25 October 2013

Joe Public and his privacy

Julian Assange has had to seek asylum in the Ecuadorian embassy after Wikileaks revelations. (AFP)

Privacy as we knew it is dead. We live in an era where any form of interaction with a computer, tablet, smartphone or mobile phone network enables the harvesting of personal information.

In such a world, the recent revelations about the US National Security Agency (NSA) keeping tabs on citizens’ email accounts shouldn’t raise an eyebrow.

Edward Snowden, the NSA whistleblower, and Wikileaks’ Julian Assange are both in exile and fear for their safety.

They have attained a kind of global celebrity for their principled stand.

What they, and others such as Chelsea Manning, have done is reveal the barely-concealed secret that supposedly democratic governments routinely flout the supposedly democratic rights of their own citizens to privacy.

South Africa’s approach to privacy and the protection of consumer information, at least from a government point of view, is representative of most democratic countries.

In fact our newly minted Protection of Personal Information Act (POPI) is closely modelled on similar European legislation.

The right to privacy here is constitutionally enshrined, but is also balanced against other rights entrenched in the constitution – especially those related to state security.

Protecting a person’s personal information may take a back seat in light of some of these competing interests, such as the administering of national social programmes, maintaining law and order, and protecting the rights, freedoms and interests of others, including the commercial interests of industry sectors, such as banking, insurance, direct marketing, health care, pharmaceuticals and travel services.

Concern about the protection of personal information has ramped up with the expansion of the commercial internet, e-commerce and direct marketing.

The rise of globalised and massive banking, credit and insurance industries that manage vast computerised databases has given a new urgency to the need to protect personal information, since database records can often be sold to third parties.

But Joe Public doesn’t think at the global level, and really just wants some safeguard against spam and direct marketing, or in the worst-case scenario, financial fraud and identity theft. Since the Act will soon be signed into law, direct marketing and consumer companies are mobilising to quickly put safeguards in place to protect personal client information that previously may have been available to third-party marketers and companies buying databases.

Protecting consumers

The key component of the new legislation that protects consumers is that consumers now have to actively opt in to allow companies to use their personal information.

Previously they would have to actively opt out, so companies could assume people could by default be contacted for marketing purposes.

This will place the responsibility on the direct marketing and junk mail industries, the biggest bugbear for most of the general public, to ensure they are targeting individuals who have explicitly stated that they would like to be contacted.

And if they don’t comply, consumers have much more legal clout.

Complying with the new Act, and ensuring consumer privacy, can be onerous for some companies, however.

Many companies are caught in a tangled web of third-party marketing relationships fuelled by the e-commerce environment.

One such is the market-leading global health club chain Virgin Active, which holds marketing relationships with many healthcare and insurance providers, where consumer information is shared between the businesses.

Corporate relations manager Hilary Lumb describes the company’s commitment to consumer privacy: "Virgin Active has partnerships with Discovery Vitality and Momentum Multiply as well as relationships with other incentive and rewards programmes.

"We do not have access to the health data of these members, other than the personal information collected by Virgin Active for the purpose of signing the member up to a gym membership.

"Although the POPI legislation has not come into effect as yet, we already have in place a privacy policy, which is available on our website. We would never divulge any members’ details to a third party without consent from the member."

Most companies would say the same – which makes it puzzling how phone spammers and other direct marketers manage to access thousands of consumer information records.

Perhaps the most South Africans can hope for is to avoid having bank accounts siphoned and identities stolen.

And, if enough people actually take unprincipled businesses to court under the new legislation for using personal information without consent, then perhaps companies might become more ethical.

But with global internet penetration on an ever-upward curve, and information becoming more global and less national every day, this is highly unlikely.


POPI and you

The Protection of Personal Information Bill (POPI) has serious consequences for organisations dealing in any way with personal information.

POPI is a widely respected and progressive piece of legislation, and makes provision for different conditions with which a company, organisation or person has to lawfully comply if dealing with personal information.

The Bill is made necessary by the encroachments made on personal privacy by advances in information technology and internet-based communication.

Phenomena such as geographical location and tagging systems, IP address identification, cookies, social media and cloud computing have made personal information much more readily available to corporations and other businesses targeting sales through direct marketing techniques.

Thus the need for some form of State protection. The original bill drafted to protect consumer information, which is about to become the POPI Act in law, focused on the following principles, among others:
• To promote the protection of personal information processed by public and private bodies
• To introduce information protection principles so as to establish minimum requirements for the processing of personal information
• To provide for the establishment of an Information Protection Regulator
• To provide for the rights of persons regarding unsolicited electronic communications and automated decision making.

In South Africa, given that most people access online data and services through mobile devices and phones, the mobile phone industry and its associated service providers have become major exploiters of personal information for selling purposes.

POPI will try to intervene in this kind of exploitation, by providing legislation that enforces appropriate information security standards.

Companies in general will have to actively ensure compliance. The Information Regulator will enforce the Act and will deal with consumers' complaints.

The Regulator, according to the Bill awaiting signing into law, will be able to issue major fines – up to R10-million – and jail terms for abuse of personal information.

While POPI applies to all public and private organisations dealing with personal information, there are certain exclusions, such as state security and intelligence agencies, journalists, writers and artists.

It is, however, being speculated that the Act will be difficult to implement, especially if there is a flood of applications to the Regulator to deal with breaches.

And, given that Joe Public’s details are fair game for eager South African marketers, there may well be a flood of disgruntled objections to spammers and cold callers.

Although this article has been made possible by the Mail & Guardian's advertisers, content and photographs were sourced independently by the M&G supplements editorial team. It forms part of a larger supplement.