Category : Personal Data
Cape Town – It’s a case of individual responsibility with regard to protecting your personal data despite the Protection of Personal Information Act (Popi) because it only has force with companies operating in South Africa.
Popi was promulgated in 2013 after several delays and is meant to regulate how companies can collect, retain and disseminate personal information.
However, the global internet environment renders geographic borders null and void as many South Africans willingly hand their personal data over to international companies not bound by South African law.
“If you are a company operating in South Africa – either locally owned or internationally owned – you’d have to abide by the local laws which are associated with local data,” Andrew Kirkland, regional director for Trustwave Africa told News24.
Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.
The law specifies that specific consent must be obtained if companies would like to collect and process personal data.
“Personal information may only be processed if, given the purpose or which it is processed, it is adequate, relevant and not excessive,” says the act.
The lines become blurred when one introduces popular social networking platforms like Facebook, which operate under US law, but have a worldwide audience.
Data uploaded to the giant company’s servers are not subject to Popi, and though Facebook promises privacy, it is not an absolute.
The company warns that some data uploaded may become public domain, meaning that it can be disseminated without specific user consent.
“Because Pages are public, information you share with a Page is public information. This means, for example, that if you post a comment on a Page, that comment may be used by the Page owner off Facebook, and anyone can see it,” Facebook says in its terms and conditions.
Facebook also says that liking a company page on the network is public information and liking a corporate page may mean that content the company creates on its Facebook page may give it access to personal information.
“Because this content comes directly from the Page owner, that Page may be able to collect information about you, just like any website,” said Facebook.
Also, personal data of South Africans on Facebook may be given to US authorities. The social network revealed on Monday that between 9 000 and 12 000 demands for information were made in the year ended June 2013.
Microsoft and Yahoo also had to hand over personal data relating to 15 000 and 30 000 accounts respectively.
However, the act specifies that personal data may not be transferred to international parties unless specific permission has been obtained.
“A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country…” the law says, adding that it is subject to a range of provisions and consent by the affected party.
These matters indicate that the appointment of a regulator is critical to ensure that the prescriptions of the act, as well as remedies, can be applied for companies who may flout the law.
“We are waiting for the regulator to be appointed to get a better understanding of this [company accountability]. Non-compliance will at some point be penalised but to what extent can only be speculated at this point,” said Kirkland.