During the last couple of months information about the European Union’s new General Data Protection Regulation (GDPR) have dominated professional networks, blogs, websites and emails.
Although it has been a law for a while now, the 25th of May 2018 marked the day when businesses and entities could now be fined for non-compliance.
Even though the GDPR does not directly affect most people living on the southern tip of Africa, people subscribing to websites and services that have to comply with GDPR received emails like this:
As someone involved in the software industry, I can just imagine all the millions of man-hours that were burned by architects, developers, consultants, database administrators, business analysts and marketing departments from thousands of businesses to make this a reality.
GDPR in a nutshell
The main thing to know about GDPR is that it now gives users the:
• Right to permanently delete accounts that gathers personal information,
• Right to object how your data is used (as well as the right to opt out)
• Right to access your personal information
• Right to amend your personal information
Companies must also:
• Be transparent in how the data will be used
• Be able to export your data (even to other companies or third party entities) should you request it
Facebook data leak
GDPR is really good news for consumers. It kicks in barely a month after the now infamous leak of Facebook users’ data by the UK-based company, Cambridge Analytic. Personal information gathered from millions of Facebook users were used to potentially influence the 2016 US Presidential Election as well as Brexit (the UK’s referendum to leave the European Union).
The Facebook leak showed just how vulnerable (and sought-after) your personal data is and how little control you really have over it.
POPI and PAIA
In South Africa we have the Protection of Personal Information Act (POPI or POPIA) and Promotion of Access to Information Act (PAIA). These laws are supposed to ensure that consumers and companies conduct themselves in a responsible manner when collecting, storing and using personal data.
According to the South African Government Gazette, the purpose of POPI is to “…regulate, in harmony with international standards, the processing of personal information by public and private bodies…”
These bodies may not process personal information concerning “… the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject…”
Although it all sounds good on paper, it covers a very broad spectrum and may not be specific enough to ensure peoples’ safety on the Internet. As we have seen with the Facebook incident, the definition of personal data and personal data custody is murky when it comes to information that a user is required to give (name, surname, email address) and information that is uploaded freely (photos of holidays, loved ones or children).
One of the most visible outcomes of POPI for consumers is the protection against direct marketing unless you have specifically given consent (opt-in). However, companies are not forced to delete your personal data as with GDPR. For example, Takealot, South Africa’s biggest on-line shopping website, offers no direct way for customers to completely remove their account. And even if a service offers this feature, can you really be sure that all your historical data is also deleted in the process?
And as with most laws it as just good as the enforcement thereof. The sensitivity of the data also varies. Your medical data in the wrong hands can be much more harmful than your DVD-rental history. How much money will someone be willing to spend in order to convict and prosecute the DVD shop vs. the medical aid company?
PAIA in action
The most famous South African case that involved PAIA was the so-called “spy tapes saga” where the investigation spearheaded by the opposition party, the Democratic Alliance, turned to the courts in order to gain access to these tapes. They allegedly contained information of political interference in the corruption charges against (former) president Jacob Zuma. The allegations about interference were the main reason that the National Prosecuting Authority (NPA) originally dropped the charges against Zuma.
Although the court case dragged on for years, it proofed that nobody is above the law and that PAIA can indeed be used as an effective investigative and prosecuting tool.
But although POPI and PAIA can be effective against South African citizens and companies, dealing with international privacy laws can be a different ball game. Take the Oscar Pistorius murder case for example. (Pistorius is the double amputee Paralympics athlete known as the “Blade Runner”).
Police investigating the case wanted access to his iPhone because it was used on the night of the murder of Reeva Steenkamp and they believed it contained vital information. But Oscar conveniently “forgot” the 4-digit passcode necessary to unlock the phone. The South African investigators were forced to seek help from the FBI in America in order to authorise Apple to unlock the phone.
The FBI was accused of dragging their heels in approving the request for help. They apparently demanded to see the original versions of the documents that had been signed off by the South African magistrate and director of public prosecutions. A team of South African officials eventually had to fly to California in order to request help from Apple directly.
Both these two cases evoked strong opinions with the general public – for and against. Although it is a no-brainer that access to private information is necessary to investigate corruption, murder and even terrorism for that matter, the law also state that people are innocent until proven guilty. It is in the best interest of everyone that the legal process has to take its course. Under no circumstance should we allow that individuals or states have such power as to have free access to our private information.
Step in the right direction
GDPR, POPI and PAIA are all steps in the right direction. Individuals should have more control over their personal data and companies must be held accountable for the way the use, store and share it. Although the South African laws are by no means perfect and might not be of the same caliber as GDPR, it is better than to have nothing at all. But with the fast pace of technological change these days, any law that deals with privacy issues will constantly have to adapt in order to stay relevant.