Q&A: South African Professor Uche Mbanaso

‘Privacy Means to Be “Left Alone,” But the Context Has Changed’

By Maureen Nkatha

South Africa’s Protection of Personal Information Act (POPIA) took effect in July, making the country one of the few African nations to have adopted effective data-protection legislation.

The act defines how personal information can be collected and shared by public and private-sector organizations. They now must report all data breaches to the country’s information regulator.

Uche Mbanaso, a visiting senior lecturer at the University of Witwatersrand in Johannesburg, told Digital Privacy News that one of the greatest challenges to implementing the law is the fluidity of privacy data, which many infrastructures were not yet designed to handle.

Mbanaso, who holds a doctorate in information and communications security from Salford University in the U.K., also is executive director of the Centre for Cyberspace Studies (CCS) at Nasarawa State University in Keffi, Nigeria.

What is the Protection of Personal Information Act (POPIA)?

The right to privacy is a U.N. declaration.

Traditionally, privacy means to be “left alone,” but the context has changed over the years.

The advent of the internet, and now cyberspace, has redefined and reshaped the concept of privacy.

Some argue that, really, there is nothing like privacy in the digital space.

So, POPIA is intended to promote the preservation of personally identifying information (PII) relating to a natural person.

The aim is to minimize the risk associated with how PII is collected, stored, processed and shared amongst interested parties — in a manner that does not harm the natural person.

In so doing, it designates a regulatory body and sets the conditions on how public and private entities can handle private data.

However, the caveat is the balance between the right to privacy and other rights: the balance between privacy preservation and flow of PII, which — arguably — is intricate.

Will the new act bring South Africa’s laws in line with such international data-protection laws as Europe’s GDPR?

There are similarities — and it is a matter of semantics. However, GDPR is broader and more complex.

Interestingly, the regulations themselves cannot protect privacy — but how the rules are interpreted, implemented and enforced by relevant agencies are crucial to the safeguarding of privacy.

How?

We need to appreciate the fact that digital content such as PII is not easy to safeguard.

What do I mean? Once someone grabs your telephone number, you really cannot control the extent it can be shared in practical terms; I can share the number without your consent — and you can’t detect that.

Although I have promised not to share it without your consent, there is no technology yet to monitor and track the propagation of PII.

Only when there is a breach or compromise, it becomes obvious that it has exchanged hands.

So, trust is the key element. Can a party be trusted to keep to the rules and obligations?

This is the crux of the matter.

So, how the rules are interpreted, how the rules are implemented — and, with technological support — the political will are critical elements.

The skills and knowledge of law-enforcement agencies are equally important.

Consequently, privacy protections require a continuum of extensive R&D in technologies that support privacy preservation, human behavior, policies, trust issues, regulatory approaches.

Are there any special obstacles facing South Africa that could make implementing this law a challenge?

Absolutely.

One of the greatest challenges is the fluidity of the privacy data, which many of the infrastructures are not designed to handle.

For instance, how do you monitor and track the sharing of private data? In many instances, it is only when data breaches occur — and the breaking news flashes all over the media.

Skills shortage is another issue: Do we have the skills to understand the technology used to abuse or misuse PII in the first place, let alone how to refactor and provide data-privacy protection by default?

Politics is a fundamental challenge. Governments the world over are the greatest abusers of personal data under the pretext of national security.

But more importantly, is the technology to support the protection of privacy — in its true purpose — yet to be developed?

Will these obstacles delay the implementation of the new law or are they going to make it harder to enforce?

Of course, these challenges will affect the achievement of POPIA.

But what is crucial is building the next generation of workforce that understands the tenets of privacy and the underlying technologies that inherently intrude upon privacy.

So, to answer your question in a straightforward manner, these obstacles are going to delay the full realization of POPIA.

With the enforcement of the act, how difficult will it be to collect personal information?

Frankly, the act in itself cannot make the collection of personal information difficult.

By the way, PII is so huge in landscape — and collecting information that can link to a natural person is not difficult at all.

Footprints of privacy data litter everywhere in the digital space — and much of the PII is collected inconspicuously.

The act is a deterrent; waiting for those such that their breach of the rules is conspicuous.

Can you transfer personal data out of South Africa?

There are conditions to be met before — from the act — “transfer of personal information about a data subject to a third party who is in a foreign country.”

These conditions on face value are appropriate, but how do you determine electronically or digitally in real-time if a party is in compliance before sharing the information?

Consequently, cross-border rules to me are mere decoration or declaration — and enforcement is strictly hard to achieve.

Maureen Nkatha is a writer based in Nairobi, Kenya.
