In the digital world, this happens to be true. But it is not only companies that have realised the value that lies in personal data and have monetised it; personal data is just as valuable for cyber criminals.

Data privacy legislation allows for data subjects to sue for civil damages arising out of data privacy violations. But what is claimed?

Personal data carries immense value for various reasons. At its core, personal data is a resource. Access to information creates a competitive advantage and enables the holder of it to understand the playing field, and strategically position itself to lead the competitive landscape. How personal data is used and valued depends primarily on the ambitions of the holder thereof.

For companies, data is an opportunity to better understand the needs, desires and concerns of their customer. Companies aim to commercialize personal data in order to generate higher revenue or create cost savings. In analyzing an existing data set, new business opportunities, services, or products can be identified. Data mining, pattern recognition, or machine learning algorithms assist in getting to the answer. One thing is for sure and that is that data commercialization involves leveraging data to create new value for a business.

On the other hand, cyber criminals steal personal data for a variety of reasons—blackmail, identity theft, extortion—but the most common is to sell that information to anyone willing to pay.

Recently, Vodacom Tanzania PLC (“Vodacom“) has been confronted with the allegation that they shared personal data with an artificial intelligence chatbot, ChatGPT, without the complainant’s consent.

Mr. Sayida Masanje (“Mr. M“) has asked the court to grant him relief by ordering Vodacom to pay him damages of SH10 billion for the “substantial loss of privacy” caused by Vodacom’s alleged failure to protect his personal data. [1]

Mr. M argues that –

• during February and March 2023, he discovered his personal data on ChatGPT;
• Vodacom purposely facilitated and allowed third-party unauthorised access to his personal data and proprietary network information; and
• the data shared on ChatGPT includes incoming and outgoing calls, IMEI, IMSI, his SIM identity, his location and other personal identifiable information. [2]

But what is the real worth of personal data? Like any market, the value of personal data is based on supply and demand. We know that male data comes at a higher premium that female data. This is just because there are more females than males in the world. The dark web is where cyber criminals go to sell personal data. As of May 2021, you can buy access to a hacked Facebook account on the dark web for $65 (approximately R1,251)!

On the other hand, because health records often reflect a far more complete collection of personal data of an individual, this being personal identifying and sensitive information, health care records have proven to be of particular value for cyber criminals. 

The matter against Vodacom is still pending before the Tanzanian High Court and is scheduled to be heard on 13 September 2023.[3] It remains to be seen whether the Tanzanian High Court will find in favour of Mr. M and if so, what value the court will place on the personal information of Mr M.

We await the outcome!

Footnotes:

[1] See “Vodacom Tanzania faces Sh10 billion suit over data privacy” accessed on 27 July 2023.

[2] See “Vodacom Tanzania faces Sh10 billion suit over data privacy” accessed on 27 July 2023.

[3] See “Vodacom Tanzania faces Sh10 billion suit over data privacy” accessed on 27 July 2023.