South Africa\u2019s POPIA went into full effect in 2020, though it had been rolled out in sections starting from when it received Presidential assent seven years earlier. Enforcement then began in 2021. In modern terms, it is one of the older data privacy laws, predating the European Union\u2019s General Data Protection Regulation (GDPR) by several years.<\/p>\n\n\n
What is South Africa\u2019s Protection of Personal Information Act (POPIA)?<\/h2>\n\n\n
The Protection of Personal Information Act (POPIA)<\/a> is South Africa\u2019s federal data protection law to protect people\u2019s privacy, which is considered a human right. The Act outlines when it is legal for one entity, like a company, to process another entity\u2019s personal information, like that of an individual.<\/p>\n POPIA received parliamentary assent on November 19th, 2013, however, the Act did not fully go into effect immediately. Sections have gone into effect since 2013, but a number of key sections didn\u2019t go into effect until July 1st, 2020, which the President proclaimed to be the date of commencement. Organizations had 12 months to work toward compliance with the Act, and enforcement began on July 1st, 2021.<\/p>\n The Information Regulator was established on December 1st, 2016, and is responsible for enforcing POPIA. It handles both investigations of alleged violations as well as penalties where noncompliance has been demonstrated. The Information Regulator reports to the South African Parliament.<\/p>\n POPIA has 12 Chapters, containing 115 Sections. The rights of data subjects are covered in Section 5<\/a>. Chapter 3<\/a> of POPIA covers Conditions for Lawful Processing. Section 11<\/a> outlines the conditions for data subjects\u2019 consent or objection, and other legal justifications and responsibilities for data processing:<\/p>\n Additionally, the responsible party bears the burden of proof for the data subject\u2019s (or competent person as representative\u2019s) consent, and the data subject or competent person may withdraw consent at any time.<\/p>\n Data subjects may also object to the processing of their personal information at any time on reasonable grounds, via the prescribed manner, as long as prevention or termination of that data processing is not prevented by active legislation.<\/p>\n\n\n Section 4<\/a> outlines the lawful conditions of data processing:<\/p>\n POPIA applies to \u201cany natural or juristic person who processes personal information\u201d by \u201cautomated or non-automated means\u201d (Section 3<\/a>). So it does apply to individuals, though more commonly to companies, other organizations, and the government.<\/p>\n Note that under the definitions in Section 1<\/a>, the \u201cresponsible party\u201d is \u201ca public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information\u201d.<\/p>\n Also per Section 3<\/a>, POPIA applies to responsible parties both \u201cdomiciled in the Republic\u201d, or not, i.e. POPIA is extra-territorial. The key consideration is if data subjects are located in South Africa, not whether the entity that is processing their data is located there.<\/p>\n\n\n Section 6<\/a> outlines exclusions from POPIA compliance requirements, which are fairly common in comparison to other data privacy laws:<\/p>\n Section 7<\/a> has some further exclusions and specific requirements relating to \u201cjournalistic, literary or artistic expression\u201d. This section helps enable freedom of expression and the freedom of the press, while ensuring responsible actions, e.g. adherence to \u201cdomestic and international standards, and to professional codes of ethics.<\/p>\n\n\n Section 5<\/a> covers the rights of data subjects under POPIA. They include rights to:<\/p>\n POPIA does not include a right not to be discriminated against when exercising one\u2019s other rights as a data subject. The GDPR<\/a> doesn\u2019t either, though the CCPA<\/a> does. Note that POPIA uses an opt-in model of data subject consent, i.e. consumers\u2019 consent must be obtained prior to collection or processing of their personal information.<\/p>\n\n\n Definitions of key terms in POPIA are in Section 1<\/a>.<\/p>\n Covered in Chapter 3, Part A<\/a>, this is information that relates to \u201can identifiable, living, natural person\u201d or identifiable, existing juristic person. Personal information can include, but is not limited to:<\/p>\n (a)<\/strong> race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; It should be noted that while physical or mental health, religion, disability, ethnic origin, colour, sexual orientation, and some other information are included in POPIA\u2019s definitions of \u201cpersonal information\u201d, in fact they qualify as \u201cspecial personal information\u201d and thus require specialized and\/or restricted handling. In some cases processing of this type of information is prohibited.<\/p>\n This type of personal information is covered in Section 26<\/a>, or, more specifically, there are prohibitions on processing this type of personal information due to the potential for it to be used harmfully. Types of personal information classified as \u201csensitive\u201d include:<\/p>\n (a)<\/strong> religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or<\/p>\n (b)<\/strong> criminal behaviour of a data subject to the extent that such information relates to\u2014<\/p>\n Processing special personal information is prohibited unless it is performed under the exceptions outlined in Section 27<\/a>, which include consent, legal obligations, the subject having already made the information public, and other stipulations.<\/p>\n This refers to \u201cany operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including\u2014<\/p>\n (a)<\/strong> the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; The natural or juristic person to whom personal information relates. Refers to persons residing in South Africa. A juristic person is an organization legally recognized to have rights and responsibilities like a human individual.<\/p>\n POPIA does not refer to \u201ccontrollers\u201d like some other privacy laws, i.e. the party responsible for the collection and processing of data, and, as a result, safeguarding it as well. POPIA does refer to the responsible party, meaning \u201ca public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information\u201d.