Popi Act delay may leave your data vulnerable
The Protection of Personal Information Act (Popia) was signed into law in 2013 but is still not fully in effect. Last month, Information Regulator Pansy Tlakula asked the president to proclaim the Popia commencement date as April 1, which means the compliance deadline will be April 1 next year.
Until then, the public’s data remains vulnerable to exploitation by the private sector, and parties will not be held liable for contraventions of the act because the regulator’s powers are not yet effective.
Tlakula says, since their appointment in December 2016, the regulator’s five members have established a new organisation “from scratch”.
“The members felt that there was no point in requesting the president to bring the remaining sections of Popia into effect before establishing the administration,” she says.
They took a strategic decision to accept complaints of alleged unlawful processing of personal information and to encourage compliance with Popia by both public and private bodies.
“From this work, trends are already emerging. The complaints we have received are on surveillance and unsolicited receipt of direct marketing messages, particularly through mobile phones. There is also a large number of data breaches which come to our attention either through the media or through self-reporting by companies that have been breached. The latter is more prevalent.”
Ahmore Burger-Smidt, the head of data privacy at Werksmans Attorneys and co-author of A commentary on the Protection of Personal Information Act, believes the office has done remarkably well, with limited resources.
“The Information Regulator has followed up diligently on every data breach in the country, and parties or companies have started proactively notifying her office of breaches,” Burger-Smidt says.
“You can’t look at protection of personal information in a vacuum. You have to look at all security and data infrastructure-related breaches, in light of the enactment of the General Data Protection Regulations (GDPR) in Europe and the obligation to report data breaches. The GDPR obligations resulted in companies reporting breaches to our office in South Africa too.”
One of the duties of the regulator is linked to awareness of the legislation, and Tlakula has sent a strong message to the market that compliance is important and her office takes it seriously.
But a researcher in the Department of Strategic Studies at Stellenbosch University, Noelle Cowling, says the National Treasury must start prioritising digital security.
“The discourse around cybersecurity seems to be driven by the legal fraternity and not technical experts. Without more tech capacity, you won’t be able to secure the fortress. The Cybercrimes Bill has been substantially adjusted, but the police’s hands are tied in terms of acting against cybercrimes. Many hacks of data, such as the Nedbank and Master Deeds, are hard to pursue until legislation is in force.”
She says, in the absence of the legislation, there’s no way to prosecute negligence.
“The impact of this Master Deeds breach will be felt for years to come, with millions of people’s information leaked online. This is ultimately a human and technological problem. The World Economic Forum estimates cybercrime at 0.8% of GDP per annum - in an economy like ours, that’s really scary.”
Uncertainty in the market
Brian Pinnock, cybersecurity expert at Mimecast, adds that the lengthy delay has created uncertainty in the market. “One concern is Popia will not be taken seriously by organisations because of the extended delay in bringing Popia into force from 2013 until today. Businesses are likely to be justifiably sceptical because of the continuing policy uncertainty surrounding Popia’s commencement.”
Organisations that invested heavily in privacy compliance processes and technology to prepare for Popia in 2013 have still not seen a real return on that investment, but Pinnock says it can take years to implement an effective data privacy compliance programme.
“Many organisations who have not yet invested in privacy programmes will not be prepared and ready to comply with the act.”
Popia, though, already imposes duties and obligations on businesses, says Russel Luck, technology attorney at SwiftTechLaw, because it requires them to do what is “reasonably practicable” under the circumstances, which means steps towards compliance should already commence.
Businesses would be foolish to wait for the legislature’s enforcement of Popia to take steps towards compliance, as this would not be considered “reasonably practicable” under the circumstances.
Cowling says bureaucrats have done their work - it’s time for the regulator and the cybersecurity hub to be capacitated.
“People in SAPS are trying unbelievably hard, but their hands are tied. The private sector is more to blame for the vicious data breaches. The Nedbank breach came via a third-party supplier that was engaged to do SMS marketing for them. They passed over their database of clients. There has to be responsibility within the supply chain. In the EU, the onus is on the company, not the client. Here, the private sector is taking very little responsibility.
“Truth is, South Africa lacks cyber resilience and awareness within its population. Until more is done to protect personal information, such breaches will remain commonplace,” Cowling says.