South Africa has been playing catch up in respect of implementing the data privacy laws it has developed. Photo: Ivan Alvarado/Reuters

Data privacy in SA: It's all about to change

By Ahmore Burger-Smidt | Published Jun 23, 2020

JOHANNESBURG – On 1 July 2020 the way in which we deal with personal information in South Africa will change. Long gone are the days when privacy could be ignored or undervalued.

The Protection of Personal Information (PoPI) Bill was first tabled 12 years ago, in 2009. It was signed into law in 2013, but very few provisions of the PoPI Act, 2013 have been operational to date.

The Presidency determined on 22 June 2020 that sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) of the PoPI Act shall commence on 1 July 2020.

Sections 110 and 114(4) shall commence on 30 June 2021.

The sections which will commence on 1 July 2020 are crucial parts of the PoPI Act and bring with them the duty to comply with the conditions for processing stipulated in the PoPI Act. This includes not only lawful processing but also security of information. It also includes how companies will deal with direct marketing going forward.

The PoPI Act recognises in its preamble that section 14 of the Constitution provides that everyone has the right to privacy. In section 2 of the PoPI Act it is recorded that the purpose of the PoPI Act is to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at –

  • balancing the right to privacy against other rights, particularly the right of access to information; and
  • protecting important interests, including the free flow of information within the Republic and across international borders.

Since time immemorial, South Africa has been playing catch up in respect of implementing the data privacy laws it has developed. So much so that the United Nations special rapporteur on data and privacy protection, Professor Joseph Cannataci, stated on 11 March 2020 at a roundtable discussion at the Human Sciences Research Council in Pretoria that –

“Privacy laws started decades ago. By 2001 there were more than 20 countries that brought legislation up to certain levels. South Africa is about 30 years behind. The first data privacy laws were written in Sweden in 1973. Other European countries then followed shortly. South Africa, in 2020, is only now playing catch up.” (L Kiewit)

South African society will be able to claim the protection afforded by the PoPI Act from 1 July 2020. The road has been long to get to this point. The problem is that the road to full compliance will be very short. Companies will be required to be in full compliance with the PoPI Act within 12 months after the PoPI Act comes into effect. This means that entities, not only private but also public, will have to ensure compliance with the PoPI Act by 1 July 2021.

Ahmore Burger-Smidt is head of the Data Privacy Practice Group at Werksmans Attorneys.

BUSINESS REPORT
