The Bok, the estranged wife and the booting of the cameras
In issue 5, we spoke about the Rugby World Cup win and the players' right to privacy. On a different note, former Springbok lock, Hannes Strydom, who was in the Springbok team that won the World Cup in 1995, has recently been ordered to remove security cameras from his Waterkloof home. This follows after his wife, Nikolie, argued that her constitutional rights to privacy and human dignity were being infringed by the cameras, that Strydom intimidated and harassed her "emotionally, verbally, psychologically and economically" and that there was no reason for her to suffer "ongoing bullying".
At the end of October, Nikolie obtained an urgent interdict in the Pretoria High Court, forcing Strydom to remove all of the CCTV cameras in the house (where the estranged couple still lives together, albeit in bedrooms on opposite sides) and those overlooking the swimming pool and outside areas. It was held that he may not replace them while she still lives there and without her written consent. In her court papers Nikolie claimed that Strydom had installed more than 20 motionactivated cameras inside and outside their house for ulterior purposes, because the property was completely safe and in a safe area. Insofar as Strydom could monitor the cameras from his cellphone, and the camera installers and security personnel would have similar access to the images captured on the cameras on a 24-hour basis, she argued that she would be under continuous surveillance.
Strydom, in opposing the court application, was of the view that he had no intention of spying on her through cameras. If, for example, he wanted to look at her swimming, he could do so in person, "although he tries to have as little contact with her as possible". On his version, the cameras were installed because Nikolie was persistently careless in not locking the house and had no regard for safety. He also denied that they lived in a safe area. He claimed that there were no cameras in the bedrooms or bathrooms, only in the communal areas inside or outside the house and denied ever abusing his wife. According to Strydom, she assaulted and verbally abused him and did not want this behaviour recorded.
As mentioned above, Nikolie relied on her constitutional rights. To this end, section 14 of chapter 2 of the Constitution of the Republic of South Africa, 1996 provides that everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed.
Previously, South Africa did not have legislation dealing specifically and exclusively with data privacy. Hence, to give effect to the constitutional right to privacy, on 20 August 2013, the National Assembly passed the Protection of Personal Information Bill [B9D of 2009], which is largely based on the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which was replaced by the General Data Protection Regulation ("GDPR") in May 2018 and also has a Commonwealth influence. The Bill was signed into law by the President on 19 November 2013 and was gazetted as the Protection of Personal Information Act 4 of 2013 ("POPIA") on 26 November 2013. POPIA will come into force on a date to be determined by the President by proclamation in the Gazette, which date is yet to be determined. Certain provisions relating to the establishment of the Information Regulator and the making of Regulations under POPIA have however come into force on 11 April 2014. The Regulator was appointed on 1 December 2016 and the final regulations were published on 14 December 2018.
It is interesting to note that once POPIA is fully effective it will apply to both public and private bodies, but excluded from its application is, among other things, the processing of personal information in the course of a purely personal or household activity. It would seem that the Strydoms' argument would have been classified as a purely personal or household activity outside the scope of POPIA.
Likewise, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
POPIA in brief
Condition 5: information quality
An organisation must take reasonably practicable steps to ensure that a data subject is aware of certain matters, including the information being collected and where the information is not collected from the data subject, the source from which it is collected; the name and address of the responsible party; the purpose for which the information is being collected; and the existence of the right to object to the processing of personal information.
GDPR: article 12
The controller must take appropriate measures to provide prescribed information relating to processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. (This is not one of the 7 data protection principles set out in article 5, but is referred to as the data subject's right to "transparent information".)
ENSpired (compliance) tip of the week
Data protection killed the video star
In July 2019, the Romanian National Supervisory Authority for Personal Data Processing imposed a fine of EUR2 500 on an organisation because it could not prove that the data subjects were informed about the processing of personal data/images through a video surveillance system, which the organisation has been doing since 2016 in breach of article 12 of the GDPR.
Similarly, between 2013 and 2017, the French Data Protection Authority received complaints from several employees of a company who were filmed at their workstations. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the Authority carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV. A fine of EUR20 000 was imposed on the organisation for breaching article 12 of the GDPR.
How Can You Protect Your Data? Simple Ways to secure your information
Data is extremely important for humans and for computers. Without data (and metadata) there is next to nothing that can be done in your business, thus making it the most important thing on your computer or network. Recently, data has become one of the most talked-about phenomena of our generation and there's no secret why this is the case. When you think about it, the most valuable thing on your computer or network is the data you create. After all, data is the reason for having the computer and network in the first place and it's the bits and bytes that make up that data that are your first priority when putting protective strategies in place. It is everyone's obligation to ensure that they take the necessary measures to protect their data, more so for lawyers who deal with client information on a daily basis. As cyber security experts, we understand this need. Here are a few ways in which you can protect that data from loss and unauthorised access.
