South Africa may be decades behind most European countries regarding implementing privacy laws to protect citizens from the likes of data leaks, says an information attorney.

Speaking at a cloud computing briefing in Johannesburg, information attorney and information security consultant Mark Heyink said last month’s cyber-attack on a South African Police Service (SAPS) database, which exposed over 16,000 whistleblowers’ details, is an “outrage”.

He also said the 2011 leak of South Africa’s Direct Marketing Association (DMASA) database, in which over 30,000 people who signed up for a “do not contact” list then had their details allegedly made known to companies not part of the DMASA, was also an “outrage”.

But Heyink says these two incidents caused “little more than a ripple on the newscasts” in South Africa. (Heyink said this despite the likes of technology press in South Africa such as ITWeb having extensively reported on both of these incidents: see links below.)

Heyink went on to say that the South African reaction to the SAPS and DMASA hacks has paled in comparison to the UK phone hacking scandal, which caused an “outcry” in that country.

The UK hacking scandal centred around employees of publications such as Rupert Murdoch’s News of the World being accused of phone hacking and police bribery in compiling some stories. Subsequently, News of the World was shut down, and a judicial public inquiry -- dubbed the ‘Leveson Inquiry’ -- was launched into the culture, practices and ethics of the British press following the scandal.

“In South Africa we are probably 30 years behind most of the European countries relating to the implementation of privacy law and the education of our citizens about the importance of the protection of their personal information,” said Heyink.

“Because we don’t yet have laws in place, and because citizens are not properly aware of their personal information rights...we don’t seem to take the same notice of it in South Africa,” he said.

South Africa’s government, though, is in the process of preparing the Protection of Personal Information Act (POPI), which plans to bring the country in line with international data protection laws and help enact citizens’ constitutional right to privacy.

The latest draft of POPI has been approved by South Africa’s national assembly. But it needs to be passed by South Africa’s National Council of Provinces and signed off by President Jacob Zuma to become law.

Heyink says that if and when this Act is passed, it will “close the gap” in terms of privacy laws between that of South Africa and European countries.

However, he notes that an unanswered question is as to “how long it takes for that culture in South Africa to take root.”

Gary Moore, a legal consultant from the Free Market Foundation who was also speaking at the cloud computing event in Johannesburg alongside Heyink, said though there is no guarantee that POPI could be passed this year, as some government proposed Acts have stalled for up to over a decade.

Moore also raised concerns about aspects of the drafted POPI Act.

Proposed regulation in the bill says businesses must provide notice in advance if they move company records onto a third party server in the cloud. Another term in the proposed bill is that if businesses keep their accounting records electronically, they must provide a senior tax official from the South African Revenue Service (SARS) a manual describing how their software works.

Moore says propositions such as these are problematic and need to be reconsidered by lawmakers as they could hinder business.

“The government’s heart is in the right place, but some things were never thought of when they were writing it,” says Moore.

If signed into law, POPI is expected to require that companies have one year from the commencement date to comply with it.