If Data Protection is left to the Market, will only the Rich be truly Protected?

I think that it is somewhat unavoidable for a person to protect their data if we are to function in society at the same level of ease as the general populace. By this I mean taking advantage of WiFi hotspots with our mobile devices, buying the latest cars and homes via bank finance (banks are more accepting of people with credit histories when giving credit), using the latest mobile devices with GPS capabilities and even having things like GPS tracking for security purposes in our vehicles; and, not to forget, online shopping – even (some may say especially) using Facebook or other social networks.

If you were to avoid using all of these ‘luxury’ convenience items I think your data would be “safer” than if you did use them, but then how well could you function in today’s society? Without a bank account, credit history or even internet access you are severely hampered from being able to actively and efficiently perform in today’s fast-paced life.

On the question of data protection going to the rich, I am not so sure how well the rich are covered in data protection; generally I would assume that the richer you are, the more on the ‘government radar’ and ‘marketing radar’ you would be. With large transactions moving in and out of the country, or even nationally, the local tax authorities are generally flagged on such movements. While there may be ways around these issues, I do not think there will be commercially available services to evade the ‘watch dogs’ of society, regardless of price. With many luxury subscriptions and items, your information is generally shared with marketing companies.

While my above point touches on potential ‘grey area’ privacy issues, for general privacy such as email and internet usage and personal data, I do think perhaps the wealthy would have a better chance of remaining ‘private’. With premium email service providers who run on SSL connections and perhaps a more dedicated means of connectivity onto the internet, the wealthier would be able to afford the means with which to encrypt and secure their data.

That said, the Open Source and Freeware Software movement is still fairly rife. While arguably sometimes not as ‘good’ – probably more accurate to say, not as comprehensive – as the commercial applications, there are tools at no cost for securing the devices you use to access the outside world which may contain your private data.

Referring to my previous post, new laws for anti-spam and opt-in & opt-out communications are helping all areas of society maintain their privacy.

Privacy and Data Protection laws in South Africa

The South African Bill of Rights states that everyone has the right to privacy, which includes the right not to have their person, home or property searched, their possessions seized or the privacy of their communications infringed (South African Government, 2009).

The same Bill of Rights states that everyone has the right of access to any information held by the state and “any information that is held by another person and that is required for the exercise or protection of any rights” (South African Government, 2009).

South Africa also has the “ECT Act” (Electronic Communications and Transactions Act), which covers personal information that has been obtained through electronic transactions and defines a set of rules between the person the information is about and the person/organisation (“data controller”) who is holding that information. This act states that the data controller must abide by all of the following points:

“(1) A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.

(2) A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

(3) The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

(5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(6) A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

(7) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

(8) The data controller must delete or destroy all personal information which has become obsolete.

(9) A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.” (South African Government, 2002).

In contrast to the UK, South Africa does not specifically have a Data Protection Act. If we look at the Data Protection Act 1998 for the United Kingdom (United Kingdom Government), we see that its section on “Rights of access to personal data” is almost the same as South Africa’s but contains a much more comprehensive overview of the subject.

Interestingly enough, the U.S. does not have a specific Data Protection Act. It has the “Privacy Act of 1974” and the “Computer Matching and Privacy Act”, but both apply only to personal information held by the government and do not include other entities. The U.S. has another act, “The Privacy Act”, which can be described as follows: “The act set forth some basic principles of “fair information practice,” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It requires that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The act also requires federal agencies to publish an annual list of systems maintained by the agency that contain personal information.” (Stratford & Stratford, 1998).

References

South African Government (2009) Chapter 2 – Bill of Rights [Online]. Available from: http://www.info.gov.za/documents/constitution/1996/96cons2.htm#14 (Accessed: 14 November 2010).

South African Government (2002) Electronic Communications and Transactions Act, 2002, No. 25 of 2002 [Online]. Available from: http://www.internet.org.za/ect_act.html (Accessed: 14 November 2010).

Stratford, J.S & Stratford, J (1998) ‘Data Protection and Privacy in the United States and Europe’, IASSIST Conference, 21 May, Yale University. New Haven, Connecticut: University of California.

United Kingdom Government (1998) Data Protection Act 1998 [Online]. Available from: http://www.legislation.gov.uk/ukpga/1998/29/contents (Accessed: 14 November 2010).