Every piece of technology that connects people to the Internet collects their personal data, building elaborate profiles of what they are doing, where they are and even who they are. Smartphone applications carry the added risk of linking to centralised online distribution marketplaces that could be hacked. Criminal uses of technology such as cybercrime, identity theft, phishing, hacking and fake identities are increasing as more and more organisational and personal data is stored online [i][ii]. The responsibility for data security lies somewhere between the program designer, the website or app developer and the owner of the smartphone. Smartphone users have the option to protect their data through passwords and personal identification numbers (PINs), but these are often undercut by users preferring the convenience of not entering passwords each time they want to use their device. Smartphone users in South Africa are mostly complacent, displaying high levels of trust towards smartphone application repositories, rarely considering privacy and security when installing new applications, and not adequately protecting themselves by adopting smartphone application controls [iii].
Data can also be legally accessed and used without the explicit consent of the data subject, despite the European Union’s General Data Protection Regulation (GDPR) granting data subjects rights such as the right of access and the right to be forgotten, while requiring some forms of transparency and accountability. In most cases, however, users’ data are still used without their knowledge. It is important to recognise that the digital economy is based on collecting and selling personal data. Commercial, academic and governmental organisations purchase data, combine data from all aspects of daily life and create algorithms that are routinely used to classify people, which impacts every aspect of daily life. At the time of writing, even the United States’ Health Insurance Portability and Accountability Act (HIPAA), which is meant to protect patients’ health information, does not cover patient-generated data from apps, which are collected by firms and services that receive, store, analyse and sell data. For smartphone apps, the only protections provided to users are those included in the privacy policy, which are increasing but vary internationally and by app store. These are often based on a notice and consent model that most people simply agree to without scrutinising the exact wording, which is often unclear, technical and embedded in legal language. Privacy policies for apps are therefore able to routinely authorise the sale, transfer, analysis and disclosure of consumer data to third parties [iv].
In South Africa, data subjects are protected by the Protection of Personal Information Act (POPIA), which came into full effect in 2021 and provides conditions for the processing, use, quality, transparency and security of personal data that are similar to those of the GDPR. Furthermore, South African businesses that have a presence in the European Union will need to comply with the GDPR, and local companies that are affiliated with international brands registered in the United States, United Kingdom and Europe may be expected to adopt some of their data governance and risk policies and practices.
Stronger regulation on data protection is evidently required, and signs are that this is on the cards. (See how South Africa measures up in the Global Index On Responsible AI.) The South African Department of Communications and Digital Technologies (DCDT) published its AI Policy Framework for stakeholder consultation in August 2024. Legal firm Bowmans points to the following strategic pillars in this Framework that may inform the AI policy:
- Ethical AI guidelines development: The Framework proposes the development of wider guidelines to ensure responsible and ethical AI use, addressing issues such as bias, fairness, transparency and accountability. These objectives would be achieved not only through guidelines, but also through regulatory compliance and governance policies.
- Privacy and data protection: To ensure the safeguarding of personal information, the Framework sets out three key objectives – to establish standardised data generation and utilisation practices across the public and private sectors, to strengthen data protection regulations, and to ensure transparency in AI data usage and storage practices.
- Safety and security: To protect citizens and infrastructure, the Framework proposes the implementation of robust cybersecurity protocols and the development of risk management measures.
- Transparency and explainability: Recognising the need to build public trust in AI, the Framework proposes the implementation of public awareness campaigns to educate the public on AI technologies and their implications. To achieve transparency, the Framework proposes ensuring clear and open operation of AI systems, making AI input and decision-making processes, and outcomes understandable and accessible to users and stakeholders. Further, the Framework aims to develop trust, accountability, and bias detection and mitigation by promoting AI systems that provide clear and easily understandable outputs.
- Fairness and mitigating bias: By ensuring that AI systems are trained on inclusive and diverse data sets and developing methods to identify and mitigate biases in AI systems, the Framework proposes the promotion of equitable AI deployment.
Therefore, Chief Digital Officers, Chief Technology Officers and Chief Risk Officers would do well to increase data governance literacy amongst their workforce in anticipation of the policy being formulated and enacted.
The onus is also on individuals to protect their own data. Here are some steps to take:
- Use strong, unique passwords for each account (ideally 12+ characters, with a mix of symbols, cases and numbers).
- Don’t store passwords in browsers; rather, use a password manager to generate and store them securely.
- Enable multi-factor authentication (MFA), especially for banking, email and social media. See more information on how to do this here.
- Keep software updated (OS, browsers, apps), as patches close security holes.
- Avoid using public WiFi, but if you do, use a virtual private network (VPN). See more information on how to do this here.
- Check privacy settings and limit app permissions.
The responsibility over personal data should not burden data subjects alone but should be shared with all stakeholders that benefit from personal data. Digital distribution services such as Google Play and Apple Store, website owners and app developers should include more transparency about data collection, provide easy-to-understand privacy policies, include in-app security checkpoints, and educate users on secure usage.
[i] Buccafurri, F., Lax, G., Migdal, D., Musarella, L., & Rosenberger, C. (2024). Combining trust graphs and keystroke dynamics to counter fake identities in social networks. IEEE Transactions on Emerging Topics in Computing, PP(99). https://doi.org/10.1109/TETC.2023.3346691
[ii] Wong, J. (2020). The ‘personal’ in personal data: Who is responsible for our data and how do we get it back? Legal Information Management, 20(2), 103-105. https://doi.org/10.1017/S1472669620000249
[iii] Ophoff, J., & Robinson, M. (2014, 13-14 August). Exploring end-user smartphone security awareness within a South African context [Conference paper]. 2014 Information Security for South Africa (ISSA), Johannesburg, South Africa. http://dx.doi.org/10.1109/ISSA.2014.6950500
[iv] Bauer, M., Glenn, T., Geddes, J., Gitlin, M., Grof, P., Kessing, L. V., Monteith, S., Faurholt-Jepsen, M., Severus, E., & Whybrow, P. C. (2020). Smartphones in mental health: A critical review of background issues, current status and future concerns. International Journal of Bipolar Disorders, 8(2). https://doi.org/10.1186/s40345-019-0164-x




