COVID-19 has created a level of state engagement with many of the world´s citizens that was perhaps unimaginable before 2020 in many democracies. Who would have imagined that, in freedom-loving UK, the police would be arresting individuals for sitting on a park bench, or walking across the countryside one metre distant from a friend, as happened during the crisis?
It may also have come as a shock that Germany’s much-loved Christmas markets were restricted due to a surge in cases during the Winter months, or that China imposed a strict lockdown for millions just weeks before it hosted the Winter Olympics, which is usually a time where the host country expects an influx of visitors.
The complexities of compliance with the rules has affected even those in the highest positions in the land in many countries, including senior officials and ministers, with, on occasion, career-ending results.
The stakes for conduct in a global health crisis are high, private behaviour is exposed, perhaps in the public interest, and the spotlight is now on the checks and balances around our data more than ever before. Where does that leave us as citizens and customers, and what do corporates need to do as trustees and also businesses to protect us and themselves?
One merely needs to consider the example of something as simple as attending a theatre production or concert. Pre-COVID-19, the requirement for each and every attendee to provide proof that their general vaccinations are in order as a pre-requisite for entry would have been absolutely preposterous. Whilst post-COVID-19, providing third parties with exactly this type of personal information regarding your health has become common place.
The good news is that, on a global level, all the direction is in favour of the protection of the citizen-consumer, and that responsibility is with the data holder, not its subject. We see this in three main areas:
- GDPR, the EU directive which came into force in May 2018, has become the benchmark standard, even emerging in the US with forthcoming state and federal legislation. We also see China, among other countries, bringing forward their own equivalent legislation. The UK has adopted it into law, and, post Brexit, there are no signs that the UK will be seeking to weaken it. By the implementation of their Protection of Personal Information Act (“POPIA"), South Africa has extended the principles applied in the GDPR to encompass individuals as well as juristic persons, such as companies.
- The protection of data is seen now as intrinsic to the moral and legal rights of an individual, and in most jurisdictions the onus is on the data holder to handle it in a secure manner, garner the minimum needed for agreed purposes, and to destroy material as and when it ceases to be specifically relevant. The licence to operate of a company or government is rightly scrutinised on how it fulfils its duties in this area; failure risks being fatal for a company or administration.
- Lastly, jurisdictions are coming to terms with the consequences of data breaches, the ability to recover the economic damage done from the responsible party, and the integrity of data being maintained in M&A situations where control is ´handed over’ to a new party.
Expanding on the above, the acquisition of Yahoo by Verizon, completed in September 2021, became a big catalyst on many of these issues. Yahoo, it emerged in the post-deal announcement, had suffered three substantial data breaches, reducing the final acquisition value by some $300m, from around $4.8bn to some $4.5bn. This brought home the liability potential of a data breach, however inadvertent and planned against. The final terms left a residual 50% of the potential future liability of the breach with Yahoo as the vendor of its internet business.
In the following period, Brazil, China, the US, and others, announced new measures and laws to reflect these challenges. Some Commonwealth legal jurisdictions, including South Africa and Canada, adopted legislation akin to the GDPR, in some cases with even tighter restrictions.
In terms of government and corporate responsibility, we are seeing that individuals are bundles of data that can be accessed too easily, and not always with their best interests in mind. We have, for example, witnessed catastrophic data breaches in recent years, involving organisations as respected as the FBI, UK social security, and famous companies worldwide, perhaps as the result of state or parastatal players, but even so, unacceptable and concerning to us all.
However, the use of personal data can help people too; the mass tracking of anonymised phone data became an acknowledged tool in the fight against COVID-19. Even in the UK, where the NHS is a dominant data holder, individuals became used to being alerted individually that they had come into contact with an infected person and must self-isolate as a result.
The question, therefore, becomes one of redress, and, if so, in which jurisdiction? The governing principle is that the liability is with the organisation which has allowed or has been party to the breach in the territory in which it occurred and people suffered. In major jurisdictions such as the US (federal and state), or EU/UK (the latter being grouped together for data purposes in approach and practice), we will see class actions, and remediations pursued in multiple jurisdictions, as well as high-profile individual case law. For a corporate in South Africa, remedying a breach, even against a non-South African resident or citizen, needs to be pursued locally. For an EU citizen, breached by a US data holder, the first step will likely be under GDPR in their country.
For corporates, data protection and due diligence is a central part of their proper governance when acquiring other businesses, as they will effectively acquire the liability of proper handling of data, as well as the asset of what it may represent in terms of customer acquisition or analysis.
The conclusion is that none of this is straight forward. We are in a brave new world. Private testing companies hold more of the world´s DNA on file than we could previously have imagined. Most are destroying it properly, and, in so doing, perhaps losing evidence of mortal illness indicators. So, the moral balance will not always be easy. Should they have told me first I had prostate cancer, for example, before binning the evidence?
Consent, and the frameworks around that, is of course going to be key, and we are all here to promote, assist, and ensure that corporate behaviour reaches a good level of excellence, and compliance, in this regard.
Philip Kruger, Director of RSM Legal in South Africa, and is a statutory Director of RSM SA Consulting (Pty) Ltd. He leads for the legal team on data protection issues, as well as being expert in M&A, and other aspects of corporate structure and compliance.