More than two years after the EU General Data Protection Regulation (GDPR) went into effect, South Africa has finalized its own data protection statute with the Protection of Personal Information Act of 2013 (POPIA). POPIA’s implementation comes after a lengthy waiting period and represents a significant shift in strengthening the privacy rights of data subjects in South Africa.
POPIA’s Road to Implementation
POPIA started as a South African Law Reform Commission issue paper in 2003 and was designated for implementation back in 2005. Initially influenced by the EU Data Protection Directive 95/46/EC, lawmakers eventually delayed POPIA’s implementation in order to consider the draft publication of the EU GDPR. As a result, POPIA was rolled out incrementally starting in 2013, with the initial provisions of the regulation laying out the definitions, the establishment of the South African Information Regulator (‘SAIR’), and the delegation of powers to the Minister of Justice and the SAIR to make and publish regulations giving effect to POPIA.
The SAIR published the final draft of the POPIA regulations in December 2018, in the hope that it would commence at the beginning of the financial year running from April 1 to March 31, 2020. After some delay, the comment period closed in January 2020 and the South African President announced that POPIA would finally be implemented on July 1, 2020. The key POPIA provisions going into effect at that time include:
- Purposes and applications provisions;
- Conditions for the lawful processing of personal information;
- Regulations pertaining to the processing of special personal information and personal information relating to children;
- Exemption provisions;
- Provisions relating to Information Officers;
- Prior authorization requirements;
- Cross-border data transfer provisions;
- Codes of conduct issued by the SAIR;
- Procedures for dealing with complaints;
- Provisions regulating direct marketing by means of unsolicited electronic communication; and
- Guidelines for enforcement, offenses, and sanctions.
Definition of Personal Information
The manner in which POPIA defines ‘personal information’ is also fairly broad. Section 1 defines ‘personal information’ as information relating to an identifiable, living natural person and to an existing juristic person (such as an identifiable company or other similar legal entity). This expansive definition is very important, as it reflects an understanding that personal information applies both to partnerships and to unincorporated persons.
The statute then provides an extensive set of examples of personal information covered, which includes, but is not limited to:
- information related to a person’s race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth;
- information related to a person’s education, medical, financial, criminal, or employment history;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, or online identifiers;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence that is implicitly or explicitly private or confidential in nature or where further correspondence would reveal the contents of the original correspondence;
- the views or opinions of another individual about that person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Responsible Parties under POPIA
POPIA will apply to processing of personal information entered in a record by or for a ‘responsible party’ who processes the information in South Africa and is domiciled in South Africa, or is domiciled elsewhere but uses automated or non-automated means in South Africa to process that personal information. POPIA defines these ‘responsible parties’ as any public or private body or other person which, alone or in conjunction with others, determines the purpose and means for processing information (i.e. ‘data controllers’). Similar to EU GDPR, it then sets forth more limited responsibilities for ‘operators’ (i.e. ‘data processors’) who process personal information pursuant to a contract or mandate with a responsible party.
Eight Principles of Processing Personal Information
Of particular importance, POPIA sets out eight principles governing the processing of personal information, including those activities related to direct marketing, automated decision-making, and processing of cross-border data transfers. These eight principles are:
- Accountability: The person processing the data is responsible for ensuring POPIA compliance.
- Processing limitation: Personal information may only be processed in a fair and lawful manner, done with the data subject’s consent, and limited to only that information which is required.
- Purpose specification: Personal information may only be processed for a specific, explicitly defined and lawful purpose.
- Further processing limitation: If processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.
- Information quality: The person processing personal information must take reasonable steps to ensure that the personal information is complete, not misleading, up to date, and accurate, keeping in mind the purpose for which the personal information was collected.
- Openness: The person processing personal information must take steps to ensure that the data subject is aware that his or her personal information is going to be collected, including the name and address of the responsible party and the purpose for which it is being collected.
- Security safeguards: Technical and organizational measures must be implemented to keep personal information secure against the risk of loss, damage, unauthorized access, interference, modification, destruction, and disclosure.
- Data subject participation: The data subject must be able to access the personal information that a responsible party has on them and be able to correct that information.
Responsible parties processing personal information will need to comply with each of the eight principles listed above at the time the purpose and means of processing are determined, as well as during the processing itself.
Penalties for Noncompliance & 12-Month Grace Period
Penalties for noncompliance can include up to 10 years’ imprisonment and/or ZAR 10 million in administrative fines (around $580,000 USD). Further, POPIA gives individuals impacted by a data breach the right to file a claim against the company responsible for their personal information without requiring proof that the business stored and/or processed that information in a negligent manner.
This strict liability framework has not gone unnoticed. Both Amazon Web Services and Microsoft have opened cloud data centers in South Africa to help ensure compliance with POPIA’s cross-border transfer requirements. Meanwhile, other companies are acting quickly to notify regulators about possible data breaches: Logbox, a South African medical data startup, announced within the first week of POPIA taking effect that it would be filing a report with the SAIR after a database containing access keys for thousands of patient records was exposed to hackers.
With that in mind, the enactment of POPIA may serve as a wake-up call to companies that have taken a ‘wait-and-see’ approach over the last seven years. Anticipating that not all companies would be ready on day one, POPIA Section 114 sets forth a 12-month grace period that allows responsible parties to get up to speed, requiring that all forms of processing of personal information conform with the statute’s requirements by July 1, 2021.
To ensure POPIA compliance, companies will need to review existing records management policies and procedures, looking at both the nature and scope of current data processing operations within South Africa and their adherence to specific recordkeeping requirements under South African law. As with the EU GDPR, this will help companies create a clear line of sight on how personal information is being managed and ensure that the processing of that information meets the standards set forth by POPIA by the July 2021 deadline and beyond.