Vodacom and MTN can be held liable for the abuse of their location-based services by third parties to plot the murder of top cop Lieutenant-Colonel Charl Kinnear, legal expert Jos Floor said.
The police investigation into Kinnear’s assassination on 18 September lifted the veil on the widespread unlawful use of location-based data from Vodacom and MTN.
Wireless application service providers (WASPs) were given full access to subscribers’ sensitive location data in “good faith”, with the understanding that they would not abuse this data.
While WASPs signed contracts which required them to obtain consent before they could track a person, Vodacom and MTN did not put adequate controls in place to prevent abuse.
This allowed numerous individuals and private investigators to use location-based services to track the movement of South Africans without their knowledge or consent.
What this means, in simple terms, is that your sensitive location information was available to anyone, including criminals, for a fee.
It is currently not clear for how long this abuse has been happening and for how long Vodacom and MTN exposed their subscribers’ sensitive data to criminals.
What is of particular concern is that the two mobile operators were unaware of this abuse until it was brought to their attention by the South African Police Service (SAPS).
This points to a complete lack of controls to protect their subscribers’ sensitive personal data and ensure WASPs abide by their contracts.
How Vodacom and MTN reacted to the abuse
There is a stark difference in how Vodacom and MTN reacted to the abuse of their location-based service.
After MTN was alerted to the abuse, it immediately asked all nine WASPs with which it has contracts to prove that the people they tracked had given them permission to do so.
When they failed to produce this information, MTN cut all access to location-based services for these WASPs.
MTN was also completely transparent about the number of companies which had access to this highly sensitive data.
MTN also played open cards about the information it shares with third parties and what went wrong to expose its subscribers’ data without their permission.
Vodacom refused to state how many companies have access to the location data of its subscribers.
Vodacom only suspended the location-based services of a single company pending further investigation.
There is also no indication that Vodacom, like MTN, has launched a wider investigation into the abuse of location-based services on its network.
Vodacom also refused to state what personal information about its subscribers it shares with third parties.
Considering the risks associated with giving third parties access to their subscribers’ personal information, one would expect Vodacom to inform subscribers of what data it shares.
Vodacom’s secrecy around the abuse of its subscribers’ personal data by third parties justifiably raised serious concerns about the operator’s conduct.
With various legal frameworks in place to protect subscribers’ personal information, it raises the question of whether Vodacom and MTN are legally liable for what happened.
To answer this question, MyBroadband contacted Floor Inc Attorneys director Jos Floor, a corporate lawyer focusing on the technology and financial services industries.
Floor is one of South Africa’s foremost experts in technology, privacy, and data protection law, which includes the Protection of Personal Information Act (POPI).
Question: In the current legal framework, including POPI, were Vodacom and MTN allowed to provide their subscribers’ location information to third parties in “good faith”?
No – as a rule it was not allowed to supply such information to third parties. There are certain exceptions, but “good faith” is not one of them.
When personal information is collected by a data subject, it must happen for a specific purpose. The purpose for which Vodacom and MTN are to collect the personal information is to provide cellular services directly to the person involved. If the information is collected or used for any other purpose, the customer must be informed about that other purpose.
The cell phone service providers therefore had to notify their customers that their location-based data gets collected and that the data is being used for another purpose, namely selling that data on commercial terms to third parties to use for whatever other purpose they wish.
The only other way around this purpose restriction was for the customer to give consent to use his location data in the way it was used. Given the nature of his work and his and his family’s reported awareness of the threats that were associated with his work, I think it is reasonable to assume that he would never have given consent for his location data to be shared with third parties in the manner which has happened.
A second possible exception would be that making this information available to third parties was compatible with the original purpose for which it was collected. Given the nature of the location-based information and the subsequent consequences that resulted from making this information available to third parties, it is clear that the subsequent selling of location-based data to a third party on a commercial basis is not compatible with the original purpose of providing cellular services.
Is it the responsibility of Vodacom and MTN to protect the privacy of their users?
Yes, Vodacom and MTN are responsible to protect the privacy of their customers’ personal information.
Section 9(b) of POPI is explicit about this and provides that processing of personal information may not infringe on the privacy of a customer.
Acting in supposed good faith is not a recognised exception to the duty of responsible parties to protect the privacy of their users’ information, and it is not a recognised justification to share personal information with third parties or to use that information for any other purpose than that for which it was collected in the first instance.
Claiming good faith is not a defence by a far stretch. Claiming that this type of information was shared in good faith while a statute like POPI is in place, sounds rather more like taking the ostrich approach: “we didn’t look and we didn’t ask, and no-one complained”. Taylor Swift’s song Bad Blood springs to mind, “…band-aids don’t fix bullet holes…”.
Other than POPI, it is also possible that the practice was a contravention of the RICA Act, which includes a prohibition on the monitoring of indirect communication, which covers data. If Kinnear had not given consent to the MNOs, then Vodacom or MTN have assisted their third-party commercial partners to contravene RICA. Under section 56 of RICA, a second offence can lead to the telecoms providers losing their telecoms licence.
Can Vodacom and MTN be held liable for the abuse of the location-based services they provided to third parties which were abused?
Yes. POPI introduced a new remedy to our law where individuals can claim compensation for damages against a responsible party if the damages resulted from a breach of the provisions of POPI. This is a new remedy in South African law and has an easier burden of proof. It is not necessary to prove negligence or fault on the side of the responsible party.
Once again, to claim to have acted in “good faith” will not be a defence to this remedy. Furthermore, besides being a no-fault remedy, the courts are also entitled to make an award for aggravated damages, which is something akin to the punitive damages we hear about in the legal series airing on television. Such a claim could potentially be brought by Kinnear’s family for having lost their provider.
There is, however, one proviso before such a claim can be successful – the question of to what extent POPI has entered into force. POPI states that all processing of personal information must within 1 year be made to conform with POPI. This grace period expires on 30 June 2021.
The wording of section 114(1) does not explicitly suspend the entire act, any of the processing principles or the faultless remedy for damages. The wording of section 114(1) is very general, and its application is not clear at all. The proclamation by the President is very clear that the substantive provisions of the act have come into force on 1 July 2020.
In my view, based on the principles on the interpretation of statutes, there is a good argument to make that clause 114(1) does not suspend the substantive provisions of POPI and could be interpreted to only mean that the Information Regulator should not issue compliance notices for non-compliance before the 12 months grace period has expired.
Should Vodacom and MTN alert users that they are tracked?
Yes, and they must be notified of all information about them that gets collected. See below re section 18.
Should Vodacom and MTN inform users with which third parties their data is shared, and what data is shared?
Yes. Section 18 of POPI contains an extensive list of data collection matters about which responsible parties must notify their customers. This includes all the purposes for which the service provider collects and uses the personal information, the sources from which the personal information is collected and the recipients of the information. The latter in this instance would cover both the third-party location-based service providers and the users to whom the third-party location-based service providers sold the location-based data.
The Information Regulator has been quiet on this specific matter and needs to play a far more active role. It is the duty and function of the Information Regulator in terms of section 40 of POPI to educate the public on matters like these and to make public statements to bring our information rights to everyone’s attention.