Losing ground in the knowledge economy
South Africa is beginning to lag behind other nations in today's information-driven world. Catching up will require the political will to revise the POPI Act and to get the Information Regulator up to speed.
The modern world has become increasingly connected, so it is no surprise that the protection of privacy and personal data has become a key concern for legislators across the globe.
In South Africa, this has resulted in the formulation of the Protection of Personal Information (POPI) Act, while in Europe, the General Data Protection Regulation (GDPR) is now being enforced. However, the GDPR also applies to countries outside Europe; basically, any local business that has ever sold a product or service to someone living in the EU has to comply.
Lawyer Jos Floor, of Floor Inc Attorneys, recently told attendees at VeeamOn Forum, in Johannesburg, that there remain many challenges in the personal data protection space, most notably with the current state of flux relating to the POPI Act.
"POPI is a particularly frustrating situation, as there has been an incredibly lengthy stop-start process involved in even getting it to this point. It's disappointing to note that we have been working on the concept of data privacy regulation since 2000, and yet it seems nearly 20 years later that no one yet knows what's going on with it. Most organisations have been conducting some form of readiness assessment for some time now, and yet no one can actually tell when the Act is going to come into force," he says.
"This is causing numerous problems for enterprises. Not only is policy uncertainty an issue, but there is also the money being expended to prepare for it, yet there is no clarity on when it will officially be in place."
A big part of the problem, says Floor, is that South Africa in general does not have the same kind of data privacy culture that exists in Europe. He points out that in the EU, they have been considering data privacy for almost 50 years, meaning there is a great level of awareness and a large body of work around it to draw from. South Africa, on the other hand, has virtually no collateral related to data privacy prior to the first draft of the POPI Act.
"This means that when you look at what exists in other regimes, SA is clearly lagging very far behind in terms of what needs to be done with regard to data privacy. That said, with POPI initially being envisioned in 2000, it has been on the statute books for some time, so an increasing number of organisations are becoming familiar with it. However, the only entities really putting any effort into driving the POPI agenda are the vendors, who are focusing on the security and compliance needs related to it."
Floor explains that the POPI history has been long and varied, with the initial drive in the early 2000s coming off the back of an EU directive in 1995, which was effectively the forerunner to the GDPR. He suggests there was quite a lot of fuss made about POPI in the build-up to the 2010 FIFA World Cup, but since that event, the pressure has died down and there has been no proper follow-through.
"Now we are sitting with an Act that has not yet been made law, which is actually based on and aligned with a European law from nearly a quarter of a century ago. And worse still, POPI hasn't even been tested against the original 1995 EU law, and now, with GDPR, there is a new version. This is a massive issue for South Africa if it wants to remain a player in the world," he says.
"After all, I have heard that some 120 countries have already implemented legislation based on the original EU law, and are now aiming to adapt these local laws for GDPR. SA, on the other hand, hasn't even managed to get its legislation based on the original EU law into play yet, so we are in significant danger of being left behind by the rest of the world."
The real cause of the lack of action on POPI, he adds, is a simple but toxic mixture of a lack of both policy certainty from government and of the political will required to make it happen. Floor explains one of the big challenges is that POPI cannot kick off until the country has a functioning Information Regulator, which is currently not the case.
"At present, the regulator has requested a budget of R30 million, but this has not been approved by Treasury. While there can be no doubt that there are many other issues impacting the country and for which funds are also needed, I have to question the wisdom of not providing this budget. Getting POPI into play has the potential to seriously stimulate the economy and, perhaps more critically, enable SA to continue to keep pace with the major nations around the globe."
The real issue is that because of the length of time POPI has been in flux, continues Floor, it may need to be updated to match the new GDPR legislation before it is enacted, otherwise it will still leave South Africa with outdated legislation. He suggests a two-pronged approach to this dilemma: a clear desire on government's part to provide the Information Regulator with the required funding and skills, and a solid overhaul of the existing POPI legislation to meet the new GDPR standards.
"There is no doubt that the South African economy needs to be stimulated and sorting our POPI issues out properly is one way to have a significant impact here. However, perhaps the most critical reason for getting the ball rolling as quickly as possible is the simple fact that in the modern knowledge economy, a country cannot afford to fall behind the competition, because catching up after the fact will be more difficult than it has ever been before in history," he concludes.