Who Really Owns Your Personal Data?
Cyberattacks and data leaks make headlines almost weekly, leaving internet users in South Africa and around the world concerned that their personal information may be at risk.
Investing in high-end digital security, including secure cloud storage, is a great way to keep your information safe.
But have you ever considered the possibility that what you think is your data might not legally belong to you at all?
South Africa’s Protection of Personal Information Act (POPIA) offers wide-ranging protections for privacy and sensitive data. However, one thing it does not do clearly is define ownership of personal data.
Legal expert Professor Donrich Thaldar from the University of KwaZulu-Natal recently published an extensive research paper on this issue, with a simplified version appearing in media reports.
According to Thaldar, POPIA regulations (which are situated at the intersection of privacy and property law) present a complex web of rights and obligations.
This legal obstacle course must be navigated by both the originators of sensitive information and those who think they own it, in order to establish any rightful claim to the data in the first place.
The Legal Ambiguity Around Data Ownership
The word ownership is usually associated with some kind of property, be it a business, a home, a vehicle, or financial assets like cash and investments.
For tangible assets like these, property law lays out the rules for possession, trading, and consequences for unlawful acquisition through theft or fraud. But when it comes to data, the legal waters become murkier. What kind of asset is it, exactly, who does it belong to, and who can claim it?
Thaldar’s research explores the dual nature of data, as both a type of information and a form of property that can be owned, sold, or stolen.
The study points out that POPIA doesn’t provide an explicit definition of data ownership, a fact that further complicates matters.
- While POPIA is extremely detailed when it comes to data protection, distribution, and the penalties for mishandling personal information, it remains vague on the issue of who actually owns that data.
- According to Thaldar, data in its raw form-as information – likely cannot be owned by any one person, just as no one can claim ownership of the entire ocean.
- However, a specific instance of data like a file created by an individual or organisation can be viewed as a unique item of possession. This is similar to someone owning a single bottle of water, rather than the ocean itself.
The Impact on Your Data Security and Bottom Line
The ambiguity around data ownership has real implications for organisations that generate data containing client information.
Does the data belong to the company, since it created the file? Or does the client have a claim to it, because the file contains their personal information?
While POPIA clearly states that individuals have a right to data privacy and that companies are obligated to take reasonable steps to secure this data, ownership of the actual file or dataset may still reside with the company that created it.
As with many newer laws, a clear legal definition of data ownership under POPIA may only emerge once the matter is brought before a higher court.
In the meantime, both companies and individuals need to remain vigilant and take steps to ensure that sensitive data doesn’t end up in the wrong hands.
Find The Perfect Solution For Your Business Data
With cybersecurity incidents on the rise and hefty fines or even jail time associated with violations of POPIA, every South African business should make the protection of its sensitive files a top priority.
Our range of secure cloud storage solutions, including Total Data Protection, can help your business stay safe and compliant. Click the button below to learn more.