South Africa finally has data protection legislation! Although the right to privacy has been enshrined as a fundamental right in the Bill of Rights since 1996, United Nations Special Rapporteur on the Right to Privacy Joseph Cannataci said in March that South Africa is “about 30 years behind” in implementing its privacy legislation when compared to other jurisdictions.
The substantive provisions of the Protection of Personal Information Act 2013 enter into force July 1 (certain provisions relating to the oversight of the access to information will commence June 30, 2021). The act allows for a grace period of 12 months to enable organizations to become compliant. Given that the act has been around for a number of years, many have long completed their compliance initiatives, while others adopted a “wait-and-see” approach and now need to start their compliance projects. Enforcement goes into effect July 1, 2021, and organizations could be liable for administrative fines of up to ZAR 10 million (approximately $580,000 USD), civil cases or criminal liability.
The process of drafting the act began in 2003 and was principally based on the EU Data Protection Directive 95/46/EC, although it includes some stricter provisions. The act was signed into law in 2013 and partially enforced in 2014, allowing for the establishment of the Information Regulator in 2016 (the chairperson and members of the Information Regulator have been elected for five years with their term ending in December 2021).
In the interim, the EU moved onto the more comprehensive General Data Protection Regulation in 2018. POPIA could be considered “adequately protective” in terms of the GDPR, as certain stricter provisions were included in the initial text, based on earlier versions of the GDPR. That is the hope of organizations in South Africa. If it is not seen as adequately protective in terms of the GDPR, we could expect further amendments to the act sooner rather than later, as an aim of this legislation would be to enhance the ability of information sharing globally. An adequately protective finding would make South Africa an appealing location for outsourcing and offshoring of back-office functions and data centers.
The act aims to promote the protection of personal information processed in South Africa and gives actionable effect to the right to privacy enshrined in the Bill of Rights. POPIA aligns South Africa with global data protection best practices. It applies to any organization processing information in South Africa. It does not apply to processing for personal or household purposes. Personal information is defined broadly as any information that can be used to identify a natural or juristic person. POPIA is one of the few data protection laws globally that also affords protection to juristic persons (for example, companies and trusts).
One big change the act brings is the obligation to report data breaches. Until now, there have been several breaches that have flown under the radar due to the lack of reporting obligations. Organizations will be required to report suspicions of unauthorized access to personal data to the Information Regulator, and in some cases, to the data subjects.
POPIA also brings increased requirements when offshoring data. Organizations need to ensure they meet the requirements of the cross-border provisions of POPIA when sending data out of the country. Both Microsoft and Amazon Web Services have created local data centers in anticipation of the act coming into force.
South Africa is not merely moving from old data protection legislation to an updated version, but is introducing data protection legislation for the first time. Therefore, organizations that have not yet started their compliance programs will need to start soon, as the clock is already ticking down to July 1, 2021. Compliance with POPIA does not mean merely drafting a privacy policy. Indeed, the first step in compliance is for an organization to understand how data flows through its business (not an easy task if it has not been done before) and to start its education and awareness campaigns. South African citizens also need to be made aware of their new data subject access rights, which will allow them more control over how their data is handled.
Protection of privacy rights came into the spotlight this year, both in South Africa and globally, with the COVID-19 pandemic giving rise to contact-tracing apps and the creation of new databases of sensitive personal information. Although the act was not in full force at the time, the Information Regulator published guidelines relating to the collection of personal information for COVID-19-tracking purposes. Given the increased importance of the right to privacy with the advent of COVID-19 contact-tracing apps and the creation of national databases of sensitive information, the commencement of the act is just in time.