1. Use file-level and share-level security
The first step is to set permissions on the data files and folders. If you have data in network shares, you can set share permissions to control what user accounts can and cannot access the files across the network. However, these share-level permissions will not apply to someone who is using the local computer on which the data is stored. If you share the computer with someone else, you will have to use file-level permissions (also called NTFS permissions, because they are available only for files/folders stored on NTFS-formatted partitions). File-level permissions are set using the security tab on the properties sheet and are much more granular than share-level permissions. In both cases, you can set permissions for either user accounts or groups, and you can allow or deny various levels of access from read-only to full control.
2. Password-protect documents
More common in today's world is password protection. This method is not entirely secure as our adversaries are now into phishing passwords, however, if used in conjunction with other security measures, it can be very useful. Many productivity applications allow you to set passwords on individual documents. To open the document, you must enter the password.
3. Make use of a public key infrastructure
A public key infrastructure (PKI) is a system for managing public/private key pairs and digital certificates. Because keys and certificates are issued by a trusted third party (a certification authority, either an internal one installed on a certificate server on your network or a public one), certificate-based security is stronger. You can protect data you want to share with someone else by encrypting it with the public key of its intended recipient, which is available to anyone. The only person who will be able to decrypt it is the holder of the private key that corresponds to that public key.
4. Back up early and often
One of the most important steps in protecting your data from loss is to back it up regularly. How often you should back up depends on the nature of your business and the importance of the data. Daily backups become tedious but may be warranted. There are various third party programs you can use to automatically back up your files at frequent and scheduled intervals. Whatever program you use, it is important to store a copy of your backup offsite in case of an emergency. This is where the cloud becomes important because even the cloud would need a backup of the backup for emergencies.
Acceptable Use Policy
An acceptable use policy (AUP) is a set of guidelines imposed by an owner or administrator of a service, website or network that specifies how users may use the service, website or
network. An acceptable use policy is also known as a fair use policy. This policy is different from a Bring Your Own Device (BYOD) Policy in that the guidelines and prohibitions extend beyond the use of a person's device to a person's actual use of a service, website or network (see our previous issue about this).
The purpose of an acceptable use policy is to limit an organisation's risk and it forms a contract between the user and the organisation in respect of the applicable service, website or network. Common items covered in an acceptable use policy, includes among others:
prohibitions on using the service, website or network for unlawful purposes; information security requirements or a reference to the policy/ies dealing with
security; the extent to which applicable, consent from users to enable monitoring of the
service, website or network; restriction on sending unsolicited or unwanted communications; a responsibility to respect privacy; limitations in respect of the purpose for which the service, website or network may
be used; appropriate and lawful disclaimers; and consequences of non-compliance with this policy.
After all, it is a privilege for a user to have access to a service, website or network and not a right.
Data Protection and Cybersecurity in M&A Transactions (Part 3 of 4)
In our latest article in this series, we focus on data protection and data sharing during the due diligence process, and particularly focus on the various stages of the acquisition process. We set forth below some interventions and considerations during the various phases of the M&A transaction.
Pre-Transaction: It is common for parties to enter into a Non-Disclosure Agreement ("NDA") at the pre-transaction phase . While the traditional NDA remains a must have, going forward, parties are strongly advised to conclude a Data Sharing Agreement in addition to the NDA. This Data Sharing Agreement should set forth, inter alia, the details of personal information (and data) to be shared, the extent of processing activities which the recipient may engage in with suchinformation, details of parties and advisors who may have access to such information, security safeguards and requirements in respect of the information disclosed and posttransaction (or abandonment of transaction) activities that parties have to engage in related to the information disclosed.
During Transaction: Data protection legislation such as POPIA is based on certain principles or conditions, some of which include obtaining consent of data subjects to disclose personal information, or in the absence of consent, relying on a recognised ground of sharing or processing personal information (eg legitimate consent) and
also on the condition of data minimality (which requires that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive). In the context of an M&A transaction, this raises a number of issues including:
o obtaining consent may not always be practical or advisable given the sensitivity of a transaction or the fact that there may be too many data subjects. In the circumstances, parties should ensure that a legitimate interest opinion is drafted and kept on file in order to be able to justify why personal information was disclosed in the absence of consent;
o relying on legitimate interest as a ground to disclose personal information is generally valid in M&A transactions however the condition of data minimality still needs to be met. This raises a number of questions including: is sharing too much personal information risky (eg why would a target need to know the names and details of each and every employee when perhaps only key employees names and details are required? Exactly how much personal information can be shared without it being considered as excessive? Will the disclosing party be required to restrict access to certain types of personal information only to specific advisors of the recipient or to a "confidentiality club"? To what extent would the disclosing party need to redact, anonymise or pseudonymise personal information?);
o the requirement to ensure compliance with the data minimisation condition in turn raises the concern of whether the acquirer is at risk if it does not have full access to information and further raises concerns that a target may "hide behind" this condition and not disclose some key information to the acquirer; and
o when sharing personal information, parties should also consider engaging in Privacy by Design in structuring how and to whom access is granted.
In next week's edition, we focus on post-transaction considerations from a data privacy perspective.
On Friday, 8 November 2019, Kenya's president assented to the Data Protection Act of 2019 ("the Act"). The Act gives effect to Kenya's constitutional right to privacy. The Act applies to the processing of personal information of both public and private organisations. Penalties for non-compliance may result in a term of imprisonment of up to two years or a fine up to KES3-million which is about USD29 000. The Act is said to be in line with the GDPR standards and establishes a Data Protection Commissioner who will be responsible for oversight of the Act.
