SA waits on information regulator

DATA PROTECTION

With national and provincial elections on the country’s horizon, there is a nagging question that deserves attention in the face of mounting evidence of Russian cyber-meddling in both the United States election that delivered Donald Trump and the Brexit vote that threatens to weaken the European Union: Is the South African electoral system safe from external interference?

Over the past year or so, some senior members of the ANC’s leadership have privately expressed fears that Russia could seek to “capture” their party and that, having interfered with the US’s political system, it would have few qualms about doing so here.

The first line of defence is the Independent Electoral Commission (IEC). Warning against the risk of complacency, the Council for the Advancement of the South African Constitution this week called on the IEC to report to Parliament on the measures it is taking to address such concerns.

But there is a second line of defence that deserves equal attention — the information regulator. This new body, established under the Protection of Personal Information Act, 2013, is not yet in the public eye,though its mandate is of fundamental importance to all South Africans.

It has two key mandates — transparency and data protection. Data protection used to be a highly technical, rather nerdy area of law and policy. Now, it’s big,sexy and highly political, and those charged with the responsibility of protecting the public from abuse are in the limelight.


The Cambridge Analytica-Facebook scandal exposed by The Observer earlier this year has seen to this — a whistleblower revealed how Cambridge Analytica used personal information taken without authorisation from Facebook users to build a system that could profile individual voters, so that the Trump campaign could target them more precisely.

Facebook owner Mark Zuckerberg has since conceded that Facebook failed to alert the 87-million users whose personal information had been harvested and then exploited.

Last month Britain’s equivalent to the information regulator — its information commissioner, Elizabeth Denham — announced that in response to the breach of data protection rights she would be fining Facebook the maximum amount permitted under British law (£50 000), and is pursuing a criminal prosecution of Cambridge Analytica’s parent company.

Zuckerberg has been on the back foot for six months as he attempts to convince the market and regulators that Facebook can address two critical questions that he articulated himself: “Can we get our systems under control, and second, can we make sure that our systems aren’t used to undermine democracy?”

Regulators such as Denham are raising the same questions. But to do so meaningfully in South Africa, the information regulator will need the right in-house capability and an appropriate organisational design —and there is much to be learnt from bodies with equivalent dual mandates in Britain, Germany and Japan.

For example, Britain’s information commission’s office is also responsible for handling appeals against denied requests for access to public information under the freedom of information law (in South Africa’s case, the Promotion of Access to Information Act, 2000). It has a staff of more than 600, with another 200 to be appointed soon to help it to handle the demands imposed by a new European Union regulation —the general data protection regulation.

Anyone who has interacted online with an EU-based company in the past few months is likely to have had to complete a data protection consent form because of the new regulation, which standardises data protection laws across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information — a prime example of the complex, fast-growing governance required to cope with the demands of the digital age.

Denham’s big strategic push is to get ahead of the curve and to shift her office towards being proactive rather than reactive. She’s created an intelligence unit to try to anticipate where the next major data breach may come from and nip it in the bud.

So, how is South Africa’s new body setting itself up in this context? That question cannot be answered yet because, although the five “members” of the regulator have been appointed by Parliament, it has not yet begun to recruit or appoint staff because of a curious delay.

The regulator’s legislative framework states that the chief executive will be the accounting officer. But treasury chose to argue that the Public Finance Management Act requires that the chair of the board of the regulator — Pansy Tlakula — should be the accounting officer.

Tlakula objected and explained the deadlock to Parliament, with no solution forthcoming. The executive agreed that the chief executive of the information regulator will be the accounting officer.

A difference between departments over Pansy Tlakula’s role delayed recruiting for the information regulator. (Paul Botes/M&G)

This impasse has meant a year-and-a-half of gridlock on setting up the regulator. It will only begin to advertise for staff in September, and the bulk of the Protection of Personal Information Act may well only come into operation in January 2019.

Mukelani Dimba, who is chair of the steering committee of global transparency network the Open Government Partnership, believes that it is essential that the information regulator is able to make a robust contribution towards protecting South Africa’s constitutional order and the rights of citizens.

Dimba is hopeful that Tlakula will be alert to the dangers of foreign interference posed to the electoral process, because she previously served as chief executive and then chair of the IEC.

But Dimba also draws attention to the Liberty Life data breach and to the transfer of grant recipients’ personal data from the South African Social Security Agency to third-party commercial service providers as good examples of why the regulator needs to make its presence felt.

In June,financial services company Liberty Life informed its investment clients that its email server had been hacked.There were reports that 40 terabytes of personal data had been stolen from the company’s insurance business, though Liberty did not confirm this figure.

Dimba says this was the biggest data breach ever reported in South Africa, and it revealed in a dramatic way how local entities are vulnerable to cyber crime on a grand scale. Yet all that the regulator could do was to meet Liberty and then issue a statement encouraging South African corporates to be vigilant about cyber crime and to put in place adequate cyber security measures.

