South Africa’s Protection of Personal Information Act (PoPIA) empowers its citizens with enforceable rights over their personal information. The law establishes eight minimum requirements for data processing, creating a broad definition of personal information for comprehensive end-user protection, as well as forming the South African Information Regulator (SAIR) as lead enforcer and supervisor of the law. PoPIA was assented to in November 2013, by then-president Jacob Zuma, and took effect in July 2020. South Africa’s Parliament granted all South African entities a one-year grace period, expecting them to comply by June 30, 2021.
The Legislation at a Glance
- PoPIA applies to any company or organization processing personal information in South Africa, whether it is domiciled in the country or, if not domiciled, makes use of automated or non-automated means of processing personal information in the country
- Fines for non-compliance with PoPIA can range up to 10 million South African Rands (ZAR)
- PoPIA prohibits transfers of personal information outside of South Africa, subject to exceptions discussed further on
- PoPIA creates nine actionable rights for South African citizens (discussed further on)
- PoPIA also creates eight conditions for lawful data processing (discussed further on)
- PoPIA defines consent as any voluntary, specific, and informed expression of will
- PoPIA defines processing as collection, receipt, recording, organization, storage, merging, or linking (and more)
- PoPIA defines personal information broadly as any information about a living person, company, or legal entity
- PoPIA allows companies and organizations to process data if it’s deemed in the user’s legitimate interest
9 Rights for South African Citizens
- The right to be notified about collection and processing of personal information
- The right to access personal information
- The right to request correction of personal information
- The right to request deletion of personal information
- The right to object to the processing of personal information
- The right not to have personal information processed for direct marketing by means of unsolicited electronic communications
- The right not to be subject to a decision that has legal consequences for them and is based solely on automated processing
- The right to complain to SAIR
- The right to effect judicial remedy
In other words, South African citizens have the right to know when their personal information is likely to be collected and to consent to it before it happens. They can also require that a website give them access to the personal information it has collected about them, and have that information corrected or deleted.
8 Conditions for Lawful Data Processing
- Accountability: organizations are responsible for ensuring compliance with the law and must take appropriate measures to protect personal information
- Processing limitation: personal information should only be collected and processed for a specific purpose that is lawful, justified, and compatible with the reason it was collected
- Purpose specification: relevant entities must inform individuals about the purpose for which their personal information is being collected and processed
- Further processing limitation: organizations should only further process personal information in a way compatible with the original purpose for which it was collected
- Information quality: personal information should be accurate, complete, and kept up to date
- Openness: individuals have the right to know what personal information the organization is collecting, how it uses that data, and who has access to it
- Security safeguards: organizations must implement appropriate technical and organizational processes to protect personal information against unauthorized access, loss, destruction, or alteration
- Data subject participation: individuals have the right to access their personal information, request corrections, and object to its processing in certain circumstances
Cross-Border Data Transfers
PoPIA states that a responsible party may only transfer personal information to a third party that is in a foreign country if certain protections are in place. To transfer personal information out of the country, one of the following protections must exist:
- There’s adequate legal protection: the cross-border recipient of the personal information is subject to a law, corporate rules, or an agreement that provides an adequate level of protection that effectively upholds the principles for reasonable processing
- Consent: the data subject consents to the transfer of personal information
- Necessary: the transfer of personal information is necessary for the performance of a contract between the data subject and the responsible party
- It’s in the interests of the data subject: the transfer of personal information is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the responsible party and a third party
- It benefits the data subject: the transfer of personal information is for the benefit of the data subject in circumstances where it is not reasonably possible to obtain the consent of the data subject for the transfer, and if it were reasonably possible, the data subject would be likely to give consent
So, PoPIA allows the export of personal data to countries whose laws provide an adequate level of protection for personal information, but it does not specify those countries or create a mechanism for regulatory recognition of them. This means the responsibility lies with the party transferring the data to assess the adequacy of the legislation in each country to which the data will be sent.
Non-compliance with PoPIA can have various consequences, including:
- Administrative penalties: SAIR can impose administrative fines for non-compliance of up to ZAR 10 million ($530,000 / £444,000) or 10 percent of the organization’s annual turnover, whichever is higher
- Civil liability: civil suits that can result in courts awarding financial compensation to the affected individuals
- Reputational damage: public awareness of privacy rights and data breaches is increasing, and consumers are becoming more concerned about how entities handle their data. Data breaches or privacy violations can erode trust and negatively impact an organization’s reputation
- Business disruption: SAIR may issue enforcement notices or orders requiring organizations to rectify non-compliant practices, which can divert resources and/or require significant changes to data processing procedures
- Criminal offenses: severe violations can result in criminal charges
Examples of Notable Enforcement
September 2021: The Department of Justice and Constitutional Development was fined ZAR 5 million ($265,000 / £222,000) for a security compromise of its IT systems that left those systems unavailable to its employees, affected the services provided to the public, and resulted in the loss of 1,204 files containing personal information.
May 2022: SAIR issued Dis-Chem (a South African pharmacy franchise) with an enforcement notice following a data breach in which the data of more than 3.6 million South Africans was compromised. The enforcement notice ordered Dis-Chem to conduct a Personal Information Impact Assessment, implement strong access control measures, maintain an Information Security Policy, and conclude written contracts with all operators who process personal information on its behalf (contracts that compel the operator to establish and maintain the same or better security measures as referred to in PoPIA), among other things, and to submit a report detailing all of the above.
September 2023: This year, SAIR issued an enforcement notice to the South African Police Service (SAPS) after it found that officers violated multiple sections of PoPIA when they shared personal information of the victims of a gang rape (including their names, ages, home addresses and ID numbers) in a WhatsApp group. The deadline for the SAPS to make submissions on the actions taken in line with the regulator’s recommendations has expired, and the regulator’s response to that deadline is forthcoming.
Comparing PoPIA to GDPR
- PoPIA protects companies and organizations in the same way as it does people, whereas the GDPR only protects living individuals.
- Unlike the GDPR, which applies to the processing of personal data from inside the EU regardless of where the controller/processor is located, PoPIA only applies to companies or organizations that are located within South Africa.
- There is an exception to the above for entities that make use of automated processing means in South Africa, e.g. adtech and social media companies.
- Where the GDPR clearly defines a data processor, PoPIA only talks about the “responsible party” so there’s no “joint controller” definition or responsibility.
- PoPIA requires all organizations to appoint an Information Officer, typically automatically assigned to the CEO, whose roles and responsibilities differ from the GDPR’s Data Protection Officer.
- PoPIA also requires organizations to appoint a Deputy Information Officer.
What’s Next for Privacy Law in South Africa
Growing pains. Having only come into force in 2021, there is going to be a lot to learn in terms of applying the law, doing so fairly and consistently, and reducing the time it takes to reach a decision. All of these take time, as the last five years of the GDPR in the EU have shown.
If you’re not sure where to start in creating your privacy strategy, we’re here to chat.