Published On: June 19, 2026
Authored By: Malehlohonolo Msibi
Regenesys Business School
Introduction
The proliferation of artificial intelligence systems across public and private sectors has fundamentally altered the relationship between individuals, technology, and the law. In South Africa, as elsewhere, AI-driven tools now influence decisions affecting employment, creditworthiness, access to services, and even criminal justice outcomes. Yet the legal framework governing accountability for harms caused by these systems remains profoundly underdeveloped. The central research question guiding this article is: To what extent does South Africa’s current legal framework, particularly the Protection of Personal Information Act 4 of 2013, provide effective accountability mechanisms for harms arising from algorithmic decision-making systems, and what reforms are necessary to bridge the gap between data protection law and the realities of AI governance?
This article argues that while South Africa has established a foundational data protection regime through POPIA, this framework is woefully inadequate to address the unique challenges posed by artificial intelligence, including algorithmic bias, opaque decision-making processes, the generation of inferred personal information, and the practical difficulties of enforcing data subject rights against complex AI systems.[1] Drawing on comparative insights from the European Union’s AI Act and Digital Services Act, as well as emerging case law from other jurisdictions, this article proposes a set of targeted reforms to enhance AI accountability within the South African legal order.
Legal Framework Governing AI and Data Protection in South Africa
The constitutional foundation for data protection in South Africa lies in section 14 of the Constitution of the Republic of South Africa, 1996, which guarantees the right to privacy, including the right not to have communications infringed and the right to control the collection and use of personal information.[2] The Constitutional Court has affirmed that privacy is an intrinsic component of human dignity and autonomy, though the precise contours of this right in the digital age remain subject to ongoing judicial elaboration.[3]
The primary legislative instrument governing data protection is the Protection of Personal Information Act 4 of 2013 (POPIA), which gives effect to the constitutional right to privacy by establishing conditions for the lawful processing of personal information.[4] Section 1 of POPIA defines “processing” broadly to include any operation concerning personal information, whether or not by automatic means, encompassing collection, storage, use, and merging of data.[5] Critically, section 3(1) explicitly provides that POPIA applies to the processing of personal information by automated means, bringing AI systems within its ambit.[6]
Of particular relevance to AI governance is section 71 of POPIA, which provides that a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, based solely on the automated processing of personal information intended to profile the person.[7] As Davis and Trott observe in their analysis of AI regulation through data protection laws, this provision aims to mitigate the risks associated with profiling by AI, but its wording is broad and unclear, and to date South Africa’s Information Regulator has neither released guidelines on its application nor published codes of conduct to operationalise this right.[8]
The Cybercrimes Act 19 of 2020 supplements POPIA by criminalising certain conduct involving computer systems, including unlawful access, data interception, and cyber fraud.[9] However, as Aphane notes in her study on policing cybercrime in South Africa, the enforcement landscape remains fragmented, with the South African Police Service lacking dedicated resources and specialised expertise to investigate sophisticated cyber incidents effectively.[10] The Act’s focus on traditional criminal offences does not extend to the systemic harms arising from algorithmic bias or automated decision-making errors.
South Africa’s monist approach to international law means that binding international instruments, including the African Charter on Human and Peoples’ Rights, form part of domestic legal order.[11] The African Commission on Human and Peoples’ Rights has adopted Resolution 473 calling for a study on human and peoples’ rights and artificial intelligence, and Principle 41 of the Revised Declaration of Principles of Freedom of Expression and Access to Information provides that states shall not engage in or condone indiscriminate and untargeted collection, storage, or sharing of communications.[12] These soft law instruments, while not directly enforceable, provide interpretive guidance for South African courts confronting AI-related privacy disputes.
Critical Analysis: Gaps and Insufficiencies in the Current Legal Framework
The Inadequacy of Automated Decision-Making Provisions
Section 71 of POPIA represents the most direct attempt to regulate AI-driven decisions, yet its limitations are manifest. The provision applies only to decisions based “solely” on automated processing, creating an obvious loophole: a decision-maker may incorporate a trivial human review of an AI recommendation and thereby circumvent the protection entirely. As Hohma and colleagues found in their workshop-based study of AI accountability, practitioners consistently identified the lack of clear definitions and standardised procedures as primary obstacles to effective risk governance.[13] The phrase “affects him, her or it to a substantial degree” is undefined, leaving responsible parties and data subjects alike uncertain about when the provision applies.