Says Dimba: “When we campaigned for the establishment of the information regulator we wanted an institution with strong enforcement powers, not just a structure for gentle persuasion. We wanted an institution that would boldly serve as a shield against egregious violation of rights provided for in South Africa’s data protection law.”

To ram home his point, Dimba cites the case of the JSE-listed company Net1 and its financial services subsidiary Cash Paymaster Services, the controversial holder of an illegal contract for payment of more than 17-million social security grants, which have long been accused of using the personal data of grant beneficiaries to cross-sell services and products from other Net1 subsidiaries such as Smart Life (for funeral policies) and EasyPay (for airtime and electricity, among others).

Social justice groups the Black Sash and the Centre for Applied Legal Studies are litigating the issue of illegal deductions at the Supreme Court of Appeal on behalf of a group of grant beneficiaries. Many grant recipients have complained about illegal deductions from their welfare payments as a result of being signed on to services and products that they have not knowingly authorised.

Given the socioeconomic crisis that is engulfing South Africa, it is tempting to regard data protection as either a “luxury item” or a mere technical spare wheel. But the evidence shows that personal data breaches can strike at the heart of the democratic order and denude the dignity of citizens.

The framework provided by an operational data protection law, overseen by a strong and capable enforcement body, would also allow investors to invest in businesses that process personal data with far more confidence.

Without such a regulatory framework they will continue to have to enter into company-to-company agreements about how EU citizens’ personal data will be processed in South Africa.

Although careful thought must be given to how the information regulator is set up and organised, the sooner it is up and running, the better,for voters, welfare beneficiaries, consumers and for the economy.

Richard Calland, associate professor in public law at the University of Cape Town, has researched the operational models of data protection regulators in Japan, Germany and Britain. Alison Tilley is head of advocacy at the Open Democracy Advice Centre, and a member of the national working group of Right2Know

Subscribe to the M&G for R2 a month

These are unprecedented times, and the role of media to tell and record the story of South Africa as it develops is more important than ever.

The Mail & Guardian is a proud news publisher with roots stretching back 35 years, and we’ve survived right from day one thanks to the support of readers who value fiercely independent journalism that is beholden to no-one. To help us continue for another 35 future years with the same proud values, please consider taking out a subscription.

And for this weekend only, you can become a subscriber by paying just R2 a month for your first three months.

Richard Calland
Richard Calland is an associate professor in public law at the University of Cape Town and a founding partner of the Paternoster Group.

Related stories

A litmus test for the 2021 election

In this week’s 96 by-elections, the trend was the ANC held its ground and grew, while the DA lost big, with minority parties eating into its voter base

‘Super-Wednesday’ by-elections: all the data and who is contesting what

In this week’s by-elections, the ANC has the highest number of wards being contested. However, the turnout in some communities in areas in the Vaal district has been low — even after the electoral commission said it was ready to welcome voters

IEC all set for ‘super Wednesday’ by-elections

By-elections on super Wednesday are due to go ahead as scheduled this week. The electoral commission told the media that it is now ready for the elections, which have been put on hold since March.

You can get fired for bad tweets even when you’re not at work

The law has extended the disciplinary arm of employers — posts made on personal social media accounts may constitute a sufficient enough reason for dismissal

Financial conduct body slaps Jooste with R162-million fine

The former Steinhoff chief executive and three others have been fined by the FSCA for insider trading in the days leading up to the company’s 2017 share price crash

Facebook, Instagram indiscriminately flag #EndSars posts as fake news

Fact-checking is appropriate but the platforms’ scattershot approach has resulted in genuine information and messages about Nigerians’ protest against police brutality being silenced
Advertising

Subscribers only

ANC: ‘We’re operating under conditions of anarchy’

In its latest policy documents, the ANC is self-critical and wants ‘consequence management’, yet it’s letting its members off the hook again

Q&A Sessions: ‘I think I was born way before my...

The chief executive of the Estate Agency Affairs Board and the deputy chair of the SABC board, shares her take on retrenchments at the public broadcaster and reveals why she hates horror movies

More top stories

DRC: Tshisekedi and Kabila fall out

The country’s governing coalition is under strain, which could lead to even more acrimony ahead

Editorial: Crocodile tears from the coalface

Pumping limited resources into a project that is predominantly meant to extend dirty coal energy in South Africa is not what local communities and the climate needs.

Klipgat residents left high and dry

Flushing toilets were installed in backyards in the North West, but they can’t be used because the sewage has nowhere to go

Nehawu leaders are ‘betraying us’

The accusation by a branch of the union comes after it withdrew from a parliamentary process
Advertising

press releases

Loading latest Press Releases…