Does PoPI offer adequate legislation in the digital age?
My view is that the law is not, at present, up to the task. It is true that South Africa started recognising electronic communications as legally valid early in the 21st century, but there have been few developments since then. In this context, the most important piece of legislation passed since the Electronic Communications and Transactions Act came into effect is the Protection of Personal Information Act. This prescribes, in essence, the conditions under which 'personal information' can be collected, processed, stored and reused and ascribes responsibility for the protection of personal information between the parties that come into contact with such information.
But there is an argument that even PoPI (as it is known) is somewhat lacking in the nuance and sophistication needed to tackle the type of issues that might arise in the digital world.
Personal information, which is the key ingredient needed to trigger the application of PoPI, is defined as information relating to an identifiable, living person, including (but not limited to) information about such a person's age, race and sex; his/her biometric information; information about his/her educational or medical history; information about his/her personal opinions, views and preferences; and information that is routinely collected by apps and websites, like online identifiers and location information. It is not clear, for example, that this definition captures images or video of a person when there is no other identifier present (other than the person's face and physical features).
Furthermore, 'big data' is not necessarily concerned with identifying individual users; it routinely aggregates information to give insights into the collective desires, motivations and preferences (both explicit and implicit) of various groups, thereby allowing companies to tailor their products and services and, importantly, their marketing efforts to these groups accordingly.
The recent American elections featured some discussion about the way in which the Democrats and Republicans targeted campaign messaging to sections of the populace using aggregated big data. There was a general unease about the extent to which this sort of practice was socially acceptable.
PoPI is potentially too narrowly framed to deal with either of the examples given above. Recognition of the insights which aggregated data provides, and the uses to which those insights can be put, is fundamental to ensuring that law and policymakers are better equipped to make decisions about the extent to which the legal framework does require amendment or extension.
My intention is not to make some normative claim about the value of technological advances and developments, but rather to draw attention to the fact that our current legal infrastructure has shortcomings in this regard that have not necessarily been appreciated until now. We need a robust debate about these issues, so that we can, if necessary, enact policy to deal with whatever is deemed socially undesirable.