Data really is the new oil
Completely autonomous or self-driving cars have been the topic of conversation for quite some time. When one thinks about self-driving cars you cannot help but imagine the endless possibilities and massive changes this will bring about. A number of ethical debates are on-going about where liability should rest in the event of a collision or how artificial intelligence should be developed to make difficult decisions. However, considering that the most reported statistic is that 90% of all motor vehicle collisions are as a result of human error, would it not be more unethical to allow us humans to continue driving?
At present, level 5 autonomous cars are not available on the market and it will probably be some time until they are. A level 5 autonomous car is one which can drive anywhere and in any conditions and is the highest form of autonomy in that it would mimic an actual human driver (although we would hope an exceptional one). We all understand that these autonomous cars would be driven by a highly sophisticated system of artificial intelligence, but just where does this artificial intelligence come from and how is it taught? The answer: data.
Big data is a focus area for many industries and the automotive industry is no exception. However, with the advent of self-driving cars the automotive industry will not only be a consumer of data but also a major generator of data. A single self-driving car could generate as much as 100GB of data every second. A self-driving car will use data to "see" and "think", but while driving it will also be generating data about its surroundings, where it has travelled, the speed at which it travelled and so on.
The data generated by the automotive industry in the era of self-driving cars will have great value to carmakers, mobile operators, insurance companies, restaurants, hotels and probably any other service providers or product developers that hope to interact with a self-driving car or its user. One only has to consider the phenomenal success experienced by Google to imagine the valuable insights that will be generated by observing billions of consumers' behaviour in cars for extended periods of time every day. The potential for monetisation will be almost limitless.
Quite clearly there are great benefits to be harnessed not only from the innovation of a selfdriving car, but from the wealth of data such innovation will bring about. However, there is no doubt this will raise serious concerns around privacy. When consumers and regulators realise how much data and personal information these vehicles will generate, use and record about users and the surrounding environment, these concerns will escalate. Selfdriving cars will be synonymous with data factories. Such mobile surveillance will mean that privacy will be compromised just about anywhere one travels.
It will be essential in the coming years to regulate privacy concerns without stifling innovation and the huge benefits that may be reaped through the introduction of selfdriving cars that rely on data to perceive the complex world around them.
in the news
Austria: Following from last week's story in issue 5, the postal service in Austria was issued with an EUR18-million fine for violations of the GDPR which included the processing of data subjects' political information. One data subject felt particularly disturbed by this practice and sued the postal service for emotional harm. The court granted the claimant EUR800 as "compensation for feeling disturbed by the unlawful processing of their political personal information."
Kenya: The Kenyan President has recently approved a data protection law which is in line EU standards. Read more about the new law in the ENSide Africa section.
Google: Google has partnered with Ascension, a U.S healthcare provider, on a health-data project called "Project Nightingale". The office for Civil Rights in the U.S has opened an inquiry amidst privacy concerns relating to Google's collection of health data. Google has stated that it is "happy to cooperate" and is following industry regulations concerning patient information disclosures.
We will be hosting an Advertising and Marketing seminar on Thursday 21 November 2019. Please click here for more information.
ENSafrica has a highly specialized team of privacy and cybersecurity lawyers with deep expertise and experience in assisting clients with all aspects of POPIA compliance, GDPR assistance, cybersecurity and insurance, and data commercialisation. Our unique services includes the provision of a POPIA Toolkit, which contains data protection policies and other documentation which can be tailor-made for your organisation and help fast track your organisation's POPIA compliance journey. We also provide training on awareness initiatives, risk assessments, privacy impact assessments, policy and procedure implementation, and also provide a helpful service to Information Officers requiring support in implementing POPIA.
Ridwaan Boda Executive | Technology, Media and Telecommunications +27 83 345 1119 rboda@ENSafrica.com
Era Gunning Executive | Banking and Finance +27 82 788 0827 egunning@ENSafrica.com
Wilmari Strachan Executive | Technology, Media and Telecommunications +27 82 926 8751 wstrachan@ENSafrica.com
Nicole Gabryk Executive | Dispute Resolution +27 82 787 9792 ngabryk@ENSafrica.com
Rakhee Dullabh Senior Associate | Technology, Media and Telecommunications +27 82 509 6565 rdullabh@ENSafrica.com
This email contains confidential information. It may also be legally privileged. Interception of this email is prohibited. The information contained in this email is only for the use of the intended recipient. If you are not the intended recipient, any disclosure, copying and/or distribution of the content of this email, or the taking of any action in reliance thereon, or pursuant thereto, is strictly prohibited. Should you have received this email in error, please notify us immediately by return email. ENSafrica (ENS and its affiliates) shall not be liable if any variation is effected to any document or correspondence emailed unless that variation has been approved in writing by the attorney dealing with the matter.
ENSafrica | Africa's largest law firm
info@ENSafrica.com | ENSafrica.com privacy statement | unsubscribe