Data regulations can play an important role in creating trust between data providers and data users. The chart below summarises estimates by the World Bank that measure how different countries’ regulatory environments enable data use for market players while safeguarding the rights of data subjects (higher scores better). South Africa ranks very low on both enablers and safeguards. With respect to safeguards, South Africa achieved low scores for personal and non-personal data. With respect to enablers, South Africa was also assessed to be far off regulatory best practices regarding e-commerce and public and private data.
Specifically, the survey detail suggested some surprising survey results. With respect to personal and non-personal data, the survey suggested that South Africa did not:
- have sufficient legal frameworks for governing private data;
- have court or administrative decisions that form the basis of or clarify privacy or data protection rights
- provide exceptions to limitations on the collection or processing of data by government
- Legally require data processors to incorporate technical and organizational privacy-by-design or privacy-by-default principles or use privacy-enhancing technologies in the design and implementation of processing systems;
- Provide individuals the right to challenge the accuracy of information and have it rectified, completed, amended and/or deleted
- provide rights to limit the making of decisions about individuals solely as a result of automated processing of personal data (i.e. without any human intervention)
- provide individuals a right to object to the use of personal data about them, file complaints and seek redress
- The law/regulation does not provide for the creation of a data protection authority/office
Among the questions that touch on Cybersecurity and Cybercrime, the survey suggested South Africa has
- Insufficient safeguards on anonymization/ pseudonymization of personal data
- Does not provide for ongoing tests, assessments and evaluation of security of systems that use or generate personal data
With respect to Cross-Border Data Flow, the survey suggested:
- Insufficient detail around conditions under which local personal data may be transferred to non-domestic third parties
- That the country does not have arrangements with foreign countries or multinational entities or schemes, including decisions of domestic and foreign bodies or agencies, to require, permit or limit transfers of personal data between countries
Under enablement arrangements, South Africa is found not to have:
- Sufficient data that define characteristics of certain valid data products or services, such as a digital ID or electronic signature
- An enabling regulatory environment that promotes the use and reuse of public intent data, such as open data laws, common technical standards, open licensing regime,
- the ability for individuals to obtain their data processed by a controller in a structured, commonly used and machine-readable format
- the ability for standard-setting organizations to mandate patent/intellectual property right holders to provide voluntary licensing access to “standard essential” data or applications on FRAND (fair, reasonable and non-discriminatory) terms.
A score of 75–100 confers an advanced level for enabling/safeguarding; a score of 50–75 confers a moderate level; a score of 25–50 indicates an evolving regulatory level; while a score below 25 is considered basic.