Hands off our data!
How well is South Africa doing in protecting data privacy? Terribly. The culture of handing over information unquestioningly needs to change. This will involve a big shift in consciousness both for ordinary citizens and for data controllers.
Data Privacy Day falls on 28 January. Its purpose is to raise awareness about privacy issues online and the importance of data protection.
How well is South Africa doing in protecting data privacy? Terribly. It is open season on people’s personal data, leading to massive data breaches, and this problem is likely to intensify. The fourth industrial revolution — which we are told we need to promote if we’re going to stay relevant as a country — is premised on the exploitation of data. The technology optimists have been allowed to dominate the debate.
One reason why so many government and private companies have their snouts in our data, beyond what is necessary or appropriate, is that the much anticipated Information/Privacy Regulator does not appear to be fully operational yet. Consequently, its founding law, the Protection of Personal Information Act, is not fully in force. These are urgent problems that need to be addressed.
Yet, perhaps more urgent is the need for a massive public education campaign on what people’s data rights are. This campaign needs to be similar to that waged against the Protection of State Information Bill, which transformed freedom of information from an arcane, elitist issue into a popular issue.
Basic data protection principles need to become part of the national conversation, on the streets and in the media. Many people do not even know that they are generating data, much less what their rights are in relation to this data.
These rights and principles are as follows:
Collection limitation principle — you have a right to insist that data controllers (or people who have control over your personal data) should limit the collection of personal data, which should be collected using lawful means and with your consent;
Data quality principle — you have a right to insist that data controllers must ensure that your data is as complete and up to date as possible, and should serve the purpose for which it was collected;
Purpose specification principle — you have a right to insist that when data is collected, data controllers must state the purpose for collection, and they should limit themselves to that purpose;
Use limitation principle — you have a right to insist that data should not be collected, or once collected, should not be used for a purpose for which it was not intended without your consent;
Security safeguards principle — you have a right to insist that data controllers must protect your personal information using reasonable safeguards against loss, disclosure, alteration or destruction;
Openness principle — you have a right to insist that data controllers should be open about the policies and practices impacting on personal data;
Individual participation principle — you have a right to know if data is being kept about you in a reasonable time and at an affordable cost and in a format that is intelligible, and if the request is refused, you should be given reasons; and
Accountability principle — the data controller should be responsible for complying with these principles.
These are rights that all of us should be aware of, and we should insist that they are respected, as South African institutions, public and private, are shockingly non-compliant. It doesn’t take much thinking to realise that these rights are being violated all the time.
When these institutions insist on people handing over their personal information, then people need to know that they can question why their information is being collected, how it is going to be stored and used, who is going to access it and for what purposes, and when it is going to be destroyed. Doing so is part of exercising data sovereignty or control over the data that you generate.
The culture of handing over information unquestioningly needs to change. This will involve a big shift in consciousness both for ordinary citizens and for data controllers.
There are some key data protection issues that we need to look out for in 2019. People who care about their privacy should get out in front and shape the agenda of the Information/Privacy Regulator.
There are likely to be important struggles around the exceptions to data protection rules. The South African Police Service and the State Security Agency may well argue that these rules don’t apply to them.
Police and intelligence agencies around the world try to exempt themselves from data protection rules with varying degrees of success. This is in spite of the fact that these agencies are likely to violate privacy in excess of what is needed to fight crime or protect national security, leading to abuses.
For instance, the growing use of intelligence-led policing and predictive policing models is seeing policing relying less on reasonable suspicion of criminality as a basis for policing work, and more on fundamental intelligence principles of prediction and forewarning. As a result, the risks of profiling politically inconvenient people, and reinforcing stereotypes about who the main criminals are in society, are high.
Data protection exemptions risk making these rules irrelevant in sectors where they are most needed. South Africa’s law has a caveat, though, implying that the law doesn’t apply to police and national security only if it can be proved that existing data privacy protections are adequate, which they aren’t.
But we should watch out for these agencies trying to argue for blanket exemptions from data protection rules. They shouldn’t be allowed to, and any exceptions should be narrowly tailored and serve a legitimate public safety purpose.
Then there are data protection issues at local and street level. Increasingly, South African cities are incorporating facial recognition and automatic number plate recognition technologies into “smart” closed circuit television (CCTV) camera networks. Signage is non-existent in areas where these smart tools are active, which is wrong. The regulator needs to issue a practice note about CCTV roll-out.
Drones are likely to be acquired more frequently for public safety purposes and they have indisputable benefits. However, the safeguards on their abuses are inadequate, largely because the Civil Aviation Authority (CAA) is privacy insensitive and concerned only about airspace safety — and the regulator needs to engage the CAA about this.
The increasing scope of public surveillance makes the argument that people do not have a reasonable expectation of privacy in public spaces much more problematic. Also, if people do not know that their personal information is being collected in public spaces, then they cannot enforce their data rights and demand accountability for how their money is being spent.
