ENSafrica's specialist data privacy and cybersecurity law experts are pleased to provide you with our second privacy in brief, a content-rich weekly newsletter dedicated to showcasing various topics and newsworthy stories covering issues related to privacy law and compliance as well as cybersecurity.
Data Colonialism reality or metaphor?
Historic colonialism was based on appropriation of territory and resources where subjects were ruled usually with a profit motive of the coloniser attached. In a connected world, there is an increasingly popular view that a new social order is being constructed fuelled by the unchecked processing of data of individuals and corporations usually with a profit motive attached. This time however, the "coloniser" is not just confined to certain nation states but also to corporations who control vast amounts of the world's data.
Whilst some argue that data colonialism is a reality, others argue that it is merely a metaphor used to encapsulate the increased competition by corporations and governments to access and process big data, often for economic upliftment and technological advancement. Irrespective of how one perceives the nature of data colonialism, what is clear is that data in the wrong hands can lead to abuse and to a new wave of unwelcome influence in the lives of people. As one publication noted: "...the result is nothing less than a new social order, based on continuous tracking, and offering unprecedented new opportunities for social discrimination and behavioural influence...".
So what are some of the fears attached to this perceived colonisation through data?
increased tracking and surveillance of people by nations and corporations; the use of data to generate "social scores" which in turn can be used to influence a
person's access to things like credit, housing, jobs, grants and benefits; discrimination; and foreign control over societies (especially exposed societies with weak or no
regulation) through the processing and manipulation of data.
The commercialisation of data is a reality and is welcomed given that it will accelerate human development and enhance economic prosperity. However, the responsible processing of data and personal information is equally important. The General Data Protection Regulation 2016/679 ("GDPR") in the European Union ("EU") was a proactive step taken to ensure, amongst others, protection of data subjects in the EU from the negative impacts of data colonisation. History will judge whether it will be successful or not in achieving this objective. Africa, however, remains exposed, with only 15 of 54 countries
having some form of legislation in place and with some states having weak or outdated legislation in place. African governments are strongly advised to hasten the adoption of adaptive, practical legislation and regulation.
Businesses should also be cognisant that the same risk facing individuals applies equally to them, especially as businesses increasingly adopt technologies such as cloud computing. For businesses across Africa however, waiting for government intervention is not sufficient and a proactive compliance program is required to safeguard against risk and protect data assets.
POPIA in brief
Condition 2: Processing Limitation
The Protection of Personal Information Act, 2013 ("POPIA") requires that a responsible party ensure that the eight conditions for the lawful processing of personal information are complied with. In this week's edition, we cover processing condition 2, Processing Limitation. We compare this to the relevant corresponding provision under the GDPR which is article 5(1) (a) and (c).
POPIA: sections 9-12
Personal information may only be processed if a data subject consents (and such consent must be an expression of will which is "voluntary, specific and informed"). There are `exceptions' to the requirement of obtaining consent. This includes where the processing complies with an obligation imposed by law on a responsible party, or is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party, or if it is in the legitimate interests of the data subject and if it is necessary for pursuing the legitimate interests of a responsible party or of a third party to whom the personal information is supplied.
Personal information must be collected directly from the data subject, except, among other things, if the personal information is contained in or derived from a public record or has deliberately been made public by the data subject.
GDPR: article 5(1)(a) and (c)
Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (the `lawfulness, fairness and transparency' principle); and
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the `data minimisation' principle).
ENSpired (compliance) tip of the week
The Information Officer should conduct Privacy Impact Assessments ("PIA") to determine whether an organisation has a legal justification for the processing of personal information. The Information Officer should ensure that personal information is only processed for the purpose for which it is collected and that the processing is adequate, relevant and not excessive. Our privacy law experts can assist Information Officers in developing a suitable PIA template and provide further training and assistance to your organisation on all aspects of PIA assessments. In many instances, we conduct PIA assessments for our clients or on their behalf. We can also assist with a risk assessment, gap analysis and risk mitigation plan which should follow the PIA.
Not just voyeurs beware!
