By Kwazi Dlamini

On Monday 28 January the world marked Data Privacy Day, established in 2006 to raise awareness about the importance of personal data protection, especially concerning social media. South Africa is still far behind in terms of the implementation and enforcing of its own regulations relating to the protection of personal data. The Protection of Personal Information Act (POPIA) was signed into law five years ago, but is still only partially in force.

In a statement, the Right2Know Campaign called for an end to this state of affairs. The organisation attributed the lack of enforcement to years of delays in getting the Information Regulator (IR) operational.

“Meanwhile, corporate ‘data breaches’ have exposed tens of millions of South Africans’ personal information. And every day, ordinary South Africans get calls and messages from private companies, political parties, and dodgy lenders that have bought or traded people’s private information in the hopes of getting profit or votes.”

POPIA is a powerful privacy law meant to protect personal information from being stolen, traded or misused. According to this law, personal information cannot be bought or sold to anyone, rather it can only be used for justifiable reasons – such as medical information obtained from a doctor that could be used to treat a person in an emergency – or with the person’s permission.

The types of key information commonly kept by businesses, such as employee records, data collection, customer details and their transactions, need to be protected to avoid that data being used by third parties to commit fraud, such as phishing scams and identity theft. This information can include names, addresses, e-mails, bank and credit card details, telephone numbers or health information. It is important for companies to keep this information protected and ensure that personal data and privacy of customers and citizens is not invaded. 

POPIA contains a set of principles that should be adhered to by organisations, government and businesses in order to keep people’s personal data safe and secure. These bodies must be transparent about the use of personal data and why they are keeping it. They can only use personal information for the purpose they declared, and not for any other unspecified reason. Data subjects – those whose data is being processed – can also demand that their personal information be deleted unless there is another law authorising the data processor to keep the information. The holder of personal information must also ensure protection of such information and they are bound by the law to notify the subject when there is a data breach.

The Information Regulator (IR), established under POPIA to enforce this privacy law is not yet operational. The law itself is also not yet fully implemented although it was signed into law in 2013 – the only section that is effective deals with the IR, which, nearly four years later, is still not able to do its job. The IR last held a media briefing in September 2017.

The organisation is mandated to investigate private companies and government departments for misuse of personal information, the delays leave South Africans exposed to unwanted breaches of their personal data, including calls and short messages from insurance companies, political parties and banks.

Privacy not guaranteed

With the general elections approaching, political parties pull out all the stops in their quest for support and many South Africans will be bombarded with phone calls and messages from parties trying to convince people to vote for them. Such unexpected calls leave users surprised by how these organisations got their numbers.

Social media users have been complaining about this for years and went as far as warning each other and sharing phone numbers that should be avoided when calling.

South Africa has come under intensified cyber-attacks in recent years, with several cases of breached cyber security and stolen personal data, notably the Liberty data breach of June 2018. The financial services company had their clients’ personal data penetrated by hackers who demanded a ransom in return for the data. Liberty did not give in to this demand.

The most documented and talked about breach of the past few years happened in the US. In the two years leading up to the 2016 presidential elections, a company called Cambridge Analytica (CA) acquired Facebook users’ private personal data – collected through an app built by a researcher at Cambridge University and sold illegally to CA – to see trends so they could influence the US elections by sending personalised political adverts to voters, based on their profiles and habits.

It is alleged that CA received investment from wealthy conservative investors who wanted to “reshape” politics – but if this practice can “reshape” politics and influence election results, the absence of proper regulations could lead to disaster. The same company is reported to have also influenced the UK vote for leaving the European Union (Brexit) through improper use of unsuspecting voters’ private personal data. 

Countries like the US and UK have long implemented the data protection regulations but even they still experience data breaches. With the IR taking baby steps throughout the process of implementation, millions of South Africans’ data is exposed and in extreme danger – and since the body is not operational yet, organisations or businesses cannot be punished for selling personal data or exposing it to third parties.