Menu

Data Privacy

Insights-Artwork-1

Information rights in the digital age: Why we need an effective Information Regulator

, , ,

  • Information rights play a crucial role in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.
  • The Information Regulator, established in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), has yet to be fully operationalised, despite POPIA having been signed into law in 2013.
  • This has led to a protection vacuum over information rights, and runs foul of section 237 of the Constitution, which requires that “[a]ll constitutional obligations must be performed diligently and without delay”.
  • The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated, and that appropriate recourse is available where conduct falls foul of the required standards.

***

Since 2016, the United Nations and the global community have marked 28 September as the International Day for Universal Access to Information (IDUAI).  This is in recognition of the importance of the triad of information rights – freedom of expression, access to information and privacy – particularly in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.

On IDAUI this year, the members of the Access to Information Network issued a call for the full operationalisation of the Information Regulator in South Africa, whose role is critical in the realisation of the triad of information rights.  The Information Regulator, with a key role at the helm of both the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA), is a crucial body in ensuring the protection of our personal data, facilitating PAIA requests, and striking the correct balance between the free flow of information and legitimate restrictions thereon.

The Information Regulator is established by statute in terms of POPIA.  However, despite POPIA having been signed into law in 2013, and the members of the Information Regulator having been appointed in 2016, neither the substantive provisions of POPIA nor the amendments to PAIA have yet been brought into force.  This has resulted in the powers of the Information Regulator being severely hamstrung, and the body being rendered effectively toothless.

This is a fundamental failing in the realisation of the rights to receive and impart information and to have one’s personal information protected.  These are constitutionally-protected rights, which obliges the state to take positive measures to realise them.  Further, section 237 of the Constitution requires that “[a]ll constitutional obligations must be performed diligently and without delay”.  In Khumalo v Member of the Executive Council for Education: KwaZulu-Natal [2013] ZACC 49, the Constitutional Court explained that this provision elevates expeditious and diligent compliance with constitutional duties to an obligation in itself, in recognition of the public interest in having certainty and finality.

However, the state’s approach to the implementation of POPIA and the functioning of the Information Regulator appears to fall foul of section 237 of the Constitution.  The significant delay has led, in turn, to significant uncertainty, and a protection vacuum over information rights that cannot be countenanced.

In a media statement published on June 2018, the Information Regulator itself expressed concern that:

“South Africa has experienced a disturbingly high number of material data breaches in the past few months … Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in POPIA.  These data breaches underscore the urgent establishment of the Regulator.  It is for this reason that the Information Regulator requests the powers that be to assist it in fast-tracking its operationalization.”

A year later, in June 2019, the Chairperson of the Information Regulator stated in an interview published in IT Web that although certain key appointments have recently been made, the process was “going very slowly”, which was attributed to slow processes within government, particularly the Department of Justice.

This, however, is not enough of an answer.  As technological advancements increase at a rapid pace – and are increasingly data-driven and data-dependent – it is unacceptable that South Africans have been left without effective information governance frameworks to vindicate our rights.  The list of commonplace activities that involve the processing of personal information is countless: the filing of tax returns; the collection of a social security benefit; the application for an identity document or driver’s licence; making a telephone call; accessing the internet.

This is all the more complex when dealing with personal information.  Every person has two distinct lives: a public life; and private life.  It is in the inner sanctum of the latter that we are free to fully realise our own autonomy and identity, and truly explore the elements of our personality, sexuality and self-development.  It is precisely for this reason that the right to privacy is a fundamental right: one that is both at the core of who we are as individuals and how we engage with those around us.

In practice, the vast majority of us readily share personal information in order to engage in society, but this gives rise to risk as well.  While this can be beneficial and necessary, there are also risks.  As explained by Access Now, “[y]our personal data reveals a lot about you, your thoughts, and your life.  These data can easily be exploited to harm you, and that’s especially dangerous for vulnerable individuals and communities”.

