ENSafrica's specialist data privacy and cybersecurity law experts are pleased to provide you with our first privacy in brief focusing on data privacy, a content-rich weekly newsletter dedicated to showcasing various topics and newsworthy stories covering issues related to privacy law and compliance.

feature article

Is privacy and the 4IR compatible?

In this week's feature article we deal with privacy issues emanating from the fourth industrial revolution ("4IR") and consider the impact of the often much-hyped 4IR initiatives on privacy rights.

4IR refers to the current stage of human development where disruptive technologies and trends such as the Internet of Things ("IoT"), robotics, virtual reality and Artificial Intelligence ("AI") are changing the way people in societies live, interact and work. Along with other governments in Africa, such as Ghana, as well as globally, South Africa has embarked on an ambitious programme to harness 4IR for future economic growth and development. The question arises however, just how does a country's 4IR ambitions match with the universally accepted constitutional and human right to privacy and with privacy laws in general; just how compatible is the 4IR development with privacy?

The impact of 4IR technologies on the right to privacy is best illustrated by way of some examples of technologies which raise major privacy (and in some cases, even safety) concerns:

  • The TV that watches you: smart TV's are gaining popularity among consumers. Some Smart TV's not only track what you watch but in some cases listen and record your conversations or can even "watch" you through its built-in camera.
  • Cayla, the Talking Doll: a talking doll named Cayla has been banned in Germany due to the software being easily susceptible to a hack, but more creepily, the doll was said to have recorded conversations of children and their parents
  • Smart Cities: smart cities, or cities where key infrastructure or components of infrastructure are connected to the internet or networks, present a major risk of being hacked or may be subject to cyber terrorism. The impact on citizens and the security of the city as a whole presents major risks, including privacy risks. A good example is the use of surveillance cameras and the potential for abuse thereof to the detriment of the privacy of citizens
  • Healthcare IoT: as technology evolves and IoT devices become more integral to operations and other healthcare solutions, the threat to privacy increases exponentially. The risk of hacking and the impact on human life is even more concerning.
  • Rise of the Machines: as AI becomes increasingly used in the mainstream, coupled with robotics, there is a fear that machines will become more intrusive especially when it comes to privacy.

South Africa has privacy legislation in the form of the Protection of Personal Information Act, 2013 ("POPIA").To date, the most of POPIA is still not in force and effect. In Africa, only 15 of 54 countries have some form of privacy legislation in place. In the absence of active and adaptive legislation (i.e. legislation that can quickly adapt to changes in technological advancements) and more detailed guidelines on the development of 4IR technology, including issuing guidelines and best practices for the ethical adoption of AI and making Privacy by Design a more prescriptive requirement, the privacy rights of individuals and corporations remain at risk.

Companies and government departments investing in the development of 4IR technologies would do well to pre-empt privacy-related issues and ensure that privacy rights of citizens are kept at the forefront of the development process. Training of development teams on privacy laws and rights, including training on Privacy by Design and the ethical and legal implications of AI, is critical.

POPIA in brief

POPIA requires that a responsible party must ensure that the eight conditions for lawfully processing of personal information are complied with. In this week's edition, we cover processing condition 1, Accountability. We also compare this to the relevant corresponding provision under the General Data Protection Regulation 2016/679 ("GDPR"), being article 5(2).

POPIA: processing condition 1. The responsible party must ensure that the processing conditions in Chapter 3 of POPIA, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

GDPR: article 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, the processing principles set out in article 5(1) of the GDPR (referred to as the "accountability" principle).

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.