Information rights in the digital age: Why we need an effective Information Regulator
- Information rights play a crucial role in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.
- The Information Regulator, established in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), has yet to be fully operationalised, despite POPIA having been signed into law in 2013.
- This has led to a protection vacuum over information rights, and runs foul of section 237 of the Constitution, which requires that “[a]ll constitutional obligations must be performed diligently and without delay”.
- The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated, and that appropriate recourse is available where conduct falls foul of the required standards.
Since 2016, the United Nations and the global community have marked 28 September as the International Day for Universal Access to Information (IDUAI). This is in recognition of the importance of the triad of information rights – freedom of expression, access to information and privacy – particularly in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.
On IDAUI this year, the members of the Access to Information Network issued a call for the full operationalisation of the Information Regulator in South Africa, whose role is critical in the realisation of the triad of information rights. The Information Regulator, with a key role at the helm of both the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA), is a crucial body in ensuring the protection of our personal data, facilitating PAIA requests, and striking the correct balance between the free flow of information and legitimate restrictions thereon.
The Information Regulator is established by statute in terms of POPIA. However, despite POPIA having been signed into law in 2013, and the members of the Information Regulator having been appointed in 2016, neither the substantive provisions of POPIA nor the amendments to PAIA have yet been brought into force. This has resulted in the powers of the Information Regulator being severely hamstrung, and the body being rendered effectively toothless.
This is a fundamental failing in the realisation of the rights to receive and impart information and to have one’s personal information protected. These are constitutionally-protected rights, which obliges the state to take positive measures to realise them. Further, section 237 of the Constitution requires that “[a]ll constitutional obligations must be performed diligently and without delay”. In Khumalo v Member of the Executive Council for Education: KwaZulu-Natal  ZACC 49, the Constitutional Court explained that this provision elevates expeditious and diligent compliance with constitutional duties to an obligation in itself, in recognition of the public interest in having certainty and finality.
However, the state’s approach to the implementation of POPIA and the functioning of the Information Regulator appears to fall foul of section 237 of the Constitution. The significant delay has led, in turn, to significant uncertainty, and a protection vacuum over information rights that cannot be countenanced.
In a media statement published on June 2018, the Information Regulator itself expressed concern that:
“South Africa has experienced a disturbingly high number of material data breaches in the past few months … Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in POPIA. These data breaches underscore the urgent establishment of the Regulator. It is for this reason that the Information Regulator requests the powers that be to assist it in fast-tracking its operationalization.”
A year later, in June 2019, the Chairperson of the Information Regulator stated in an interview published in IT Web that although certain key appointments have recently been made, the process was “going very slowly”, which was attributed to slow processes within government, particularly the Department of Justice.
This, however, is not enough of an answer. As technological advancements increase at a rapid pace – and are increasingly data-driven and data-dependent – it is unacceptable that South Africans have been left without effective information governance frameworks to vindicate our rights. The list of commonplace activities that involve the processing of personal information is countless: the filing of tax returns; the collection of a social security benefit; the application for an identity document or driver’s licence; making a telephone call; accessing the internet.
This is all the more complex when dealing with personal information. Every person has two distinct lives: a public life; and private life. It is in the inner sanctum of the latter that we are free to fully realise our own autonomy and identity, and truly explore the elements of our personality, sexuality and self-development. It is precisely for this reason that the right to privacy is a fundamental right: one that is both at the core of who we are as individuals and how we engage with those around us.
In practice, the vast majority of us readily share personal information in order to engage in society, but this gives rise to risk as well. While this can be beneficial and necessary, there are also risks. As explained by Access Now, “[y]our personal data reveals a lot about you, your thoughts, and your life. These data can easily be exploited to harm you, and that’s especially dangerous for vulnerable individuals and communities”.
The answer is not to become afraid of sharing data, but to be conscious of it. More urgently, however, is the need for the substantive provisions of POPIA and the amendments to PAIA to be brought into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated; and that appropriate recourse is available through the Information Regulator where conduct falls foul of the required standards.
In the absence of this – particularly without an effective and fully operational Information Regulator – the generation and collection of personal information render persons in South Africa vulnerable to this information being improperly exploited and abused, with little to no recourse when this occurs.
The power of information cannot be gainsaid. It is through the exercise of information rights that the media is able to function freely; that we are able to access relevant information to make informed political choices; that we are able to hold those in power to account; and that we are able to inform ourselves and express who we are as individuals. It is important and essential that information rights are given meaningful effect.
The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force. Even once brought into force, POPIA still provides for a further one-year grace period before compliance is required. A further challenge is that POPIA is already at risk of being outdated, as it is based on the 1995 law of the European Union that has since been replaced by the modernised 2018 General Data Protection Regulation. That said, POPIA is certainly better than nothing, and as a starting point puts in place an important and much-needed framework for the protection of personal information.
If the state is to meet its constitutional obligations regarding information rights – and to do so diligently and without delay, as section 237 of the Constitution requires – this demands the expeditious and effective enforcement of POPIA and PAIA. At a very minimum, there should at least be a timeline that provides clarity on when the provisions are to be brought into force, and what protections are available to the public pending that enforcement. Until then, as South Africans, we are left in the invidious position of a hollow legal framework with inadequate protections to prevent our information from being exploited and used for nefarious purposes. In this data-driven digital age, this simply cannot be allowed to persist.