Countdown to South Africa’s new data laws – What to expect
South Africa is preparing for the full implementation of the Protection of Personal Information Act (POPIA), which will take effect from 1 July 2021.
In a statement on Wednesday 24 March, the government noted that the 100-day countdown to this date was underway and there were numerous processes that were being implemented to ensure all public and private bodies meet this deadline.
“Today marks 100 days to the deadline for public and private bodies to ensure that their processing of personal information conforms to the Protection of Personal Information Act (POPIA),” the Information Regulator (IR) said.
“The Guidelines to develop Codes of Conduct as well as the standards for making and handling complaints under approved codes of conduct were gazetted on 19 February 2021 and are available on the website.”
“This means that the IR can now receive applications for codes of conduct and those applications may be sent to [email protected],” it added.
The regulator said it is currently processing public comments received on the draft guidelines for the registration of information officers.
It said it is anticipated that the Guidance Note on Information Officers and Deputy Information Officers will be published on or before the end of April 2021 and registration will commence on 1 May 2021.
“An online registration portal for registration of Information Officers will be established,” the IR said.
The regulator noted that failure to comply with certain provisions of POPIA may result in the IR imposing an administrative penalty of up to R10 million as of 1 July 2021 or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment.
What to expect
Previously, businesses that did not comply with the new regulations could not have been prosecuted as described by the regulator, as they are expected to conform to the laws as of 30 June 2021.
From 1 July 2021, if companies do not conform with all the provisions of the regulations, they will be liable for violating any component of the Act and may face prosecution and fines.
POPIA focuses greatly on consumers’ right to privacy, requiring the secure and local storage of customer information.
The processing of this data can only be completed under specific conditions which balance the right to privacy against other rights – particularly the right of access to information.
The circumstances under which private data is allowed to be processed include the following cases:
- The data subject (the customer or employee) consents to the processing.
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
- Processing complies with an obligation imposed by law on the responsible party.
- Processing protects a legitimate interest of the data subject.
- Processing is necessary for the proper performance of a public law duty by a public body.
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
This means that South Africans will have greater control over the processing of their personal data in most circumstances, and companies will need to be careful to comply with regulations when storing and accessing customer information.
Ramifications for online platforms
Popular online services such as WhatsApp may clash with POPIA regulations, as will a number of other major international providers.
The Information Regulator had already previously stated that WhatsApp could not force South Africans to accept its new privacy policy, which caused a significant backlash when it was announced earlier this year.
The IR said disabling the functionality of users who do not accept the new policy is unacceptable.
“The consent in terms of our law is specific – it is a voluntary expression of will on what you are consenting to,” Advocate Pansy Tlakula, chair of the Information Regulator of SA, said.
“On the face of it, the new WhatsApp privacy policy requires involuntary consent because it says you should leave the platform if you do not give consent. That can never be voluntary consent.”
Many online platforms which collect information such as cellphone numbers from customers may be forced to comply with South Africa’s new data privacy laws to operate to their full extent locally.
It remains to be seen how international platforms will update their systems to fit South Africa’s new regulatory environment, as well as whether local companies will be prepared for the changes.