Last year, an Australian information security expert revealed that the personal information of nearly every living South African, and some dead ones too, had been dumped on the open internet. This means that in time to come, many South Africans may be facing demands from credit companies to pay accounts they never opened.

How could the culprit play so fast and loose with the personal information of millions of people? Quite easily, actually, as the regulator responsible for protecting our personal information is still being set up. This is a problem, because the state and private sector are invading our privacy all the time, and the new regulator will have to play catch-up.

South Africa’s regulator will play a dual role of an information regulator and a privacy regulator. It remains to be seen whether it will be successful in balancing these roles. In fact, these roles could well pull in opposite directions, as the first involves releasing information and the second protecting it.

Cyril Ramaphosa’s government needs to give this new regulator the resources and power to do its job, to prevent the sorts of regulatory failures that we’ve seen time and again in other areas of life.

There is another reason why the proper resourcing of the new regulator is so important. On balance, privacy regulators elsewhere have been pretty useless at protecting privacy.

Privacy regulators are meant to stop state entities and private companies from abusing our personal information. This they do by developing privacy policies and guidelines and hearings complaints from people whose privacy has been violated.

Typically, the work of privacy regulators is governed by data protection laws. Ours is the Protection of Personal Information Act (POPI), passed in 2013. It is shocking but unsurprising that five years later, the regulator mandated by this act still isn’t fully functional.

Countries that were ahead of the privacy curve began to enact data protection laws in the 1970’s and 1980’s. By 2018, over 100 countries had passed data protection laws, and over 40 countries were developing draft legislation.

Increasingly, privacy is being recognised as a fundamental right, and as India’s Supreme Court noted recently, not a luxury for the chattering classes only. All these developments are wins for the global privacy movement.

Many of these laws incorporate basic principles of data protection outlined in the Fair Information Practice Principles (FIPPS). These principles were developed by the US Government in the 1970’s, and were incorporated into the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy.

It is well worth setting out these data protection principles in full, so that we’re all clear about what our rights are. They are as follows:

• Collection limitation principle – data controllers (or people who exercise control over our personal data) should limit the collection of personal data, which should be collected using lawful means and with the data subject’s consent;
• Data quality principle – data controllers must ensure that data that is kept should be as complete and up-to-date as possible, and should serve the purpose for which it was collected;
• Purpose specification principle – when data is collected, data controllers must state the purpose for collection, and they should limit themselves to that purpose;
• Use limitation principle – data should not be collected, or once collected, should not be used for a purpose for which it was not intended without the consent of the data subject (the person who’s data is collected and processed, or you and I);
• Security safeguards principle – data controllers must protect personal information using reasonable safeguards against loss, disclosure, alteration or destruction;
• Openness principle – data controllers should be open about the policies and practices impacting on personal data;
• Individual participation principle – a data subject has a right to know if data is being kept about him or her in a reasonable time and at an affordable cost and in a format that is intelligible, and if the request is refused, reasons should be give;
• Accountability principle – the data controller should be responsible for complying with these principles.

Now that you know what your rights are, think about how many times they have been violated. All those times that government departments or private companies have shared your information without your consent. All those times when they’ve collected and stored your information without your knowledge. All those times when they’ve stored inaccurate personal information in insecure databases and continued to use it.

In fact, you’ll be hard pressed to think of situations where your personal information has been used fairly. This is because the exploitation of our personal data has run far ahead of privacy policy and law.

Other Fair Information Practice Principles have been developed, that range from minimalist to maximalist. However, the ones aligned to the OECD Guidelines have become the most prominent. They serve as foundational principles for data protection or privacy commissioners around the world, including in South Africa.

However, when put into practice, these high-minded principles have not necessarily served the struggle for privacy very well. This is because they have prioritised individual control over personal data, while failing to address broader societal pressures on the right.

In other words, these principles have individualised the problem of data protection. They have often reduced protections to narrow, technical formulae that may not work well in the real world, and may even become dysfunctional.

Privacy commissioners tend to base their actions on the control theory of privacy, which emphasises the right of individuals to exercise control over their personal information. In terms of this theory, data subjects are asked to make choices (and often very few at that) about what happens to their data. But these individuals often have little understanding of the real issues at stake, as data controllers skilfully bury them in legalese.

As the underlying theory is premised on individual behaviour to enforce privacy safeguards, they fail to consider the massive obstacles that individuals face when attempting to enforce this right.

Privacy regulators often focus on ensuring that data controllers release privacy notices informing data subjects of their rights. Then, they spend huge amounts of energy on ensuring procedural compliance with these notices.

But very few people are able to understand these increasingly complex, opaque, notices, leading to them skipping over the notices in order to access a service.

These complexities skew individual decision-making towards those with more resources or higher levels of education. People who can access legal advice are also more advantaged, which in turn makes this form of privacy one that only a select few can and do enjoy.

Consumers are also unlikely to know if information in possession of a data controller has been misused, which calls into question the effectiveness of complaints mechanisms.

By creating the impression that individuals do, in fact, have control over their own data, the principles ignore the power differentials between institutions and individuals that may make the exercise of this control difficult.

Often, privacy regulators also fail to address whether particular forms of surveillance should be taking place in the first place. Broad-ranging carve-outs (or exclusions) on grounds such as national security render data protection principles all but useless in the most controversial areas of data governance, where protections are often the most needed.

In fact, the most serious flaw in data protection laws is that they often fail to hold governments to account for data breaches in the same way that they do private sector companies. Even when privacy regulators attempt to do the right thing, their efforts are often thwarted by governments that smack the regulators back into place.

For example, former advisor to Canada’s Privacy Commissioner, Michael Geist, argued that the Canadian government shared intelligence with other governments that went far beyond what was needed to investigate terrorism or other serious crimes. He claimed that the government lacked the political will to address the privacy implications of these practices.

While large communications companies like Google and Vodaphone are releasing annual transparency reports about the number of times they had been approached to share personal information, governments are not doing the same.

According to documents leaked by Edward Snowden, in the United States (US), an internal audit found that the US government’s signals intelligence agency, the National Security Agency (NSA) broke privacy rules thousands of times.

To all intents and purposes, national security has trumped privacy laws. Happily, South Africa’s law is quite progressive on these issues, though. It states that POPI doesn’t apply to national security or criminal justice matters, except if it can be proved that existing privacy protections in these areas are inadequate.

There is little doubt that many of the data processing practices of our police and intelligence agencies violate privacy unduly (we shouldn’t be worried about those that don’t). This is because existing privacy protections in these areas are inadequate, and consequently POPI will apply.

It remains to be seen if the new regulator will have the stomach to take the spy agencies on, and whether the Ramaphosa administration will respect it if it does.

What we learn from global experiences is that when privacy regulators overemphasise procedural protections for privacy, rather than substantive ones, they make little difference to the overall protection of the right.

In such situations, privacy commissioners can create the illusion of information control, rather than actual control. Will South Africa’s new regulator repeat these mistakes? Watch this space…

South Africans need to become much more aware of their data protection rights and insist on their enforcement in meaningful ways. We must not rely on data protection laws and regulators as the main goal of privacy struggles. Otherwise we may land up being very disappointed indeed. DM

Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. Her new book is called Stopping the spies: constructing and resisting the surveillance state in South Africa (forthcoming from Wits University Press)

Photo: Dayne Topkin/(Unsplash)