Don’t be deceived by the podium finish. With a score of 3.04 out of five, South Africa may rank third on the list of countries actively protecting the privacy of citizens, but when this figure classifies South Africa as a country with “some safeguards but weakened protections,” it’s clear that the privacy bar isn’t set very high.
These findings were taken from a study published on Tuesday 15 October 2019 by Comparitech, a pro-consumer website that provides the public with access to information and research tools. The study assessed the level of privacy protection and state surveillance in 47 countries with the aim of determining whether governments were doing enough to protect the privacy of citizens.
South Africa scored 3.04 out of five, placing it in joint third position with the United Kingdom and the Netherlands. While this may fare well against surveillance states Russia (2.10) and China (1.76), what this 3.04 entails is a country with “some safeguards but weakened protections”.
The highest score was only 0.16 better than South Africa, with first place going to Ireland at 3.2, classifying it as a country with “adequate safeguards in place”. France, Portugal, Denmark and Norway (tied at 3.1) were the only other countries to meet these standards.
Scores were based on research conducted in 14 categories, including to what extent a country had constitutional and statutory protection and regulatory bodies with investigative powers, as well as the approach to data sharing and the use of biometrics and surveillance in the country.
The study found that South Africa is able to protect privacy rights through our Constitutional Court, and recent landmark court decisions have strengthened privacy rights in the country. South Africa places limitations on data sharing and the country is not party to any invasive international treaties.
Theoretically speaking, South Africa has statutory protection and a regulatory body tasked with enforcing privacy rights; however, neither is fully operational.
“South Africa is in the process of introducing an information regulator and the Protection of Personal Information Act (Popia) which will help to further enforce privacy rights. But these aren’t fully in place, it does create some grey areas,” the study read.
“What this means is that the law is there, but is not yet commenced,” said Mark Heyink, a lawyer who consults and advises on law relating to information and communications technologies.
Popia was promulgated in 2013, which means that while it has been signed into law, the commencement date of many of its sections has not yet been proclaimed.
“The president has only enforced certain sections of the act to allow for the information regulator to be appointed… The executives of the information regulator were appointed four years ago but it is still not fully operational. As soon as they become ‘functionally operational’ they will ask the president to proclaim the commencement of the balance of the act,” Heyink said.
“Only then will the act and all the provisions relating to the protection of data come into being.”
Another issue is the subsequent “grace-period” – from this date of commencement until the date that Popia actually becomes effective, there will still be a transitional period of at least one year.
“These delays are really unacceptable. The way that people should be treating our personal information is not yet law,” said Heyink.
“A law is just a piece of paper until there are institutions that can enforce it,” said Murray Hunter, a researcher on surveillance issues.
“South Africa’s data protection law – the Popia Act – is not yet in force and South Africa’s privacy watchdog, the information regulator, doesn’t have legal powers yet and is operating on a skeleton staff. Until these things change, you can’t say that people’s privacy is adequately protected.”
While there are no official figures, it is estimated that cybercrime is costing South Africans billions of rand.
“The fact that our law has been so tragically delayed – and it is tragic for victims of cybercrime – has contributed significantly to the incidence of cybercrime,” said Heyink.
“Most times, these victims are older people or the less affluent in our society, and they simply cannot recover from these financial setbacks.”
South Africans are not unaccustomed to the day-to-day irritation of spam emails, unwanted phone calls from telecom companies and texts congratulating us on winning big bucks in competitions we didn’t enter.
“But the effect is far more than just the nuisance or the irritation of spam”, Heyink says.
“The effect is very profound. What many do not realise is the extent to which personal information is used in the perpetration of cybercrime.”
Businesses and individuals face cyber-related challenges every day and it is no longer simple internet fraud. Some examples include “business email compromises”, where emails are intercepted, bank account details are changed and money is paid into accounts controlled by criminals as well as “inventory scams”, where cyber-criminals disguised as “suppliers”, are contacted by buyers who pay into an account and wait for a delivery that never comes.
“Cybercrime and frauds are dependent on people having access to personal information and being able to use it. Cyber-criminals can simply do what they like,” said Heyink.
“We have very inadequate legislation around cybercrime and the ability to combat it and I think the government has a great deal to answer for in their failure to recognise how important this is in the 21st century.”
The financial aspect is only one facet of the problem.
“As South Africans, we’re very good at physical security but very poor in cybersecurity and that in part is due to a lack of awareness,” Heyink says.
Heidi Swart is an experienced investigative journalist covering communication interception, surveillance and data privacy issues, security and crime.
She has reported extensively on these issues for Daily Maverick. Her articles can be found here and here. A major concern for Swart is the increasing prevalence of high-surveillance security cameras in South Africa.
“It’s not just about the fact that cameras can be hacked or the question of where that data is going and how secure it is, it’s about the fact that you don’t actually have a choice. They are filming you and thus creating your personal information without your permission,” she said.
There is a widespread acceptance of surveillance cameras in South Africa because they’re installed in the name of security.
“But I would like to know, if I am walking down the street every day and there is a camera filming me, who is actually looking at me? Are they trustworthy?” she said.
This conversation gives rise to a number of other questions, many of which remain unanswered.
Who is the custodian of this data? What is the status of my personal information? What are they doing with it? Are they keeping it safe? Was it really necessary to scan my licence disk, number plate and driver’s licence?
“If you look at the conditions for processing, you’re not supposed to collect more than what is necessary for the purpose. Yes, the argument is to ensure the security of residents, but I don’t believe the collection of all of this data is necessary,” said Heyink.
The more fundamental problem, however, is what are they doing with it?
“In South Africa, we are very careless about what information we are prepared to give away. We don’t even try to understand the purposes and give away far too much information. That’s been a situation we are almost forced into because you can’t argue with the guy at the gate,” said Heyink.
“This information is then stored in places where there is very little security. We honestly don’t know what these companies are doing with it.”
Swart agrees: “The collection of this information is not state-sanctioned and there is no independent oversight body making sure that the public’s privacy is protected. Instead, the data is controlled by private entities.”
“These are private individuals, companies, neighbourhood watches – and you simply have to rely on these private entities to keep your data safe.”
While it is possible that this personal information is being processed unlawfully, this can only be said when the law is actually in place.
“Because of the delays and because of the failure of the information regulator to actually regulate, our data protection legislation is falling behind other countries,” said Heyink.
He believes that there is a worrying lack of professionals who understand cybersecurity and journalists who understand privacy, and until this is addressed, these issues will continue to be swept under the carpet.
While we wait for the enactment of the privacy protection law, South Africans must become more aware of what information they are willing to give and who they are giving it to – especially when this information is used in financial transactions.
“We must be particularly careful with financial transactions: always verify information and do not automatically trust things that are sent via email,” Heyink says.
Kalyani Pillay, CEO of South African Banking Risk Information Centre (Sabric), says, “We also cannot stress enough the importance of not sharing confidential information with anyone or clicking on links in unsolicited emails.”
Sabric has provided the public with a comprehensive list of ways to prevent themselves from falling victim to cybercrime. DM
Sushi is traditionally eaten by hand and not with chopsticks.