The Protection of Personal Information Act (“POPI” or the “Act”) was assented to on 19 November 2013 and enacted to, amongst other things, regulate the processing of personal information in South Africa. POPI came into force incrementally with section 1 (Definitions), Part A of Chapter 5 (Information Regulator), section 112 (Regulations) and section 113 (Procedure for making Regulations) becoming operative on 11 April 2014. Since then, POPI has been in legislative limbo as the operation of the material sections of the Act has been suspended.
The legal uncertainty and anticipation surrounding the enactment of POPI have come to an end with a proclamation issued by President Cyril Ramaphosa on 17 June 2020. In terms of the proclamation, the majority of POPI’s sections will commence on 1 July 2020, with sections 110 (Amendment of laws) and 114(4) (Transitional arrangements) of POPI only commencing on 30 June 2021. This is a fundamental step in safeguarding personal information, ensuring protection against data breaches and curtailing the unlawful distribution of personal information.
Implementation of certain sections of POPI on 1 July 2020
Broadly, the sections which come into effect on 1 July 2020 stipulate the conditions on which personal information may be lawfully processed. They are, in particular:
- sections 2 to 38;
- sections 55 to 109;
- section 111; and
- section 114(1), (2) and (3).
These are the fundamental sections of POPI, which include:
- the conditions for the lawful processing of personal information, including the provisions relating to accountability, processing limitations, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation;
- the regulation of the processing of special personal information. “Special” information is information which relates to a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life and criminal behaviour or biometric behaviour;
- the Codes of Conduct issued by the Information Regulator;
- procedures for dealing with complaints relating to breaches of POPI, for example, unlawful sharing of a data subject's personal information;
- the regulation of direct marketing by means of unsolicited electronic communication; and
- the general enforcement of POPI and penalties against those in breach of POPI.
Trigger of the application of POPI
Keeping up with global privacy and information processing standards, POPI promotes the protection of personal information processed by public and private bodies. The purpose of POPI is to give effect to the Constitutional right to privacy. The right to privacy includes the right to protection against the unlawful collection, retention, dissemination and use of personal information.
POPI governs the processing of personal information that is entered into a record by a responsible person who is either domiciled in South Africa, or domiciled outside South Africa but makes use of automated or non-automated means to forward personal information through South Africa.
POPI compliance is essential to avoid penalties linked to non-compliance and may entail significant financial, technological and human capital costs to ensure that professional and legal standards are adhered to.
Both private and public bodies will have until 30 June 2021 to ensure compliance with POPI. One year may be insufficient if a body does not have existing data protection policies and procedures, or has inadequate policies/procedures.
This bulletin was prepared by partner Melanie Hart, senior associate Kathryn Mitchell and candidate attorney Emma Alimohammadi.