South Africa’s Data Privacy Law Is Now In Effect

Written by: Charles R. Langhorne IV, Esq.

South Africa’s newest data privacy law, the Protection of Personal Information Act (“PoPIA”) is now in effect. There is a 12-month grace period, and enforcement will not begin until July 1, 2021.

The PoPIA applies to businesses that process personal information in South Africa, whether or not they are domiciled in South Africa. Keeping with the current trend among new data privacy laws, the definition of “personal information” is expansive and includes any information that relates to an identifiable, living person.

Previous drafts of the PoPIA pre-date the European Union’s GDPR, but were ultimately put on hold to allow for completion of GDPR. As expected, the PoPIA has provisions that are very similar to the European Union’s GDPR.

Important provisions to note are:

• Information can only be used for the specified purpose it was originally obtained for.
• Further processing is limited. If processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.
• Businesses must take reasonable steps to ensure that the information is complete, not misleading, up to date, and accurate.
• The data subject and the South African Information Regulator must be notified that data is being processed.
• Businesses must ensure that proper security safeguards and measures to safeguard against loss, damage, destruction, and unauthorized or unlawful access or processing of the information, have been put in place.
• The data subject must be able to access the personal information stored by a business and must be able to correct the information.
• Cross-border transfers are limited to countries that have legislation in place that is effectively similar to the PoPIA or the recipient is under contractual obligations that are effectively similar to the PoPIA.