The answer is not to become afraid of sharing data, but to be conscious of it.  More urgently, however, is the need for the substantive provisions of POPIA and the amendments to PAIA to be brought into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated; and that appropriate recourse is available through the Information Regulator where conduct falls foul of the required standards.

In the absence of this – particularly without an effective and fully operational Information Regulator – the generation and collection of personal information render persons in South Africa vulnerable to this information being improperly exploited and abused, with little to no recourse when this occurs.

The power of information cannot be gainsaid.  It is through the exercise of information rights that the media is able to function freely; that we are able to access relevant information to make informed political choices; that we are able to hold those in power to account; and that we are able to inform ourselves and express who we are as individuals.  It is important and essential that information rights are given meaningful effect.

The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force.  Even once brought into force, POPIA still provides for a further one-year grace period before compliance is required.  A further challenge is that POPIA is already at risk of being outdated, as it is based on the 1995 law of the European Union that has since been replaced by the modernised 2018 General Data Protection Regulation.  That said, POPIA is certainly better than nothing, and as a starting point puts in place an important and much-needed framework for the protection of personal information.

If the state is to meet its constitutional obligations regarding information rights – and to do so diligently and without delay, as section 237 of the Constitution requires – this demands the expeditious and effective enforcement of POPIA and PAIA.  At a very minimum, there should at least be a timeline that provides clarity on when the provisions are to be brought into force, and what protections are available to the public pending that enforcement.  Until then, as South Africans, we are left in the invidious position of a hollow legal framework with inadequate protections to prevent our information from being exploited and used for nefarious purposes.  In this data-driven digital age, this simply cannot be allowed to persist.

BLG-Insight-min

Informed consent as a key element for data protection

, ,

  • In the wake of numerous well-publicised breaches of databases containing personal information, many States have drafted new laws to provide people with greater data protection.  Some of these laws require that consent be given freely for the processing of personal data by companies.
  • The meaning of “informed” consent or consent freely given differs in various jurisdictions, but tech giants seem to favour an approach that makes use of their services conditional on users granting consent to the processing of their personal data for purposes such as targeted advertising.
  • It is likely that information regulators in Europe will soon rule that this practice is contrary to the GDPR.  These findings may positively influence the way that the South African Information Regulator defines “informed” consent.  Moreover, European rulings may have residual benefits as firms change their privacy policies globally to comply with the GDPR.
Consent is one of several stipulated grounds for the lawful processing of personal information; where consent is the ground relied upon, this must be freely given.  Where consent to data processing is made a condition for using a product, this consent, if given, is deemed not to have been given freely. Brynne Guthrie

2018 was dubbed by some as “the year of data protection”.  But perhaps more accurately, it was a year of shocks as consumers realised just how little protection their personal data was afforded.  In June, Liberty Holdings’ email repository was breached by a hostile third party which accessed the personal information of the company’s South African insurance customers.  This came just a month after the personal records of nearly a million drivers were breached via the State’s online traffic fine website.  The subsequent rise of public interest in data protection has forced legislators across the world to revisit and strengthen the laws protecting the privacy of people within their borders.

In May 2018, the EU-wide General Data Protection Regulation (GDPR) came into force.  This was a significant development, as the GDPR expands the rights and protections afforded to European data subjects and applies extra-territorially (meaning that it can apply to organisations based outside of Europe that are processing the personal information of European data subjects).  That same month, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly issued guidelines for obtaining meaningful consent to help private sector organisations obtain legally valid consents to the collection, use and disclosure of personal information.  In 2018 at least 11 American states passed legislation to provide citizens with greater transparency and control over their personal data and there is mounting pressure for the enactment of similar federal protections.  The South African version of a comprehensive data protection law, the Protection of Personal Information Act (POPIA), will likely come into force in its entirety in 2019 with a one-year grace period provided for in the legislation before compliance is required.  These generally promising legislative developments must be tested practically before their efficacy can be assessed properly.

