A thousand private surveillance cameras have been rolled out in Johannesburg. They watch every person and car that moves near them. If their algorithms pick up something strange — such as a licence plate known to be linked to crimes — the security companies that rent the data can react.
Vumacam, one of the companies responsible, says a total of 16 000 cameras will be in place in the next 12 months.
Thanks to their security abilities, the cameras have been warmly welcomed by some as a way to curb crime, but others view them as an invasion of privacy and have questioned whether such surveillance is lawful.
Information regulator Pansy Tlakula says her office has already received complaints.
Under current legislation it is all probably legal. But the law is changing and with it will come stronger protections of the data.
The system uses fibre network infrastructure from Vumatel and other providers in the city to connect the cameras and provide a live feed and a licence-plate recognition service. Access to the feed is then sold to neighbourhood security companies.
Tlakula says her office — whose job it is to monitor and enforce compliance with information laws — is finalising its position paper on the surveillance cameras and would be adopting it on June 6.
But experts agree that the law in this area is complicated. The Protection of Personal Information Act (Popia) — which was enacted to govern the collection and sharing of information in the digital age — is yet to come into force.
For now, our common law privacy laws are weak in situations such as this, says Webber Wentzel partner and information law expert Dario Milo: “Vumacam may not be doing anything that could result in a legitimate complaint at this stage.”
When Popia does come into force, however, it will give very strong protection to people’s personal information, says Milo.
But he also says: “The Act is riddled with exceptions — consent of the ‘data subject’ [the person being surveilled] is the golden rule, but there are exceptions. Informing the data subject that information is being collected is the golden rule; but again, there are exceptions. And so on. That’s what makes it complicated. And there are many questions which will have to be grappled with by our courts and the regulator over the coming years.”
Vumacam says it is compliant with Popia. But, it is difficult because it is a new law, yet to be interpreted by the courts. Ashleigh Parry, its chief commercial officer says: “There is also no predecessor legislation for interpretative guidance … For now, the best we can do is to interpret Popia according to the general language-context-purpose framework for statutory interpretation in South African law.”
She says Vumacam had also looked at the laws from jurisdictions with more developed data protection laws, such as the European Union.
Public interest lawyer Avani Singh of Power Singh Inc says the Act allows for the collection and distribution of information under very strict conditions — all of which Vumacam would be required to meet.
She says the two underlying principles of the Act — when it comes to the collection and sharing (called “processing” in the Act) of data — are justifiability and proportionality: you may process data where is it justifiable and where the intrusion into someone’s privacy is proportional to what you are seeking to achieve.
However, the proportionality requirement includes a “principle of minimality — that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive”.
Singh is concerned about whether Vumacam would be fully compliant with Popia, “particularly without full and transparent disclosure being made by Vumacam”.
“Having 15 000 cameras placed indiscriminately, recording everything about all persons in its vicinity, may be difficult to justify as proportional and ‘not excessive’, which is what Popia requires,” says Singh.
The Act also requires that, if someone is going to collect information without people’s consent, the personal information must be collected for a “specific, explicitly defined and lawful purpose”, which as a general principle should be made known to data subjects.
Vumacam says on its website that it installs the cameras to protect people’s safety. Singh agrees that people’s safety would arguably fall within the Act’s “legitimate interests of the data subjects” justification .
But she suggests that this is not the only purpose: there is a profit motive also. Any further processing — such as the selling of this information to security companies — would also need to be compatible with the purpose for which it was originally collected and made known to the affected data subjects.
Milo adds that one of the questions that remains to be answered is what the legitimate interest of the “responsible party”, such as Vumacam, is when processing information for security purposes.
Parry says the Act does not say which purposes are acceptable. It only requires a purpose be “specific, explicitly defined and lawful” and be “related to a function or activity of the responsible party”.
“This indicates that there is nothing to prevent Vumacam from using footage for ‘commercial purposes’ provided those requirements are met”. Vumacam would still, however, need to comply with the rest of Popia, she says.
Safeguarding information is also a consideration. Vumacam says it is only stored for 30 day and security companies may not download it.
Thirty days appears to be a reasonable period, says Singh. Yet there are also Popia requirements for how the information is stored, shared and subsequently destroyed she says — including that these measures constitute “appropriate, reasonable technical and organisational measures”.
Parry says the latter is the overarching principle. “The nuts and bolts of appropriate safeguards depends on ‘general accepted information security practices and procedures’.” She says Vumacam has taken guidance from the EU and United Kingdom in this regard.
Parry provides a list of the security companies that are clients, which include Tracker, MiWay and CAP Security. She and Milo both say that, under the Act, Vumacam remains responsible and liable for the information collected.
The clients are subject to a vetting process and enter into a contract with Vumacam, which includes periodic audits by a third party to ensure adherence, says Parry.
The company puts up notices in the areas where there are cameras. Singh says the notice should include telling people who the information will be shared with and make clear what the purpose is.
But Parry says the law requires that it must take “reasonably practical steps” to inform members of the public about all this.
“Vumacam does not need to comply with this requirement if compliance is not reasonably practicable. However, we do put public notices on all active poles with indication on where to find processing, storage and data-use information.”
Parry says the company’s research showed people are more concerned about their safety then their privacy.
“But we are aware of the philosophical argument on privacy. And that is why we have taken so much care to ensure we comply with the law”.