In South Africa, Privacy and POPI are stress-tested by CCTV and elections

By Sagwadi Mabunda, Frej Thorgren & Jonatan Jakobsson

As the General Data Protection Regulation (GDPR) celebrates its first anniversary, it is fitting to consider some issues concerning data protection and privacy. This post will consider privacy in the context of the South African Protection of Personal Information Act 4 of 2013 (POPI) and the issues surrounding Vumacam surveillance cameras in Johannesburg and the use of the voters roll by electioneering politicians.

The Protection of Personal Information Act 4 of 2013 (POPI)

Although POPI was enacted in 2013, it has not come into force because the Information Regulator is not yet fully operational. POPI seeks to promote the protection of personal information that is processed by private and public entities. The right to privacy is enshrined in the Bill of Rights, therefore giving POPI its mandate.

It is common knowledge that Personal information accessed through data collection can be the source of valuable resources for companies, governments, organizations and individuals. Thus, it seems desirable to regulate the collection of personal data in order to protect people from harm or exploitation as result of the data collection.

One of the rights provided for in POPI is the right for one to be notified that ones personal information is being collected and thereafter, have access to that information should one wish to have it. However, it is important to note that POPI does not forbid responsible parties from handling personal data. Rather, it sets out limits on how, why and by who such data can be processed.

Vumacam Camera Surveillance

Vumacam, a subsidiary of the fibre infrastructure company Vumatel is reportedly installing CCTV surveillance cameras all over the city of Johannesburg. What makes this newsworthy is that is comes with serious privacy concerns that have been raised by data protection and privacy advocates. Vumacam intends to install about 15 000 cameras in public spaces.

Vumacam operates by entering into contracts with private security companies for access to the feed produced by the Vumacams and transferred via Vumatel fibre. The cameras have motor vehicle licence plate recognition software which would allow those that handle the data to check vehicles against certain databases. The idea is that this will decrease crime by tracking forged licence plates, suspicious, and stolen cars amongst other things. The Vumacam privacy policy obliges the security companies to comply with POPI and any other relevant laws.

Furthermore, the security companies are not able to download the footage obtained from the cameras. If they need footage, they need to present official documentation to the South African Police Services (SAPS). Ultimately the sensitive footage can only be accessed by law-enforcement agencies. Managing Director of Vumacam, Ashleigh Parry says Vumacam is POPI compliant.

The deployment of this monitoring capabilities, however is far from being uncontroversial. Thami Nkosi from Right2know Campaign expressed concerns about the amount of data that is being generated. He asserts that it is not necessarily going to assist in dealing with crime. There is an obvious question about whether CCTV cameras are indeed successful in deterring crime or whether they only displace crime to a different location. He furthers argues that the CCTV camera system is an invasion of privacy. On the other hand, Ahmore Burger-Smidt from Werkmans Attorneys states that there is no absolute right to privacy for the data subject, just that data subject has rights and Vumacam has responsibilities.

At the end of the day, it all comes down to a balancing act between security and privacy. Many questions arise such as whether South Africa recognises a reasonable expectation for privacy in public spaces, and if so, to what extent? Does the right to privacy trump the need for safety and security in a country with a high crime rate? And if Vumacam is operating within the parameters of POPI, is there a need for concern? In any case, this is a topic that definitely needs more public debate by South Africans.

Elections and Personal Data

The second issue concerning privacy and data protection in South Africa relates to the calls and SMS, which South African voters received from a wide range of politicians leading up to the 2019 general election.

To vote, citizens must register on the national voters roll with the Independent Electoral Commission (IEC). The voters roll takes one’s personal information such as ones name and surname, identity number, cell phone number, address, date of birth and the voting district in which one votes. Ahmore Burger-Smidt from Werksmans Attorneys states that those who are interested in obtaining the information on the voters roll would be able to do so by the mere payment of a fee. It is unclear how electioneering politicians obtained the information but what is clear is that data subjects were not notified or consulted.

The IEC, as the data controller in this case, has responsibilities towards the data subjects. POPI requires that the processing of personal information must be done with accountability. The data controller must ensure that the processing of that information is done lawfully and in a reasonable way that does not infringe on the rights of the data subject. It is clear that the privacy rights of the data subjects were not taken into consideration when their personal information was transferred from the stewardship of the IEC to (unauthorized) third parties. There is also no way to determine whether the data was obtained due to a security breach, a financial transaction or any other way.

According to POPI, the rights of the data subject include, but are not limited to: the right to be informed when one’s data is being processed, compromised or hacked; the right to know if a responsible party holds one’s personal data as well as getting a copy of the personal data being held by the responsible party; the right to object about one’s data being processed and to not be subject to direct marketing.

Unfortunately, due to the fact that POPI has not yet come into effect, it cannot be enforced retrospectively, therefore, the violation of privacy will go unpunished.

In reality, complying with data protection regulations can be both complex and expensive. The duty to comply with the data protection regulations might sometimes even fall on individuals unaware or uneducated with the rules. Failure to process the personal data lawfully does not only have consequences for the individual or entity whose personal information has been mishandled, it can also damage the public trust for the responsible party.

This scenario leads to questions such as what happens when the government is the responsible (offending) party and have mishandled the private information of citizens? So far, there seem to be no single answer for this pressing question in South Africa but it is clear that this is not a problem that will go silently into the night.