Privacy: Important International Developments
The General Data Protection Regulation (“GDPR”), adopted by the European Parliament on the 14th April 2016, was published in the European Union Official Journal on the 4th May 2016. This amounts to promulgation in the same manner as publication in the Government Gazette in South Africa. The Regulation will come into force on the 24th May 2016, and member countries have until the 25th May 2018 to ensure that they comply with its provisions.
The GDPR provides a new framework governing the processing of personal information, applicable to members of the European Union. The GDPR includes provisions such as the “right to be forgotten”, express consent requirements, requirements for the appointment of personal data protection officers in certain organisations, mandatory breach notification and increased penalties for organisations that break the law. An important implication of the GDPR is that it will affect anyone processing the personal information of EU citizens, regardless of where that processing occurs. Thus, South African persons (whether natural or juristic) who conduct business in countries that are members of the European Union will need to take the GDPR into account in respect of any personal information of European citizens that may be processed in doing so.
Equally important is the fact that the Information Regulator (once appointed) has a duty to research and report to Parliament on any international instrument relating to the protection of personal information and, where necessary, to recommend legislative amendments. Even in the absence of legislative amendments, it is likely that, in interpreting the Protection of Personal Information Act and in any rulings it may give, the Information Regulator will take this international development into account so as to align the development of South African privacy law with what is happening globally.
It is beyond the scope of this article to address the GDPR in detail, but some of its pertinent aspects will be addressed in greater detail in future articles.
Safe Harbour and the Privacy Shield
As dealt with in previous articles, the revelations of Edward Snowden led to Max Schrems, at the time a 28-year-old law student, challenging the Safe Harbour Accord concluded between the European Union and the United States of America on the basis that the personal information of European citizens was not adequately protected. Schrems' challenge was successful and the European Court of Justice struck down the Safe Harbour Accord. This led to a flurry of activity to reinstate the governance of personal information processed in the USA. During February 2016 it was announced that a framework governing data flows between the USA and the EU, called the EU-US Privacy Shield, was to be agreed. The underlying principle is identical to that of the Safe Harbour Accord, but the Privacy Shield demands greater restriction on the processing of personal information of EU citizens by federal and state agencies in the USA, the strengthening of the monitoring of parties processing personal information of EU citizens, and more severe penalties if its provisions are breached. It has also been agreed that the Privacy Shield will be subject to annual review.
What the striking down of the Safe Harbour Accord illustrates is that the protection of the privacy of citizens in the EU, and in other countries around the world, is being viewed as paramount in the relationship between countries where personal information is processed across borders. The economic implications of the striking down of the Safe Harbour Accord are significant. Had the Safe Harbour Accord not been replaced by the Privacy Shield, the processing of personal information by USA companies, including global giants such as Google and Facebook, in breach of the protections prescribed by the EU would have rendered them subject to significant sanctions. Despite the economic implications, the EU has taken a hard line in protecting the personal information of its citizens.
It is also important to note that large USA-based tech companies have not been able to escape the reach of EU courts. In this regard the development of the “right to be forgotten”, and its enforcement against Google about two years ago, serves to illustrate that while information has no borders, it is recognised that the processing of information cannot remain unregulated. Both the GDPR and the negotiation of the Privacy Shield demonstrate the growing trend towards international cooperation in the protection of personal data.
Apple® versus the FBI
Recent months have seen the balance between law enforcement and privacy rights receiving considerable debate in the widely publicised dispute between Apple®, the most valuable company in the world, and the FBI, a law enforcement agency of the most powerful country in the world.
In essence the FBI sought from Apple® a mechanism, or backdoor, to decrypt encrypted data stored on an iPhone. Apple® refused to do so, citing privacy and the fact that providing the FBI with a mechanism to “unlock” the single phone would create a vulnerability for all iPhones. Apple® were not alone in their objection to the FBI warrant: they were joined in the legal proceedings by many of the larger tech companies in the USA.
As it turned out, the FBI claimed to have found an alternative method to unlock the phone, rendering the legal proceedings unnecessary, but the legal debate as to the appropriate balance between law enforcement and the protection of privacy continues, and will no doubt continue for some time. In this regard it is interesting to note that in the last week there was an amendment in the USA to the Electronic Communications Privacy Act, intended to bring the provisions of this 1986 legislation into line with modern trends. The amendment prescribes that any electronic communication stored for a period of more than 180 days can only be divulged to law enforcement agencies under a warrant, whereas before these communications could be demanded by law enforcement agencies by notice.
Since 2012, when the Bill was finalised prior to its enactment as the Protection of Personal Information Act, there have been significant developments in legal approaches to privacy and the protection of personal information. Our Constitution, and indeed our Constitutional Court, requires that in interpreting our legislation we take international developments into account. Companies seeking to prepare themselves to comply with the Protection of Personal Information Act would therefore do well to consider the general trends in privacy law globally, as well as the rulings of data protection authorities governing the specific spheres of processing of personal information in which they may be engaged.
©Mark Heyink 2016