BY Mpho Manyala-Chitapi
Peek-a-boo, I see you: privacy concerns around digital rights management and monitoring tools
Digital rights management (“DRM”) refers to the methods used by content owners to protect their digital content. A number of methods can be used to control and restrict access and usage of digital material. Popular DRM mechanisms include password protecting a digital file/content, as well as platform DRM, which is typically deployed by online streaming platforms and electronic databases to restrict access to content that users are required to pay for. Protecting digital works by encrypting them and providing authorised users who have, for instance, paid for access with a decryption key in order to access the protected work is also one of the many DRM methods that exist.
However, the use of DRM may give rise to a number of legal issues when not used correctly. One such issue is the use of monitoring tools within DRM technologies that have the potential, either inadvertently or otherwise, to report on and collect data pertaining to their consumers’ habits and preferences. This may have serious privacy implications.
A typical example involving a DRM system with questionable monitoring tools may include a conventional streaming platform. Persons are required to pay a monthly premium to access copyrightable/protected content. This may range from music to TV shows and movies accessed while logged onto the platform using a personal sign in/password method. While making use of the digital content, the platform may contain DRM technology that is able to track each individual’s consumption of the service, such as the type of content they enjoy, when they enjoy it and even where, by accessing users location details. While this can be seen as research aimed at improving consumer experience, it is very easy for this kind of data to become unduly invasive of an individual’s privacy. Once collected, the data may be used for purposes unrelated to the platform or even sold to third parties. Monitoring of this nature is not what the average user signs up for when consuming such a service.
The right to privacy is afforded constitutional protection in terms of section 14 of the South African Constitution while the processing of personal information falls within the ambit of the Protection of Personal Information Act, 2013 (“POPI”). In terms of POPI, processing of personal information must be consistent with the eight processing principles set forth in POPI. Most notably, they include accountability which requires that corporations ensure conditions for lawful processing of personal information. In addition, the processing limitation condition requires that processing should be reasonable and should not infringe on the privacy of the data subject. The purpose specification condition states that collection of data must be for a specific defined purpose and not used for further processing without the express consent of the data subject.
These are just a few of the processing conditions enumerated in POPI. Accordingly, where corporations deploy controversial DRM monitoring and metering tools, an enquiry must be embarked upon to determine whether the collection of personal information is warranted in the circumstances and whether such data has been obtained lawfully with the consumers consent. Even where consent has been obtained, collection and monitoring of usage should not infringe on an individual’s right to privacy. POPI has not yet been signed into law, however, more and more companies are starting the process of becoming POPI compliant.
While DRM methods are a perfectly acceptable mechanism for persons to safeguard proprietary and other interests in the digital world, it is crucial to ensure that the appropriate policies, terms and conditions are in place to protect the interests of both the consumers and entities seeking to restrict access to their digital content. Consumers must be mindful of the personal information that they are required to make available in order to consume digital content protected by DRM methods; and entities deploying DRM methods and making use of monitoring tools need to be aware of the privacy rights of their consumers.
Reviewed by Ridwaan Boda, head of ENSafrica’s technology, media and telecommunications department.