This post was written by Cynthia O’Donoghue.

After 10 years of debate, South Africa’s President Jacob Zuma has finally signed South Africa’s first framework privacy bill into law, the Protection of Personal Information Bill (PoPI). PoPI will reinforce the right to privacy under Article 14 of the South African Constitution. PoPI will take effect one year after the date of enactment, though there is potential for this transition period to increase to three years, dependent on discussions between the Minister of Justice and Constitutional Development, and the newly established data protection authority (DPA). After this date, the DPA will be empowered by PoPI to enforce fines of up to 10 million Rand ($957,171) for non-compliance.

PoPI will provide protection for both individuals and juristic persons, including corporations. The new law will also allow the DPA to file lawsuits on behalf of individuals against data controllers. Data controllers will have to be aware of this strict liability they will bear, and the potential for remedies sought to include aggravated damages.

PoPI is based upon a framework of conditions, including:

  • Accountability – Data controllers will bear ultimate liability and responsibility for compliance with PoPI
  • Processing Limitation – data may only be processed lawfully and excessively, and with consent of the data subject (which can be withdrawn at any time.) Explicit consent of the data subject is required for processing sensitive data.
  • Purpose Specification – data may only be collected for a specific, explicitly defined and lawful purpose. Any data collected should not be retained any longer than is necessary for achieving that purpose. Explicit consent is required for direct marketing.
  • Further Processing – any further processing must be compatible with the original purpose of collection
  • Information Quality – reasonable steps must be taken to ensure data is complete, accurate, not misleading and updated when necessary
  • Openness – Data controllers must retain open records documenting all processing operations undertaken, and must take reasonable steps to ensure data subjects are informed of the purpose and extent of data collected; the identity of the data controller; whether provision of the information is mandatory or voluntary and the consequences of failure to supply that information; any subsequent disclosure to third parties; and the full extent of rights available to data subjects under PoPI
  • Security Safeguards – Data controllers must take responsible steps to secure the integrity and confidentiality of personal data in their possession by taking appropriate technical and organisational security measures. Any security compromises must be notified to the DPA and the data subject concerned.
  • Data Subject Participation – A data subject has rights under PoPI to access or correct their personal information held by the data controller

President Jacob Zuma commented, ‘PoPI will give effect to the right to privacy by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties.”