Moreover, section 71(2) carves out exceptions where the decision is necessary for contract conclusion, authorised by law, or based on the data subject’s explicit consent. These exceptions risk swallowing the rule entirely, particularly given the well-documented power imbalance between data subjects and the organisations processing their information. Meaningful consent in the context of complex AI systems is arguably illusory, as data subjects cannot genuinely understand how their information will be used or what inferences may be drawn about them.[14]
The absence of notification obligations further undermines the provision’s effectiveness. As Alvero and Kouzehkanani emphasise in their analysis of AI accountability, transparency is foundational to any regulatory effort, yet POPIA does not require decision-makers to notify data subjects that they have been subjected to automated decision-making.[15] Without such notification, individuals cannot exercise their rights to challenge or seek explanation of adverse decisions. The practical consequence, as revealed by ALT Advisory’s research on automated decision-making transparency, is that individuals are effectively denied any meaningful remedy.[16]
The Problem of Inferred Personal Information
AI systems do not merely process data explicitly provided; they generate new information through inference and prediction. A credit scoring algorithm might infer an applicant’s health status from purchasing patterns, or a recruitment tool might deduce a candidate’s age from linguistic markers. POPIA defines personal information as information relating to an identifiable, living natural person, but it is silent on whether inferred information constitutes new personal information requiring its own lawful processing basis.[17]
This silence creates a governance vacuum. As the UN Special Rapporteur on Freedom of Opinion and Expression observed, once data are repurposed in an AI system, they lose their original context, increasing the risk that information about individuals will become inaccurate or out of date and depriving individuals of the ability to rectify or delete the data.[18] The ability of AI to make inferences raises the prospect of processing information about data subjects who never consented in the first place, and who may be entirely unaware that such inferences are being drawn and used to make consequential decisions about their lives.
The data minimisation principle, enshrined in POPIA as a condition for lawful processing, requires that data be adequate, relevant, and not excessive for the specified purpose. Yet the logic of machine learning tends toward maximisation: more data produces better models, and data are retained indefinitely for potential future use. Davis and Trott argue that AI’s reliance on big data incentivises behaviour that undermines the data minimisation principle common to most data protection frameworks.[19] This structural tension between AI’s operational requirements and POPIA’s foundational principles remains unresolved in South African law.
De-identification and Re-identification Risks
POPIA excludes de-identified information from its scope, defined in section 1 as information that cannot be used or manipulated by a reasonably foreseeable method to identify the data subject, nor linked by a reasonably foreseeable method to other information that identifies the data subject.[20] The proliferation of AI-powered re-identification techniques fundamentally challenges this exclusion. As the European Parliament’s research service has documented, AI and the proliferation of data have made it much easier to re-identify anonymised data by linking it with, or drawing probable inferences based on, additional data.[21] The threshold of “reasonably foreseeable method” is technologically dynamic; methods that were not reasonably foreseeable at the time of de-identification may become commonplace within months. A responsible party may lack the technical capacity to re-identify data, but a third party with advanced AI capabilities might succeed. POPIA provides no guidance on whether the reasonable foreseeability test applies from the perspective of the responsible party, the average competent data processor, or the state of the art.[22] This ambiguity effectively creates a safe harbour for irresponsible data practices, as organisations may claim de-identification based on their own limited capabilities while ignoring known vulnerabilities.
Algorithmic Bias and Discrimination
The COMPAS recidivism prediction algorithm, discussed extensively in the literature, exemplifies the systemic risks of algorithmic bias. ProPublica’s investigation revealed that African-American defendants were nearly twice as likely as white defendants to be misclassified as high risk, and COMPAS was 77 percent more likely to assign a higher risk score to African-American defendants after accounting for prior offences, future recidivism, age, and gender.[23] While COMPAS operates in the United States, similar predictive tools are increasingly deployed in South African contexts, including credit scoring, insurance underwriting, and recruitment.