In July 2019, the Austrian Data Protection Authority imposed a fine of EUR11 000 on a soccer coach who had for years secretly filmed female players while they were naked in the shower. Clearly, the coach had an insufficient legal basis for data processing in violation of article 6 of the GDPR, which (like section 11 of POPIA) requires persons who process personal data to have a lawful basis for such processing, such as consent.
This case makes it clear that private individuals may also be found guilty of data privacy breaches. The same principles would, however, apply to organisations making use of videography, cameras, CCTV cameras and the like, and to staff members and company officers using smartphones unwisely.
Hackers and scammers are working overtime to find new ways to gain access to your personal details, accounts and information. An attack can come from any source, device or communication as there are numerous ways to gain access to your personal information without your knowledge. Given that people are often the weakest link in cybersecurity, as part of any privacy compliance initiative and as part of good business practice, educating people on cybersecurity scams is becoming mandatory. In this week's segment, we touch on some common scams and tools used by criminals to gain access to your personal information and data:
Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a
user clicks a dangerous link or email attachment which infects the network. USB sticks are also popular entry points for malware, so much so that hackers often drop a USB in a company parking lot knowing full well that a well-meaning employee will pick up the USB, insert it into his or her device with a view to finding the owner.
The classic definition of social engineering is "attacks employed to exploit human psychology and susceptibility to manipulation with the aim to trick victims into revealing information that will allow an attacker to gain access to the network". These attacks include techniques such as phishing, spear phishing, whaling, pretexting, quid pro quo, vishing, scareware baiting and tailgating. In the coming editions of privacy in brief, we will focus more in depth on some of these techniques and the risk represented by each to your organisation.
Man-in-the-middle attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. The attacker would then alter the communications between the two parties so that they believe that they are communicating directly with each other
A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfil legitimate requests.
A Structured Query Language ("SQL") injection occurs when an attacker inserts malicious code into a server that uses SQL (SQL is a computer programming language that allows databases to communicate with each other) and forces the server to reveal information it normally would not. An attacker could carry out an SQL injection simply by submitting malicious code into a vulnerable website search box.
A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. This in turn allows the system to be infiltrated because the vulnerability is known to the criminal.
Deepfakes are an AI-based technology used to produce or alter video content so that it presents something that did not actually occur. The attacker may alter a video to impersonate a person such as a CEO in order to get the finance manager to transfer funds into an account.
Social engineering exploits human behaviour and cognitive bias. Individuals and organisations can strengthen their defences through some simple techniques including channelling an individual's inner sceptic, training of staff coupled with ongoing awareness campaigns, as well as various technological means. Even if an organisation chooses to ignore compliance with privacy laws, cybersecurity training and awareness simply makes sense. Our experts can assist in putting in place an educational and entertaining training and awareness programme for your organisation.
BYOD (Not, Bring Your Own Drinks) As more employers begin to embrace new ways of work, largely driven by cloud computing, improved connectivity and cost pressures, more and more organisations are allowing staff to utilise their own personal devices for work purposes. But what happens when an employee leaves the organisation? What rights does the employer have to access a personal device of an errant employee or an employee who leaves under questionable circumstances? Where does an organisation draw the line between accessing records (images, videos, documents and the like) contained on a personal device that was used for business purposes? Who bears the responsibility for any personal information and data on such devices?
Whilst there is no doubt that there is an immense benefit in allowing staff to use their own personal devices for work purposes, the risk in doing so requires mitigation and intervention. This is why a Bring Your Own Device ("BYOD") Policy is becoming increasingly critical from both a privacy and a cybersecurity perspective. A BYOD Policy is intended to protect the security and integrity of an organisation's data and technology infrastructure. It provides rules and guidelines under which employees may use their portable storage devices, smartphones, tablets, media player and even Smart TV technologies for work purposes and also regulates access (including deletion) rights of the employer.
