Ramaphosa paves the way for new data protection laws with POPI Act
Consumers concerned about their personal information can breathe a sigh of relief as President Cyril Ramaphosa has proclaimed sections of the Protection of Personal Information Act into law.
The Presidency said on Monday sections of the POPI Act will now come into effect on June 30 and July 1 respectively. The POPI Act gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy. The act tries to strike a balance between the right to privacy and the right for access to information.
Much of the act's components were put into effect in April 2014, but other sections had to be halted until other measures were put in place. As part of the act's requirements, an Infomation Regulator was established and its members took office in December 2016.
Now that an Information Regulator has been established it has paved the way for other sections of the act to come into effect. These sections include Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) will commence on 1 July, 2020. Sections 110 and 114(4) will commence on 30 June, 2021.
The various sections deal with the following components:
"The sections which will commence on 1 July, 2020 are essential parts of the act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the act.
"Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the act by 1 July, 2021.
"However, it stands to reason that private and public bodies should attempt to comply with the provisions of the act as soon as possible in order to give effect to the rights of individuals," the Presidency explained.
The Presidency said the reasons for the delay in implementation of the Acts sections was to allow for the transfer of functions.
"The reason for the delay in relation to the commencement of sections 110 and 114(4) – which are to commence on 30 June, 2021 – is that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (PAIA) from the South African Human Rights Commission to the Information Regulator.
"In this regard, the Commission must finalise or conclude its functions referred to in sections 83 and 84 of PAIA and all mechanisms must be in place for the Regulator to take over these functions."
The Presidency said that public and private bodies that process personal information will have to ensure that they do so in a lawful manner to safeguard against the theft of personal information and data breaches.
The powers afforded to the Information Regulator of South Africa may see non-compliant entities face censure if they fail to follow measures to protect private information.
Rosalind Lake and Priyanka Naidoo, from law firm Norton Rose Fulbright, said organisations should not underestimate how quickly the 12 months will pass because there is a lot to do to become compliant.
"Serious consideration has to be given to the personal information that the organisation processes, and how this creates risk from a reputational, commercial and enforcement perspective.
"This can be efficiently managed through a POPI compliance audit. Such an audit will identify risks or gaps which the organisation may not have been aware of, and will implement measures to address those risks," they said.