For this interview series, we spoke with privacy experts who looked beyond the obvious, expected, and attention-grabbing privacy issues, to the mundane issues that average people face—but may not recognize. South African privacy expert Nerushka Bowan shows us that privacy is truly an everyday issue, from haphazard use of common social applications; to hard copies of documents left unsecured on desks; to selfies inadvertently showing important documents. Read on for an eye-opening interview about common privacy matters.
What is your role and how is it related to privacy law?
I am a technology and privacy lawyer. I focus on training on the new South African data protection legislation, the Protection of Personal Information Act, 2013 (POPIA), which finally becomes fully enforceable on July 1, 2021. I also help clients navigate complex privacy law questions arising from the Act, as well as providing comparisons with other global data protection legislation, such as the GDPR.
What prompted your interest in privacy law?
Privacy law was a fairly new area of specialization and it was exciting to be one of the first in South Africa to venture down this path. I was lucky to work in a global law firm, Norton Rose Fulbright, and spent some time during 2014 learning from global data protection specialists in the UK and Australia. Privacy law, just like tech law, is ever-changing and you must continuously upskill yourself on the latest developments. Nothing is ever straightforward—and the challenge of this area of specialization definitely prompted my interest.
What are some red flags in privacy policies of consumer apps?
Everyone knows that we all download applications without ever reading the detailed T&Cs that come with them (if you do—you are one of the few!). However, transparency is a key requirement of most comprehensive data protection laws. Most of the information that the app provider is required to share with you is buried deep in these terms. The app providers feel like they have complied with their transparency and notification obligations, as all of this information is accessible to the user (if they have the time and interest to take a deep dive into the terms). In practice, however, it can be argued that the end user has no idea what they are agreeing to when they tick the box. Can this box-ticking exercise amount to notifying the end user of various pieces of information, or does it amount to specific, informed consent by the user?
With the rise of plain language and legal design, we are starting to see some innovative privacy policy designs that do actually inform the end user in a quick and easy-to-understand manner. In addition, Apple’s latest changes to the App Store empower users by prompting apps to request consent for use of data in certain instances, for example, for purposes of targeting ads, as well as highlighting what the app will be doing with your data once downloaded (a privacy nutrition label). This has resulted in Facebook firing back at Apple stating that Apple is preventing small business owners from getting access to affordable, targeted advertising by requiring users to opt in to this feature (therefore implying that if users have the choice, they would choose against their data being used for targeted ads).
WhatsApp also made headlines this year when it attempted to update its privacy policy. Apps update their policies regularly without anyone really noticing. However, this time WhatsApp tried to be more transparent by summarizing the key changes in the policy, as well as requiring users to consent to these changes in order to continue using the app. Usually app policies are updated in the background and state, “Your continued use of the app signifies your acceptance to these updated terms” (or something along those lines). WhatsApp’s approach was met with much pushback as end users were not happy with Facebook’s increased sharing of information between the Facebook group of companies (i.e. Facebook, Instagram and WhatsApp). Users also disliked the lack of an option to continue using the app without consenting to the updated terms. Furthermore, there was pushback against the perceived privacy law hierarchy: Users in the EU that are subject to the GDPR were given a separate policy to agree to (with less data sharing), compared to the policy that the rest of the world had to agree to.
This resulted in various data protection regulators further interrogating the WhatsApp policy changes, as many data protection laws in various jurisdictions have been based on EU data protection laws (the GDPR and the previous EU Directive) and share many of the same principles and protections. The South African Information Regulator is also currently investigating the WhatsApp policy and has briefed lawyers to assist. Facebook was also requested to appear before the South African Parliament on May 25, 2021, but did not do so.
People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
In the digital world that we live in, people are very concerned about cyber criminals and being hacked, and sometimes forget that privacy and data security considerations apply equally to physical information and documents. This could include a data breach by leaving documents lying on a table where unauthorized parties could view them, keeping client files in your car boot parked on the street (instead of returning them to a secure storage in your office), or taking a selfie at your desk with client documents lying in the background (I have seen fellow lawyers do this multiple times on social media—with the powerful zoom features that phones have, you are able to read some of the writing on the documents).
What should lawyers know about the new privacy laws from the past few years? Do they apply to law firms? If so, how?
Lawyers have always been subject to client confidentiality. However, data protection legislation adds a new element to the mix, and the impact shouldn’t be underestimated. In addition to protecting personal data, law firms may also be requested to share personal data on receipt of a data subject access request. Each of these requests will have to be dealt with carefully to ensure that legal professional privilege and client confidentiality are not infringed, while also ensuring that the data subject is able to enforce their data privacy access rights.
About Nerushka Bowan
Nerushka Bowan is the Director for Technology and Innovation at Norton Rose Fulbright South Africa Inc. She is an emerging technology and privacy law specialist, legal innovator, and international speaker based in South Africa. She has a background as a technology and privacy lawyer for an international law firm in Johannesburg, and she has work experience in London and Melbourne. Her clients include regulators, banks, law firms, technology companies, conference producers, and training academies.
Nerushka is the founder of the L.I.T.T. Institute (Law. Innovation. Technology. Tomorrow.), aimed at catalyzing change in the legal industry and creating lawyers of the future. She is the co-founder & Chairperson of VoLT (Voices of Law & Tech), which will amplify the voices behind legal innovations. She was selected as an #InspiringFifty winner in 2020 (Inspiring Fifty is an initiative aimed at showcasing successful women in STEM). During 2020, Nerushka was selected as one of six judges globally for the IAPP Annual Innovation Awards. She was also a co-chair of the Johannesburg IAPP KnowledgeNet chapter from 2016 to 2019 (the International Association of Privacy Professionals is the largest association of privacy professionals in the world).
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.