Common terms found in BYOD policies, include:
type of devices that may and may not be used; obligations to conform to the security requirements of the company, which could
entail downloading applications onto the device enabling remote wiping, encryption, anti-virus software, or having a lock-pin or password; restrictions on portals or websites that can be accessed; restrictions on data and systems that may be accessed or copied to the device; categories of company functionality that may be installed on personal devices, such as calendars, email accounts or contacts; device support that the company will provide; access and deletion rights of the employer; and steps to take when a personal device is lost, damaged or stolen to ensure that business information is protected.
Technology has improved to such an extent that it allows companies to install applications that enable business information on personal devices to be ring-fenced on the personal device. This ensures that an employee's privacy is protected so that the employee's own private information is not wiped when the employee leaves, and that companies have control over the security of business-related information. While some organisations remain sceptical of allowing employees to use their own devices for work purposes due to the perceived risks, a well-defined BYOD Policy coupled with the use of great technology can assist in mitigating such risks and moving the organisation into the digital age.
For assistance with your BYOD Policy, please contact us.
Show me the money
It is common knowledge that South African businesses are burdened with a deluge of laws that they are required to comply with. Compliance with privacy laws such as POPIA and GDPR adds to this burden, and it goes without saying that compliance comes at a cost. But very rarely does a law come into place which actually presents businesses with more opportunity than the cost of compliance. If compliance with privacy laws is viewed as just another burden and a tiny legal and IT budget is allocated to comply, your business is missing out on the bigger picture and on an enormous economic opportunity.
Apart from the obvious benefits of risk mitigation, including the avoidance of fines, jail time for directors and Information Officers, damages claims and, more crucially, reputational loss, a well-structured and managed privacy compliance programme will lead to numerous financial benefits for organisations including:
creating operational efficiencies; improved communication; generating cost savings; safeguarding of data, being an economic asset (which some refer to as "the new
oil"); increasing a business's competitive edge; increasing brand loyalty; the ability to engage in data philanthropy (a topic which we will cover in more detail
in our next edition of Privacy in Brief) which in turn results in reputational enhancement; and critically, the ability of businesses to start generating new revenue streams from data mining utilisation and monetisation.
It simply does not make business sense for CEOs as well as Boards to ignore or pay lip service to privacy compliance and to make it an "IT department problem" or "legal counsel problem", especially when the economic benefits of compliance far outweigh the cost of compliance. A well-structured privacy compliance programme guided and aided by
commercially-minded privacy lawyers and the use of technology will do more than just help businesses avoid fines and jail time, it will ultimately result in financial benefit for the business. For CEOs and boards, compliance with privacy laws is an economic opportunity too good to ignore!
In this section we focus on data privacy across the African continent. This week, we look at the Republic of Uganda. The Data Privacy and Protection Act ("the Act") was passed into law this year and aims to protect the privacy of Ugandan citizens. The Act is broad in application and extends to the persons, institutions and bodies collecting, using, processing or holding data, not only inside Uganda but also outside Uganda. The extraterritorial application is particularly important to note for multinationals doing business in Uganda.
The Act establishes a regulatory authority and makes provision for a data protection officer and is largely modelled on global data privacy law standards.
Where a corporation is guilty of contravening the Act, it may be liable for a fine of up to two percent of its annual gross turnover. In addition, the Act imposes personal liability on officers of the corporation.
Is your personal information on the dark web?
Picture the internet as an iceberg. The part above the water is the "tip"; this is where you will find webpages using search engines such as Google. The part of the iceberg under the water is the "deep web". This is where content behind paywalls is accessed, for example when you log into your bank account. The "dark web" is a small part of the deep web. To access the dark web you need a special browser, for example Tor. One of the features of Tor is that it disguises the computer that is being used to reach the Internet, providing a high degree of privacy, making it an attractive option for criminals online.
Despite its bad reputation, the dark web is not only used for nefarious activities. However, when it comes to selling your personal information it can be assumed that the purchasers are up to no good. It is a well-known fact that the dark web has a large market for stolen data and personal information.
