Prioritising Command-and-Control Over Collaborative Governance: The Role of the Information Regulator Under the Protection of Personal Information Act

DOI:

https://doi.org/10.17159/1727-3781/2022/v25i0a11661

Keywords:

Internet privacy, GDPR, data protection, POPIA, codes of conduct, data protection impact assessments, regulation, automated processing, profiling, command-and-control regulation, collaborative governance

Abstract

Although the Protection of Personal Information Act 4 of 2013 (POPIA) wholeheartedly adopts the command-and-control features of the EU General Data Protection Regulation (GDPR), POPIA does not include many of the collaborative governance mechanisms in the GDPR. POPIA dilutes the accountability requirements in the GDPR. It rarely requires responsible parties to generate or keep documentation and there is no equivalent of European Data Protection Impact Assessments in the South African Act. This affects the regulation of automated processing that involves profiling. The European system of certifications is also not included in POPIA. POPIA includes a system of codes of conduct but even they have a more peremptory nature. The absence of collaborative governance mechanisms in POPIA constitutes a missed opportunity to build a culture of enhanced data protection in South Africa. The Information Regulator has the task of giving many exemptions and prior-approvals under the Act. The newly constituted Information Regulator will find itself exposed as it faces a particularly difficult mandate.

Author Biography

  • Victoria Bronstein, University of the Witwatersrand

    Professor of Law

    Faculty of Law

Published

13-12-2022

Section

Articles

How to Cite

Bronstein, V. (2022). Prioritising Command-and-Control Over Collaborative Governance: The Role of the Information Regulator Under the Protection of Personal Information Act. Potchefstroom Electronic Law Journal, 25, (Published 13 December 2022) pp 1 - 41. https://doi.org/10.17159/1727-3781/2022/v25i0a11661
