4. Electronic Theses and Dissertations (ETDs) - Faculties submissions

Permanent URI for this communityhttps://hdl.handle.net/10539/37773

Browse

Subject: search.filters.subject.POPIA

Search Results

Now showing 1 - 6 of 6
  • Thumbnail Image
    Item
    Awareness of cookie deprecation and implications for digital marketing strategies in South Africa
    (University of the Witwatersrand, Johannesburg, 2024) Pillat, Celeste
    The phasing out of third-party cookie tracking in response to regulation to protect personal information, poses a challenge to Digital Marketers and personalised communication to customers. The paradox between privacy and personalisation is a new concept and as such the purpose of this study was to understand whether Digital Marketers are aware of cookie deprecation, the impact on Digital Marketing strategies and the approach to personalisation. An explorative qualitative design was chosen for the research, employing phenomenological methodology. The sample comprised of digital marketers, analysts, and media specialists for diverse perspectives. Data was analysed using interpretative phenomenological analysis, with thematic network analysis helping to find connections in data. The findings suggest that while Digital Marketers are aware of cookie deprecation, many are unaware of the possible impact on their strategies, or how to approach changes. Change was about a common theme with a pervasive undertone of anxiety. Digital maturity was an important factor for evaluating technological change, with gaps in future ready skills identified. The implications of cookie deprecation were extensive, surfacing a heavy reliance on first-party CRM data at the core for personalisation in strategies. Further implications include the ad-tech ecosystem needing to adopt innovative alternate methods of tracking which also impacts publishers, measurement and tracking. Regulation impacts companies and the need to ensure data collection is compliant. The importance of privacy in digital marketing strategies remains crucial as change is constant
  • Thumbnail Image
    Item
    Artificial intelligence and automated decision making under the GDPR and the POPIA
    (University of the Witwatersrand, Johannesburg, 2024) Goldman, Gavin David; Zitzke, E.
    This analysis considers the concepts of AI and machine learning and examines their reliance on the processing of personal data and the challenges this poses from a data- privacy and human-rights perspective, particularly in relation to profiling. It evaluates the effectiveness of the General Data Protection Regulation (GDPR) and the Promotion of Personal Information Act 4 of 2013 (POPIA) in regulating Automated Decision Making (ADM) and considers the limitations of the right to an explanation under these provisions. The analysis proposes that the current framework of the GDPR and POPIA does not clearly address the issue of explainability and that the focus should shift to providing a data subject with a counterfactual to give practical effect to this right which would better serve data subjects
  • Thumbnail Image
    Item
    Protecting South African Employees' Special Personal Information Against Data Breaches
    (University of the Witwatersrand, Johannesburg, 2024) Mampa, Kgothatso Lesetja Simon
    The widespread use of computers and acceleration of online activity have increased the importance of personal information in modern society. Processing personal information has become an indispensable part of daily life. The (mis)management of personal information in the employment context is particularly concerning because employers also process special personal information (SPI). This research report considers the legal treatment of processing SPI in the world of work in South Africa by identifying and evaluating those provisions of POPIA that could offer employees protection in the event of a data breach. Furthermore, the research examines the effectiveness of those provisions against predetermined criteria in order to establish whether the provisions provide direct employee protection, create an opportunity for the responsible independent authority, namely the Information Regulator (IR), to include protective conditions in respect of processing employee SPI; and whether the provisions eliminate or limit threats to breaches of employee SPI. Sheburi v Railway Safety Regulator is the only known POPIA related case and it is referenced to highlight the ease with which POPIA provisions can be misinterpreted in practice. The case also demonstrates the fallibility of the consent requirement and supports the argument that employees need reinforced protection against the ever-looming threat of data breaches. The key finding of this study is that POPIA was not specifically designed to render full protection to employees in the event of a data breach. However, some of the existing provisions in POPIA render some level of protection. The research concludes by suggesting possible ways to improve the legal protection of employee SPI and ultimately calls for specific regulation of employee SPI in the context of data breaches.
  • Thumbnail Image
    Item
    The impact of the Protection of Personal Information Act on online consumers’ privacy concerns
    (University of the Witwatersrand, Johannesburg, 2023) Mosakoa, Panki Patrick
    Globally, consumer privacy remains a major concern when shopping online and merchants are collecting and using personal information. However, many nations have been responding with personal data protection laws to protect individuals’ human rights to privacy. In South Africa, the government introduced the Protection of Personal Information Act (POPIA) in 2013 and fully enacted in July 2020. This study aimed to investigate the impact of POPIA on online shoppers' privacy concerns by examining consumer privacy concerns before and after POPIA was introduced and also determine the extent to which knowledge of POPIA has influenced online privacy concerns. A quantitative methodology using descriptive statistics and hypothesis testing was adopted to guide the analysis of data collected from a random sample drawn from students of one South African university using a pre-designed questionnaire. The results support the hypothesis that online shoppers' privacy concerns have not changed before and after the POPIA enactment. The descriptive statistics revealed that online shoppers lack knowledge of POPIA and still have concerns about the safety of their personal information, credit card and identity information theft, and impostor online organisations. With increased data breaches and deliberate information disclosure, these concerns prevent consumers from shopping online because of personal information safety fears. It is recommended that policymakers introduce more awareness campaigns and case laws of the legislation to the public. Organisations can invest more in employee training and development initiatives on POPIA regulations, POPIA compliance on internal systems, and online platforms to sensitise staff and minimise possible litigation
