The Speed of Money: Ensuring Data Privacy in South Africa’s Instant Payment Systems

Instant payment systems, like South Africa’s PayShap, are gaining popularity by allowing money to move between accounts almost instantly, any time of day. While these systems offer convenience and efficiency, their reliance on the seamless flow of data introduces new challenges related to privacy and security. Every instant payment involves sensitive personal information, including account details and transaction history. The widespread use of this data creates privacy risks, such as potential misuse for targeted advertising or price discrimination. The speed of these transactions also makes them attractive to cybercriminals for fraud and money laundering. Therefore, robust data privacy legislation is essential to counter these risks.

Navigating the Regulatory Landscape: POPIA and GDPR

South Africa’s primary data privacy law is the Protection of Personal Information Act, 2013 (POPIA), which has been fully enforced since July 2021. POPIA aims to protect individuals and legal entities from harm by safeguarding their personal information. The act is built on principles of accountability, transparency, security, and data minimisation. This means that organisations must be transparent about the data they collect, why they collect it, how long they keep it, and how they protect it. Non-compliance with POPIA can result in significant fines, with serious offenses carrying penalties up to R10 million (South African Rands) for serious offences.

Several sections of POPIA are particularly relevant to payment processing:

• Chapter 3 – Conditions for Lawful Processing[1]: This chapter outlines the foundational principles for the lawful processing of personal information, including payment details.
  • Consent (Section 11(1)(a)): While POPIA is not always consent-driven, consent is crucial for payment-related activities that go beyond the direct necessity of a transaction. However, it outlines several other justifications for processing personal information. This means that under POPIA, organisations must get explicit consent for payment-related activities that go beyond what is directly necessary to complete a transaction, as other legal justifications for processing personal information don’t apply.

• Necessity for Contract (Section 11(1)(b)): An organisation can process your personal information, such as payment details, if it’s essential for fulfilling a contract you are a party to. This means an organisation can use your personal information, such as your payment details, to complete a purchase you’ve made because it is essential for fulfilling the agreement between you and the organisation.

• • Compliance with Legal Obligation (Section 11(1)(c)): Processing is allowed if required by law, such as a bank processing your identity documents for FICA (financial intelligence centre act) compliance.

• Legitimate Interest (Section 11(1)(f)): Organisations can process personal information for their own legitimate interests or a third party’s, if it does not unfairly infringe on your rights and interests. This means an organisation can process your personal information if it’s necessary for their own reasonable business activities or for a third party they’re working with, as long as it doesn’t unfairly infringe on your rights and privacy as the individual whose information is being used.

• Section 19 – Security Safeguards: This section is critical for protecting payment data. It requires responsible parties to secure the integrity and confidentiality of personal information in their possession or under their control. This involves implementing “appropriate, reasonable technical and organisational measures” to prevent loss, damage, unauthorised destruction, and unlawful access or disclosure of personal information. For payment systems, this translates to robust cybersecurity, encryption and access controls.
• Section 20 – Information Processed by an Operator: This section mandates that payment service providers, who often act as “operators,” must process personal information only with the authorisation of the “responsible party” (e.g., a bank or merchant) and must treat the information as confidential.
• Sections 105 and 106 – Unlawful Acts in Connection with Account Numbers: These sections address the misuse of unique identifiers used in payment transactions. Section 105 outlines offences for responsible parties who unlawfully process account numbers, while Section 106 extends this to third parties who knowingly or recklessly obtain or disclose them without consent.
• Section 22 – Notification of Security Compromises: In the event of a security breach involving personal information, the responsible party[2] must notify both the Information Regulator and the affected data subjects (you!) as soon as reasonably possible to ensure transparency.
• Sections 23, 24, 25 – Data Subject Participation: These sections give individuals the right to access their personal information, request corrections if it’s inaccurate, and, in some cases, request its deletion or destruction.

Globally, the General Data Protection Regulation (GDPR) in the European Union sets a strong precedent that inspired POPIA. GDPR classifies payment data as highly sensitive and requires strict standards, including “Privacy by Design” and “Data Minimisation”. Both POPIA and GDPR empower individuals with rights to their data, which is crucial for maintaining control over their digital footprint in the age of instant payments.

Securing Our Data in the Fast Lane

To balance speed with data privacy, payment systems are adopting several key security measures:

• Encryption: This involves transforming sensitive data into unreadable codes during transmission and storage, with protocols like TLS being essential for securing data as it moves across networks.
• Tokenisation: This method replaces sensitive payment information, such as a credit card number, with a unique, meaningless “token”. The real data is stored in a secure vault, and only the token is used for transactions, which significantly reduces the risk of data breaches.
• Multi-Factor Authentication (MFA): Adding extra layers of verification, such as a password combined with a one-time passcode sent to a phone, enhances security beyond a single password.
• Robust Fraud Detection Systems: These systems use machine learning to detect suspicious patterns and block fraudulent activity in real-time.

While instant payments reduce the risk of non-payment for sellers, they increase the risk of loss for buyers through scams and fraud, making consumer vigilance particularly important. The goal is to build a future where fast payments are not only seamless but also inherently private and secure.

 

[1]     Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

• (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use.
• (b) dissemination by means of transmission, distribution or making available in any other form; or
• (c) merging, linking, as well as restriction, degradation, erasure or destruction of information.

[2]     Responsible party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

 

By Nolwazi Hlophe
Senior Fintech Specialist at FSCA
Digital Frontiers Institute Alum

 

Established in 2015, Digital Frontiers Institute is a proud brand of Digital Frontiers.