the updated provisions and implementing regulations of section 26 has not yet been provided. This is likely due to the contentious nature of the amendments which appear to be in conflict with existing privacy and access-to-information laws. 

In complying with any requests in terms of section 26, companies will need to carefully consider balancing corporate transparency with data protection, handling public requests for company records in a compliant manner, and protecting commercially sensitive information under the newly expanded disclosure obligations. Pending the effective date of the amendments and the publication of the implementing regulations, companies that receive requests in terms of section 26 of the Act should adopt the existing regime, as the amended section 26 is not yet enforceable. Legal advice should be sought to mitigate any potential risks. 

Key changes to disclosure duties

The amendments to section 26 expand the range of company information a third party can request access to such as its memorandum of incorporation, director records, annual financial statements, and the register of disclosure of beneficial interests in the company. In terms of the audited annual financial statements (AFS), the recent amendment to section 30 provides that companies must include the remuneration and benefits received by each individual director and prescribed officer, each of whom must be named. Additionally, the amendments to section 30 introduce a comprehensive remuneration report within the AFS detailing, amongst other things, the company’s pay gap together with the highest and lowest employee earnings.

The disclosure obligations only apply if the company in question is below a certain public interest score.  Companies falling below the public interest score will be exempt from the disclosing their audited annual financial statements. By way of illustration, companies with a score of less than 100 could refuse a third party’s request to inspect their internally prepared financial statements, while companies with a score of less than 350 could refuse to disclose their independently prepared financial statements to third parties. This means that smaller private companies will likely not be affected by the changes to section 26. However, to the extent that a smaller private company is above the public interest threshold, any party – including a competitor – has an unqualified right to access the relevant information.

The amended section 26 also imposes an obligation on companies to respond to requests for access to company records within 10 business days. It is a tighter timeframe compared to the current requirement of 14 business days. Failure to comply within this timeframe may constitute an offence and could result in penalties or legal action.

Conflicts with other laws

The effect of the amendments is that a person without a beneficial interest in a company can, without justification, access an array of company records which may include confidential and proprietary information of private companies. The amendments also appear to bring into question the efficacy of the Promotion of Access to Information Act (PAIA) and Protection of Personal Information Act (POPIA).

Prior to the updated section 26, a company could refuse a request for its memorandum of incorporation, director records, annual financial statements, and the register of disclosure of beneficial interests in the company on the basis that the information was deemed confidential and proprietary under PAIA. PAIA requires a non-member or person without beneficial interest to provide a legitimate reason for requesting such access and allows companies to refuse access based on certain grounds.

The amended section 26 puts into question the efficacy of PAIA which confers additional rights on those requesting access to company records. Section 68 of PAIA provides that a request for company information may be refused by the company if the information requested includes, amongst other things, financial or commercial information other than trade secrets of the company, the disclosure of which would likely cause harm to the commercial or financial interests of the company and information, the disclosure of which could reasonably be expected to put the company at a disadvantage in contractual or other negotiations and/or prejudice the company in commercial competition. Competitors could use information such as individualised remuneration to gain an advantage in the market. The amendments to section 26 of the Act allow any person to obtain the information and companies have no grounds to refuse a request made in terms of the Act.

There are also contentions regarding privacy issues. POPIA was enacted to give effect the right to privacy by safeguarding personal information processed by a responsible party. Personal information is defined as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. In achieving its purpose, POPIA lists certain conditions for the processing of personal information by or for a responsible party. Importantly, personal information may only be processed if, amongst other things, the processing complies with an obligation imposed by law on the responsible party.

Applying the relevant provisions of POPIA against the amended section 26, it is apparent that the two laws may be in conflict. The disclosure of a director’s name, address and identity number may constitute a breach of the provisions of POPIA. Whilst it can be argued that personal information may be processed to comply with section 26 – an obligation imposed by the law – section 3(2)(a) of POPIA provides that POPIA applies to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or specified provision, of POPIA.

The implementing regulations of section 26 must offer guidance on how personal information, such as a director’s or public officer’s identity number or address details, can be protected or whether such information is deemed confidential. Whilst protection is expressly provided for shareholders in the company security register by regulation 32(6), this must be addressed in the implementing regulations as it pertains to directors.  The potential risk is that the disclosure of the personal information in a company’s annual financial statements can result in individuals being targeted by criminals if the information is used improperly.

It is anticipated that the implementing regulations, once promulgated, will provide much-needed guidance on how companies should reconcile these overlapping laws while achieving compliance and operational efficiency. The regulations must balance safeguarding the public’s interest in accountable and transparent corporate governance against the need for businesses to protect their commercial interests and privacy.