<\/p>\n Under some other privacy laws, the operator performs the processing for the controller. Under POPIA, the operator does this for the responsible party. Specifically, the operator is \u201ca person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party\u201d.<\/p>\n The data protection authority, officially the Information Regulator (SAIR), as defined and with duties covered in Sections 39-54<\/a>, including education, guidance, research, monitoring, handling complaints and enforcement. This entity is also responsible to advise on and direct the evolution of the law.<\/p>\n Some privacy laws refer to the anonymization of data. Under POPIA, the term is de-identification, which \u201cin relation to personal information of a data subject, means to delete any information that\u2014<\/p>\n (a) <\/strong>identifies the data subject; A natural person under the age of 18 who is not legally competent to consent to actions or decisions. A competent person (an adult of over the age of 18 legally able to make decisions for a child) is required where consent regarding a child\u2019s personal information is needed.<\/p>\n\n\n Per the definitions in Section 1, consent under POPIA is \u201cany voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information\u201d. Consent is one of the legal bases for data processing, as outlined in Section 11<\/a>.<\/p>\n Like the GDPR and some other international privacy laws, POPIA uses an opt-in model of consent, so generally data subject consent must be procured from a legally competent person, or their representative in the case of a child, before collecting or processing their data.<\/p>\n\n\n Section 11<\/a> covers justifications for personal information processing, commonly referred to as \u201clegal bases\u201d in the GDPR and elsewhere. These requirements are quite similar to those listed in the GDPR:<\/p>\n (a)<\/strong> the data subject or a competent person where the data subject is a child consents to the processing; Justification like legitimate interest might seem convenient as it would not require obtaining data subject consent, but as with other laws, entities would not just be able to claim legitimate interest and start collecting and processing personal information at will. There are requirements specific to claiming legitimate interest (and any other legal basis) as well.<\/p>\n\n\n Under POPIA, companies are not the only organizations required to comply, but those inside and outside of South Africa (but doing business there) are substantially affected.<\/p>\n Chapter 3<\/a> covers companies\u2019 responsibilities, i.e. conditions of lawful processing. Part A<\/a> of Chapter 3 outlines POPIA\u2019s eight conditions for processing personal information that are companies\u2019 responsibilities. The Information Regulator can conduct an assessment or audit of an organizations\u2019 POPIA compliance either by request or on its own initiative (Section 40<\/a>).<\/p>\n Per Section 8<\/a>, the responsible party must ensure conditions for lawful processing, such as the general ones for processing of personal information, as well as specific conditions and prohibitions for processing of sensitive personal information or the information of children<\/p>\n Per Sections 9-12<\/a>, the responsible party does not infringe on data subjects\u2019 rights and limits processing to only that which is needed for the stated purpose, for which they have a legal basis, and respond to requests or complaints from data subjects regarding their personal information.<\/p>\n Per Sections 13-14<\/a>, the responsible party can only collect and process personal information for a specific, stated and legal purpose, can only retain the information for as long as necessary to fulfill the purpose, and must securely store, restrict access to, and delete the information as necessary.<\/p>\n Per Section 15<\/a>, for any further processing of the information beyond the stated and legal purpose, a number of conditions must be met, including, potentially, obtaining new data subject consent. This also affects retaining personal information after the period of time necessary for the original processing purpose.<\/p>\n Per Section 16<\/a>, the responsible party must reasonably ensure that personal information collected and processed is complete, accurate, and up to date. Related to this is being responsive to requests or complaints from data subjects regarding access to, update of, or deletion of their personal information.<\/p>\n Per Sections 17-18<\/a>, the responsible party must maintain documentation regarding all processing activities, and take reasonable steps to ensure that data subjects are notified about the conditions of processing and can contact the responsible party. Information regarding processing activities and related requirements also need to be easily accessible to data subjects, e.g. via a website cookie or privacy policy.<\/p>\n Per Section 19-22<\/a>, the responsible party must take reasonable actions to ensure the security of all personal information processed, including if it is passed to other parties (e.g. the operator, for processing), and to take appropriate and immediate action if there is a breach of security, which would include contacting the Regulator and affected data subjects.<\/p>\n Per Sections 23-25<\/a>, data subjects have rights of request and access to their personal information, to which responsible parties must be responsive. There are also conditions under which such requests can be denied.<\/p>\n All organizations that are required to comply with POPIA must have an information officer, which is the same as a data protection officer or similar titles. Depending on the volume and types of duties, it may also be necessary to appoint one or more Deputy Information Officers (Section 56<\/a>). The information officer and any deputies must be registered with the Regulator by the responsible party before they can begin performing any duties.