South Africa’s Protection of Personal Information Act (POPIA) received Presidential assent in November 2013. However, the commencement of its various sections has been staggered over a number of years. Operations and activities to administer POPIA were limited until July 1st, 2020, the date the President announced for key remaining sections to go into effect. Organizations then had 12 months from that date to enact POPIA compliance requirements, and enforcement began as of July 1st, 2021.
References to the act sometimes use POPI, or POPI Act, but the South African government and regulators have expressed a preference for use of POPIA, as POPI refers to the topic of protection of personal information generally, and not to the actual legal framework.
So, what is POPIA compliance, and how does it compare to GDPR compliance? Though older, POPIA has gotten less attention in the data privacy industry than the European Union’s General Data Protection Regulation (GDPR). The GDPR was enacted in 2016, with enforcement beginning in May 2018.
POPIA regulations, as well as the GDPR, use an “opt in” model where consent collection is concerned, which is shared by other international regulations like Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). This model requires the consent of the data subject before any data is collected, shared or sold.
Read on to learn more about POPIA and the GDPR’s similarities and differences regarding:
- Who is responsible for protecting and processing personal data?
- Data subject rights
- Data subject requests and responses
- Where are POPIA and the GDPR applicable?
- Legal bases
- Data subject consent
- Who oversees POPIA and GDPR compliance?
- What data subjects are covered by POPIA and the GDPR?
- What kinds of personal data are protected?
- “Sensitive” or “special” categories of personal data
- Data subjects who are children
- De-identification and anonymization of data
- Requirements, restrictions, exemptions and prohibitions for data processing
- Data transfer
- Data security and data breaches
Who is responsible for protecting and processing personal data?
POPIA defines a “responsible party” in Section 1 as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
This is comparable to a “data controller” in the GDPR’s Art. 4(7), defined as “the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Also in Section 1, POPIA defines an “operator” as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.
Whereas in the GDPR, also in Art. 4, the comparable entity is a “processor”, defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Data subject rights
A cornerstone of privacy regulations is the rights they give to individuals over their own data. Under POPIA, data subject rights are outlined in Section 5. These include:
- The right to be notified that personal information is/has been collected
- The right to be informed if a processor holds personal information of the data subject, and to request access to it
- The right to request correction, destruction, or deletion of personal information of the data subject
- To object to/withdraw consent for the processing of personal information, in whole or for specific purposes
- To not be subject to decisions made by automated processing of personal information that’s intended to provide a profile of the data subject
- To submit a complaint to the regulator regarding “alleged interference” of data subject rights
- To initiate civil proceedings regarding “alleged interference”
Neither the GDPR nor POPIA regulations specify a right to not be subject to discrimination when exercising the other rights. This right is present in California’s privacy laws, for example.
In the GDPR, data subject rights are outlined in Chapter 3, Art. 12-23. It provides a list of information that the controller must record in Art. 15, pertaining to the right to be informed, which POPIA does not. This includes:
(a) Name and contact details of the data controller;
(b) Purposes of the processing;
(c) The categories of personal data;
(d) The categories of recipients, or the recipients, to whom the personal data will be disclosed;
(e) The estimated period for which the data will be stored; and
(f) A description of measures (technical, security, organization) adopted by the controller
The GDPR provides data subjects with a right to data portability, which POPIA does not. Data portability refers to the ability to obtain and reuse one’s personal data for one’s own purposes, across different services.
The GDPR specifies that data subjects be provided with information on how to exercise their right to object to data processing, though POPIA does not. The GDPR also provides exceptions to its right to erasure, aka “right to be forgotten”, which POPIA does not. These exceptions include:
- Freedom of expression and information
- Compliance with public interest purposes for public health
- Establishing, exercising, or defending legal claims, or
- Compliance with legal obligations for the purposes of public interest
Under Art. 30, the GDPR also exempts companies with fewer than 250 employees from certain record-keeping, unless the data processing is “likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10”. POPIA provides no such exemption.
