South Africa's first data protection authority is in the process of setting up shop, but local legal professionals are skeptical about how well-resourced it will be.
Africa's third-largest economy passed its Protection of Personal Information (POPI) Act in 2013, but the data protection law is not yet fully operational. Before that happens, the country's Information Regulator needs to get going.
The regulator's chairperson, former Independent Electoral Commission chief Pansy Tlakula, was only officially confirmed at the end of last year. She and four other board members (two of whom are part-time) are currently the authority's only employees, and the regulator is housed for now on the 25th floor of the justice ministry in Pretoria. The justice ministry has loaned the fledgling regulator two staff members to help it get started.
"We do intend having our own building," said Sizwe Snail ka Mtuze, a part-time Information Regulator board member and a lawyer with Snail Attorneys at Law.
The Information Regulator is currently drafting its procedural rules for things like handling complaints about privacy violations, and mapping out its future committees for education and outreach, enforcement, and dispute resolution.
However, while the watchdog is authorized by the POPI Act, it won't only be responsible for that law. It will also take over enforcement of South Africa's Promotion of Access to Information Act, which was passed back in 2000. This will give it a dual role that's analogous to the functions carried out by data protection authorities in some European countries.
"We don't want to be focused just on data protection itself, but also access to information," said Snail ka Mtuze. "A country we would be considering as a typical benchmark is Germany, because they also have a dual function like that. We're also looking at the U.K. One of our members also went and saw the information regulators in New Zealand and Singapore.
"Our objective would be that, once the act is in place, we have a minimum standard of compliance for what countries in the EU, for instance, would require. The EU is one of our biggest trading partners. The intention here is to have uniformity with international best practice."
Indeed, the South African law is largely similar to the EU's General Data Protection Regulation, according to John Giles of law firm Michalsons. However, there are some differences, notably the fact that the POPI Act protects the information of "juristic persons" – things like companies and trusts – as well as actual people.
"In South Africa, they have to protect the personal information of juristic persons, which is probably the only country in the world that requires that," said Giles.
The South African data protection law puts a lot of emphasis on the protection of account numbers. It also includes explicit limits on the activities of the direct marketing industry, which in Europe is instead covered by e-privacy legislation. "The other big difference is that, in other countries, freedom of information just relates to public bodies, whereas in South Africa it relates to public and private bodies," Giles explained.
The maximum punishment for violations will be weaker in South Africa than in European countries under the upcoming GDPR, at least in monetary terms – fines are capped at 10 million rand (roughly $770,000), although serious offences can also earn a jail term of up to 10 years.
All this will be quite a change for a nation of 55 million people that has, so far, not had a broad data protection law (some sectors, such as healthcare and financial services, already have privacy-related regulations). A lot of industry and public education will be needed to make people aware of their rights and responsibilities.
Under the terms of the POPI Act, there will be a grace period of one year after the act is fully implemented before enforcement begins. However, it's still not clear when the act will be fully implemented — a task that's down to President Jacob Zuma.
At the start of this year, experts were hoping for implementation in May. However, that's unlikely.
"I don’t want to give an indication as to when the president will make the rest of the act applicable, but from our perspective we would like to at least have the office up and running by the beginning of next year," said Snail ka Mtuze. "Once that has been done, then we can talk about having consideration as to when the remaining sections of the Act will become operative." He suggested enforcement may be "anything from 18-24 months" away.
"I've given up trying to guess what the timeline will be," said Giles.
Giles stressed that "the individuals that have been appointed are competent people who I think are going to do a good job," but expressed concerns about the amount of resourcing that the regulator will receive. Its budget allocation in the current financial year is just 10 million rand, although that will rise to 25 million rand in the next financial year.
"If you consider the role of this regulator and how important it is, 10 million rand is way under what it should be," Giles said. He added that the Information Regulator will be able to benefit from the existing work of other regulators around the world, some of whom (like the U.K.'s Information Commissioner's Office) offer their content under an open government license. However, the South African watchdog would still need to adapt this content to its local environment.
"One of [the Information Regulator's] jobs is to check that government and public bodies are protecting personal information, so there's no real incentive for political parties or for government, or maybe the executive as a whole, to give them a huge budget and help them to get set up," Giles noted. "For me that’s the biggest concern, that they haven’t been given a big enough budget, and I don’t know they're getting the cooperation they should have in order to get set up and operational as quickly as possible."