The Facebook–Cambridge Analytica data scandal involved the unauthorised collection of personally identifiable information of up to 87 million Facebook users. The personal data was allegedly used to attempt to influence voter opinion on behalf of politicians. Amid public outcry, Facebook apologized and decided to implement the European Union's General Data Protection Regulation (“GDPR”) in all areas of operation and not just the EU. The scandal was significant for promoting the awareness of data protection in online media and the right to privacy generally.
One of the most significant data breaches in South Africa was the Jigsaw Holdings “masterdeeds.sql” leak. The personal data of millions of South Africans was compromised when a database backup file titled “masterdeeds.sql” was leaked publicly online. The data contained millions of ID numbers, as well as the contact details, addresses and income of a large number of individuals, and had been publicly available, undetected, for over seven months. This data breach highlighted the need for an overarching regulatory framework addressing data protection.
The Protection of Personal Information Act 4 of 2013 (“POPIA”) was enacted to give effect to the constitutional right to privacy by safeguarding personal information and to align South Africa’s laws with international legislation addressing data protection.
POPIA has been in legislative limbo for a few years: to date, only limited sections of POPIA (predominantly those relating to the office of the Information Regulator) have come into effect, on 11 April 2014. The remaining provisions of POPIA will come into effect on a date to be determined by the President. It is unclear when this will be.
The GDPR, which came into effect on 25 May 2018, applies in EU member states as well as where data is transferred to or from the EU. This means that businesses operating in South Africa which engage in business with persons in EU member states will fall within the ambit of the GDPR, and will have to comply with South African law as well as EU law.
The GDPR and POPIA mirror each other in many ways. Transparency is a key requirement under both the GDPR and POPIA. Individuals or “data subjects” own their personal information and have the right to be informed about the collection and use of their personal information. Personal information is information which relates to a living identifiable person (termed the “data subject”).
Data-protection conditions or principles govern the lawful processing of personal information. These principles ensure that the data subject is aware of, and in control of, the processing of the information; that the processing is limited to the extent necessary, without unjustifiably infringing on the privacy of the individual; and that it is subject to secure processes.
Other than in a few limited instances, personal information must be collected directly from the data subject. However, this requirement does not apply if the data subject has deliberately made the personal information public. The rule that collection should be directly from the data subject makes the practice of companies selling their databases to other companies problematic unless the data subject has consented thereto.
Personal information must be regularly reviewed, and where necessary, updated. Any new uses of an individual’s personal data must be brought to their attention before processing. Under the GDPR, as under POPIA, individuals have a right to request the deletion of their data or request a limitation of the processing of their data in certain circumstances.
In terms of both the GDPR and POPIA, all organisations have a duty to report any data breach to the Regulator within 72 hours of becoming aware of the breach, where feasible.
The penalties for a breach under the GDPR can be a fine of up to 4 percent of annual global turnover or €20 million (whichever is greater). POPIA’s penalty for non-compliance is a fine of up to ZAR10 million and/or 10 years' imprisonment. A data subject whose privacy has been infringed may also institute a civil action for damages against the responsible person.