POPIA does not directly address algorithmic bias, though section 11 requires that processing be done in a manner that does not unfairly discriminate against data subjects. The absence of technical standards for bias detection and mitigation makes this provision virtually unenforceable. As Belenguer argues in his analysis of discriminatory algorithmic decision-making, bias can enter AI systems at multiple stages: historical bias in training data, representation bias from non-random sampling, measurement bias in feature selection, and evaluation bias through inappropriate benchmarks.[24] Detecting and remediating these biases requires specialised technical expertise that neither the Information Regulator nor the courts currently possess.
The European Union’s AI Act addresses bias through specific obligations for high-risk AI systems, including requirements for data governance, technical documentation, and conformity assessments. Article 10(5) of the AI Act provides that providers of high-risk AI systems may only process sensitive categories of personal data if strictly necessary for identifying or correcting bias, and if the detection of bias cannot be achieved through other means.[25] South African law currently lacks any comparable provision, leaving individuals vulnerable to algorithmic discrimination without effective recourse.
Enforcement and Access to Justice
Even where legal protections theoretically exist, enforcement remains the weakest link. The Information Regulator, established under POPIA, has issued limited guidance on automated decision-making and has not initiated any high-profile enforcement actions against AI systems. As Makunya and Sindani observe in their analysis of constitutional review in Francophone Africa, the demand for constitutional justice and its supply have remained very low, maintaining the status quo where laws inimical to constitutional values can pass unchallenged.[26] A similar dynamic may be observed in South Africa’s data protection enforcement landscape.
Private enforcement faces even greater obstacles. A data subject who suspects that an AI system has produced a discriminatory outcome must first discover that the decision was automated, then identify the responsible party, then prove that the automated processing caused legal or substantial effects, and finally demonstrate that the decision was based on flawed or biased data. Each step presents formidable evidentiary challenges, particularly given the opacity of most commercial AI systems. The right to access information under section 5 of POPIA provides some leverage, but as ALT Advisory’s research demonstrates, even large technology companies are often unable to meaningfully respond to data subjects’ requests to understand whether and how their personal information is used in automated processing.[27]
Discussion: Toward a Principled Framework for AI Accountability
The deficiencies identified above suggest that South Africa’s current legal framework is insufficient to ensure meaningful accountability for AI systems. This section develops an argument for reform grounded in the principles of transparency, fairness, and effective remedy, drawing on comparative insights from the European Union’s emerging AI governance architecture.
The workshop-based study by Hohma and colleagues identified five required characteristics for AI risk management methodologies that are equally applicable to legal frameworks: balance between specialisation and generalisation, extendability to accommodate evolving risks, representation of affected stakeholders, transparency of processes and decisions, and long-term orientation enabling continuous monitoring and updating.[28] South Africa’s current approach fails on each dimension: POPIA’s automated decision-making provision is highly specific yet simultaneously ambiguous, the framework lacks mechanisms for adapting to technological change, affected communities have no formal role in shaping AI governance, the opacity of most AI systems precludes meaningful transparency, and there is no ongoing monitoring or auditing requirement.
The European Union’s AI Act provides a useful reference point for reform, though it must be adapted to South Africa’s constitutional context and institutional capacities. The Act’s risk-based approach categorises AI systems according to their potential for harm, with prohibited practices, high-risk systems subject to strict obligations, limited-risk systems with transparency requirements, and minimal-risk systems largely unregulated.[29] High-risk systems must comply with requirements for risk management, data governance, technical documentation, transparency, human oversight, robustness, accuracy, and cybersecurity.[30]
South Africa could adopt a similar tiered approach, with regulatory intensity calibrated to the nature and magnitude of risks. Prohibited practices would include social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow exceptions), and AI systems that exploit vulnerabilities of persons due to their age, disability, or specific social or economic situation.[31] High-risk systems would include those used in employment, education, access to essential services, law enforcement, migration and border control, and the administration of justice.
For high-risk AI systems, POPIA would need amendment to impose obligations analogous to those in the AI Act: conformity assessments prior to deployment, technical documentation demonstrating compliance, human oversight mechanisms, and post-market monitoring plans. The Information Regulator would require significant capacity enhancement, including the recruitment of technical experts capable of auditing algorithmic systems for bias and compliance.
