Industries

All industries Agriculture Automotive Construction & Engineering Education Energy & Mining Entrepreneurship ESG & Sustainability Finance Healthcare HR & Management ICT Legal Lifestyle Logistics & Transport Manufacturing Marketing & Media Property Retail Tourism & Travel

Special Sections

BizTrends Pendoring IMC Conference Loeries Women's Month Cannes Lions Orchids and Onions #StartupStory More Sections..

In the news

Capital LegacyEnquire about a company Biz Press Office

News

Industries

Companies

Jobs

Events

People

Video

Audio

Galleries

My Biz

Ads & Rates

Submit content

My Account

Cyber Law News South Africa

Subscribe

Trending

2 days 7 days 30 days By Industry

Elections 2024

Advertise your job ad
    Submit a job ad >>
    Search jobs

    What does Facebook's data breach mean for personal information and businesses in SA?

    Ahmore Burger-SmidtBy Ahmore Burger-Smidt
    14 Jun 2018
    14 Jun 2018
    The millions of Facebook profiles analysed by Cambridge Analytica constitute one of the biggest breaches of personal information to date.
    What does Facebook's data breach mean for personal information and businesses in SA?
    © Oleksandr Omelchenko – 123RF.com

    The data was collected through an application accessed by Facebook users in terms of which these users agreed to have their data collected for academic use. What was also collected by the application was information from the Facebook users’ friends.

    Facebook has acknowledged that more than 87 million of the 2.2 billion Facebook users’ personal information may have been shared with Cambridge Analytica. It is estimated that almost 93,000 South African Facebook users’ personal information could potentially have been shared with Cambridge Analytica.

    The question to consider is, to what extent Facebook users and businesses in South Africa are aware of the impact of the Protection of Personal Information Act, 2013 (“POPIA“) on their daily actions and interactions.

    The Preamble to POPIA clearly sets out the aims and objectives of the Act, which are to protect personal information processed by public and private bodies and to introduce certain conditions detailing the minimum requirements for the processing of personal information.

    The establishment of minimum requirements for the lawful processing of personal information requires all responsible parties (the parties responsible for the processing of information) to comply with conditions 1 to 8 of POPIA.

    The definition of processing personal information as set out in POPIA, clearly shows that information sent or received by a user of social media is subject to the statutory provisions of POPIA. This means that:

    • the collection, receipt, recording, organisation and other methods of processing set out in section 1 of the POPIA, must be in compliance with the provisions of the Act;
    • personal information must be lawfully processed in a reasonable manner that does not infringe the privacy of the data subject (the person to whom the data relates);
    • personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive;
    • the requirement of consent. This is probably the most important question regarding the lawfulness of processing – whether the data subject has consented to the processing of his, her or its personal information;
    • the personal information must be collected directly from the data subject;
    • personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;
    • the further processing of personal information must be in accordance or compatible with the purpose for which it was collected;
    • a responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated, where necessary;
    • the notification of the collection of personal information must be communicated to the data subject; and
    • the responsible party must comply with certain security safeguards.

    The requirements for the lawful processing of personal information set out in conditions 1 to 8, apply to social media users and Facebook as a social network. It also applies to public and private entities that process information.

    In other words, when processing personal information of individuals, Facebook is a responsible party in terms of POPIA. This means that Facebook may only collect/receive the personal information of its users if all the requirements for the lawful processing of personal information have been complied with. Also, it will be deemed problematic in instances where Facebook forwards the personal information to third parties, without the consent of the user. POPIA expressly excludes the transfer of personal information about a data subject to a third party who is in a foreign country, unless the recipient of the information is subject to an adequate level of protection which effectively upholds the principles of reasonable processing of information that are substantially similar to the South African conditions for lawful processing.

    However, POPIA has not been fully enacted as yet. This will only happen once promulgated by the President. The Information Regulator issued draft Regulations during the latter part of 2017 and it is anticipated that the final Regulations will be published over the next few months. Despite this vacuum, the Information Regulator proactively and voluntarily engaged with Facebook with regards to the alleged data breach, and Facebook has responded with answers to the questions posed.

    This however does not mean that companies can ignore POPIA. Companies should review their business operations and determine and understand the applicable legal obligations in terms of POPIA. In addition, the EU General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, and will have implications for South African companies in many instances. The GDPR places onerous accountability obligations on companies processing information.

    Facebook is a warning to all. Now is the time to fully unpack POPIA and understand your rights, obligations and duties. Not only as far as it relates to South Africa, but at least to Europe, if not the world.

    Read more: POPI and social media, Ahmore Burger-Smidt, POPI compliance, Cambridge Analytica, Facebook data scandal
    NextOptions

    About Ahmore Burger-Smidt

    Director at Werksmans Attorneys. Main Practice areas: • Africa • Competition Focus: • Competition Law and Data privacy • Appearances before Competition Commission, Competition Tribunal and Competition Appeal Court • Obtaining approval for mergers and takeovers from the competition authorities • Former Deputy Commissioner of the South African Competition Commission • Named as a recommended lawyer in Competition by Chambers Global (2017 and 2018). Education: • BCom (University of North West) • LLB (University of North West) • MBL (UNISA) Received Old Mutual medal

    Related

    Image source: weerapat kiatdumrong –
    The cost of no antivirus software? R5m, says SA Information Regulator
     4 Jul 2023
    Image source: sebastien decoret –
    Is ChatGPT yet another hurdle for data privacy?
     1 Mar 2023
    Image source: © nicoelnino –
    Hands up! Icasa wants your biometrics
     28 Mar 2022
    The metaverse and data privacy: Will regulation keep up?
    The metaverse and data privacy: Will regulation keep up?
     3 Dec 2021
    Image source: Nagy-Bagoly Arpad –
    Online activities that can now put you in prison
     2 Dec 2021
    Source: © Gleb Shabashnyi –
    We've had a data breach - who do we have to tell?
     13 Oct 2021
    President Cyril Ramaphosa signs Cybercrimes Bill into law
    President Cyril Ramaphosa signs Cybercrimes Bill into law
    2 Jun 2021
    How to ensure PoPIA compliance among BYOD remote workforces
    How to ensure PoPIA compliance among BYOD remote workforces
     4 May 2021
    More industry news

    Next
    Let's do Biz