The safety of people’s data was central to a panel discussion hosted by the Information Regulator (IR) – South Africa’s regulatory authority on access to information and data protection rights – in commemoration of  International Data Privacy Day on Thursday 28 January. 

“They are the most valuable public corporations in the world as measured by their market capitalisation. What makes them rich is our personal information,” said Alison Tilley, a senior attorney, seasoned campaigner for socioeconomic justice, and newest member of the IR. 

Tilley is referring to the likes of Facebook, WhatsApp and Twitter, whose “big corporation” status is derived from users’ private information. 

She further explained that the idea that personal information gathered and used by these social networks is left behind by people like a trail of breadcrumbs is not correct.

“That would describe personal data as a small, low-value thing that you can leave behind for someone else to pick up. Personal data is not a product of yours, it is you,” she said. 

In the case of WhatsApp, users were concerned about the extent to which the app will share their data. While WhatsApp’s policy says it will share users’ data with its parent company, Facebook, and subsidiaries of Facebook, the information shared will be limited to when the user registered to use the company’s services, the groups they are part of, their status, profile picture and whether they are online.

This feature, according to the social network, will enable businesses to advertise their products and services directly to WhatsApp. 

“What is changing with WhatsApp’s privacy policy, doesn’t significantly change the amount of data that is collected of you by WhatsApp. What it obscures is that WhatsApp is already collecting too much data about you,” said digital rights activist Murray Hunter. 

Hunter added that this latest discussion about the app’s policy changes brought to a head people’s growing frustration and discomfort with the way that the social app has been seen drifting towards a particular direction; becoming less respectful of users’ data. 

For practising attorney of the High Court of South Africa, Avani Singh, users are increasingly demanding agency and autonomy over their personal information. 

“People want to know what’s being collected about them, who it’s being shared with, how long it’s being used and for how long,” she said. 

What is metadata?

According to Tilley, “metadata is extremely important and perhaps one of the most under-recognised aspects of [our] personal information”. 

However, when people express concern over their data, it is mostly about the privacy of their messages, “but that is not the only data generated during communication”, Hunter said. 

Using the analogy of a letter in an envelope, Hunter said metadata can be regarded as the information written outside the envelope of a letter. 

“The content of my communication is what goes inside the letter. The metadata, the information bound by the communication, is everything that goes outside of the envelope,” he said. 

This includes information about who is sending the message; the recipient of the message; the location of the sender and recipient, and the time and date when it was sent. 

“That doesn’t sound controversial when talking about a single envelope. But when you have two billion users, as WhatsApp does, and many of us are exchanging dozens and thousands of messages every day, that builds up an incredibly detailed sense of who we are, who our networks are, who we communicate with and when. To create a very detailed insight into who we are,” he added. 

Is regulation the silver bullet?

The establishment of the information regulator in 2016 was SA’s first step towards strengthening its mandate to protect personal information per the prescripts of the Protection of Personal Information Act (Popi Act). 

The act gives the regulator teeth to investigate and fine public and private parties for the violation of the act – a function that it will start fully enforcing once it has firmly established its structures. 

“Increasingly, there is a recognition that the right to privacy needs to be respected, protected and promoted. Across Africa, a number of countries are adopting data protection legislation,” Singh said. 

Data legislation facilitates the flow of information reasonably and responsibly and makes it possible for the information to be protected. 

Fundamental conditions for lawful processing of information by social media companies, according to the Popi Act, are characterised by processing limitations, purpose specification (the amount of time the information will be collected for), openness about how the information will be used, and securing the integrity and confidentiality of the information in its processing. 

However, Hunter argues, “There’s a bigger question about whether what they [social media companies] do is right and that’s the challenge with data protection regulation; it can enforce some rules very well, but it can only go so far.

“A lot of that then comes to ordinary users and what we are willing to stand for and what we are willing to stand up against.” DM