The full implementation and enforcement of the Protection of Personal Information Act 4 of 2013 (or POPIA) will kick in on 1 July 2021. Both private and public organisations are rushing to get acquainted with its provisions to make sure that they don’t fall foul of the new legislation and risk incurring the infamous R10 million fine that POPIA imposes.
In May 2021, UCT’s LawTechLab and the Cape Town chapter of Legal Hackers hosted Adv. Alison Tilley for an in-depth but straight-forward discussion about POPIA. Adv Tilley is poised to provide a unique viewpoint on POPIA, as she was personally involved in its drafting as well as the Law Reform Commission project that gave rise to POPIA. She is currently a member of South Africa’s Information Regulator, which is tasked with, among other things, monitoring and enforcing compliance by public and private bodies.
There is certainly a lot of anxiety around POPIA and various organisations and individuals have begun marketing and selling compliance packages. Some software packages are also being marketed as ‘POPIA-complaint’. However, Adv Tilley explained that there is still a lot of jurisprudential development that needs to take place before anyone will have a perfectly clear idea of what POPIA compliance really looks like.
Personal information, the right to personality and the need to balance competing rights
According to Adv Tilley: ‘Your personality, in the sense of your cyber-personality, is something that you have the right to. You don’t own your own data in the same sense that you own a tangible object… but you have a right to your personality. The idea is that people who are compiling and distributing personal information create a threat to people’s privacy and to their right to personality, and the acquisition or disclosure of false or misleading information can lead to an infringement of your identity’.In a constitutional democracy such as ours, the right to privacy must be balanced against competing rights and interests. On one side, we are concerned with having an open, accountable and transparent society; on the other, we are concerned about the right to privacy and the right to be left alone.
The origins of data protection in South Africa
POPIA was borne of a recognised need for specific rules governing the collection and handling of personal information, which becomes increasingly pertinent with advances in technology and the development of powerful computer systems with surveillance potential. ‘The intention was that POPIA would form part of a package of laws which were originally called the Open Democracy Bill,’ explained Adv Tilley. This package had four parts: access to information (which became PAIA); whistleblowing (which became the Protected Disclosures Act); open government (which has not yet given rise to new legislation); and data protection (which became POPIA).
‘The question is no longer whether you can get the information, but rather whether it should be gotten and where it is obtained, how it should be used. If you can protect information on which decisions are made about individuals, you can also protect fairness, integrity and effectiveness of decision-making processes.’
POPIA was influenced by European models of data protection. The use of technology itself to protect privacy was considered, as well as the argument that technical standards rather than legal principles should be relied upon. However, it was recognised that certain core principles needed to be set out in legislation due to the pace at which new technology would be developed.
The Information Regulator has already received many questions about POPIA. Although the Information Regulator cannot fulfil requests for legal opinions on more complicated issues, it is currently sharing information through various channels, including its website and its social media platforms. In her presentation, Adv Tilley addressed several key questions the Information Regulator had to deal with, including the following:
How will compliance be monitored by the Information Regulator?
This is difficult but not impossible to do proactively, such as by assessing Codes of Conduct, but, as Alison explained, ‘the rubber hits the road where there’s a big data breach’. Many data breaches involve cyber crime, but the Regulator would step in only where a data breach is a result of a violation of POPIA and it does not have a mandate to prosecute cyber crime. The Regulator’s main role will thus be handling reported POPIA violations on a case-by-case basis. Where there is a violation of POPIA, the Regulator has a wide range of powers by which to respond, including the imposition of fines and the implementation of dispute resolution processes.
When can children participate in platforms where their personal data is processed?
Section 34 of POPIA prohibits the processing of the personal information of children (specifically, anyone under the age of 18), but s 35 creates various ways around this, including parental consent. Adv Tilley pointed out that children are already using apps that use personal data all the time, so this issue is likely to become a very vexed one. Further remaining concerns that Adv Tilley raised are that the portal for registration of information officers is not yet operational, and that the Regulator does not yet have all of the staff that it needs to perform its work.
In addition, Adv Tilley posed another important question for organisations and individuals who hold existing databases: where did your information come from, and for what purpose was it gathered at all? ‘If you can’t answer that question, you’re already in somewhat murky waters’, she said. Codes of Conduct are going to become very important in the coming months, and organisations are urged not to rely solely on getting consent from their users to gather their information.
You can watch a video of the full event here.
This seminar was co-hosted by the newly launched Law Tech Lab, an initiative by the iNtaka Centre for Law & Technology at the University of Cape Town, and Law For All. The two organizations operate the Cape Town chapter of global movement Legal Hackers.
The LawTech Lab aims to provide a space for exploration, experimentation and the development of legal tools at the intersection of law and technology. (Missed the Law Tech Lab launch? Watch it here.) Rebecca Cameron, a scrum master and agile coach at Law For All, introduced Legal Hackers as a global movement of lawyers, policymakers, designers, technology and academic stakeholders who want to explore and develop solutions for the problems at the intersection of law and rapidly changing technology.
Legal Hackers Cape Town will host one event each month. Sign up for news here.