#HumanRightsDay 2020: A spotlight on the right to data privacy in SA
For Human Rights Day 2020, the IAB SA is shining a spotlight on the importance of the right to data privacy for our members and the industry more broadly.
This is a constitutional right, enshrined in the Constitution of the Republic of South Africa, 1996 (the Constitution), as well as through the common law and legislation, including the Protection of Personal Information Act 4 of 2013 (POPIA). The right to privacy is of fundamental importance – both as a self-standing right and as an enabler of the full range of fundamental rights.
As noted by the Constitutional Court, the right to privacy is central to identity, dignity, personal integrity and autonomy. In the current data-driven era, the importance of the right to data privacy has gained increasing recognition. This is given effect through comprehensive data protection frameworks, such as POPIA.
As explained by Privacy International:
Every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal data. Even without your knowledge, data and information about you is being generated and captured by companies and agencies that you are likely to have never knowingly interacted with. The only way citizens and consumers can have confidence in both government and business is through strong data protection practices, with effective legislation to help minimise state and corporate surveillance and data exploitation.In South Africa, at present, the substantive provisions of POPIA are not yet in force, and the enforcement date remains unclear.
The IAB SA recognises the challenges that this poses to the industry and commends the proactive measures that have already been taken by various organisations to give effect to the data privacy rights of the persons with whom they engage.
POPIA provides that a data subject – this being the person to whom the personal information pertains – has the right the have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information.
Furthermore, subject to certain exceptions, data subjects are entitled to the following rights:
- To be notified that personal information about them is being collected;
- To be notified that personal information about them has been accessed or acquired by an unauthorised person;
- To establish whether a responsible party holds personal information about them, and to request access to that personal information;
- To request, where necessary, the correction, destruction or deletion of their personal information;
- To object to the continued processing of their personal information;
- Not to be subject to a decision which is based solely on the automated processing of their personal information intended to provide a profile of such person;
- To submit a complaint to the Information Regulator regarding the alleged interference with the protection of personal information of any data subject.
POPIA also deals specifically with the use of personal information for the purposes of direct marketing. As a general position, section 69(1) of POPIA provides that the processing of personal information for the purpose of direct marketing by means of any form of electronic communication – including automatic calling machines, SMSes or emails – is prohibited, unless the data subject has consented to such processing or is a customer of the responsible party.
Looking at direct marketing
In respect of direct marketing, data subjects have the right to object to the processing of their personal information for the purposes of direct marketing, as well as the right not to have their personal information processed for the purposes of direct marketing by means of unsolicited electronic communications.
While these requirements are subject to certain exceptions, it is important to pay close attention to these provisions, as a ‘business-as-usual’ approach can no longer be followed.
Privacy authorities are taking the issue of direct marketing seriously: for example, earlier this month, the Information Commissioner’s Office (ICO) in the United Kingdom issued a £500,000 fine to a Scottish company for its non-compliant practices regarding automated nuisance calls.
As explained by the ICO: “This company affected the lives of millions of people, causing them disruption, annoyance and distress. The volume of calls was immense and to add to people’s frustrations attempting to opt-out of those calls simply compounded their receipt of further calls.
The directors of CRDNN knowingly operated their business with a complete disregard for the law. They did all they could to evade detection, from changing and not updating address details to transferring their operation abroad and attempting to go into liquidation. That’s why their conduct called for the maximum fine possible under the law.
But through the cooperation of the public who brought their complaints to us, we were able to identify those responsible and take action against them.”
Realising data privacy
It is clear that privacy authorities and the public alike are demanding the safeguarding and realisation of data privacy rights.
While this may seem daunting, it also presents exciting opportunities for the industry.
As noted in a Google blog post: “We can do a better job of creating an ecosystem that works for everyone. Users should be able to access free, ad-supported content in full faith that their online privacy will be respected. Publishers should get fair compensation for their work. And marketers should be able to connect with people who are interested in what they have to offer.”
The post goes on to advise the following three-step approach:
- Collect data responsibly: Move to a first-party measurement system if you haven’t already. Ask for consent directly from your users to collect and use their data, and avoid any solutions that aren’t compatible with people’s expectations for privacy.
- Be resourceful with how you reach audiences: Place ads with publishers who’ve built a consent-driven, first-party relationship with their users. And if audience signals are restricted because of cookie limitations, use the context of the ad to tailor your message instead.
- Hire and train for privacy: Build a team or partner with agencies who are well-versed in regulatory requirements and have experience with responsible marketing approaches, like first-party data collection and cloud-based measurement. Train your teams to be thoughtful about their analyses and recognise when to segment reporting by browser and operating system to draw conclusions about your marketing.
This Human Rights Day, it should be remembered that data privacy is so much more than a compliance issue: it is a constitutional requirement; a public demand; and a business imperative.
Going forward, the IAB SA will be working with members of the industry to find effective and rights-based ways to give meaningful effect to the data privacy rights contained in POPIA.
We will be publishing guidance notes, holding workshops, and providing ad hoc assistance as may be needed. It should also be remembered that, in order to get this right, it cannot be the sole responsibility of one executive or department – it requires an organisational and industry shift in order to hold each other to account.
*Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.