POPIA principles must align with AI governance, say experts
As South Africa marks the 10th year of the Protection of Personal Information Act’s (POPIA’s) existence, law-makers should shift the focus to aligning its principles with the governance of artificial intelligence (AI) applications.
This was the sentiment shared by data protection experts, speaking yesterday during a roundtable discussion at the 10 Years of POPIA Symposium, hosted by the Information Regulator, in Johannesburg.
The event created a platform for information officers, legal professionals and data privacy specialists to reflect on the implementation of POPIA since it was enacted in SA on 19 November 2013.
Speaking under the theme “The journey thus far, and the journey ahead”, the panellists acknowledged the strides made by the office of the Information Regulator in revolutionising data protection in SA, and highlighted the need to chart a way forward for better implementation.
POPIA aims to bring SA in line with international standards for the protection, collection, recording and storage of personal information, giving individuals control over their personal information.
The Act is touted as a world-class piece of legislation that is on par with similar laws, such as the European Union’s General Data Protection Regulation (GDPR).
However, panellists agreed that certain statutes should be amended or extended to govern the AI technologies used by organisations in the collection, processing and storage of personal data.
Advocate Tshepo Boikanyo, executive member of the Information Regulator and executive of POPIA, explained: “I think that we have lagged behind with regards to the regulation of artificial intelligence, and this is an area that we may need to look at.
“During a recent session on artificial intelligence, what we picked up was there are so many responsible parties that have advanced in this space and, as the regulator, we need to catch up and beef up our Act in relation to technological advancement.”
While POPIA was signed into law in 2013 (section 1, Part A of Chapter 5, section 112 and section 113), the commencement date of the other sections was 1 July 2020 and the one-year grace period to comply ended on 30 June 2021.
According to Boikanyo, regulatory changes are unfolding in other parts of the globe; for instance, the move towards extending certain elements of the GDPR to expand its reach for effective AI regulation.
Local organisations are increasingly using AI, generative AI and machine learning to gather and process the personal data of customers and stakeholders to gain competitive advantage and influence consumer behaviour.
However, there are growing concerns over the potential risks of such emerging technologies, relating to infringement of user rights, data protection and manipulation, as organisations across the globe race to rollout AI systems.
The panellists raised concerns around other complexities associated with regulating data protection compliance processes, as they relate to the various ways in which AI can be trained and deployed to handle personal data.
Ahmore Burger-Smidt, director at Werksmans Attorneys and data privacy lawyer, pointed out POPIA already makes provisions for automated decision-making, and the important question that lawmakers need to answer is: how should it be enhanced for further developments aligned to the digital economy?
“The reality is that the compliance environment is so complex, that you need to consider to what extent you can make your compliance processes more robust through the utilisation of artificial intelligence tools.
“Yes, there are advancements and amendments that we require in terms of the legislation, but not only POPIA, because we can't have one piece of legislation existing in isolation. The legislation is 10 years old and the world has moved on at a rapid pace. So, our legislation is lagging behind in certain aspects but it's not a complete failure or a complete gap in the legislation,” she stated.
According to Burger-Smidt, current developments in the European Union can provide a good case study for SA, in terms of reconsidering certain elements of POPIA beyond AI, to include various other emerging technologies.
Professor Sizwe Snail ka Mtuze, professor of cyber law at the Nelson Mandela University and MD of Snail Attorneys, added: “Personally, I believe that with technological changes, the law also needs to change. We should not imitate what is happening around the world in terms of compliance; however, I am a fan of international best practice.
“This is to say let us regularly review our own laws, and let us see what is happening on the outside and not have our head in the sand like an ostrich. This is a space for the regulator and for Parliament to have vigorous discussions about possibly amending the POPIA and advancing some of the provisions therein, as some of them may have changed with the times.”
The panellists also weighed in on whether SA should establish a standalone AI Act, as other nations such as Brazil are doing, or if tweaking existing laws would be better suited to the local context.
“Amending the current legislation to include AI, and then incrementally changing that as new technologies advance, is better than creating a standalone artificial intelligence Act which may turn out to be irrelevant in a few years’ time,” asserted Boikanyo.
Advocate Mamoneuwa Maduna, executive head of privacy at Vodacom, noted that rather than introducing a new AI Act, considerations should be made to advance POPIA’s current ‘privacy by design approach’.
“Yes, there are improvements that we need to adopt given what's happening in the European Union and the new AI Acts that are being introduced. POPIA has adopted a ‘privacy by design’ principle and I don’t think we are completely lagging behind global counterparts.
“One of the things that we need to start looking at, regarding technological advancements, is the fact that the legislation has matured so much and how can we ensure our current privacy by design methodology is geared up towards artificial intelligence,” noted Maduna.