Prioritising Command-and-Control Over Collaborative Governance: The Role of the Information Regulator Under the Protection of Personal Information Act
DOI:
https://doi.org/10.17159/1727-3781/2022/v25i0a11661
Keywords:
Internet privacy, GDPR, data protection, POPIA, codes of conduct, data protection impact assessments, regulation, automated processing, profiling, command-and-control regulation, collaborative governance
Abstract
Although the Protection of Personal Information Act 4 of 2013 (POPIA) wholeheartedly adopts the command-and-control features of the EU General Data Protection Regulation (GDPR), POPIA does not include many of the collaborative governance mechanisms in the GDPR. POPIA dilutes the accountability requirements in the GDPR. It rarely requires responsible parties to generate or keep documentation and there is no equivalent of European Data Protection Impact Assessments in the South African Act. This affects the regulation of automated processing that involves profiling. The European system of certifications is also not included in POPIA. POPIA includes a system of codes of conduct but even they have a more peremptory nature. The absence of collaborative governance mechanisms in POPIA constitutes a missed opportunity to build a culture of enhanced data protection in South Africa. The Information Regulator has the task of giving many exemptions and prior-approvals under the Act. The newly constituted Information Regulator will find itself exposed as it faces a particularly difficult mandate.
License
Copyright (c) 2022 Victoria Bronstein
This work is licensed under a Creative Commons Attribution 4.0 International License.