Mark Zuckerberg once described data as “the new oil”. What he meant is that data is fast being recognised as one of the biggest assets to a business because it can be commoditised in many ways. But how does this apply in the real world? And what are the pitfalls businesses need to watch out for? To find out, we spoke to Fatima Ameer-Mia, Director in the Technology, Media, and Telecommunications practice of law firm Cliffe Dekker Hofmeyr.
What are the considerations around data and privacy?
AI applications make it possible to collect and analyse large datasets to identify patterns and predict the behaviours of communities or groups of people. And so the risks associated with the use of data in this context must be considered. Not all data which is processed in an AI or big data context involves personal information, but a large spectrum of data has a direct impact on individuals and their rights with regards to the processing of personal information.
What exactly is personal information?
It’s widely defined and includes information relating to an identifiable living natural person and also, where applicable, an identifiable existing juristic person (such as a company). Personal information includes race, gender, education, telephone numbers, biometric information, contact details, and also the correspondence of a person. It must be noted that this is not a closed list. Personal information is literally any information that can be used to identify a data subject.
What is the law around this?
Talking to the current legislative framework, the right to privacy is enshrined in Section 14 of the Constitution, and states that everyone has the right to privacy, which includes the right not to have the privacy of communications infringed. In order to give effect to the right to privacy, the Protection of Personal Information (POPI) Act was promulgated in 2013. On 1 July 2020, President Ramaphosa finally signed POPI into law, although it allows for a grace period of twelve months for responsible parties to comply, which means that companies have until 30 June 2021 to get their house in order (with no enforcement of fines or penalties instituted until then).
What is the essence of this law?
POPI is essentially data protection legislation that’s modelled on the EU data protection laws. It establishes the information regulator and confers various powers, duties, and functions, which includes monitoring and enforcing compliance with regards to contraventions. It also establishes a strict compliance framework and places various obligations on responsible parties with regards to the security of information in their possession or control. POPI imposes various conditions, which responsible parties must comply with in respect to the lawful processing of personal information. Processing is widely defined in under POPI and basically includes any activity or operation, whether it’s done by automatic means or not, which concerns personal information. This includes how the information is collected, how it is shared or disseminated, and also how the information is destroyed, de-identified, or deleted. Non-compliance with POPI will attract fines of up to R10 million and can also attract up to 10 years in prison.
What else is the government doing?
Another development this year is that the Intergovernmental Fintech Working Group (IFWG] released its first fintech landscaping report in January 2020. It analysed the South African fintech market and is intended to support policymakers with regulating this fast-changing field. The IFWG is comprised of stakeholders such as the National Treasury, the South African Reserve Bank, and the Financial Intelligence Centre, as well as the Financial Sector Conduct Authority. They announced the intention to launch an online portal, which will consist of a fintech innovation hub. Part of this is to include a “regulatory sandbox”, which can be described as a semi-controlled test environment similar to that of a clinical trial in the healthcare and pharmaceutical industry. It functions by allowing companies to test fintech or other AI products in a live environment. But it also offers companies temporary regulatory relief by exempting them from compliance for a limited period of time, subject to certain safeguards and security, even though they’re still operating under the supervision of a regulator.
What are the benefits of this?
The existing legal framework, both in South Africa and globally, predates the ascent of fintech and AI in many respects. That’s why compliance with legislative frameworks can be challenging for start-ups and fintech companies: the operating models differ considerably from what is envisaged under the current legislation. Also, the pace at which these companies innovate and grow can also be stunted by the need to adhere to outdated legislation. So a regulatory sandbox is beneficial because it allows the regulator to receive meaningful input from companies. It also facilitates the regulator’s job to ensure that the landscape is sufficiently robust and protects consumers without stifling innovation.
What responsibilities do companies have?
Companies (and in particular the board of directors) need to ensure effective and secure data management when implementing AI and using datasets. Directors have certain fiduciary duties to a company, and they need to understand how data is obtained, stored, and used. So, even though companies are already starting to use AI-enabled technology to improve decision-making and management, it’s important to note is that the ultimate responsibility and oversight duties will always reside with the board of directors.
Vodacom Business
The Internet of Things (IoT) is transforming assets into intelligent devices. Find out more about how our IoT solutions can add value to your business.
