An Update on South Africa’s 2013 Protection of Personal Information Act

President Cyril Ramaphosa announced on June 22, 2020, that certain sections of the Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”) would become effective on July 1, 2020.  POPIA gives effect to the right to privacy in section 14 of the Constitution of the Republic of South Africa, 1996 (Act 108 of 1996).  POPIA will impact all responsible parties that collect, store, process and / or disseminate personal information as part of their business activities.  POPIA defines a responsible party as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.  The commencement of these essential provisions contained in POPIA, now position South Africa in line with global best practice on data protection and privacy.  The commencement of POPIA signifies a great advance for the South African data protection and privacy legal landscape.

Background

Since 2013, POPIA has been put into operation incrementally, with a number of sections of POPIA having been implemented in April 2014 (i.e. the definitions; legislation pertaining to the establishment and operation of the South African Information Regulator (“Information Regulator”); the power for the Minister of Justice and the Information Regulator to make and publish Regulations to give effect to POPIA and the procedural sections relating thereto).  The incremental implementation of POPIA was largely due to the publication of the draft EU General Data Protection Regulations (“GDPR”) in 2013 and its commencement thereafter in May 25, 2018, which guided and informed the South African legislature in the drafting of POPIA.  The South African legislature has ensured that POPIA mirrors the essential provisions contained in the GDPR.  For example, under the GDPR, as under POPIA, individuals have a right to request the deletion of their information or request a limitation of the processing of their information in certain instances, and all businesses now have a duty to report any data breach to the Information Regulator within 72 hours of becoming aware of the breach, where practicable.

POPIA provisions effective as of July 1, 2020

The POPIA provisions effective as of July 1, 2020 pertain to:

  • the conditions for the lawful processing of personal information.;
  • the regulation pertaining to the processing of special personal information;
  • codes of conduct issued by the Information Regulator;
  • procedures for dealing with complaints;
  • provisions regulating direct marketing by means of unsolicited electronic communication and the general enforcement of POPIA; and
  • all forms of processing of personal information must, within 1 year after the commencement of the section, be made to conform to POPIA.  In other words, all private and public entities will need to ensure compliance with POPIA by July 1, 2021 (see section 114(1) of POPIA)

See No. R. 21 of 2020 in Government Gazette no. 11136, Vol. 660 No 43461 dated June 22, 2020 sections 2 to 38; sections 55 to 109; section 111; and sections 114 (1), (2) and (3).Sections 110 and 114(4) of POPIA will take effect June 30, 2021.  The delay in relation to the commencement of sections 110 and 114(4) is as a result of the fact that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (“PAIA”) from the South African Human Rights Commission to the Information Regulator, which is yet to be concluded.

Key POPIA Provisions

With the commencement of POPIA, businesses operating within this space must demonstrate that they have implemented measures prescribed under and in terms of POPIA and its regulations, to ensure that personal information in its possession are protected from any unauthorized access, loss and/or use.  For example, Regulation 4 (Responsibilities of Information officers) read together with sections 55 to 56 of POPIA make provision for the appointment of an information officer, who must ensure that:

  • “a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is done to ensure that adequate measures;
  • and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the PAIA;
  • internal measures are developed together with adequate systems to process request for information or access thereto; and
  • internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Information Regulator”.
  • POPIA also requires businesses to incorporate suitable technical and security measures to protect personal information, in line with the volume, nature, and sensitivity of the personal information in a business’s possession.

POPIA provides data subjects who are affected by a data breach the right to institute a claim against a business that has inadequately stored information.  Data subjects will not be required to prove that the business storing and/or processing the information was negligent in doing so.  This means that, POPIA empowers data subjects to institute claims against parties responsible for their personal information on a strict liability basis.Furthermore, section 114(1) is of particular importance as it states that all forms of processing of personal information must, within 1 year after the commencement of the section, be made to conform to POPIA, which means that both public and private entities must ensure compliance with the POPIA by July 1, 2021.  However, it stands to reason that all entities subject to POPIA should attempt to comply with the provisions of the POPIA as soon as possible in order to give effect to the right of privacy.Businesses should note that once POPIA is in full force and effect, non-compliance with POPIA may result in administrative fines of up to R10 million, imprisonment, civil damages and most importantly, reputational harm.

For further information on POPIA, please contact Robert Kayihura at RKayihura@cov.com or Shivani Naidoo at SNaidoo@cov.com.

This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.

LexBlog