In Johannesburg, experts discussed the need to improve the existing legislation on personal data protection taking into account the development of AI technologies.
As South Africa marks the 10th year of the Protection of Personal Information Act’s (POPIA’s) existence, law-makers should shift the focus to aligning its principles with the governance of artificial intelligence (AI) applications.
This was the sentiment shared by data protection experts, speaking yesterday during a roundtable discussion at the 10 Years of POPIA Symposium, hosted by the Information Regulator, in Johannesburg.
The event created a platform for information officers, legal professionals and data privacy specialists to reflect on the implementation of POPIA since it was enacted in SA on 19 November 2013.
Speaking under the theme “The journey thus far, and the journey ahead”, the panellists acknowledged the strides made by the office of the Information Regulator in revolutionising data protection in SA, and highlighted the need to chart a way forward for better implementation.
POPIA aims to bring SA in line with international standards for the protection, collection, recording and storage of personal information, giving individuals control over their personal information.
The Act is touted as a world-class piece of legislation that is on par with similar laws, such as the European Union’s General Data Protection Regulation (GDPR).
However, panellists agreed that certain statutes should be amended or extended to govern the AI technologies used by organisations in the collection, processing and storage of personal data.
Advocate Tshepo Boikanyo, executive member of the Information Regulator and executive of POPIA, explained:
“I think that we have lagged behind with regards to the regulation of artificial intelligence, and this is an area that we may need to look at. During a recent session on artificial intelligence, what we picked up was there are so many responsible parties that have advanced in this space and, as the regulator, we need to catch up and beef up our Act in relation to technological advancement.”
According to Boikanyo, regulatory changes are unfolding in other parts of the globe; for instance, the move towards extending certain elements of the GDPR to expand its reach for effective AI regulation.
Local organisations are increasingly using AI, generative AI and machine learning to gather and process the personal data of customers and stakeholders to gain competitive advantage and influence consumer behaviour.
However, there are growing concerns over the potential risks of such emerging technologies, relating to infringement of user rights, data protection and manipulation, as organisations across the globe race to rollout AI systems.
The panellists raised concerns around other complexities associated with regulating data protection compliance processes, as they relate to the various ways in which AI can be trained and deployed to handle personal data.
According to some experts, current developments in the European Union could serve as a good example for South Africa to revise some elements of POPIA, beyond AI, to include various other emerging technologies.
The panellists also weighed in on whether SA should establish a standalone AI Act, as other nations such as Brazil are doing, or if tweaking existing laws would be better suited to the local context.
“Amending the current legislation to include AI, and then incrementally changing that as new technologies advance, is better than creating a standalone artificial intelligence Act which may turn out to be irrelevant in a few years’ time,”
asserted Boikanyo.
Experts noted that POPIA had adopted a ‘privacy by design’ principle, and the key now is to ensure the methodology is geared up towards artificial intelligence.
Source: ITWeb