After a data breach or hacking incident, personal information is often bought and sold on the dark web. There are a number of articles which claim to know what the going rate for personal information is on the dark web. Without the writer having accessed the dark web personally (for various reasons), we have found that the most common types of personal information available for sale on the dark web relate to: identity numbers, passport numbers (or the passport itself), driver's licence details, credit card information, online
payment service login details and general loyalty program and non-financial institution login details. It can be safely assumed that the purchasers of this information would likely use this for identity theft and other online scam purposes. Experian have estimated that a passport on the dark web may sell for between USD1 000 to USD2 000, while credit card or debit card information may be sold for between USD5 to USD110. Clearly the trade in data and personal information is lucrative.
Is your personal information on the dark web? Well, most probably. Forbes has reported that data breaches have exposed 4.1 billion records in the first six months of 2019 alone, and that's only the reported data breaches for the first half of one year. Where does all this data go? Well, most probably to the dark web. Even if your information was stolen years ago, some cyber thieves repackage old data and sell it again. Once your personal information is out there, you will not be able to stop the spread of it. This does not mean you are helpless, you just need to be smart and alert.
Our recommendation would be to use different email addresses as online user identifications for the various platforms you access. Furthermore, always ensure that you use different, unique and difficult to crack passwords for each of these (and please do not share these passwords or write down passwords on a sticky note attached to your device). Keeping an eye on your credit reports and statements would also give you a good indication as to whether your personal information has been used to access credit in your name or your accounts.
While we cannot help you to access the dark web, nor do we encourage you to do so, the privacy and cybersecurity law experts at ENSafrica will gladly assist you with drafting best practices with regard to passwords and the use of devices.
in the news
EU's new cookie rules: The European Court of Justice has ruled that where a website uses tracking cookies (tracking cookies are a specific type that can be shared by more than one website for the purpose of gathering information or potentially to present customised data to you) that a pre-ticked checked box is not sufficient as it does not amount to specific and explicit consent.
China: China has developed a camera that is five-times more detailed than the human eye and is capable of singling out an individual among a crowd of tens of thousands of people. The camera will be used as part of China's extensive surveillance network to keep track of its population as part of its social credit system which surveils citizens and ranks them based on their behaviour.
Brazil: The Brazilian government announced its plans to create a single citizen database which will document information ranging from its citizens' date of birth to gait. The database is intended to improve public policy and data sharing between government departments.
ENSafrica will be hosting POPIA, GDPR and Information Officer training workshops in Durban, Cape Town and Sandton. For more details and to register, please click here.
ENSafrica has a highly specialized team of privacy and cybersecurity lawyers with deep expertise and experience in assisting clients with all aspects of POPIA compliance, GDPR assistance, cybersecurity and insurance, and data commercialization. Our unique services includes the provision of a POPIA Toolkit, which contains data protection policies and other documentation which can be tailor-made for your organisation and help fast track your organisation's POPIA compliance journey. We also provide training on awareness initiatives, risk assessments, policy and procedure implementation, and also provide a helpful service to Information Officers requiring support in implementing POPIA.
Contacts Ridwaan Boda Director | Technology, Media and Telecommunications +27 83 345 1119 rboda@ENSafrica.com
Era Gunning Director | Banking and Finance +27 82 788 0827 egunning@ENSafrica.com
Wilmari Strachan Director | Technology, Media and Telecommunications +27 82 926 8751 wstrachan@ENSafrica.com
Senior Associate | Technology, Media and Telecommunications
+27 82 509 6565
This email contains confidential information. It may also be legally privileged. Interception of this email is prohibited. The information contained in this email is only for the use of the intended recipient. If you are not the intended recipient, any disclosure, copying and/or distribution of the content of this email, or the taking of any action in reliance thereon, or pursuant thereto, is strictly prohibited. Should you have received this email in error, please notify us immediately by return email. ENSafrica (ENS and its affiliates) shall not be liable if any variation is effected to any document or correspondence emailed unless that variation has been approved in writing by the attorney dealing with the matter.
ENSafrica | Africa's largest law firm
info@ENSafrica.com | ENSafrica.com privacy statement | unsubscribe