Some commentators believed that the introduction of data protection laws, such as those described above, would force big tech firms like Amazon, Twitter, Google, LinkedIn and Facebook to change the way that they collect and analyse users’ personal data, effectively undercutting their advertising businesses and empowering their smaller competitors.  However, it appears, at least in the short term, that the opposite has occurred.  The complexity of the data protection laws, particularly the GDPR, is such that advertisers have channelled the little business that they were not already giving to the big tech firms to the tech giants, which are assumed to be far better equipped than their smaller counterparts to prove that their data processing is done with the consent of users and in compliance with the law.  The correctness of this assumption has been rocked in recent days as the French data protection authority has given its interpretation of the meaning of “consent” under the GDPR and found big tech firms’ policies lacking.

The meaning of consent

Different regulatory frameworks attribute different content to “consent”.  For instance, article 7 of the GDPR mandates that requests for consent be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that request.  Further, it provides that the request for consent is clear and distinguishable from other matters and that it must be provided for using clear and plain language.  Moreover, it requires that the withdrawal of consent is as easy as the granting of it.  POPIA, on the other hand, merely states that consent is “any voluntary, specific and informed the expression of will in terms of which permission is given for the processing of personal information”.

In December 2018, the South African Information Regulator published its POPIA Regulations.  According to these, a party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must complete a specified form which is attached to the Regulations.  This form creates a wholly impractical procedure that must be followed to obtain consent, not least because it requires the physical signature of both the data subject and the person responsible for processing the data.  This process will be particularly unwieldy in the context of multi-national tech companies such as Facebook and Google which process huge amounts of data, on a nearly constant basis, for targeted advertising.  While the GDPR specifies conditions that must be met for consent to be “informed” or “meaningful”, the South African Information Regulator and courts only have an unworkable consent form to draw from and will still have to decide what POPIA means by “informed” consent.

There are a few ways that this interpretive exercise could go:

  1. The first is to emulate the European approach and use the consent requirements established in the GDPR as guidelines for determining the meaning of “informed” consent.  These guidelines include specifications of when consent is freely given, the proper use of tick-boxes and the impact that power imbalances may have on the validity of consent given.  On 21 January 2019, the French data protection authority, CNIL, fined Google €50million for failing to provide users with transparent and understandable information on its data use policies.  This was because consent was essentially forced as data protection settings were scattered over various locations requiring users to actively search for opt-out options.  Moreover, some data-use consent boxes were automatically checked, meaning that users had to opt-out of their data being processed for those purposes rather than opt-in.  This finding points to the fact that “informed” consent is consent given after easily accessing privacy and data usage policies and must be consent that is given and not assumed.
  2. The other way that “informed” consent could be interpreted would be less expansive and based on the approach of some US Courts.  In August 2018, the U.S. District Court for the Southern District of New York investigated alleged breaches of data protection laws by a company which accessed personal data for the purpose of clearing spam from consumers’ email inboxes.  The Court ruled that, based on the California Invasion of Privacy Act and the Electronic Communications Privacy Act, if a party consented to the processing of their personal data there could be no violation of data protection laws.  The Court reasoned that a privacy policy that requires consumers to consent or not use the product at all was neither legally nor procedurally unconscionable.  This is because the Court held that a consumer’s choice to simply close their browser and not use the product is a meaningful one.

The consent-or-leave-the-service approach should be treated with caution as it may create problems when regulators deal with consent in terms of some of the privacy policies of the tech giants.  These companies have captive markets and users who cannot afford not to consent to the processing of their data.  Refusal could mean losing access to its biggest platform for news and communication or might hinder the day-to-day use of their smartphones (remembering that Google owns Android).  Unsurprisingly, big tech companies seem to favour the consent-or-leave-the-service approach.

For example, just days after being fined by the French data protection authority, Google updated its Terms of Service and Privacy Policy for Europe.  While acknowledging that further updates will be necessary to address the reasons for their fine, the new policy strikingly notes that “if you don’t want to accept these changes in our terms and Privacy Policy, you can choose to stop using the applicable services”.  Basically, this would seem to be a consent-or-leave-the-service, or conditional consent, approach.

