Having first been tabled in August 2009, the Protection of Personal Information Bill (POPI) has taken just over four years to get to the point where it was passed by the South African National Assembly on 20 August. All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma.

There have been a number of delays in the drafting of POPI, not the least of which is the public consternation regarding the controversial Protection of State Information Bill. There was also some hope that the delay would enable the South African legislators to amend POPI to take into consideration any changes to the EU Data Protection Directive 95/46/EC. However, the recent developments show that South Africa is not willing to wait for the conclusion of the European debate and is ready to move this legislation forward.

What Do You Need To Know About POPI?

POPI should provide European companies some comfort regarding the processing of personal data in South Africa, as it is essentially based on the EU Data Protection Directive, in particular the UK’s interpretation of that directive.

POPI establishes eight conditions that need to be met in order for the processing of personal data to be lawful. Those conditions are accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

The eight conditions essentially encompass the EU Directive principles one through seven. POPI also contains restrictions on the transfer of personal data outside of South Africa unless the country to which the data is being transferred has laws that provide a similar level of protection for the personal data. Given that POPI is based on the EU Directive, transfers to the EU will in all likelihood meet the requirements of POPI.

Compliance and Enforcement

POPI gives South African organisations a 12-month grace period in which to bring their personal data processing practices in line with the requirements of POPI. However, in light of the fact that POPI is also the instrument that establishes the information regulator, it seems likely that organisations may have a little more time to prepare themselves before any formal action takes place, thus giving the information regulator a little more time to settle into its role.

While 12 months may seem like a long time in which to prepare to comply with POPI, the reality is that it often takes organisations a lot more time to understand what their data flows are, let alone how to make those data flows compliant with data privacy legislation. We would strongly recommend that those organisations that have been putting off a review of their personal data processing activities now take time to consider what personal data they collect and process and start taking steps to achieve compliance with the requirements of POPI. After all, noncompliance could result in a fine of up to R10 million, or about 650,000 GBP, and no organisation wants to be the first to experience the wrath of a newly established regulator looking to make itself known both to business and, perhaps more importantly, the public.

Paula Barrett is a partner in Eversheds LLP’s commercial practice and leads Eversheds’ international data privacy practice. She is currently advising on data protection compliance issues in 60-plus countries around the world. Paula is recommended by Chambers as a leading individual in the field of data protection and has presented seminars and webinars for the IAPP and Association of Corporate Counsel. Paula is the only legal representative on the National Information Assurance Forum committee reporting into the government on the promotion of information security.

Penelope Jarvis is an Eversheds associate (South African qualified) and is a data protection, freedom of information and environmental information regulation specialist. Penelope joined Eversheds in the middle of 2012 having previously worked at the Olympic Delivery Authority and the BBC. With nearly five years of in-house experience, Penelope has a unique understanding of the challenges faced by companies with regard to compliance with data protection/privacy and information access regimes.