  • Thumbnail Image
    Item
    Adequacy of Data Protection Regulation in Kenya
    (University of the Witwatersrand, Johannesburg, 2023-10) Laibuta, Antony Mugambi; Zitzke, Emile
    Article 31 of the Kenyan Constitution provides for the right to privacy. The Kenyan Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution. This study is about whether data protection regulation in Kenya would inspire any confidence in data subjects who enjoy protection of their right to privacy under Article 31 of the Constitution. Kenya, going with the global trend, in November 2019 enacted the Data Protection Act. Before the enactment, Kenya had debated data protection Bills for over a decade. But even with the enactment of the Data Protection Act, the question remains whether this was sufficient to guarantee the right to privacy and specifically data subject rights. The main aim of this study is to determine the adequacy of data protection regulation in Kenya by responding to five questions: How has data protection evolved in Kenya? What framework should be used to determine the adequacy of data protection regulations? To what extent is the legal framework on state surveillance adequate? To what extent is the legal framework on commercial use of personal data adequate? How adequate are the available remedies in relation to data protection in Kenya? To wit, no comprehensive academic discussion has explored the history of privacy and data protection in Kenya. This study fills this gap in the academic literature. It has established, through highlighting constitutional and statutory provisions, that the right to privacy in Kenya has been in existence since Kenya gained independence from colonial rule. Conversations during the clamour for constitutional reforms shaped the current text that provides for an individual right to privacy which has been the springboard for data protection rights to be introduced. There is no immediately obvious framework that would be ideal to determine the adequacy of data protection regulation in Kenya. In light of this gap, this study has presented a simple set of questions used in day-to-day legal practice to be used as the determination-of-adequacy framework. The questions, “who?”, “why?”, “what?”, “when?”, “where?”, and “how?” are iv posed on State surveillance, surveillance capitalism, and access to effective remedies. Responses to these questions are juxtaposed with provisions of the European Union’s General Data Protection Regulation and South Africa’s Protection of Personal Information Act. The responses reveal the level of adequacy of data protection regulation in Kenya. On adequacy in State surveillance, surveillance capitalism, and availability of effective remedies, the study has revealed that while there are provisions of the law that adequately regulate the three issues, there are gaps and ambiguities that must be addressed to raise the level of adequacy and inspire confidence in data subjects. For the gaps and ambiguities, this study recommends law reforms in the form of amendments to provisions of the Kenyan Data Protection Act, Data Protection (General) Regulations, Competition Act, National Intelligence Service Act, and the Data Protection ADR Framework. This study also recommends enactment of new law including an Artificial Intelligence Act, Data Protection (Statutory Database) Regulations, and Regulations on interception of communications under the Prevention of Terrorism Act and other enabling statutes.
  • Thumbnail Image
    Item
    The protection of personal information act: a critique through the lens of libertarian legal theory
    (University of the Witwatersrand, Johannesburg, 2022-10-31) Meyer, Jonathan Alan; Zitzke, Emile
    This paper offers a critical analysis of the Protection of Personal Information Act 4 of 2013 (POPIA) and its impact on freedom of trade, occupation and profession (freedom of trade) as found under s 22 of the Bill of Rights in the Constitution of the Republic of South Africa, 1996 (the Constitution) from a libertarian legal theory perspective. Owing to a lacuna in South African law, the provisions of POPIA that seem to impede free trade will probably not result in an unconstitutional infringementof the section 22 right. Those provisions in POPIA that restrict free trade may nevertheless be critiqued from the perspective of libertarian legal theory. More specifically, libertarian legal theory’s rejection of over-regulation. In this research report, the ultimate finding is that the cardinal issue with POPIA is that, paradoxically, and despite POPIA’s proclamation to promote a free-flow of information in balancing such purpose with the Constitutional right to privacy found under s 14 of the Constitution, POPIA serves to limit, over- restrictively, the free flow of information between businesses and business, and businesses and natural persons. The research report conducts a cursory analysis of the right of freedom of trade and investigates certain important provisions of POPIA through a libertarian-legal lens. There are three weaknesses in POPIA that are identified in this research report. Firstly, POPIA has a negative impact on trade because both natural and juristic persons receive data protection in terms of th e Act, whereas in jurisdictions where the GDPR operates, only natural persons receive such protection. It will be shown how this aspect of POPIA is potentially overly onerous on businesses. Secondly, the security requirements under POPIA are not only unreasonably onerous on, and expensive for, companies, to implement, but they are cumbersome, contradictory and vague. It will be shown how this could negatively affect free trade. Thirdly, POPIA’s sections dealing with civil liability are too far- reaching in their consequences of business, while also providing for defences to responsible parties which are prejudicial to data subjects. This amounts to an over- regulation, which is antithetical to libertarian legal theory