The right to privacy is a constitutional and common law right in South Africa. The Protection of Personal Information Act (POPIA) recognises that right and regulates the processing of personal information.
POPIA makes provisions for regulation of direct marketing, automated decision making and processing of cross-border flows of information. It covers eight principles (Michalsons):
· Personal information must be obtained in a lawful and fair manner.
· Information can only be used for the specified purpose it was originally obtained for.
· Further processing of personal information is prohibited except if the subject agrees.
· The person who processes the information must ensure the quality of the information.
· The person processing personal information should be transparent.
· There must be proper security measures to safeguard against loss, damage, destruction, and the unauthorised or unlawful access or processing of the information.
· The subject must be able to participate and access the information.
· The person processing the data is accountable to ensure measures are complied with.
The WhatsApp debacle where it compels users to consent to its privacy policy that shares contact information and meta-data with Facebook companies or else they’d be disconnected is an egregious example of the abuse of customers’ personal information for profit-making, business and nefarious purposes.
South Africa’s Information Regulator Adv. Pansy Tlakula is concerned about the WhatsApp situation. Quoted in MyBroadband, she said “On the face of it, the new WhatsApp privacy policy looks like it requires involuntary consent because it says you should leave the platform if you do not give consent. That can never be voluntary consent.”
WhatsApp is not the only business abroad or locally that mines user and customer information. In most cases, people don’t know their information has been shared. Many, including me, receive unsolicited texts, emails, calls and, worst of all, robocalls from insurance, mobile and other companies that have our information. Our personal information – name, ID number, phone numbers, etc. – is already out there on the legal and illegal markets.
This brings me to the reason for writing. On Friday February 26 I called Outsurance for a car insurance quote (I fired my existing one for misconduct, breach of contract and poor service). I had not used them before.
The salesman asked for my name, ID and mobile numbers and a couple of questions about the car. Then he asked if I would consent for my personal information to be “shared” with other organisations for “marketing” and other reasons. I replied I didn’t consent especially since we might not do business. And sharing information is prohibited by the Act (POPIA).
He curtly replied, “We are aware of the privacy act”. I reiterated I did not give my consent to which he responded, “Then I cannot give you a quote”.
Like WhatsApp, they offer a service conditional on their terms despite customers keeping them in business. Involuntary consent can never be voluntary. Contrary to the Act, there is no fairness and transparency over how, when, where, for what purposes and with whom they share information. Customers don’t have control or access to the process or end user of this information, and they don’t benefit financially or with better service.
By giving consent, customers indemnify the entities processing and sharing the information should they be prejudiced by it. A couple of years ago Standard Bank’s customers were hit by fraudsters – I was one – who apparently gained access to customer information. Apart from alerting customers, the bank never answered how criminals got the information. Customers are at risk – not companies – if the information is used for nefarious purposes.
Outsurance’s salesman told me they know POPIA but he and his company appear to be ignorant or don’t care about its objectives and principles. Further, they’re ignorant of or don’t care about the code of conduct of the South African Insurance Association, of which it is a member. They’re paying lip service only.
The code of conduct inter alia speaks of confidentiality of customer information, fairness, transparency, and so on. Then why is Outsurance willing to violate the code as if it means nothing? I suspect, though, they’re not the only ones given the questionable and controversial nature of the short-term insurance industry.
Outsurance’s and WhatsApp’s conduct is identical: blackmail or extortion, synonyms for involuntary consent because those at the receiving end seldom have a choice. While those are crimes, involuntary consent under POPIA carries no penalty. And anyway, as Michalsons notes, penalties for violations are limited. (I suggest POPIA be amended for firm penalties – criminal and/or civil – for those who unlawfully and without permission share information.)
One of POPIA’s principles states data holders must use customer and potential customer information only for the specified purpose it was originally obtained. Outsurance and others like them are not in the business of gathering and selling information, their euphemism for “sharing”, like WhatsApp/Facebook and Google. If they are, their corporate missions and objectives must reflect the change so customers know.
The practice of sharing information and forcing or tricking customers to consent to it is widespread. Most people don’t know their rights or don’t care so companies like Outsurance are not challenged. Companies circumvent privacy laws by demanding consent and providing vague, nebulous details about who they share the information with. And when customers refuse, they either cut service like WhatsApp threatened to do and Facebook recently did in Australia, or refuse to take lawful business. (Outsurance’s adverts urge potential customers to call for a quote as they “always get something out” but they don’t disclose that customers will lose privacy if they choose them.)
My request is SAIA and the Information Regulator have a conversation with Outsurance. Ask them if they don’t believe in the principles of the Act and SAIA’s code of conduct or if it doesn’t apply to them. And using this as a test case, extend the conversation to the industry.
The code of conduct is non-binding which makes it weak and ineffective, like self-regulation in general, so Outsurance can opt out. But it would be outside the mainstream industry.
But neither they nor any entity can opt out of the requirements of legislation. So the Information Regulator’s quiet word or instruction to adhere to the principle and letter of the law would be far more effective than that of a voluntary association like SAIA.
Postscript: I still don’t have insurance cover. And I’m migrating from WhatsApp.