School of Law (ETDs)

Permanent URI for this communityhttps://hdl.handle.net/10539/37938

Browse

Filters

2023 - 20243

Settings

Subject: search.filters.subject.GDPR

Search Results

Now showing 1 - 3 of 3
  • Thumbnail Image
    Item
    Artificial intelligence and automated decision making under the GDPR and the POPIA
    (University of the Witwatersrand, Johannesburg, 2024) Goldman, Gavin David; Zitzke, E.
    This analysis considers the concepts of AI and machine learning and examines their reliance on the processing of personal data and the challenges this poses from a data- privacy and human-rights perspective, particularly in relation to profiling. It evaluates the effectiveness of the General Data Protection Regulation (GDPR) and the Promotion of Personal Information Act 4 of 2013 (POPIA) in regulating Automated Decision Making (ADM) and considers the limitations of the right to an explanation under these provisions. The analysis proposes that the current framework of the GDPR and POPIA does not clearly address the issue of explainability and that the focus should shift to providing a data subject with a counterfactual to give practical effect to this right which would better serve data subjects
  • Thumbnail Image
    Item
    Protecting South African Employees' Special Personal Information Against Data Breaches
    (University of the Witwatersrand, Johannesburg, 2024) Mampa, Kgothatso Lesetja Simon
    The widespread use of computers and acceleration of online activity have increased the importance of personal information in modern society. Processing personal information has become an indispensable part of daily life. The (mis)management of personal information in the employment context is particularly concerning because employers also process special personal information (SPI). This research report considers the legal treatment of processing SPI in the world of work in South Africa by identifying and evaluating those provisions of POPIA that could offer employees protection in the event of a data breach. Furthermore, the research examines the effectiveness of those provisions against predetermined criteria in order to establish whether the provisions provide direct employee protection, create an opportunity for the responsible independent authority, namely the Information Regulator (IR), to include protective conditions in respect of processing employee SPI; and whether the provisions eliminate or limit threats to breaches of employee SPI. Sheburi v Railway Safety Regulator is the only known POPIA related case and it is referenced to highlight the ease with which POPIA provisions can be misinterpreted in practice. The case also demonstrates the fallibility of the consent requirement and supports the argument that employees need reinforced protection against the ever-looming threat of data breaches. The key finding of this study is that POPIA was not specifically designed to render full protection to employees in the event of a data breach. However, some of the existing provisions in POPIA render some level of protection. The research concludes by suggesting possible ways to improve the legal protection of employee SPI and ultimately calls for specific regulation of employee SPI in the context of data breaches.
  • Thumbnail Image
    Item
    Adequacy of Data Protection Regulation in Kenya
    (University of the Witwatersrand, Johannesburg, 2023-10) Laibuta, Antony Mugambi; Zitzke, Emile
    Article 31 of the Kenyan Constitution provides for the right to privacy. The Kenyan Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution. This study is about whether data protection regulation in Kenya would inspire any confidence in data subjects who enjoy protection of their right to privacy under Article 31 of the Constitution. Kenya, going with the global trend, in November 2019 enacted the Data Protection Act. Before the enactment, Kenya had debated data protection Bills for over a decade. But even with the enactment of the Data Protection Act, the question remains whether this was sufficient to guarantee the right to privacy and specifically data subject rights. The main aim of this study is to determine the adequacy of data protection regulation in Kenya by responding to five questions: How has data protection evolved in Kenya? What framework should be used to determine the adequacy of data protection regulations? To what extent is the legal framework on state surveillance adequate? To what extent is the legal framework on commercial use of personal data adequate? How adequate are the available remedies in relation to data protection in Kenya? To wit, no comprehensive academic discussion has explored the history of privacy and data protection in Kenya. This study fills this gap in the academic literature. It has established, through highlighting constitutional and statutory provisions, that the right to privacy in Kenya has been in existence since Kenya gained independence from colonial rule. Conversations during the clamour for constitutional reforms shaped the current text that provides for an individual right to privacy which has been the springboard for data protection rights to be introduced. There is no immediately obvious framework that would be ideal to determine the adequacy of data protection regulation in Kenya. In light of this gap, this study has presented a simple set of questions used in day-to-day legal practice to be used as the determination-of-adequacy framework. The questions, “who?”, “why?”, “what?”, “when?”, “where?”, and “how?” are iv posed on State surveillance, surveillance capitalism, and access to effective remedies. Responses to these questions are juxtaposed with provisions of the European Union’s General Data Protection Regulation and South Africa’s Protection of Personal Information Act. The responses reveal the level of adequacy of data protection regulation in Kenya. On adequacy in State surveillance, surveillance capitalism, and availability of effective remedies, the study has revealed that while there are provisions of the law that adequately regulate the three issues, there are gaps and ambiguities that must be addressed to raise the level of adequacy and inspire confidence in data subjects. For the gaps and ambiguities, this study recommends law reforms in the form of amendments to provisions of the Kenyan Data Protection Act, Data Protection (General) Regulations, Competition Act, National Intelligence Service Act, and the Data Protection ADR Framework. This study also recommends enactment of new law including an Artificial Intelligence Act, Data Protection (Statutory Database) Regulations, and Regulations on interception of communications under the Prevention of Terrorism Act and other enabling statutes.