Law of Privacy in South Africa

There is an international consensus that the collection, processing and use of personal data should be regulated by a management body. Uniform rules on the processing of personal data not only protect individuals and organisations from costly breaches, but also facilitate international trade, as data protection concerns can be a major barrier to cross-border trade. Technology is constantly evolving, so data protection law must evolve with it. The Personal Information Protection Act in South Africa is older than many other data protection laws, but was introduced over several years and is therefore still quite current. Part of the Information Regulator's role is also to conduct research, consult and work with Parliament to further develop the Act. The Act aims to promote the protection of personal data processed in South Africa and makes the right to privacy enshrined in the Bill of Rights enforceable. POPIA aligns South Africa with global best practices in data protection. It applies to any organisation that processes information in South Africa. It does not apply to processing for personal or household purposes.

Personal data has a broad meaning: it is any information that can be used to identify a natural or legal person. POPIA is one of the few data protection laws in the world that also protects legal entities (e.g. companies and trusts). POPIA has been a work in progress since it was proposed for implementation by the South African Law Reform Commission in 2005. The delay in adoption was due in part to the publication of the draft EU General Data Protection Regulation (“GDPR”) in 2013, when POPIA's editorial board took a break to review some of the innovations proposed in the GDPR and to take steps to ensure that the South African data protection authority (i.e. the Information Regulator (“SAIR”)) had the opportunity to develop operational capabilities. In this regard, POPIA entered into force over an extended period, with the first provisions, which in particular allowed the creation of the SAIR, entering into force on 11 April 2014. So far, SAIR has taken steps to become fully operational, such as issuing regulations, establishing codes of conduct and raising public awareness.

South Africa is not only moving from old data protection legislation to updated legislation, but is also introducing data protection laws for the first time. Therefore, organizations that have not yet launched their compliance programs need to start soon, as time is already running out before July 1, 2021. Compliance with POPIA does not only mean the creation of a privacy policy. In fact, the first step towards compliance is for a company to understand how data flows through its business (which isn't an easy task if it hasn't been done before) and to launch its training and awareness campaigns. South African citizens must also be informed of their new access rights as data subjects, which give them more control over how their data is processed. In recognition of the constitutional right to privacy, POPIA provides the mandatory mechanisms and procedures for the processing of personal data in South Africa. As the law was formulated under the EU Directive, it is similar to the General Data Protection Regulation (GDPR) and facilitates cross-border processing of personal data between the EU and South Africa. POPIA goes into less detail than the GDPR when it comes to data transfers (“cross-border information flows”), but there are still restrictions in the name of privacy and security, described in Section 72. Overall, the conditions are similar to the legal bases for the processing of personal data, e.g. contractual agreement, consent of the data subject, performance of the contract, legitimate interest, etc.

In accordance with Articles 17-18, the controller must keep documentation of all processing activities and take reasonable steps to ensure that data subjects are informed of the conditions of the processing and may contact the controller. Information about processing activities and related requirements must also be easily accessible to data subjects, for example via a website cookie or privacy statement. Specifically, the Chief Information Officer will be involved in tasks such as drafting and updating the Privacy Policy and other related documents, conducting risk assessments, training staff, drafting and maintaining contracts with third parties, addressing security issues (including data breaches), reporting to and liaising with the regulator and data subjects, and other duties. Section 6 describes exceptions to POPIA compliance requirements, which are quite common compared to other data protection laws:

Preeta Bhagattjee is a Director within our Technology, Media and Telecommunications practice. She has supported many important clients both in the ICT sector and as clients of ICT services, as well as in the public and private sectors, in the areas of technology and communications law, outsourcing and service level agreements, e-commerce law, intellectual property, and data protection and privacy.

The Data Protection Act does not provide for regulatory measures regarding cookies.

Accordingly, the general data protection provisions of data protection law also apply to online privacy. The Constitution of the Republic of South Africa guarantees the right to privacy. In addition, certain provisions of the Electronic Communications and Transactions Act 2002 (“ECTA”) govern the electronic collection of personal information, although compliance with these provisions is voluntary. However, these ECTA provisions on the protection of personal data will be repealed on 30 June 2021 (see below). In today's digital economy, organizations face unprecedented challenges in managing the privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements for the collection, use and disclosure of personal information makes it imperative that modern businesses have a nuanced understanding of the issues if they are to compete in today's economy. The Personal Information Protection Act (POPIA) is South Africa's federal data protection law for the protection of individuals' privacy, which is considered a human right. The law describes when it is legal for one party, such as a company, to process the personal data of another party, such as an individual. Zeyn Bhyat of ENSafrica reports that on 22 June 2020 it was announced that South Africa's comprehensive Data Protection Act, known as the Personal Information Protection Act 2013 (POPIA), will come into force on 1 July 2020.