Twenty years have passed since the right of privacy was enshrined in our constitution. The necessity to address online threats has been obvious throughout that time. The South African Law Reform Commission started its work in 2002 and after researching the issues, consulting with relevant parties and preparing a draft bill, made recommendations to the minister of justice to establish the mechanisms to protect our personal information in 2005. The Protection of Personal Information Act was eventually enacted in 2013, but the operational provisions of the act have yet to commence. These delays are all directly attributable to failures or deliberate obstruction on the part of the government.
Since 2013 there appears to have been stubborn resistance within government to take the necessary steps to appoint the Information Regulator, a critical actor in the protection of personal information framework adopted in the act. Eventually, on May 17 it was announced that five people had been appointed to establish and fulfil the regulatory functions required in the act. The vote to confirm their appointment by the House of Assembly then failed as a result of the ruling party not having enough of its members in Parliament to achieve the overall majority required for the appointment. Consequently, a further three months will be lost while South African citizens are denied protection of their personal information.
The lethargy of the government (whether deliberate or otherwise) is brought sharply into focus, when contrasted against the fact that between early 2012 and May 24 the EU managed to draft, negotiate, finalise and “enact” the General Data Protection Regulations applicable across 28 countries. This has strengthened the privacy protections necessary in the face of global threats to privacy and deficiencies in the enforcement of privacy laws. During that same period the task of appointing a regulator has seemingly proved beyond government’s capability.
The funding allocated to the regulator by the Department of Justice seems woefully meagre if the regulator is to achieve the aims required in the act and give effect to the constitutional right of privacy.
The sums of R10 million for the 2016/17 financial year, R26m for 2017/18 and R27m for the 2018/19 financial year are simply insufficient to establish the operational functionality that is demanded of the regulator.
Fiscal restraint
No doubt fiscal restraint will be trotted out as a reason for the underfunding of the regulator. But this argument bears little scrutiny against the well documented wasteful expenditure of the government. How can citizens be expected to accept that quarter of a billion rand is spent on the security of the president’s home, millions are spent on vehicles for his wives and millions are incurred in legal fees by government defending the indefensible and money cannot be found to protect the constitutional right of 50 million citizens?
So why is the government turning a blind eye to the issues that countries around the world recognise and are addressing as critical to their future prosperity in the information society and economy? Is it because government is the primary culprit in failing to provide access to information when requested, and redress against these failings will now lie in the hands of the regulator?
The government’s aversion to oversight or accountability has been very much to the fore in recent times.
From an information security perspective its information systems are notoriously porous and it is unlikely that across the board it can provide the security safeguards demanded by the act. The fact is that the Minimum Information Security Standard, against which security in the government is gauged, was first published in 1996. It was already inadequate in our then nascent internet society and has not been amended to meet the challenges of the 21st century since its publication.
Having witnessed the contempt shown by the ANC for the office of public protector, can we expect a different attitude to the regulator, which – if allowed to perform its job properly – must promote appropriate safeguards for personal information?
Developing a right to privacy will inhibit the securocratic aims of the justice, crime protection and security cluster hawks. While the need to protect our citizens in cyberspace is a clear and present imperative, a responsibility in respect of which government has been in dereliction of its duty for years, suddenly with almost indecent haste, considerable energy and with extremely limited consultation with other important players, government is pushing for the enactment of cybercrime and cybersecurity legislation this year.
Cybersecurity
The need for cybersecurity is recognised and has been called for by many commentators for years. However, the view of several commentators is that the bill is badly defective and there has been no effort in its drafting to establish the proper balance between civil liberties and law enforcement powers. On the contrary, it grants almost unfettered powers to law enforcement and security agencies that threaten civil liberties. It also introduces the draconian penalties that chill civil debate in the same manner the government sought to achieve with the notorious Secrecy Bill.
If it respects the constitution, the government owes citizens an explanation as to why it has been so dilatory in protecting our online security and privacy of personal information and why, despite ignoring calls for it to act urgently, it suddenly seems intent to, with indecent haste, establish a law that simply disregards the balance that must be struck between our civil liberties, particularly privacy, and security?
Mark Heyink is an information attorney and an information security consultant. His opinion does not necessarily reflect that of Independent Media.
BUSINESS REPORT