South Africa is now putting the finishing touches on its first comprehensive data protection laws, aligned closely with those currently under debate in Europe.
The proposed European laws give online consumers the right to withhold personal information while using websites — which presents a challenge to the businesses who have based their revenue model on garnering exactly this kind of data.
These laws, if introduced in South Africa, could have far-reaching implications for both individuals and businesses.
1. Why is it so important to lawmakers to provide protection for this kind of data? What are the risks of having it out there?
I don’t think people appreciate how valuable their privacy is until it is lost. People give away their most valuable asset via an asymmetrical value exchange with online companies. If you sign up to have your personal data accessed through, for instance, Facebook, something as simple as the searches you are carrying out can be sold to a marketer. You may trust the news or retail company that you have given permission to access your data, but you don’t know who else they may share your data with.
Sharing this kind of data already opens consumers up to a wealth of spam, but there is also the very real risk that it can open them up to identity theft – something that seems like a plot from a bad action movie, until it happens to you. This kind of information could make its way into the hands of untrustworthy individuals, businesses or governments. And remember that internet giants cannot and should not be automatically trusted, regardless of who they are or what their slogan is.
2. What will the implications of the legislation be?
The spirit of the European legislation – with which the South African legislation in its current form is closely aligned – is to hand back a measure of control to consumers. It requires companies to have an extra opt-in level, alerting consumers to what information they are giving and what will be done with that information.
It will also require companies to be more responsible with the data they’ve collected – the standards for compliance have to be higher. They will need stronger systems and updated human and evaluation processes in place.
3. How will this affect the consumer’s browsing experience?
It shouldn’t cause too much inconvenience to the user. Behind the scenes there will be greater security, and when you’re browsing on Amazon, you won’t be getting book recommendations based on something you’ve told your friends on Facebook – but each portal will still be able to make recommendations or advertise to you based on your preferences and activities within their site.
4. What about businesses? How will this affect them?
Of course there will be implications for businesses in Europe and in South Africa. The extra opt-in level and the tighter data controls will be costly. This may put a squeeze on smaller e-commerce businesses, but the larger companies will just have to budget around these necessary measures.
At this point, it remains to be seen what will happen in South Africa because global business groups are lobbying the lawmakers, and they have a powerful voice, so the European laws in their final form might not look anything like the current proposals.
5. Will this give South African consumers greater recourse if their data is passed on to spammers?
South African consumers should already be able to demand information on how their personal information was accessed by marketers or other companies. In reality, this is an onerous process and there is very little compliance or enforcement.
In the US and the UK, the power of class action makes it possible for consumers to fight back at big companies, and these actions act as a deterrent for further wrongdoing. In South Africa, for now, we’ll have to wait and see.
6. Does this have any implications for cloud service providers in South Africa?
Remember that there’s a distinction between the kind of information that consumers voluntarily offer to free cloud services like Gmail, Facebook and Dropbox, versus paid-for local cloud providers to business. While providers in both scenarios should be ethical and put every measure in place to safeguard data, when companies or individuals are paying for a service, they have far greater control over the service level agreements and will probably scrutinise every line of the contract to ensure that they are not at risk in any way.
7. Are the potential changes to legislation a good thing or a bad thing?
We absolutely welcome this law. I think it’s been a long time coming. It’s a pity that the law that ends up being passed will most likely be an extremely watered down version, but we’ll take what we can get. Privacy is paramount.