Top-level UN human rights role gives Tlakula extra digital power

Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

Advocate Pansy Tlakula believes her position as SA's Information Regulator will complement the way the United Nations (UN) human rights committee tackles hate speech and racism incidents on digital platforms.

This week, the Department of International Relations and Cooperation confirmed Tlakula has been elected to be part of the UN’s 18-person Committee on the Elimination of Racial Discrimination (CERD).

The CERD’s mandate is to monitor the implementation of the International Convention on the Elimination of All Forms of Racial Discrimination by UN state parties, as well as investigate racial discrimination complaints as defined by the convention. Further powers include issuing urgent letters of appeal where there are serious incidents of racism and racial discrimination.

Tlakula’s appointment, which is effective for the period 2020 to 2023, will see her meet with the other members three to four times a year at the UN’s offices in Geneva, Switzerland.

“I will still be based here in SA fulfilling my role as the chairperson of the Information Regulator,” she told ITWeb. “What excites me about this appointment…as you know racism manifests itself these days as hate speech, mainly occurring on digital platforms like social media.

“As it happens, during the elections there was a lot of disinformation on digital platforms and personal information of voters was being abused. Therefore, I’m hoping my position as the Information Regulator will enable me to make a substantial contribution to the committee.”

‘Baby steps’

Establishing the Information Regulator is one of the conditions set out in the Protection of Personal Information (POPI) Act. The purpose of the POPI Act is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise personal information in any way.

In other words, POPI will enable SA to be globally competitive on privacy matters and international data exchange laws. It also serves to give the Information Regulator teeth.

However, despite the POPI Act being signed into law on 19 November 2013, and Tlakula taking office on 1 December 2016, getting the Information Regulator operational has been painfully slow.

The advocate concurs the process is “going very slowly”, noting that is the case with most things in government. “We rely on the Department of Justice to assist because we still fall under them. Their processes are very slow but we are happy to confirm we now have a CEO that started on 1 June.

“We will have our CFO starting on 1 July, and we have also appointed an executive for legal policy research and IT analysis, starting on 1 August. We are also waiting for competency results for an executive for POPIA [POPI Act].”

“It’s baby steps, but we had to plough through 400 CVs because we had no staff. From the beginning of the year, we’ve been looking at those CVs, short-listing and conducting interviews.

“We are now at a point where we are finalising the second tier of the organisational structure and will be taking it to the minister of finance.”

Africa’s own GDPR?

Tlakula says her office has a dual mandate, which is to deal with access to information and protection of personal information.

As a result, there is an expectation, especially on the African continent, for the Information Regulator to take a leading role, she points out.

“In March, the international conference of information commissioners was held and we established the network of African information commissioners, for which I’m the interim chairperson.

“Being someone who has worked on the continent for 12 years in the African Commission for Human Rights, I am very keen to see Africa have its own instruments on cyber security and personal data.

“In fact, the African Convention on Cyber Security and Personal Data was adopted by the African Union a couple of years ago but it has not come into effect, because it requires 15 African countries to ratify it. As we speak, only four have ratified. South Africa has also not ratified and yet we have legislation.

“The absence of an African standard is not good because the Europeans have the GDPR, and we don’t. One of the areas that we are keen to do is ensure the countries that have data protection authorities and laws on the continent push for the ratification of that important protection standard,” she concludes.