In the wake of “the great growling of change – technology”, as futurist Alvin Toffler so aptly put it, the need for the protection of personal information and reliable security systems has undoubtedly increased.
Two instances in South Africa that exposed the need for a data privacy law included the breach experienced by insurance company Liberty Life in 2018, where it was reported that millions of its customers’ personal information had been leaked, and that of the Department of Justice and Constitutional Development, in 2021, when it experienced a cyber attack that compromised the personal information of numerous civil servants. It is to help counter events like these that South Africa has created the Protection of Personal Information Act (POPIA), which came into effect on 1 July 2021.
South Africa has in recent years experienced an increase in this sort of security breach, at both state and private institutional levels, exposing infrastructural weaknesses in this new digital era and highlighting the need for contingencies to avoid breaches, fraud and the mismanagement or compromising of information.
Among the aims of the Act is to give effect to the constitutional right to privacy in section 14 of the Bill of Rights, promote the protection of personal information processed by public and private bodies, and to set out the parameters for lawfully and responsibly processing personal information, which includes “accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation”.
Public and private bodies must also appoint an information officer who is responsible for ensuring that the organisation complies with the Act. This requires both public and private entities to ensure that efficient security systems are put in place to safeguard the personal information of others against the possibility of cyberattacks.
POPIA recognises that personal information processing includes several elements, including “collection, receipt, recording, organisation, collation, storage, updating, or modification, retrieval, alteration, consultation or use”. The Act also provides people with rights and remedies in instances where the processing of their personal information contravenes the provisions of POPIA.
However, an individual’s right to privacy is subject to justifiable limitations, aimed at: (1) protecting important interests, which includes the free flow of information within South Africa and among international borders, and (2) balancing the right to privacy against other rights, particularly the right of access to information.
These limitations were tested in January this year in the case of Spies and Others v Minister of Basic Education and Others. In this case, South Africa’s Department of Basic Education decided it would not publish the 2021 matriculation results on the basis that this would violate POPIA.
This decision by the DBE prompted the applicants – a matriculant, Anle Spies, NPO Afriforum, and Maroela Media Ltd to institute an urgent application to overturn the department’s decision.
The applicants argued that the DBE had failed to balance the right of privacy against the right to information, the right to freedom of expression and the right to free press and media. The applicants also stated that withholding the publication of the results on public platforms would deprive matriculants of the excitement that accompanies this annual rite of passage.
The judge ruled in favour of the applicants, ordering the DBE to publish the National Senior Certificate results on public (media) platforms as was the practice in previous years. The judgment underscores the point that the right to privacy is not an absolute right.
POPIA also makes provision for transborder information flows. Personal information may not be transferred to a third party in a foreign country unless the recipient is subject to a law or agreement that provides an adequate level of protection. The person whose data it is must also consent to the transfer, including in situations where the transfer is necessary for the performance or conclusion of a contract between the person whose data it is and another “responsible party”.
An important element to note is that “responsible parties” and “data subjects” are two of three parties (the third being an operator), who are bound to comply with both the rules of collection and the processing of personal information. These three, however, are not an exhaustive list, and the responsibility to process personal information lawfully and responsibly extends to all parties who are involved. They must also be aware of the sanctions – a fine or imprisonment (or both) not exceeding 10 years – should they not comply.
There are, to date, no publicised reports of businesses that have been penalised for non-compliance with POPIA, but this should not mean they neglect their legal responsibility to comply.
South Africa is not alone in enacting legislation to protect personal data. By February 2022, 33 African countries had implemented data privacy laws and/or regulations. These legal frameworks share several similarities, including the requirement for organisations to appoint a data protection officer, the imperative to obtain consent from people whose data they are collecting or sharing, the parameters of data retention and destruction, as well as the requirements for transferring personal information across borders.
Aside from South Africa, several other countries last year enacted their own privacy law or regulations: Botswana (October 2021), Rwanda (October 2021), Uganda (March 2021), Zambia (March 2021), and Zimbabwe (December 2021).
Meanwhile, POPIA is only a manual, and the real work requires all responsible parties to adopt preventative measures rather than reactive ones. This applies to all data privacy laws or regulations that have been implemented throughout Africa.
The evolution of technology and the continuous development of legal, social and political discourses demand that businesses adapt the manner in which they collect and process personal information. Not only has the introduction of data privacy laws forced the hand of complacency, it also puts to rest the security concerns of individuals, provides transparency and ensures fair practice in the marketplace.
Privacy, security and trust are intertwined, and individuals will more often than not gravitate towards a company that reassures them that the processing of their personal information is done in a secure, legal and responsible manner. This, in turn, will create a competitive environment.
The risk of cyberattacks will always be present, which is why responsible parties are encouraged, going forward, to continuously conduct internal and external risk assessments, so as to assess and improve any vulnerability of their security systems.
Chante du Preez
Chanté du Preez is a Policy Advisor at the National Employers’ Association of South Africa. She holds an undergraduate Bachelor’s degree in International Relations and Law and a post-graduate Bachelor of Laws degree, both from the University of the Witwatersrand. She is also an admitted Attorney of the High Court of South Africa and is particularly passionate about social and governance issues and their nexus with the law.