Governments and surveillance companies tend to overpromise and under-deliver on crime-fighting using data-driven surveillance devices. These smart devices are also leading to particular types of crime becoming prioritised — such as crime in public spaces — while white collar, corporate crime becomes less and less visible, except when leaks happen.
Surveillance is likely to become even more of an issue as cities go smart (in other words, as they incorporate data collection and processing tools into their everyday activities, such as traffic control).
Smart cities present communications companies with massive markets for their wares, with a company such as Huawei offering municipalities “smart cities in a box”. Smart cities have become controversial for commodifying digital spaces, exploiting citizens’ data without their consent, reinforcing spatial inequalities and undermining their “informational right to the city”.
Giving us a taste of what is to come if citizens are not vigilant, Edwin Diender, vice president, government and public utility sector, Huawei Enterprise Business Group, has said:
“Europe is almost over-regulated, making it very difficult to proceed swiftly, compared to South Africa… In fact, if Amsterdam and Johannesburg were to compete in implementing a particularly smart solution, I believe Johannesburg could easily win the race.”
Johannesburg and Cape Town have signalled their intentions to become smart cities, in spite of the fact that the roll-out of smart technologies is running far ahead of data protection policies and practices. Right now there is nothing to prevent companies such as Huawei from cashing in on our practically unregulated market for data.
In fact, as they are shut out from providing fifth generation communication networks in countries with stronger data protection regimes, apparently for security reasons, they are likely to concentrate even more on markets in the global South. Our data is vulnerable and that is a real security issue.
In the absence of a functioning data protection regime, more government and private companies are also likely to exploit smart data-generating devices connected to digital networks through the Internet of Things (IoT). Data generated by smart electricity meters, for instance, qualifies as personal information and shouldn’t be exploited without a person’s consent. Citizens need to keep a close eye on municipalities in this regard, as they may be tempted to monetise these datasets without the permission of residents.
The relatively unchecked expansion of data-driven security powers leaves people vulnerable to being profiled or even falsely accused of a crime. This is especially so when databases containing people’s personal information are linked with one another and used to track their travel and banking habits, who they communicate with and what they search about and even what they read. Citizens must demand to know when databases that are set up for one purpose are used for another purpose, or where data is shared among data controllers.
Overall, state and private surveillance capabilities are expanding all the time; yet accountability for how they are used isn’t. This means that we cannot yet speak about an appropriate balance between security and privacy. In fact, it has become too easy for politicians to hide behind the cloak of security to evade accountability, abuse power and maintain unsustainable societies.
There is clearly much work to be done, globally and locally. We need to start to demand accountability from the politicians who exploit our data in the name of security. We also need to demand performance from the smart devices that are collecting and processing our data. For instance, no public surveillance system should be rolled out without privacy impact assessments having been conducted and public consultation processes having been undertaken.
There are several other international developments that we need to keep an eye on. One of the most important is around repeated attempts to weaken encryption in the name of security. How this will happen is still a matter of debate, but the fight for security may be harmed more than it may be helped by weakening encryption, including the fight for information security.
In the dying days of 2018, an important battle for encryption was lost in Australia. This defeat has international implications, including for South Africa. Australia is part of a global signals intelligence alliance, the Five Eyes. Now that it has become the weakest link in the alliance from a data protection point of view, it is likely that more intelligence data will be collected and processed through Australia in future, including of South Africans.
The developing standards around bulk communication surveillance are crucially important, as are the attempts to address the cavalier approach with which metadata has often been handled. Intelligence-sharing and the ease with which intelligence agencies elsewhere have shared personal information according to nebulous, ill-defined and secretive intelligence-sharing agreements is another major concern.
In South Africa, the data exploiters have been having a field day. Data Privacy Day should be the day when ordinary citizens start to take back control of their data. If effective campaigns are to be mounted against data exploitation using modernisation, efficiency, safety and security as reasons, then we need to “do” data protection work differently. These campaigns cannot become the property of specialist NGOs, which are often good at making well-thought-out arguments, but which typically do not exercise much social power.
In fact, data privacy needs to become a mass issue. This means emphasising the social content of online privacy and its relationship to political rights (such as the right to organise). Once this happens, then perhaps we will start to see data becoming a force for social progress and a public good, rather than yet another means of exploitation, oppression and dispossession. DM
Jane Duncan is a professor in the Department of Journalism, Film and Television in the Faculty of Humanities at the University of Johannesburg. Her most recent book is Stopping the spies: constructing and resisting the surveillance state in South Africa (Wits University Press). The Right2Know Campaign has launched a petition calling for the Protection of Personal Information Act to be implemented fully, and has also produced a popular education guide to the act. DM
Daily Maverick © All rights reserved