Throw into the mixing bowl: The burgeoning sophistication of radical terror groups; Moore's law (the number of transistors in a dense integrated circuit doubles about every two years); section 14 of the Constitution (everyone has the right not to have the privacy of their communications infringed); "The Great Hack" (a docufilm about the Cambridge Analytica scandal and harvesting of personal information by companies and governments as a tool for targeted marketing); the drive for enhanced international security; and Edward Snowden's reveal of global surveillance programs (many run by the NSA and the Five Eyes Intelligence Alliance with the cooperation of telecommunication companies and European government).
Whisk, bake at 180°C for 20 minutes and hey presto, you get a traditional matzo pudding which recognises the threats, understands the need for security, embraces constitutional rights, hates any breach of privacy, any manipulation of people and in all of that struggles to find a compromise position. The cherry on the top is that you were almost certainly directed to this article by some form of targeted marketing, based on the harvesting of your personal information and internet behaviour.
If you now have indigestion, chew on this legislative antacid but beware its side effects. The Protection of Personal Information Act 4 of 2013 (POPIA) gives effect to the right to privacy by safeguarding personal information when processed by a responsible party. To monitor and enforce compliance with POPIA and information laws generally, POPIA creates the Information Regulator who issues binding codes of conduct for the lawful processing of personal information. These codes must regulate the use of personal information in specific sectors and as a first step in the process, the Information Regulator has published proposed Guidelines on Drafting Codes of Conduct.
Unfortunately, the complaints process in the Guidelines, focussed on alternative dispute resolution (ADR), can cause mild schizophrenia when read with the regulations to POPIA, which require complaints to be adjudicated by the Information Regulator who can levy administrative fines for breaches of POPIA. The Guidelines by contrast prescribe a mandatory ADR process, with no power to levy fines, where the complaint "must first be raised with the party that you believe has compromised your personal information. This party must be afforded the opportunity to respond to the complaint". Then an independent adjudicator must be assigned to address the complaint. If either party is aggrieved by the outcome, that party must refer the matter to "a certified alternate dispute resolution entity that is competent to handle the complaint". The guidelines provide for different types of ADR, such as mediation/conciliation leading to arbitration or, coming full circle, that the Information Regulator itself determines the dispute. It isn't clear if the Information Regulator can participate in the ADR proceedings or whether it has some type of appellate jurisdiction over decisions from ADR proceedings. Before the Guidelines were published for comment we had POPIA and the Information Regulator. After the Guidelines, the answer is not so clear anymore. But these are draft Guidelines and hopefully in final form, there will be more clarity.
Ultimately though, there is still a balance to be found. The Constitution, POPIA and other means of protecting personal information will always be juxtaposed with national and international security, clever computing and the massive power of greed.
Suggest you find a way to enjoy that matzo pudding as you're going to be chewing on it for generations to come.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
