Has POPIA adequately prepared people to exercise their right not to be subject to automated decision-making?

September 1st, 2022

Picture source: Gallo Images/Getty

Transparency and accountability are enduring principles of any healthy system of governance and regulation. The Protection of Personal Information Act 4 of 2013 (POPIA) ostensibly seeks to regulate the personal data processing economy and it, too, muses over the ‘constitutional values of democracy and openness’ in its preamble. In fact, accountability and openness are necessary conditions for lawful processing. To that end, POPIA provides data subjects with various procedural and substantive rights in relation to their personal information. However, in a statute that is almost entirely concerned with lawful processing and the establishment of enforcement mechanisms thereto, s 71 of POPIA is notably peculiar. This provision is not primarily interested in data processing per se, but it rather takes aim at a subsequent step, namely, the decision which flows from automated data processing.

In general, and subject to a couple of derogations, s 71(1) prohibits the making of a ‘decision’, which affects the data subject in a legal or substantial manner, where such a decision is based solely on the automated processing of personal information intended to provide a profile of the data subject (automated decision-making is commonly referred to as ‘ADM’). Importantly, POPIA frames the regulation of ADM not merely as a prohibition, but also as an enforceable right in terms of s 5(g).

Considering the stated ideals of transparency and accountability, I question – in this article – whether the legislature has properly placed data subjects in a position to exercise their right not to be subject, under certain circumstances, to ADM. To verbalise my main gripe in plain terms: A data subject cannot exercise a right without knowing that they are entitled to enforce the right in the first place. In other words, for a data subject to exercise the right not to be subject to ADM, it must logically follow that the data subject must know that she or he has been subject to an ADM.

This piece argues that the POPIA does not provide data subjects with an express right of notification when they have been subject to an ADM. That is to say, the decision-makers (machine or otherwise) are not duty-bound to notify the data subject when they have been subject to a decision based exclusively on automated processing. This, in my view, is a textual oversight and it will likely render the data subject completely oblivious to the ‘black box’ of an ADM and, as a result, s 71 will be left to languish in obscurity.

A right to know

It is trite that knowledge of the existence of a right must come a priori to the exercise of that right. In context, without first informing the data subject that a given decision emanates from the automated processing of their personal information, then the data subject cannot utilise the accompanying entitlements or safeguards in s 71. So, is there a duty of notification in respect of ADM?

Section 71 of POPIA

From an overview of s 71, it is clear that there is no express duty of notification. Perhaps it can be read in from an interpretation of ‘appropriate measures’ intended to protect the data subject’s legitimate interests as specified in s 71(2)(a)(ii) and 71(2)(b)? I will deal with each in turn.

First, an ‘appropriate measure’ in terms of s 71(2)(a)(ii) is conveniently fleshed out in subs (3). Read together, it states that the prohibition against ADM will not apply if the decision has been taken in connection with the conclusion or execution of a contract when there are appropriate measures in place to safeguard the data subject. ‘Appropriate measures’, in this context, require the responsible party to provide –

  • an opportunity to make representations about the decision; and
  • ‘sufficient information about the underlying logic of the automated processing’ in order to make the aforementioned representation.

In my view, there is nothing to indicate that a responsible party is required to notify the data subject of the ADM. At most, the responsible party is only compelled to provide for the occasion to make representation with sufficient knowledge of the underlying logic of the system. However, this certainly does not imply a duty to first notify the data subject that she or he may be entitled to make representation at the given opportunity.

Secondly, ‘appropriate measures’ in respect of s 71(2)(b) appear to have a comparatively wider meaning than in the contractual context. Accordingly, the prohibition against ADM will not apply when the given decision is governed by a law or a code of conduct, which contains appropriate measures to safeguard the data subject. Unlike s 71(3), which is applicable to contracts only, there is no further guidance (other than a circular cross-reference back to s 71) as to what is meant by ‘appropriate measures’ for codes of conduct in terms of s 60(4)(a)(ii). This, however, may aid an interpretation that could give rise to a duty of notification for ADM. I argue that, absent undue interpretative constraints, a duty of notification is amenable to, and may be derived from, an ‘appropriate measure’ to safeguard the legitimate interests of the data subject. This is because, if the overall purpose of the measure is to safeguard the data subject’s legitimate interests, then it is surely axiomatic that the data subject should also know about the existence of these protective measures in order to utilise them. I echo the same view for an ADM which is ‘governed by a law’ that specifies appropriate measures in this respect.

At the same time, however, we must be mindful that this duty of notification may only arise if we adopt a charitable approach to a purposive exercise of interpretation. Unlike the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), which expressly provides that the data controller should inform the data subject about the ‘existence of automated decision-making’ in Article 13(2)(f), such a duty is not inherent in the POPIA’s text. This may raise doubts as to whether or not a responsible party, or the decision-maker, is obliged to give notice that the given decision is an ADM and that the data subject may be entitled to alternative measures in terms of law or a code of conduct. Given this ambiguity, does the POPIA have any other explicit provisions to regulate notification duties?

Section 18 of the POPIA

Under the openness condition of lawful processing, s 18 deals directly with the responsible party’s duties of notification. This provision sets out a multitude of instances in which the responsible party is required to take reasonably practicable steps to ensure that the data subject is aware of the collection of their personal information. Notably, s 18 is concerned with an early stage of data processing, namely the collection of personal information. Consequently, this provision is neither designed to give notification ex post a decision, nor can it be used in instances where personal information is automatically processed in a way other than by its collection.

Understood correctly, the problem is self-evident: Notification in terms of s 18 is limited to the time at which the personal information is collected, or as soon as reasonably practicable after its collection, whereas s 71 is framed further along the timeline, after the personal information has been processed and a decision made. It seems to me that the two provisions cannot be reconciled in a manner that would compel the decision-maker to provide notification regarding ADM. Therefore, in my view, s 18 does not provide a duty of notification in respect of an ADM.

Conclusion

It appears that to discover a duty of notification for ADM, a broad approach to ‘appropriate measures’ in terms of s 71(2)(b) of the POPIA needs to be adopted. However, even with such an approach, a duty of notification will be limited only to instances where the decision is governed by a code of conduct and/or by a law that provides for such measures. In all other cases of ADM, and particularly where contracts are the source of the automatic processing, there is no obligation on the responsible party to inform the data subject of the ADM. In the era of ubiquitous automation and machine learning, this raises serious threats to people’s fundamental rights. None more so than to the basic rights concerning procedural fairness and the audi alteram partem doctrine.

In the end, responsible parties and decision-makers in South Africa are not required to disclose whether the decisions they have made are an ADM. Without, at the very least, a right of notification in respect of ADM, a data subject cannot rely on s 71 of the POPIA for protection. A legislative amendment may be necessary to release the true potential of s 71. For the time being, it remains all dressed up, but with no way to know.

Gilad Katzav BCom LLB LLM (Wits) is a candidate legal practitioner at Norton Rose Fulbright in Johannesburg.

This article was first published in De Rebus in 2022 (Sept) DR 11.
