Your article of April 11 (Information regulator contacts Facebook over data breach) appears to represent that the Protection of Personal Information Act, SA’s data protection framework law, is in operation. This is not the case.

Despite being on the statute books for several years, and the regulator being appointed and having a budget, the act has not been brought into operation. We have seen egregious data breaches in the past year, of which Facebook is only one. Second, and perhaps more importantly, SA lags behind in the race to provide a proper framework for the processing of personal data in the era of Facebook.

The General Data Protection Regulation is a regulation by which the EU intends to strengthen and unify data laws for all within the EU and addresses the export of personal data outside the EU. It becomes enforceable from May 25. Many countries are upgrading their legislation in view of this, as it provides a gold standard by which all would hope to favourably compare. The ability to process large amounts of data while safeguarding privacy issues has been termed "the new oil" in terms of its economic value.

It would seem that SA’s failure to implement the Protection of Personal Information Act means this country does not comply with the requirement of "adequacy" in terms of the EU regulation. This means we will have to rely on company-to-company agreements, standard contractual clauses, or binding corporate rules. This will create an unnecessary impediment to doing business that relies on the exchange of personal data with the EU.

Nor do we meet our own standards in terms of the constitutional right to privacy, or those that relate to the right to information, both of which fall within the mandate of the regulator.

The act amends the access to information law and gives the regulator powers to order the release of information. The failure to bring the law into operation must be remedied by the Department of Justice immediately.

Alison Tilley
Head of advocacy, Open Democracy Advice Centre