After 10 years of debate, South Africa's President Jacob
Zuma has finally signed South Africa's first framework privacy
bill into law, the Protection of Personal Information Bill (PoPI).
PoPI will reinforce the right to privacy under Article 14 of the
South African Constitution. PoPI will take effect one year after
the date of enactment, though there is potential for this
transition period to increase to three years, dependent on
discussions between the Minister of Justice and Constitutional
Development, and the newly established data protection authority
(DPA). After this date, the DPA will be empowered by PoPI to
enforce fines of up to 10 million Rand ($957,171) for
PoPI will provide protection for both individuals and juristic
persons, including corporations. The new law will also allow the
DPA to file lawsuits on behalf of individuals against data
controllers. Data controllers will have to be aware of this strict
liability they will bear, and the potential for remedies sought to
include aggravated damages.
PoPI is based upon a framework of conditions, including:
Accountability – Data controllers will bear ultimate
liability and responsibility for compliance with PoPI
Processing Limitation – data may only be processed
lawfully and excessively, and with consent of the data subject
(which can be withdrawn at any time.) Explicit consent of the data
subject is required for processing sensitive data.
Purpose Specification – data may only be collected for a
specific, explicitly defined and lawful purpose. Any data collected
should not be retained any longer than is necessary for achieving
that purpose. Explicit consent is required for direct
Further Processing – any further processing must be
compatible with the original purpose of collection
Information Quality – reasonable steps must be taken to
ensure data is complete, accurate, not misleading and updated when
Openness – Data controllers must retain open records
documenting all processing operations undertaken, and must take
reasonable steps to ensure data subjects are informed of the
purpose and extent of data collected; the identity of the data
controller; whether provision of the information is mandatory or
voluntary and the consequences of failure to supply that
information; any subsequent disclosure to third parties; and the
full extent of rights available to data subjects under PoPI
Security Safeguards – Data controllers must take
responsible steps to secure the integrity and confidentiality of
personal data in their possession by taking appropriate technical
and organisational security measures. Any security compromises must
be notified to the DPA and the data subject concerned.
Data Subject Participation – A data subject has rights
under PoPI to access or correct their personal information held by
the data controller
President Jacob Zuma commented, "PoPI will give effect
to the right to privacy by introducing measures to ensure that the
personal information of an individual is safeguarded when it is
processed by responsible parties."
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Nigerian Communications Commission (NCC) has concluded plans to introduce Lawful Interception (LI); a legally sanctioned official access to private communications, such as telephone calls or email messages
If collection and processing of personal data pertains to private or family life, the individual's consent is required.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).