By Russel Luck
In South Africa, the much anticipated Protection of Personal Information Act 4 of 2013 (POPI) was promulgated in Gen 912 GG 37067/26-11-2013. Its commencement date shall be determined in accordance with s 115 of POPI by the President and its provisions will come into effect one year thereafter.
What is the paradigm of personal information and privacy legislation?
The internet allows data transactions to occur from one country to another seamlessly. Paradoxically, this is one of the greatest benefits of the technology era but also one of the greatest challenges to its effective regulation. Citizens bound by data privacy laws in their country could transfer data to countries that are less regulated than their own and bypass the protection that is offered by that state to its citizens.
European Union laws such as European Union Data Protection Directives of 1995 ((23-22-95) Official Journal of the European Committees No 281/31), 2002 (OJ L 201, 31.7.2002, p 37) and 2006 ((13.4.2006) Official Journal of the European Union L 105/54) (the EUDPD) have been highly influential on the drafters of POPI. A detailed discussion is beyond the scope of this article, save for mentioning that the EUDPD aims in art 1 to provide for economic and social progress of European Union (EU) members and art 25 prohibits transborder information flows to countries with less data privacy protection than member states. The EUDPD has been successful in creating uniform standards of data privacy for all member states with the result that businesses within the EU that are reliant on data can easily transact with one another. This, in turn, has assisted economic and social progress among signatories of the EUDPD.
The challenge arises when EU members conduct business in jurisdictions that have less data privacy regulation than their own. Article 25 of the EUDPD prohibits data transfers necessary for such business to occur. The United States (US) has not adopted uniform data protection standards equivalent to the EUDPD. Data-reliant industries such as direct marketing, insurance, banking, travel, finance and pharmaceuticals all rely on data profiles in order to operate business. Should European businesses wish to transact with US companies and gain the economic and social progress mentioned in art 1 of the EUDPD, art 25 of the EUDPD prevents them from doing so.
Ostensibly, the US adopted the United States Department of Commerce Safe Harbor Privacy Principles 2000 (Safe Harbor Agreement) that allow US businesses to self-certify that they are compliant with the standards of data protection adopted by EU nations through the EUDPD. The problem with self-certification is obvious: EU citizens would have very little practical control or enforcement over American companies that received their personal information. According to the Safe Harbour Decision Implementation Study (http://export.gov, accessed 11-4-2014) conducted in 2004, a prevalent minority of US entities complied with EUDPD principles. Non-compliance ranged from lack of privacy policy displayed on websites to lack of clarity regarding ‘onwards transfers’ of data and disclosing the ‘intended use’ of processing that data.
It appears that the current paradigm of personal information legislation is that individual privacy seems to rank below the economic interests of global business. This international paradigm is important when understanding how POPI might be interpreted by our courts and function practically in the global economy.
How does POPI balance the international privacy paradigm?
POPI was drafted largely on the recommendations of the South African Law Reform Commission (SALRC) in discussion paper 109 of project 124 (2005) (www.justice.gov.za/salrc/dpapers/dp124.pdf, accessed 11-4-2014). The SALRC expressly recognised the importance of privacy in terms of the Constitution and pre-existing common law. It noted that while privacy is a fundamental right, it can be limited and balanced against economic and trade considerations, looking at data privacy not only as a domestic policy issue but as part of the global community. A comprehensive analysis of POPI is beyond the scope of this article. Some of POPI’s key features are dealt with below:
Challenges and analysis
Technology evolves faster than law makers can regulate it
A recent incident in the US demonstrates the need for data protection and the manner in which current practices ‘fudge’ technology matters regulated by statute. The Wall Street Journal reported (Dana Mattioli ‘On Orbitz, Mac Users Steered to Pricier Hotels’ The Wall Street Journal 23-8-2012 (http://online.wsj.com, accessed 2-4-2014)) that a search engine powered by Orbitz Worldwide Inc suggested more expensive hotels to users visiting the site with a Mac computer than to those using a personal computer.
The details relating to this scandal are varied and it is not clear what information was processed by Orbitz. It was traditionally believed that an internet protocol (IP) address is not ‘Personally Identifiable Information’ (American definition) because internet access relied on a dial-up connection: each time a user dialled up, a new IP address was assigned to that computer. However, according to PM Schwartz and DJ Solove, the mass movement away from dial-up and towards broadband internet use has resulted in fixed IP addresses being assigned to certain computers as unique identifiers (‘The PII Problem: Privacy and a new concept of personally identifiable information’ (2011) 86 New York University Law Review 1814). Whether an IP address reveals a user’s ‘identifying number, symbol … online identifier’ sufficient to trigger subs (c) under the ‘personal information’ definition in POPI has yet to be evaluated by our courts. As always, clarity will be established on a case-by-case basis.
In the above, the concept of ‘de-identified personal information’ had its vulnerabilities exposed. In 2006, America Online (AOL) released 20 million search queries for research purposes, which it believed to be sufficiently de-identified. Reporters at the New York Times exposed the ease with which such information could be re-identified using techniques that tracked searches for landscape gardeners in a specific area with a host of circumstantial information to reveal the identity of a user.
Clearly, technology evolves at a speed that exceeds our lawmakers’ ability to regulate it in its entirety. It is hoped that the information regulator and industry leaders will engage in dialogue over the provisions of POPI to ensure our system of data protection is coherent and in keeping with current technology practices.
First world laws and third world problems
POPI’s place in the international privacy paradigm is promising. Its provisions match the EUDPD’s standards of data protection with the effect that South African businesses could engage in transactions with European businesses that are heavily reliant on data. What has yet to be seen is whether the US’s standards of data protection will satisfy South Africa in the same way that the EU has accepted the Safe Harbour Agreement despite its imperfections. The SALRC in its discussion paper 109 of project 204 sought to balance the right to privacy against economic and social progress. This aspiration is reflected in the preamble of POPI. South Africa is a developing economy and strives to attract foreign investment that is critical for its future development and growth.
Many of South Africa’s technology industries are in their infancy, despite having solid legal regulations in place. Amazon.com Inc opened its customer service centre in Cape Town in 2010 and a software development centre thereafter. It forecast that 1400 new jobs would be created when operations are at their peak. Similarly, Google Inc’s expansion of its office in Johannesburg is an encouraging sign of foreign business interest in South African opportunities. POPI should be interpreted in a manner that is friendly to foreign business yet protective against unscrupulous information practices. There is every reason to be optimistic that it will achieve both these aspirations.
Russel Luck BA LLB (UCT) is a legal adviser in Thailand.
This article was first published in De Rebus in 2014 (May) DR 44.