Artificial Intelligence (AI) has seen significant growth across various industries, driven by machine learning and fuelled by data. As the importance of data rises, so do the associated legal issues. In South Africa, businesses need to ensure that their AI systems are compliant with the Protection of Personal Information Act, 2013 (POPIA).
AI and Data Privacy Regulations in South Africa
Despite the numerous advantages of AI, its rapid development is surpassing South Africa’s existing regulatory framework, resources, and capabilities.
This gives rise to two main issues: firstly, the concerns surrounding data privacy as AI platforms gather and process vast amounts of user data; and secondly, the challenge of ensuring data compliance with data protection regulations such as POPIA.
Complexities of AI Technologies
AI technologies, particularly those based on deep learning, have continuous learning capabilities. They gather and process data sourced from the internet, encompassing large sets of data derived from books, articles, and other online resources. This data processing is where the complexities arise, especially when it involves personal information.
Processing Personal Information in South Africa
In South Africa, the regulation of personal information is governed by POPIA. POPIA’s primary objective is to protect and uphold the right to privacy for all natural persons. It strikes a balance between safeguarding personal data and facilitating the seamless transfer of information within and beyond South Africa’s international borders.
A company “processes” personal information if it collects, receives, records, organises, combines, stores, updates, modifies, retrieves, alters, consults, uses, transfers, distributes, makes available, merges, links, restricts, degrades, erases or destroys the information. Thus, any personal information that a company merely collects, for example, and where information can be linked to a natural or juristic person, must meet the requirements for processing personal information.
POPIA does not prohibit the processing of personal information that has been ‘de-identified’. De-identification of personal information under POPIA means that the data must undergo a process that removes any identifying details relating to the data subject. Any information that could, by using a ‘reasonably foreseeable method,’ be linked or combined with other data to identify the individual, would not be considered as de-identified and will be covered by the provisions of POPIA.
Protection Provided by POPIA
Section 71(1) of POPIA contains a general prohibition against the processing of personal information by automated means and determines that a data subject may not be subject to a decision that results in legal consequences for them or which affects them to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including their performance at work, or their creditworthiness, reliability, location, health, personal preferences, or conduct.
Section 71(2) of POPIA is the exception to the general rule and provides that such prohibition does not apply if the decision has been taken in connection with the conclusion or execution of a contract; and
- the request of the data subject in terms of the contract has been met;
- or appropriate measures have been taken to protect the data subject’s legitimate interests; or
- is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
The appropriate measures, referred to in subsection (2)(a)(ii) of POPIA, must:
- provide an opportunity for a data subject to make representations about a decision referred to in sub‐section (1);
- and require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).
Evolution of the AI and POPIA Relationship
While POPIA addresses aspects of data privacy, it falls short of adequately addressing the complex ethical and societal concerns raised by AI. South Africa currently lacks comprehensive legislation specifically governing AI. As AI continues to evolve and its applications become more widespread, it is likely that further regulations will be needed to address these issues.
The relationship between AI and data privacy regulations in South Africa is complex and evolving. Businesses must navigate this landscape carefully, ensuring that their use of AI complies with POPIA while also considering the broader ethical and societal implications of AI. As AI continues to develop and become more integrated into society, it is likely that the relationship between POPIA and AI will continue to evolve.
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available in this article are for general informational purposes only. Readers of this article should contact us or any other attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this article should act or refrain from acting on the basis of information on this article without first seeking legal advice. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. The content on this posting is provided “as is;” no representations are made that the content is error-free.