News / Legal Brief
When machines make decisions: Understanding the impact of the protection of personal information act, 2013 (“Popia”)
May 1,2019
Companies, when obtaining and processing personal information must not mislead and must also provide certain information to the individual data subjects. The data protection regime in terms of POPIA[1] provides for a number of rights to individuals in relation to their personal information and information privacy. Transparency and consent are very important aspects of respecting and enabling such fundamental rights to be exercised and enforced by data subjects.
When machines make decisions and artificial intelligence informs the outcome in relation to individuals, POPIA cannot be ignored. A fundamental right afforded to a data subject relates to automated decision taking, which relates to automated decisions being taken without human oversight or intervention. The traditional example often used is adverse credit decisions being taken automatically. However, it can equally encompass such adverse decisions and activities as so called neutral algorithmic processing and a range of information and result outputs. Examples could include search rankings and priorities; search suggestions; search prompts; autosuggest; and more. Other examples could arise in relation to profiling and advertising related activities.
The legislature has been alert to the fact that the processing of personal information by automated means may seriously threaten the privacy of a data subject, such as data processing which evaluates a data subject’s performance at work, reliability and conduct. This is often referred to as automatic processing, which provides a profile of a person.
The creation of a profile is potentially extremely damaging, and it is for this reason that the making of a decision, which affects the data subject substantially and is based solely on automated processing of personal information, is prohibited. POPIA provides that subject to subsection (2) (of section 71) a data subject may not be subject to a decision, which results in legal consequences for him, her or it, or which affects him, her or it, to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person, including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.[2]
Section 71(2) provides for exceptions to the prohibition on decision-making based on automated processing. The exceptions do not apply if the decision:
- “(a) has been taken in connection with the conclusion or execution of a contract, and –
- (i) the request of the data subject in terms of the contract has been met; or
- (ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or
- (b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.”[3]
The appropriate measures that are adopted to protect the data subject’s legitimate interests must provide the data subject with an opportunity to make representations about a decision that has been made in terms of section 71(1) (automated decisions, which provide a profile of a person). Further, the responsible party must provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations.[4] This requirement of “underlying logic” is very important to the data subject’s representations, since it will presumably give the data subject a good indication of the purpose of the profiling.
POPIA does not prevent the use of analytics in decision-making or research as such, but it does provide for certain duties and restrictions, which could amongst other relate to the de‑identification of personal information. Practically this might require that certain information will be redacted or in fact removed in totality, or it may require that a separate database will be created for purposes of testing new systems or for purposes of analytics.
It might seem clear, simple and something that can be done with little effort, but what makes this more difficulty is that data, personal information, is often collated from multiple sources. All data and all sources are subject to POPIA and the transfer of personal information between data sources requires both protected, secure channels and encryption. While it might seem straightforward, the potential for errors in collating data, encrypting data, transferring data, and decrypting data for processing makes processing data both complex and highly susceptible to error or breach.
Automated decision making is becoming far easier in today’s world, where algorithms and artificial intelligence enables speedy decision-making. Data subjects have the right to question significant decisions that affect them that have been made on a solely-algorithmic basis. While it’s not yet clear how this right will work in practice, in theory it provides for an objection by a data subject and this should indeed be provided for in case of biased data and poor algorithms.
Pooh looked at his two paws. He knew that one of them was the right, and he knew that when you had decided which one of them was the right, then the other was the left, but he never knew how to begin. Winnie-the-Pooh
In a business world, evolving rapidly, where all companies are confronted with the fourth industrial revolution, new and better ways of doing business and POPIA, it is important to be able to identify the proverbial right hand when evaluating the legal risks that automated processes could create in terms of POPIA.
[1] Protection of Personal Information Act, Act 4 of 2013.
[2] S 71(1).
[3] S 71(2).
[4] S 71(3).