It has emerged that after it was revealed that some South Africans could have possibly been victims of Cambridge Analytica harvesting Facebook users' data, South Africa's Information Regulator sent a letter to Facebook Africa's head office in Johannesburg requesting clarity. Several days after receiving the letter, Facebook responded to South Africa's Information Regulator on a "voluntary basis" and also revised the number of South Africans affected up from 59,777 to 96,121.
Interesting to note also is that Facebook makes it clear that "Facebook Ireland is the appropriate entity to provide you [South African Information Regulator] with information regarding these matters", making it clear that their South African representatives wouldn't possibly be the relevant people to speak to from a legal perspective.
Amenda Makhetha, Attorney and Director at Lelo Privacy Compliance Consultants.
Despite this, Amanda Makhetha who is an attorney and a Director at South Africa's Lelo Privacy Compliance Consultants, believes that South Africa's Information Regulator does have legal recourse to make Facebook account, although she has reservations.
"There are 8 principles in POPIA and one of them is Consent. The requirements are very similar to the requirements of the stringent GDPR, this is Facebook’s main issue, 'did you have consent to process the personal information of the data subjects in the manner that you did'. As a Data Owner, Facebook bears the responsibility of ensuring that the data of its users is secure and used only for the purpose for which it was acquired. There is no tacit consent," said Makhetha to iAfrikan.
Makhetha further explained that the only challenge the regulator might encounter is that this particular principle in South Africa's Protection of Personal Information Act (POPIA) has not been implemented yet.
"We await an implementation date (for POPIA). This then answers your question in respect of recourse and the answer is, for now, not necessarily. Unless sⁿthe regulator will be reliant on the constitutionally entrenched right to privacy."
The tacit consent issue that Makhetha raises has to do with how third party apps on Facebook, similar to the one developed by Dr. Aleksandra Kogan for Cambridge Analytica, use implicit trust to collect not only data from Facebook users who use them, but also from Facebook friends of those users. The concept is known as collateral information collection and it allows the profile information of a Facebook user to also be acquired when a friend of a user installed an app effectuating privacy interdependence on Facebook.
Based on South Africa's POPIA, when any one or any organisation collects people's data, it needs to prove that they consented to it.
"This is a problem because now they have to prove that those friends, which form the bulk of the data that was processed, consented to such processing by Facebook," said Makhetha.
"Facebook is basically saying that Facebook users consented to the App developer accessing and processing their information. But what they are not saying is that this consent was explicit to the degree of allowing for the transfer of such data to Cambridge Analytica."
Not only is this a problem Facebook will face with South Aftican regulators but also with the Europen Union's upcoming General Data Protection Regulation (GDPR), as Makhetha elaborated.
"The incoming GDPR requires “explicit consent” for these very reasons, as just the term consent could be widely interpreted by Companies that profit on the use of the personal data of individuals, like Facebook and their partners. Facebook is consenting to the information belonging to the friends of the users having been accessed as well, and they are in a similar boat to TrueCaller in this instance, because there is no consent from the friends in question," said Makhetha.
Since the Cambridge Analytica saga has been reported on, Facebook has announced several measures it has taken to simplifying their user's privacy settings. Also, the social media platform has indicated that it has an ongoing investigation into the matter. However, Makhetha is not confident the internal Facebook investigation will yield much.
"At this point, the outcome of Facebook’s supposed investigation will be telling of a lot of things and also the final verdict of the Senate. This will serve to give precedent for the regulator. But to get a thief to prosecute his own case is a no-brainer (not that I am saying Facebook is a thief). Facebook will never find against themselves," concluded Makhetha.