The regulation of artificial intelligence (AI) has been exercising the minds of data protection authorities around the world. In March a privacy watchdog in Italy temporarily outlawed OpenAI’s ChatGPT because it lacked age verification safeguards and a “legal basis” for collecting online user data to train the AI tool’s algorithms.

The regulator gave OpenAI time to tackle these issues, but OpenAI declared that it had already made many of the needed improvements. Italy has lifted the restriction, according to a statement from OpenAI to the Associated Press. 

SA does not have an AI law as yet, but an indication of the approach that might be taken lies in the Protection of Personal Information Act (Popia). The act provides that a data subject (the person to whom the personal information relates) may not be subjected to a decision that has legal repercussions for, or significantly affects, him, her or it, where that decision is based solely on the automated processing of personal information intended to create a profile of that person, including his or her performance at work, creditworthiness, reliability, location, health, personal preferences or conduct.

However, these provisions do not apply if the decision was made in connection with the conclusion or execution of a contract and the data subject’s request was fulfilled under the terms of the contract, appropriate measures were taken to protect the data subject’s legitimate interests, or the decision was made in accordance with a law or code of conduct that specifies appropriate measures for protecting data subjects’ legitimate interests. 

This follows closely the EU General Data Protection Regulation (GDPR), which provides for automated decision-making. Article 15(1) states that EU member states shall grant the right to every person not to be subject to a decision that produces legal effects concerning him or her or significantly affects him or her and which is based solely on automated processing of information intended to evaluate certain personal aspects relating to him or her, such as their performance. 

The regulator responsible for the implementation of this legislation is the Information Regulator, created by Popia, which was passed in 2013. Ten years later the act is being tested, as new technologies that rely on the mass processing of data are being created all the time.

One of the responsibilities of the regulator is to examine proposed legislation and all proposed policy that may affect the protection of personal information of data subjects, and to report to parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the desirability of taking legislative, administrative or other action to protect the personal information of a data subject.

Are the provisions of Popia sufficient for now? Developments in other jurisdictions indicate that AI regulation in SA must at least be considered. The regulator has other mandates to fulfil, also related to data protection and access to information. The mandate relating to security compromises (data breaches) is probably the one that is getting the most attention, given the high-profile data breaches we are experiencing at this point.

The regulator has made a number of findings in relation to violations of Popia, and has started to build the jurisprudence on how and why it will make decisions. Many data breaches are the result of a cybercrime. This is not always the case — people leave confidential data behind on buses and in public bathrooms — but certainly the bulk of breaches are caused by criminal actors. Some are “white-hat” hackers, testing systems to see if they have vulnerabilities, but cybercrime is very often part of a data breach.

In a recent matter Grapevine, a third-party service provider for Dis-Chem, experienced a brute force attack by an unauthorised person between April and May 2022. The goal of a brute force attack is to break a password by repeatedly trying different character combinations until the correct one is discovered. Dis-Chem learnt of the data breach through SMS messages sent to some of its workers on May 1 2022. On May 5 it notified the regulator in writing.

The regulator then did an own-initiative assessment of the security compromise after Dis-Chem’s failure to notify the data subjects (as we call the people whose personal data is concerned), as required by Popia. After the assessment the regulator determined that Dis-Chem had interfered with the protection of the personal information of the data subjects, and had thus breached the conditions for the lawful processing of personal information. The regulator issued an enforcement notice ordering Dis-Chem to remedy its processing of personal data.

The mandate in relation to access to information is perhaps the least well-known of the regulator’s powers. Once someone has made a request in terms of the Promotion of Access to Information Act (Paia) and exhausted the appeals process, they are entitled to approach the regulator for an order in relation to that information.

In the past 10 years, and even in the past 10 months, we have seen considerable changes in the possibilities for the use and abuse of information. Our privacy and access to information legislation is being stress-tested by events, and we will have to see whether these laws are fit for the next 10 years.

Tilley is a part-time member at the Information Regulator. 