POPI and privacy: important recent developments

Introduction

As the world wrestles with legal and practical implications of novel technologies and their application in the processing of personal information the past two weeks have seen important developments on the privacy front, says Condyn. These are addressed, in summary, in this newsletter and links to documentation which may be of interest to you are provided.

Right to be forgotten

One of the rights supplementary to the right of privacy and protection of personal information that has been evolving is the "Right to be Forgotten". This right allows, among other things, an individual to have data deleted, particularly where it is accessible on the Internet, so that third persons can no longer trace data to the individual concerned. While considered a novel development in human rights law and the concept has not yet been universally accepted, the European Union's Court of Justice has established this as a right for all European citizens in a recent finding against Google. The court ordered Google to remove links to data which may be accessible through its search engine that appear to be "inadequate, irrelevant or no longer relevant or excessive in the light of the time that has elapsed".

This demonstrates Europe's determination to protect the personal information of its citizens, which is also reflected in the European Union's addressing the establishment of a far stricter privacy regime amongst its members. The decision of the European Court has been criticised by some, but the fact that in the first four days after the judgment was handed down Google received more than 40 000 requests from Europeans for their "right to be forgotten" to be implemented, illustrates the importance the Europeans attach to the privacy of their personal information.

The Regulator (once established) in South Africa is not bound by the European court decisions. However, it is possible, and even probable, that if required to rule on these issues, the Regulator will find rulings of Data Protection Authorities and courts in Europe persuasive.

As indicated in previous newsletters the legal and regulatory landscape on the processing of personal information (and, it is submitted, information generally) is likely to be sculpted by decisions of the Regulator, which in many instances will take into account the approaches that may be adopted in other jurisdictions. Particularly in light of the fact that we have fallen behind other jurisdictions and have yet to develop a body of law governing the protection of personal information, important decisions such as the one under discussion need to be taken into account by South African enterprises determining how they will protect personal information.

Big data and data brokers

Two important reports relating to big data and data brokers were published in the United States during the course of May 2014.

The first, entitled "BIG DATA: Seizing opportunities, preserving values" is in response to President Barack Obama's request in January of this year that issues of big data and privacy be investigated.

The second, entitled "Data Brokers: A call for transparency and accountability" is a comprehensive report by the Federal Trade Commission into the practices of data brokers.

The reports examine both the benefits of big data and the risks that the unregulated processing of big data poses to the privacy of individuals. Both recommend legislative intervention in the regulation of big data and the practices of data brokers.

In considering these reports it is important to note that they have been provided against the more liberal approach of the United States to the processing of personal information than is the case in the European Union. Nonetheless, they call for stricter legislation and are important milestones in addressing the search for an appropriate balance between the undeniable benefits of big data and the equally undeniable fact that the right of data subjects to control their information are often disregarded by unscrupulous data brokers and others.

Cyber essentials

On the 5th June 2014 the Department for Business, Innovation and Skills in the United Kingdom published three documents which provide guidance to establishing appropriate information security, particularly in small and medium-sized enterprises.

These documents, entitled "Cyber Essentials Scheme: Summary", "Cyber Essentials Scheme: Requirements for basic technical protection from cyber-attacks" and "Cyber Essentials Scheme: Assurance Framework" will assist UK businesses in establishing appropriate information security (or cybersecurity) in the conduct of their business.

In welcoming this scheme, the Information Commissioner (UK), Christopher Graham, said:

"Protecting personal data depends on good cybersecurity, and the threats and challenges are getting ever more sophisticated. All too often organisations fail at the basics. This scheme focuses on the core set of actions that businesses should be taking to protect themselves, customers and their brand.

Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks."

In South Africa one of the challenges of the Protection of Personal Information Act will be the obligation on responsible parties to properly protect personal information and apply Generally Accepted Information Security Practices in doing so. It is suggested that guidance on a similar basis to that contained in the Cyber Essentials Scheme will be of enormous assistance to small and medium enterprises in South Africa. While its approach may differ, the Regulator will be well advised to take a lead from this UK initiative (possibly in conjunction with other government departments) to assist responsible parties in complying with their obligations in terms of the Act.