A more fundamental challenge concerns the nature of accountability in complex socio-technical systems. The responsibility gaps articulated by Santoni de Sio and Mecacci—the culpability gap arising from difficulty in attributing causal responsibility for AI-driven harms, and the moral accountability gap arising from inability to predict machine behaviour—cannot be fully resolved through technical fixes alone.[32] Some degree of legal fictions may be necessary: treating organisations as vicariously liable for their AI systems’ outputs, imposing strict liability for high-risk applications, or requiring mandatory insurance coverage for potential AI-related harms.[33]
The principle of demonstrable accountability, emphasised by Alvero and Kouzehkanani, requires that organisations not only implement appropriate measures but also prove that those measures are effective.[34] This shifts the burden of proof: rather than requiring harmed individuals to demonstrate fault, organisations would need to show that they took reasonable steps to prevent harm, that their systems were appropriately designed and tested, and that they responded appropriately when problems emerged. This approach aligns with the accountability principle already present in POPIA but would require its operationalisation through binding technical standards and enforceable certification mechanisms.
Recommendations for Law Reform and Policy Improvement
Based on the foregoing analysis, this article proposes the following reforms to strengthen AI accountability in South Africa.
First, the automated decision-making provisions of POPIA should be amended to close the loopholes identified above. The “solely” qualifier should be removed, replaced with a provision that decisions based significantly on automated processing trigger protections.[35] Notification requirements should be introduced, requiring responsible parties to inform data subjects when automated decision-making has occurred and to provide information about the logic involved, the significance of the decision, and the right to object. Exceptions should be narrowly construed, with the burden on responsible parties to justify reliance on contract necessity or explicit consent.
Second, the Information Regulator should issue binding guidance on algorithmic bias, establishing technical standards for bias detection and mitigation. This guidance should address data governance practices, including requirements for representative training data, documentation of data provenance, and regular bias audits. The Regulator should develop sector-specific codes of conduct, as permitted under POPIA section 60, for high-risk applications such as credit scoring, recruitment, and insurance underwriting.[36] These codes should specify acceptable methodologies for bias testing, reporting requirements for significant disparities, and remedies for affected individuals.
Third, South Africa should consider legislation specifically addressing AI governance, either through amendment of POPIA or through standalone legislation analogous to the EU AI Act. Such legislation should establish a tiered risk framework, impose obligations on providers and deployers of high-risk AI systems, and create enforcement mechanisms proportionate to the risks. The constitutional right to just administrative action under section 33 of the Constitution would require that decisions significantly affecting individuals be subject to meaningful review, including decisions generated by AI systems.
Fourth, enforcement capacity requires substantial investment. The Information Regulator should be resourced to recruit technical experts capable of auditing algorithmic systems, including data scientists, machine learning engineers, and algorithmic accountability specialists. The Regulator should be empowered to conduct own-initiative investigations, issue binding compliance notices, and impose meaningful administrative fines. The Cybercrimes Act’s enforcement provisions should be reviewed to ensure that the South African Police Service has adequate resources, training, and specialised units to investigate sophisticated AI-related offences.[37]
Fifth, procedural mechanisms for individual redress should be strengthened. The small claims court jurisdiction should be extended to cover AI-related data protection violations, reducing barriers to access for individuals with limited resources. Class action mechanisms should be clarified to permit representative actions for systemic algorithmic discrimination.[38] The right to approach courts under section 38 of the Constitution, which permits anyone acting in the public interest to enforce rights in the Bill of Rights, should be actively utilised by civil society organisations to challenge discriminatory AI systems.
Sixth, South Africa should actively participate in international standard-setting processes, including the Council of Europe’s Convention on Artificial Intelligence and the ongoing work of the African Commission on Human and Peoples’ Rights. The monist approach to international law means that robust international standards can directly inform domestic interpretation and application. Cross-border data transfers, governed by POPIA section 72, should be permitted only to jurisdictions with adequate AI governance frameworks, creating incentives for harmonised standards.