<\/p>\n Section 55<\/a> covers their duties and responsibilities, which include encouraging compliance, managing requests, working with the Regulator on investigations, and related duties. Section 56<\/a> covers the designation of deputy information officers, if needed.<\/p>\n More granularly, the information officer will be involved in tasks like drafting and maintaining the privacy policy and other related documentation, conducting risk assessments, training employees, drafting and maintaining contracts with third parties, handling security issues \u2014 including data breaches \u2014 and reporting\/liaising with the Regulator and data subjects affected, and other tasks.<\/p>\n POPIA goes into less detail regarding data transfers (\u201ctransborder information flows\u201d) than the GDPR does, but there are still restrictions in the name of privacy and security, outlined in Section 72<\/a>. Broadly, the conditions are similar to legal bases for personal information processing, e.g. contractual agreement, data subject consent, performance of a contract, legitimate interest, etc.<\/p>\n POPIA does not have a requirement for adequacy decisions, i.e. international agreements among countries where it has been determined that the country or organization in question has established an adequate level of data protection. These decisions can significantly streamline contractual requirements and obligations between relevant parties when data transfers need to occur, or cause large headaches when companies have to reorganize operations because of a lack of them.<\/p>\n Sections 19-22<\/a> cover security safeguards, including specific requirements in the event of a data breach. Unsurprisingly, two key requirements are the notifications to the Regulator and impacted data subjects (unless their identities can\u2019t be determined) as soon as reasonably possible (Section 22<\/a>). There are also specifications for how notifications must be delivered and information they need to contain. The Regulator may also require the responsible party to publicize the breach if it would benefit data subjects (e.g. to help notify them where it was otherwise not possible).<\/p>\n\n\n Under POPIA, children are classified as people under age 18, who are not considered legally competent. This is a higher age threshold than with the GDPR. In most cases, in order to process children\u2019s personal information, consent from their parent, guardian, or other legal representative (\u201ccompetent person\u201d) must be obtained in advance, though there are a number of other conditions under which it can take place, broadly following standard processing legal bases, but with additional bases.<\/p>\n Processing of children\u2019s personal information is covered in Sections 34-35<\/a>, with the latter section covering conditions under which children\u2019s personal information can be processed.<\/p>\n\n\n Enforcement is covered in considerable detail in POPIA in Chapter 10, Sections 73-99<\/a>. As noted, enforcement comes under the responsibility of the Information Regulator, which is a federal level government position. The Regulator is involved with investigating alleged violations, making referrals to other regulatory bodies, working toward securing warrants from a judge or magistrate, handing down penalties, and other actions.<\/p>\n\n
Conditions for lawful data processing under South Africa\u2019s Protection of Personal Information Act?<\/h2>\n\n\n
\n
Who does South Africa\u2019s Protection of Personal Information Act apply to?<\/h2>\n\n\n
Exclusions from South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
\n
What are consumers\u2019 rights under South Africa\u2019s Protection of Personal Information Act?<\/h2>\n\n\n
\n
Key definitions from South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
Personal information<\/h4>\n
\n(b)<\/strong> the education or the medical, financial, criminal or employment history of the person;
\n(c)<\/strong> any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
\n(d)<\/strong> biometric information of the person;
\n(e)<\/strong> personal opinions, views or preferences of the person;
\n(f)<\/strong> correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
\n(g)<\/strong> views or opinions of another individual about the person; and
\n(h)<\/strong> name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person<\/p>\nSpecial personal information<\/h4>\n
\n
\n
Processing<\/h4>\n
\n(b)<\/strong> dissemination by means of transmission, distribution or making available in any other form; or
\n(c)<\/strong> merging, linking, as well as restriction, degradation, erasure or destruction of information;<\/p>\nData subject<\/h4>\n
Responsible party<\/h4>\n
Operator<\/h4>\n
Regulator<\/h4>\n
De-identification<\/h4>\n
\n(b)<\/strong> can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
\n(c) <\/strong>can be linked by a reasonably foreseeable method to other information that identifies the data subject\u201d<\/p>\nChild<\/h4>\n
Definition of consent under South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
Legal bases under South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
\n(b)<\/strong> processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
\n(c)<\/strong> processing complies with an obligation imposed by law on the responsible party;
\n(d)<\/strong> processing protects a legitimate interest of the data subject;
\n(e)<\/strong> processing is necessary for the proper performance of a public law duty by a public body; or
\n(f)<\/strong> processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied<\/p>\nCompanies\u2019 responsibilities under South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
Accountability<\/h4>\n
Processing limitation<\/h4>\n
Purpose specification<\/h4>\n
Further processing limitation<\/h4>\n
Information quality<\/h4>\n
Openness<\/h4>\n
Security safeguards<\/h4>\n
Data subject participation<\/h4>\n
Information Officer<\/h4>\n
Data transfers<\/h4>\n
Reporting data breaches<\/h4>\n
South Africa\u2019s Protection of Personal Information Act and children<\/h2>\n\n\n
Penalties and enforcement under South Africa\u2019s Protection of Personal Information Act<\/h2>\n\n\n
![\"icon](\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/09\/Checklist.png\")
<\/div>\n <\/div>\n <\/div>\n<\/div>\n