The Protection of Personal Information Bill 2009 (POPI or the Bill) was approved by the Portfolio Committee on Justice and Constitutional Development (the Committee) today. This is the first step towards the introduction of a new data protection regime for South Africa and follows a lengthy period of deliberation on the Bill by the Committee.


POPI proposes the introduction of a number of fundamental principles aimed at protecting personal information held by businesses and brings South Africa in line with international data protection laws. Once it is enacted, POPI will become South Africa's primary legislation dealing with the processing of personal information. Its impact will be far-reaching and will significantly affect the manner in which companies collect, store and disseminate personal information. In general, POPI will apply to the processing of personal information entered in a record by a responsible party who is processing information in South Africa and is domiciled in South Africa, or is domiciled elsewhere and is doing more than merely forwarding personal information through South Africa.

Going forward

The Bill will now be considered and is likely to be passed by the National Assembly before being referred to the National Council of Provinces (NCOP) for consideration. The NCOP can accept or reject the Bill or propose amendments to it. Once these deliberations are finalised, and subject to any further amendments that may be proposed by the National Assembly, the Bill will be signed into law. It is anticipated that this process could take anything from one to six months. The Bill also provides for a one year grace period before its provisions become effective. This will allow organisations some time to become compliant.

We are closely monitoring the progress of the Bill and will keep you updated as and when developments occur.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.