Earlier in May, Facebook reported that 96,134 South African Facebook users were potentially impacted by the recent Cambridge Analytica data breach – which means that their personal information may have been harvested without their consent if they used a personality quiz app called “thisisyourdigitallife”.
In February 2018, Zulu King Goodwill Zwelethini received a phone call on his private number from an employee of insurance company MiWay who addressed him by his first name and attempted to sell him insurance premiums. The taped conversation was subsequently posted on social media.
All year round, South African marketers and political parties make unsolicited phone calls, and send unsolicited texts, to people who are not customers or party members and have never knowingly given permission for this contact.
These three situations all represent breaches of privacy that South Africa’s Information Regulator should be able to act against.
But as Parliament heard on Tuesday, the only forms of action the watchdog can currently take are limited to writing letters and asking for meetings with the bodies responsible for these privacy breaches.
In the presentation made to the Justice Committee by Information Regulator Pansy Tlakula, the problem was expressed starkly:
“Regulator does not have the powers to enforce and settle complaints.”
That there is clearly a need for the regulatory service which should be provided by the Information Regulator, however, is evidenced by the fact that the regulator has already received over 180 complaints to date.
This is despite the fact that, as lobby group Right2Know points out, awareness of the existence of the Information Regulator is minimal.
“In the communities in which we are present and amongst the different constituencies with whom we work, there is no visible sign of the existence of the Information Regulator,” Right2Know said in a statement issued earlier in May.
It added that “in the past year there has been a deafening silence from the Information Regulator regarding issues of national significance in relation to the abuse of personal information of people”.
President Jacob Zuma appointed Tlakula in the newly created role of Information Regulator in October 2016. More than 18 months later, what’s the hold-up?
“We are stuck,” Tlakula told MPs candidly on Tuesday.
The problem, it appears, is twofold. One issue is that South Africa’s Protection of Personal Information Act (POPIA), despite being promulgated in 2013, is yet to come into full force. Another is that the Information Regulator cannot make appointments – such as that of CEO – without the approval of National Treasury.
But when the regulator’s members approached Treasury in this regard, they were sent to the Department of Public Service and Administration. There, department officials advised that the regulator’s organisational structure could only be approved when the Information Regulator is listed as an approved entity as envisaged by the Public Finance Management Act.
It is, in short, a bureaucratic mess – which Tlakula assured MPs she is working to resolve as soon as possible. It is envisaged, however, that permanent executive positions will only be filled in the fourth quarter of 2018 at the earliest.
The Information Regulator does not even have an office at present. It was explained that it is currently being housed in the Department of Justice, but that “proper accommodation” would be sourced later in the year.
There was some sympathy for Tlakula’s situation among the MPs of the Justice Committee, with chair Mathole Motshekga commenting that Tlakula and her handful of colleagues had been “hitting the ground running with their hands tied behind their back”.
But the importance of the office was also made clear.
“This regulator is to perform a vital function in our maturing democracy,” said the DA’s Werner Horne.
In October 2017, Australian researcher Troy Hunt found that the personal records of more than 60 million South Africans – both living and dead – could have been harvested as a result of a data breach stemming from a real estate company. The data breach, believed to be the largest in South African history, included records such as ID numbers, email addresses and phone numbers.
At the time, it was pointed out that if the Information Regulator had been up and running, those responsible for the data breach could have faced massive fines or even prison time. But as things stood, said Tlakula, it remained a “free-for-all situation”.
In that situation, all that the currently embryonic regulator was able to do was convene a meeting of government institutions such as the Hawks and the National Credit Regulator which were independently investigating the data breach.
In the case of the recent Facebook breach, all the regulator was able to achieve was a letter from Facebook indicating the extent of the South African exposure to the breach.
And when it came to the Miway-Zwelethini matter, an exchange of letters was again the extent of the regulator’s powers.
On Tuesday, Tlakula told MPs that evidence of South African institutions’ cavalier attitude to personal data was right on their doorsteps.
When she had entered Parliament’s visitor centre, she explained, she had been asked – as is routine – to supply all sorts of private information.
“Why is Parliament asking for my cell number?” Tlakula demanded to know.
“I think Parliament has to lead by example.” DM
"Don't tell me the sky's the limit when there are footprints on the moon." ~ Paul Brandt