South Africa’s Protection of Personal Information Act (POPIA) was set to take effect from 1 April 2020, but this date has been delayed due to the coronavirus outbreak in the country.
No new date has been set for the effective date of the new legislation.
The Act concerns the processing of personal information by companies and other agents, and introduces a number of new laws that clamp down on user and employee data processing.
Michalsons has posited that the POPIA deadline may be 1 June 2021, which means the effective date of the regulations would be 1 June 2020.
“We continuously monitor developments on privacy and data protection in South Africa and 1 June 2021 is our best guess based on the information publicly available,” the law firm said.
“This will mean that the POPIA commencement date or effective date will be 1 June 2020, with the 12-month grace period ending on 1 June 2021.”
Michalsons noted that the information regulator has consistently said POPIA will not commence until the regulator is fully operational, which has taken longer than expected.
“The information regulator still has much work to do in order to be operational – the prerequisite for the POPIA deadline,” the firm said.
“Considering the number of people who currently work for the information regulator and the slow pace at which they have been becoming operational it is difficult to see that they will complete this work before the end of May 2020, which then means that the POPIA commencement date would be about 1 June 2020 with the POPIA deadline then being about 1 June 2021.”
“There will be lots of attention on data protection on the POPIA deadline and it cannot be on the same date as the end of the information regulator’s first term because it would create too much uncertainty,” the firm added.
There needs to be an established information regulator in office to manage the transition from the grace period to POPIA being in full force and effect, Michalsons added.
Effects of POPIA on businesses
POPIA will bring about a number of changes to South African businesses.
Citizens will have more control over the processing and privacy of their information, which will result in fewer spam calls and reduced exposure of their personal details to companies.
Pansy Tlakula, the chairperson of the Information Regulator of South Africa, previously stated that the Act would provide protection from unwelcome callers.
Although certain provisions of POPIA are already in force – such as those mandating the establishment of the regulator – the primary provisions dealing with direct marketing have not yet been enacted.
These provisions may result in “cold calling” no longer being allowed and will impose a significant burden on direct marketers to secure databases of personal information.
Companies will also need to ensure their customer data is processed securely and in line with the regulations, or they will face hefty fines.
Importantly, POPIA includes provisions for the disclosure and processing of personal information if:
- The data subject consents to the processing.
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
- Processing complies with an obligation imposed by law on the responsible party.
- Processing protects a legitimate interest of the data subject.
- Processing is necessary for the proper performance of a public law duty by a public body.
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
In other cases, personal information may not be processed or disclosed – providing South Africans with protection against companies that would use their personal data unscrupulously.