Conclusion
The rapid integration of artificial intelligence into South African society presents both opportunities and profound legal challenges. This article has argued that the current legal framework, centred on POPIA, is fundamentally inadequate to ensure accountability for AI-driven harms. The automated decision-making provisions are narrowly drafted and poorly enforced; the status of inferred personal information is legally uncertain; de-identification does not provide robust protection against AI-powered re-identification; algorithmic bias is addressed only obliquely; and enforcement mechanisms remain inaccessible to most affected individuals.
Yet the deficiencies identified are not beyond remedy. Drawing on comparative insights from the European Union, and guided by the constitutional values of dignity, equality, and accountability, South Africa can develop a fit-for-purpose AI governance framework. Such a framework must be risk-based, proportionate, and enforceable. It must recognise that AI systems are not neutral tools but socio-technical artefacts that reflect the values, biases, and power relations of their creators. It must centre the rights and interests of those most likely to be harmed: marginalised communities, economically vulnerable individuals, and those with limited access to legal remedies.
The urgency of this task cannot be overstated. AI systems are already making consequential decisions about South Africans’ lives, often without their knowledge or meaningful consent. Each day of regulatory delay entrenches existing inequalities and creates new avenues for automated discrimination. The law must catch up, not through reactive band-aids but through principled, forward-looking governance that harnesses AI’s benefits while protecting fundamental rights. The alternative is a future in which algorithmic systems operate beyond democratic accountability, shaping life chances according to logics that neither subjects nor regulators fully understand—a future that South Africa’s constitutional democracy should reject.
Bibliography
Primary Sources
South African Legislation
Constitution of the Republic of South Africa, 1996.
Cybercrimes Act 19 of 2020.
Protection of Personal Information Act 4 of 2013.
European Union Legislation
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (Directive on electronic commerce) [2000] OJ L178/1.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1.
Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L277/1.
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L1689/1.
South African Case Law
Northbound Processing (Pty) Ltd v The South African Diamond and Precious Metals Regulator and Others (unreported) (High Court of South Africa, Gauteng Division, Pretoria).
United States Case Law
Andrea Bartz, Charles Graeber, and Kirk Wallace Johnson v Anthropic PBC, No C 24-05417 WHA (ND Cal 23 June 2025).
Secondary Sources
Books
M Bovens, R Goodin and T Schillemans (eds) The Oxford Handbook of Public Accountability (Oxford University Press 2014).
L Floridi The Ethics of Artificial Intelligence (Oxford University Press 2023).
C O’Neil Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy (Crown 2016).
O Renn Risk Governance: Coping with Uncertainty in a Complex World (Earthscan 2008).
Journal Articles
L Belenguer ‘AI bias: exploring discriminatory algorithmic decision-making models and the application of possible machine-centric solutions adapted from the pharmaceutical industry’ (2022) 2(1) AI and Ethics 1.
T Davis and W Trott ‘The regulation of artificial intelligence through data protection laws: Insights from South Africa’ (2024) 1(1) African Journal on Privacy & Data Protection 207.
A Hohma, A Boch, R Trauth and C Lütge ‘Investigating accountability for Artificial Intelligence through risk governance: A workshop-based exploratory study’ (2023) 14 Frontiers in Psychology 1073686.
TM Makunya and JK Sindani ‘Leveraging constitutional review to combat retrogressive communication surveillance laws in Francophone Africa’ (2024) 24 African Human Rights Law Journal 252.
MP Aphane ‘Policing cybercrime in South Africa: Issues and challenges’ (2025) 14(6) International Journal of Research in Business & Social Science 415.
KM Alvero and R Kouzehkanani ‘The power of accountability in AI governance’ (2025) ISACA Journal 3.
Reports and Policy Documents
ALT Advisory ‘Failure to access: AI transparency in South Africa’ (2022) https://ai.altadvisory.africa accessed 23 May 2026.
European Commission ‘Ethics guidelines for trustworthy AI’ (2019) https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai accessed 23 May 2026.
Information Regulator (South Africa) ‘Guidance note on automated decision-making’ (2024) (forthcoming).
High-Level Expert Group on Artificial Intelligence ‘Ethics guidelines for trustworthy AI’ (European Commission 2019).
UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression ‘Report on artificial intelligence and freedom of expression’ UN Doc A/73/348 (29 August 2018).
News and Online Sources
J Angwin, J Larson, S Mattu and L Kirchner ‘Machine bias: There’s software used across the country to predict future criminals. And it’s biased against blacks’ ProPublica (23 May 2016) https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing accessed 23 May 2026.
References
[1] T Davis and W Trott ‘The regulation of artificial intelligence through data protection laws: Insights from South Africa’ (2024) 1(1) African Journal on Privacy & Data Protection 207.
[2] Constitution of the Republic of South Africa, 1996, s 14.
[3] Investigating Accountability for Artificial Intelligence through Risk Governance (n 2) 5.
[4] Protection of Personal Information Act 4 of 2013, s 2.
[5] POPIA s 1 (definition of ‘processing’).
[6] POPIA s 3(1).
[7] POPIA s 71(1).
[8] Davis and Trott (n 1) 217-218.
[9] Cybercrimes Act 19 of 2020, ch 2.
[10] MP Aphane ‘Policing cybercrime in South Africa: Issues and challenges’ (2025) 14(6) International Journal of Research in Business & Social Science 415, 417–418.
[11] Constitution s 231(4) (international agreements binding on Republic).
[12] African Commission on Human and Peoples’ Rights Resolution 473 (EXTOS/XXXI) 2021; Revised Declaration of Principles of Freedom of Expression and Access to Information in Africa (2019) Principle 41.
[13] A Hohma, A Boch, R Trauth and C Lütge ‘Investigating accountability for Artificial Intelligence through risk governance: A workshop-based exploratory study’ (2023) 14 Frontiers in Psychology 1073686, 12.
[14] Davis and Trott (n 1) 210-211.
[15] KM Alvero and R Kouzehkanani ‘The power of accountability in AI governance’ (2025) ISACA Journal 3, 5-6.
[16] ALT Advisory ‘Failure to access: AI transparency in South Africa’ (2022) https://ai.altadvisory.africa accessed 23 May 2026, 4-5.
[17] POPIA s 1 (definition of ‘personal information’).
[18] UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression ‘Report on artificial intelligence and freedom of expression’ UN Doc A/73/348 (29 August 2018) para 11.
[19] Davis and Trott (n 1) 211.
[20] POPIA s 1 (definition of ‘de-identify’).
[21] European Parliament ‘The impact of the General Data Protection Regulation (GDPR) on artificial intelligence’ (European Parliamentary Research Service June 2020) 50.
[22] Davis and Trott (n 1) 217.
[23] J Angwin, J Larson, S Mattu and L Kirchner ‘Machine bias’ ProPublica (23 May 2016).
[24] L Belenguer ‘AI bias: exploring discriminatory algorithmic decision-making models’ (2022) 2(1) AI and Ethics 1, 4-6.
[25] Regulation (EU) 2024/1689 (AI Act) art 10(5).
[26] TM Makunya and JK Sindani ‘Leveraging constitutional review to combat retrogressive communication surveillance laws in Francophone Africa’ (2024) 24 African Human Rights Law Journal 252, 270-271.
[27] ALT Advisory (n 16) 7-8.
[28] Hohma et al (n 13) 14.
[29] AI Act art 5 (prohibited), arts 6-49 (high-risk), arts 50-56 (transparency).
[30] AI Act arts 9–15.
[31] AI Act art 5(1)(a)–(h).
[32] F Santoni de Sio and G Mecacci ‘Four responsibility gaps with artificial intelligence’ (2021) 34 Philosophy & Technology 1, 3-5.
[33] See Andrea Bartz, Charles Graeber, and Kirk Wallace Johnson v Anthropic PBC No C 24-05417 WHA (ND Cal 23 June 2025) (fair use found for AI training but not for pirated library copies).
[34] Alvero and Kouzehkanani (n 15) 7.
[35] See AI Act art 22(1) (right not to be subject to decision based solely on automated processing, with broader protections).
[36] POPIA s 60.
[37] Aphane (n 10) 420-421.
[38] See section 38 of the Constitution for public interest standing.
