South Africa finally has data protection legislation! Although the right to privacy has been enshrined as a fundamental right in the Bill of Rights since 1996, United Nations Special Rapporteur on the Right to Privacy Joseph Cannataci said in March South Africa is “about 30 years behind” in implementing its privacy legislation when compared to other jurisdictions.
The substantive provisions of the Protection of Personal Information Act 2013 enter into force July 1 (certain provisions relating to the oversight of the access to information will commence June 30, 2021). The act allows for a grace period of 12 months to enable organizations to become compliant. Given that the act has been around for a number of years, many have long completed their compliance initiatives, while others adopted a “wait-and-see” approach and now need to start their compliance projects. Enforcement goes into effect July 1, 2021, and organizations could be liable for administrative fines of up to ZAR 10million (approximately $580,000 USD), civil cases or criminal liability.
The process of drafting the act began in 2003 and was principally based on the EU Data Protection Directive 95/46/EC, although it includes some stricter provisions. The act was signed into law in 2013 and partially enforced in 2014, allowing for the establishment of the Information Regulator in 2016 (the chairperson and members of the Information Regulator have been elected for five years with their term ending in December 2021).
In the interim, the EU moved onto the more comprehensive General Data Protection Regulation in 2018. POPIA could be considered “adequately protective” in terms of the GDPR, as certain stricter provisions were included in the initial text, based on earlier versions of the GDPR. That is the hope of organizations in South Africa. If it is not seen as adequately protective in terms of the GDPR, we could expect further amendments to the act sooner rather than later, as an aim of this legislation would be to enhance the ability of information sharing globally. An adequately protective finding would make South Africa an appealing location for outsourcing and offshoring of back-office functions and data centers.
The act aims to…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
