Picture: 123RF/SDECORET

It has been four years since the EU’s flagship data privacy legislation, the General Data Protection Regulation (GDPR), came into force. Similarly, July 1 2022 marked the first anniversary of the implementation of SA’s Protection of Personal Information Act (Popia), and of SA’s crossing of the proverbial “data privacy Rubicon” in respect of the compliance deadline imposed by the legislation.

Both pieces of legislation are groundbreaking to the extent that they represent governments’ recognition of the need to establish comprehensive data protection regimes that facilitate the protection of the fundamental right to privacy at both the national and international levels. 

The fourth industrial revolution (Industry 4.0) is characterised by an exponential pace of technological change that has facilitated, and will continue to facilitate, a rapid and fundamental disruption that affects the way we work and live. Unsurprisingly, it is against this backdrop of fast-paced technological development that questions about the longevity of data protection legislation such as the GDPR and Popia are starting to arise.

The GDPR, as well as national data protection legislation such as Popia, was instituted to accommodate developments in new technologies such as artificial intelligence (AI), machine learning and cloud computing. However, in implementing such legislation it appears that data protection authorities around the world have taken the position that once principles of lawfulness, fairness and transparency are incorporated into data protection legislation, such legislation will be “future-proof” insofar as it addresses concerns relating to the protection of user privacy.

The data-privacy compliance journey is not an idle one. For example, Popia triggers various ongoing obligations that necessitate a constant review of the application of Popia. Instead of setting hard-and-fast rules regarding the manner in which an individual’s right to privacy is protected, the legislator has chosen to focus more on establishing general principles that underpin data protection. This approach is understandable given the multitude of contexts within which an individual’s personal information may be processed in Industry 4.0. Accordingly, there is little of what technology could make possible that data protection legislation would outright prohibit.

Be that as it may, there appears to be a lack of clarity on how such data protection principles may be applied when considered in the context of the enforcement of data protection legislation. A study conducted by the National Bureau of Economic Research reported that just more than 32% of apps available on the Google Play Store were induced to exit the market, while the entry of new apps in the market fell by half between 2016 and 2019 as a result of compliance concerns with data privacy legislation and the risk of large fines. 

Part of the problem might be that both developers and users are uncertain as to what practices would be tolerated under their domestic data protection regimes and, where applicable, cross-border interactions between such regimes. For example, in Europe several businesses have faced penalties for violating citizens’ data rights when using new technology. In 2019 the Dutch Data Protection Authority imposed a fine of €725,000 on a company that processed biometric fingerprint data when less intrusive means of processing were available.

In Hungary, Budapest Bank was fined about €650,000 for using voice analysis AI systems to assess the emotional state of customers who telephone the bank’s call centre and monitor its handling of customer complaints. More recently, the UK Information Commissioner’s Office fined Clearview AI more than £7.5m for collecting people’s images from internet and social media sites without their knowledge or consent, to create a global online database that could be used for facial recognition in criminal investigations.

The SA approach to conducting data-related investigations and the imposition of fines is even more uncertain given the infancy of the Office of the Information Regulator. It is yet to show its teeth in respect of its handling of data breaches (and complaints related thereto) and willingness to set precedents relating to what the enforcement of Popia will look like from a practical perspective. 

From a business development perspective, companies need to develop a deeper understanding of how to mitigate risks and/or violations related to the protection of personal information. In other words, processors of personal information need to improve their awareness of regulatory and legislative enforcement trends to understand the impact of their own organisations, and whatever technological developments may arise therefrom.

One way to achieve this is to carry out data impact assessments that evaluate the new technology in the context of compliance with Popia. After all, being able to justify business decisions from a data privacy perspective, as opposed to implementing new technologies without considering data protection legislation, is integral to not only ensuring compliance but also defending claims. 

Be that as it may, companies and organisations cannot improve their awareness of the “why and how” of data protection without input and guidance from the regulator. To this end, the regulator needs to adopt a proactive approach to helping companies and individuals understand Popia beyond the implementation of generic privacy policies. This can be done via the implementation of new regulations and/or publishing of directives that provide further guidance as to, inter alia, what is expected of data processors and operators during the course of their collection and processing of personal information. 

When data protection rules are difficult to understand and/or apply in practice, organisations tend to either fall into the trap of believing that avoiding such rules is more pragmatic; or adopt the view that the mere adoption of a privacy policy is sufficient to guard against the infringement of data privacy rights. “Think privacy” ought to become the mantra informing all business procedures and processes today, tomorrow and every day thereafter.

• Burger-Smidt is head of data privacy & cybercrime practice at Werksmans Attorneys.
