23 August 2018

SA waits on information regulator

Facebook’s Mark Zuckerberg testifies about how information was hacked from Facebook users and used in the United States’s 2016 elections. (Brendan Smialowski/AFP)

DATA PROTECTION

With national and provincial elections on the country’s horizon, there is a nagging question that deserves attention in the face of mounting evidence of Russian cyber-meddling in both the United States election that delivered Donald Trump and the Brexit vote that threatens to weaken the European Union: Is the South African electoral system safe from external interference?

Over the past year or so, some senior members of the ANC’s leadership have privately expressed fears that Russia could seek to “capture” their party and that, having interfered with the US’s political system, it would have few qualms about doing so here.

The first line of defence is the Independent Electoral Commission (IEC). Warning against the risk of complacency, the Council for the Advancement of the South African Constitution this week called on the IEC to report to Parliament on the measures it is taking to address such concerns.

But there is a second line of defence that deserves equal attention — the information regulator. This new body, established under the Protection of Personal Information Act, 2013, is not yet in the public eye, though its mandate is of fundamental importance to all South Africans.

It has two key mandates — transparency and data protection. Data protection used to be a highly technical, rather nerdy area of law and policy. Now, it’s big, sexy and highly political, and those charged with the responsibility of protecting the public from abuse are in the limelight.

The Cambridge Analytica-Facebook scandal exposed by The Observer earlier this year has seen to this — a whistleblower revealed how Cambridge Analytica used personal information taken without authorisation from Facebook users to build a system that could profile individual voters, so that the Trump campaign could target them more precisely.

Facebook owner Mark Zuckerberg has since conceded that Facebook failed to alert the 87-million users whose personal information had been harvested and then exploited.

Last month Britain’s equivalent to the information regulator — its information commissioner, Elizabeth Denham — announced that in response to the breach of data protection rights she would be fining Facebook the maximum amount permitted under British law (£50 000), and is pursuing a criminal prosecution of Cambridge Analytica’s parent company.

Zuckerberg has been on the back foot for six months as he attempts to convince the market and regulators that Facebook can address two critical questions that he articulated himself: “Can we get our systems under control, and second, can we make sure that our systems aren’t used to undermine democracy?”

Regulators such as Denham are raising the same questions. But to do so meaningfully in South Africa, the information regulator will need the right in-house capability and an appropriate organisational design — and there is much to be learnt from bodies with equivalent dual mandates in Britain, Germany and Japan.

For example, Britain’s information commissioner’s office is also responsible for handling appeals against denied requests for access to public information under the freedom of information law (in South Africa’s case, the Promotion of Access to Information Act, 2000). It has a staff of more than 600, with another 200 to be appointed soon to help it to handle the demands imposed by a new European Union regulation — the general data protection regulation.

Anyone who has interacted online with an EU-based company in the past few months is likely to have had to complete a data protection consent form because of the new regulation, which standardises data protection laws across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information — a prime example of the complex, fast-growing governance required to cope with the demands of the digital age.

Denham’s big strategic push is to get ahead of the curve and to shift her office towards being proactive rather than reactive. She’s created an intelligence unit to try to anticipate where the next major data breach may come from and nip it in the bud.

So, how is South Africa’s new body setting itself up in this context? That question cannot be answered yet because, although the five “members” of the regulator have been appointed by Parliament, it has not yet begun to recruit or appoint staff because of a curious delay.

The regulator’s legislative framework states that the chief executive will be the accounting officer. But treasury chose to argue that the Public Finance Management Act requires that the chair of the board of the regulator — Pansy Tlakula — should be the accounting officer.

Tlakula objected and explained the deadlock to Parliament, with no solution forthcoming. The executive agreed that the chief executive of the information regulator will be the accounting officer.

A difference between departments over Pansy Tlakula’s role delayed recruiting for the information regulator. (Paul Botes/M&G)

This impasse has meant a year-and-a-half of gridlock on setting up the regulator. It will only begin to advertise for staff in September, and the bulk of the Protection of Personal Information Act may well only come into operation in January 2019.

Mukelani Dimba, who is chair of the steering committee of global transparency network the Open Government Partnership, believes that it is essential that the information regulator is able to make a robust contribution towards protecting South Africa’s constitutional order and the rights of citizens.

Dimba is hopeful that Tlakula will be alert to the dangers of foreign interference posed to the electoral process, because she previously served as chief executive and then chair of the IEC.

But Dimba also draws attention to the Liberty Life data breach and to the transfer of grant recipients’ personal data from the South African Social Security Agency to third-party commercial service providers as good examples of why the regulator needs to make its presence felt.

In June, financial services company Liberty Life informed its investment clients that its email server had been hacked. There were reports that 40 terabytes of personal data had been stolen from the company’s insurance business, though Liberty did not confirm this figure.

Dimba says this was the biggest data breach ever reported in South Africa, and it revealed in a dramatic way how local entities are vulnerable to cyber crime on a grand scale. Yet all that the regulator could do was to meet Liberty and then issue a statement encouraging South African corporates to be vigilant about cyber crime and to put in place adequate cyber security measures.

Says Dimba: “When we campaigned for the establishment of the information regulator we wanted an institution with strong enforcement powers, not just a structure for gentle persuasion. We wanted an institution that would boldly serve as a shield against egregious violation of rights provided for in South Africa’s data protection law.”

To ram home his point, Dimba cites the case of the JSE-listed company Net1 and its financial services subsidiary Cash Paymaster Services, the controversial holder of an illegal contract for payment of more than 17-million social security grants, which have long been accused of using the personal data of grant beneficiaries to cross-sell services and products from other Net1 subsidiaries such as Smart Life (for funeral policies) and EasyPay (for airtime and electricity, among others).

Social justice groups the Black Sash and the Centre for Applied Legal Studies are litigating the issue of illegal deductions at the Supreme Court of Appeal on behalf of a group of grant beneficiaries. Many grant recipients have complained about illegal deductions from their welfare payments as a result of being signed on to services and products that they have not knowingly authorised.

Given the socioeconomic crisis that is engulfing South Africa, it is tempting to regard data protection as either a “luxury item” or a mere technical spare wheel. But the evidence shows that personal data breaches can strike at the heart of the democratic order and denude the dignity of citizens.

The framework provided by an operational data protection law, overseen by a strong and capable enforcement body, would also allow investors to invest in businesses that process personal data with far more confidence.

Without such a regulatory framework they will continue to have to enter into company-to-company agreements about how EU citizens’ personal data will be processed in South Africa.

Although careful thought must be given to how the information regulator is set up and organised, the sooner it is up and running, the better, for voters, welfare beneficiaries, consumers and for the economy.

Richard Calland, associate professor in public law at the University of Cape Town, has researched the operational models of data protection regulators in Japan, Germany and Britain. Alison Tilley is head of advocacy at the Open Democracy Advice Centre, and a member of the national working group of Right2Know