Combating Data Breaches in South Africa

Artificial intelligence (AI) systems collect an unimaginable amount of data for training algorithms and improving performance. This data also includes personal information (names, addresses, and financial information) and sensitive information (medical records and identification numbers).[1] There are concerns regarding the collection and processing of this data, how it is used, and who has access to it. This vast amount of data can easily be misused by cybercriminals to steal a person's identity.

With the aim of protecting people against such data breaches, South Africa promulgated a few laws to protect both natural and juristic persons. In 2020, South Africa already had policies and frameworks in place to regulate activities occurring in cyberspace. This was a necessary course of action due to the increase in broadband access, which led to a corresponding increase in internet users.[2] This in turn has led to a surge in the use of digital technologies and the processing of personal data, and subsequently to increases in cyberattacks and cybercrimes such as data breaches, identity theft and cyber fraud.

The South African government enacted laws to supplement the existing legal framework. In June 2021, President Cyril Ramaphosa signed the Cybercrimes Act into law. This Act criminalises certain illegal activities occurring in cyberspace. Before this, common law was used to criminalise some online activities, such as loading malware onto a computer, which was treated as the common law crime of malicious damage to property.[2] The application of common law to criminalise certain online activities is, however, limited, which is why promulgation of the Cybercrimes Act was paramount. Before that, the Electronic Communications and Transactions (ECT) Act had been put into effect in 2002, with Chapter 13 of the Act dealing specifically with matters relating to cybercrimes.[2]

Improving cybersecurity in an effort to mitigate and prevent data breaches is crucial, as the Constitution of the Republic of South Africa, 1996, states that "everyone has the right to privacy".[3] The state must secure the privacy of its citizens (both natural and juristic persons), including in cyberspace. In addition to the Cybercrimes Act and the ECT Act, a number of other legislative measures are in place to reinforce this right through data privacy, namely:

  • The Consumer Protection Act 68 of 2008 (CPA), which applies to telephonic direct marketing of goods and services to consumers.
  • The Promotion of Access to Information Act 2 of 2000 (PAIA), which regulates access to information held by both public and private bodies.
  • The Protection of Personal Information Act 4 of 2013 (POPIA), which applies to all individuals processing personal information within the country.
  • The Information Regulator, which was established specifically for the purpose of data protection and is responsible for the oversight and enforcement of POPIA.[4]

According to the IBM Cost of a Data Breach Report, based on data breaches experienced by 553 organisations globally (including 21 in South Africa) between March 2022 and March 2023, "the global average cost of a data breach reached $4.45 million in 2023…a 15% increase over the last 3 years. The average data breach cost for South African organisations reached R49.45 million in 2023…an 8% increase over the last 3 years".[5]

In South Africa, the financial sector is targeted the most and has the highest average cost of data breaches. The Development Bank of Southern Africa, FNB, TransUnion, and Experian are among the organisations that have reported data breaches in South Africa.[6]

If there are reasonable grounds to believe that a data breach has occurred and an unauthorised party has gained access to personal information, the responsible party processing that personal information is obliged to notify the Information Regulator by completing and submitting the Security Compromise Notification Form provided in terms of section 22 of POPIA. The responsible party must also notify the data subject, in writing, as soon as reasonably possible.[7]

References:

  1. https://economictimes.indiatimes.com/news/how-to/ai-and-privacy-the-privacy-concerns-surrounding-ai-its-potential-impact-on-personal-data/articleshow/99738234.cms?from=mdr
  2. https://link.springer.com/article/10.1365/s43439-023-00089-8#:~:text=These%20are%20the%20Criminal%20Procedure,Financial%20Intelligence%20Centre%20Act%2038
  3. https://www.justice.gov.za/legislation/constitution/SAConstitution-web-eng-02.pdf
  4. https://www.dataguidance.com/notes/south-africa-data-protection-overview
  5. https://www.ibm.com/reports/data-breach?_gl=1*1ydur9s*_ga*MTEzNTI2MTk1LjE2OTY5MzY0NjQ.*_ga_FYECCCS21D*MTY5NjkzNjQ2NC4xLjAuMTY5NjkzNjQ2NC4wLjAuMA
  6. https://www.itweb.co.za/content/Olx4zMkazYQv56km
  7. https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013popi.pdf