An Update on South Africa’s 2013 Protection of Personal Information Act

By Cov Africa on July 24, 2020

President Cyril Ramaphosa announced on June 22, 2020, that certain sections of the Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”) would become effective on July 1, 2020.  POPIA gives effect to the right to privacy in section 14 of the Constitution of the Republic of South Africa, 1996 (Act 108 of 1996).  POPIA will impact all responsible parties that collect, store, process and/or disseminate personal information as part of their business activities.  POPIA defines a responsible party as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.  The commencement of these essential provisions contained in POPIA now positions South Africa in line with global best practice on data protection and privacy.  The commencement of POPIA signifies a great advance for the South African data protection and privacy legal landscape.

Background

Since 2013, POPIA has been put into operation incrementally, with a number of sections of POPIA having been implemented in April 2014 (i.e. the definitions; legislation pertaining to the establishment and operation of the South African Information Regulator (“Information Regulator”); the power for the Minister of Justice and the Information Regulator to make and publish Regulations to give effect to POPIA; and the procedural sections relating thereto).  The incremental implementation of POPIA was largely due to the publication of the draft EU General Data Protection Regulations (“GDPR”) in 2013 and its commencement thereafter on May 25, 2018, which guided and informed the South African legislature in the drafting of POPIA.  The South African legislature has ensured that POPIA mirrors the essential provisions contained in the GDPR.  For example, under the GDPR, as under POPIA, individuals have a right to request the deletion of their information or request a limitation of the processing of their information in certain instances, and all businesses now have a duty to report any data breach to the Information Regulator within 72 hours of becoming aware of the breach, where practicable.

POPIA provisions effective as of July 1, 2020

The POPIA provisions effective as of July 1, 2020 pertain to:

  • the conditions for the lawful processing of personal information;
  • the regulation pertaining to the processing of special personal information;
  • codes of conduct issued by the Information Regulator;
  • procedures for dealing with complaints;
  • provisions regulating direct marketing by means of unsolicited electronic communication and the general enforcement of POPIA; and
  • the requirement that all forms of processing of personal information must, within 1 year after the commencement of the section, be made to conform to POPIA.  In other words, all private and public entities will need to ensure compliance with POPIA by July 1, 2021 (see section 114(1) of POPIA).

See No. R. 21 of 2020 in Government Gazette no. 11136, Vol. 660 No 43461 dated June 22, 2020 sections 2 to 38; sections 55 to 109; section 111; and sections 114 (1), (2) and (3).

Sections 110 and 114(4) of POPIA will take effect June 30, 2021.  The delay in relation to the commencement of sections 110 and 114(4) is as a result of the fact that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (“PAIA”) from the South African Human Rights Commission to the Information Regulator, which is yet to be concluded.

Key POPIA Provisions

With the commencement of POPIA, businesses operating within this space must demonstrate that they have implemented measures prescribed under and in terms of POPIA and its regulations, to ensure that personal information in their possession is protected from any unauthorized access, loss and/or use.  For example, Regulation 4 (Responsibilities of Information Officers) read together with sections 55 to 56 of POPIA makes provision for the appointment of an information officer, who must ensure that:

  • “a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the PAIA;
  • internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Information Regulator”.

POPIA also requires businesses to incorporate suitable technical and security measures to protect personal information, in line with the volume, nature, and sensitivity of the personal information in a business’s possession.

POPIA provides data subjects who are affected by a data breach the right to institute a claim against a business that has inadequately stored information.  Data subjects will not be required to prove that the business storing and/or processing the information was negligent in doing so.  This means that POPIA empowers data subjects to institute claims against parties responsible for their personal information on a strict liability basis.

Furthermore, section 114(1) is of particular importance as it states that all forms of processing of personal information must, within 1 year after the commencement of the section, be made to conform to POPIA, which means that both public and private entities must ensure compliance with POPIA by July 1, 2021.  However, it stands to reason that all entities subject to POPIA should attempt to comply with the provisions of POPIA as soon as possible in order to give effect to the right of privacy.

Businesses should note that once POPIA is in full force and effect, non-compliance with POPIA may result in administrative fines of up to R10 million, imprisonment, civil damages and most importantly, reputational harm.

For further information on POPIA, please contact Shivani Naidoo at SNaidoo@cov.com.

  • Posted in:
    Corporate & Commercial, International
  • Blog:
    Cov Africa
  • Organization:
    Covington & Burling LLP