Can SA learn anything from the Safe Harbour decision?

I received a letter this morning at my home in Cape Town from the Dept of War and Pensions in the UK (they deal with State Benefits). The letter did not bear my name (nor any addressee ) but the address was correct, including the postal code. However, the contents alarmed me as it refers to me receiving a carer’s allowance for a named individual. I do not know that individual and he is not and never has been a member of my family. In other words this is an error. However it is an important error because it means that somehow some of my private information i.e. my SA address is on a UK government database referring to a matter which has nothing to do with me. This is a small example of why privacy of personal information is so important to all of us.

Now I am sure that you will have read something today about the decision yesterday by the EU Court of Justice concerning the case of Schrems, whereby the Court ruled the Safe Harbour (I refuse to spell it Harbor!) to be invalid. Everyone and their grandmother is writing about it or publishing stuff and lawyers across the world are considering it and summarising the Judgment. I tend to share the view of my friend Chris Dale in his blog this morning.

Silence for now is Chris’s decision and as I say I feel like that too (almost!) - there are plenty of people writing about it, many with more knowledge than me on the subject. Some of you may have seen on LinkedIn that I joined in what is perhaps described as a “spat” with a US lawyer on the subject of Safe Harbour before this Judgment was pronounced. Good manners prevent from me saying “ we told you so”.

Having said all of that, it is big news in our industry globally and I am motivated to make a brief comment on a general basis and more specifically South Africa which is where I live and work. SA is my adopted country and I care very deeply about what goes on here, as I hope is evident from the posts that I write.

In my 15 years working in this industry in the UK I had numerous discussions, sometimes arguments, with US lawyers and service providers about collecting private data then transferring that data to the USA. To be more precise it would be about the possible inclusion of an individual’s private data in a legitimate collection for a case. Sometimes they would have a Safe Harbour certificate but many times they did not and they just could not see what the fuss was about. Many of us in the UK and other parts of the EU did not feel altogether comfortable even with Safe Harbour. The truth is that it is (or was) a USA certificate to be applied for in the USA for USA companies to use, and my information was that it was very inexpensive and easy to obtain. I know that it was part of the Directive from the EU but it still made many of us feel uncomfortable and there were ways of dealing with this data properly within our own jurisdictions. You see, the reason that some USA lawyers etc. did not get it was because in the USA they do not have rules regarding privacy and data protection which are anything as strong as in the EU. I also did a great deal of work for a major global pharmaceutical company with its Head Office in the USA, but laboratories and offices in various countries in EU, including the UK. They did get it. Not only did they cover themselves within their contracts of employment with their employees but they were registered as Data Controllers in the relevant countries. Like Chris, I really do not want to comment further on the decision at this stage 

However, I want to add the briefest of comments about South Africa. We have the Protection of Personal Information Act (POPI) which became law on 27 November 2013 and is modelled on the EU Directive. It is not complete and in full force as yet although there are encouraging signs. I would, respectfully, urge those in power to take note of what is happening now, following the Safe Harbour decision and the likely mayhem that will follow it within the USA and EU. Let us advance POPI, strengthen it, and make sure that it is enforceable so everyone knows where they stand. Now I will be silent on this decision and simply read some of the backlash - oh, and I have to write to the UK DWP to find out how and why they have breached my personal information rights!