All is not lost

There are numerous complaints currently before data protection regulators around Europe on the exact issue of conditional consent – something that is explicitly prohibited by Article 7(4) of the GDPR.  In November 2018, the Information Commissioner for the United Kingdom ruled that the Washington Post’s offering of three access options on their website, with only the most expensive one allowing readers to switch off location tracking and cookies, was contrary to the GDPR.  The Washington Post claimed that readers consented to the use of cookies and tracking for advertising purposes by choosing the lower-cost access options.  However, the Information Commissioner held that this amounted to tying consent to access to the website and was invalid because no free alternative to accepting cookies was available.

Consent is one of several stipulated grounds for the lawful processing of personal information; where consent is the ground relied upon, this must be freely given.  Where consent to data processing is made a condition for using a product, this consent, if given, is deemed not to have been given freely.  Aside from facilitating the provision of Facebook and Google’s basic service, these companies process data and sell it to advertisers which then target consumers’ needs as identified in that data.  Google’s latest privacy policy seems to make use of its products conditional on consent being given to them to process users’ personal information.  To hold tech giants accountable for this behaviour it will be necessary to disassociate the advertising businesses, from which massive profits are derived, from the core businesses or products that these firms, and their platforms, provide.

The finding of cookies, mentioned above, is useful here because in it the Regulator found that even though profits were derived from the advertising facilitated by data processing, this was not related to the core performance of the news website.  The core performance was the publication of news stories and this could be done without the processing of readers’ personal information.  Resultantly, access to the website was made conditional on consent to the processing of data to be used for a purpose other than the performance of the core function of the business and was invalid.  If previous rulings and the efforts of privacy activists are anything to go by, Google’s new consent-or-leave-the-service policy may not withstand scrutiny, and big tech firms may soon be forced to restructure their advertising-based business models to the benefit of consumers’ privacy.

And what about POPIA?

By the time POPIA becomes fully operational, the South African Information Regulator should have a wide variety of foreign case law to draw from to inform the meaning of “informed” consent.  Given that POPIA was based on the EU Data Protection Directive – the predecessor to the GDPR – the rulings from Europe will be particularly persuasive.  The European approach arguably fits far better into South Africa’s jurisprudential tradition of progressive and transformational understandings of concepts such as consent and privacy – as well as the spirit and objects of POPIA – than the American approach which strictly follows the agreed-upon contractual terms between data providers and controllers.

However, the South African Information Regulator may not have to get to the point of having to interpret “informed” consent in the context of data processing by the big tech companies (some of which have their African offices headquartered in South Africa).  This is because, in order to comply with the GDPR, some firms have changed their global privacy policies to apply to all users, not just the European-based users.  This means that even though South African users are not directly protected by the GDPR, we can still enjoy some of the effects of its more stringent privacy requirements.  If this trend continues, then policy changes sparked by findings by European data protection watchdogs will result in similarly useful global protection.  Even where firms do not voluntarily introduce GDPR-compliant global policies, the protection of EU residents’ data creates a unique lobbying tool for activists hoping to pressure firms into providing equal protection for their consumers.  This is because, if successful, firms will have to raise their policy positions to meet the highest standard of protection to the benefit of all users.

If 2018 was the year of data protection, then 2019 will be the year that those protections are tried and tested.  In particular, judging by the complaints that are currently before various regulatory bodies, it will be a year which clarifies the content of “meaningful” and “informed” consent.  This clarification will likely come from both local and foreign sources but will hopefully be reflective of the public calls for the progressive, purposeful and effective protection of personal information.

Brynne Guthrie is the 2019 Google Policy Fellow at ALT Advisory. 

Brynne writes in her personal capacity and the views expressed herein do not necessarily represent the views of ALT Advisory.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.  For any enquiries, please contact us at [email protected].

Skip to content