Data subject requests and responses
Under POPIA, access to the data subject’s requested information must be provided:
(i) within a reasonable time;
(ii) at a prescribed fee, if any;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable
There is a fair bit of leeway for interpretation of those requirements. Under the GDPR, though, action by the processor, such as correction, deletion, or providing a copy of personal data, must be provided free of charge unless the requests are “manifestly unfounded or excessive”, which can be difficult for the processor to prove. Under both laws, processors are allowed to require verification of identity from the data subject making a request (Section 23 of POPIA, Recital 64 of the GDPR).
In Section 24 of POPIA, corrections or deletions of personal data must be done as soon as “reasonably practicable”. It does not provide for correction or deletion of publicly available personal information, however. Under the GDPR, the processor has one month to respond to the data subject, ideally by completing the request, though under certain circumstances an extension of the time needed can be requested, up to two months.
Both laws also outline that information or personal data requested must be supplied in an accessible format (likely digital or possibly paper). Requests for information or copies of personal data can be made orally, digitally, or in writing per the GDPR. POPIA only notes that requests be made in the “prescribed manner”.
Where are POPIA and the GDPR applicable?
Outlined under Section 3, POPIA applies to any “responsible party” that is:
- domiciled in the Republic; or
- not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
The Republic here means South Africa specifically. Relevant personal data processed by the “responsible party” is:
“entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof”.
This would cover data collection and processing online or in physical formats. Automated or non-automated means are excluded if they are only being used to forward personal information through South Africa.
The GDPR protects the rights of European Union residents, so it applies to organizations “established” in the EU and outside of the EU. This could be companies based there, or companies that are based elsewhere, but that process the data of EU residents. This is referred to as “extraterritorial scope”. Per Art. 3, this includes: “offering goods or services, irrespective of whether a payment of the data subject is required”, but also “the monitoring of [data subjects’] behaviour as far as their behaviour takes place within the Union”. So really, anything from collecting data on website visitor behavior, to processing ecommerce transactions, to recording newsletter signups could be relevant. It would also apply to both physical and digital data collection and processing.
Legal bases
A legal basis defines legal grounds for processing personal data. Further detail is provided regarding processing data classified as “sensitive”, what the conditions are for valid consent, its provision and withdrawal, and certain other exemptions.
(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body; or
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
The GDPR’s legal bases are listed in Art. 6 and are very similar, with slight variances in wording though no substantive difference in intent. Both regulations have specific legal grounds regarding processing of special categories of data or “special personal information”, such as the requirement for explicit consent. In POPIA these are outlined in Sections 27-33. In the GDPR, Articles 7-9 cover these conditions.
Data subject consent
Consent for data processing is probably the most common legal basis affecting consumers online. Both POPIA and the GDPR include specifications regarding who can provide consent, the conditions under which consent can be obtained, and how it can be withdrawn by the data subject.
POPIA defines consent in Section 1 as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
Under the GDPR’s Art. 4, the definition of consent is a little more detailed: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Who oversees POPIA and GDPR compliance?
Section 17 of POPIA requires a responsible party to “maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act”. POPIA does not explicitly require that a representative be based within South Africa.
Section 39 outlines the establishment of a juristic person as an Information Regulator. This role would be more comparable to country-level regulators in the EU than to a company-level Data Protection Officer.
POPIA outlines the Information Regulator’s mandate as follows:
(a) has jurisdiction throughout the Republic;
(b) is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;
(c) must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and
(d) is accountable to the National Assembly.
In Section 1 POPIA also defines an “information officer” as “of, or in relation to:
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;”
The information officer role would be closer to that of the Data Protection Officer (DPO) in the GDPR, with the difference that the scope of an “information officer” may be considered to be less expansive than a DPO. The requirements and responsibilities of an “information officer” are detailed in the Promotion of Access to Information Act (PAIA) (Act 2 of 2000) and the POPIA regulations (Section 55), which include (but aren’t limited to):
- the encouragement of compliance
- dealing with requests
- working with the Information Regulator in relation to investigations
- otherwise ensuring compliance
The GDPR is fairly detailed regarding representation, requiring a designated “representative” in the EU in Art. 27 and Recital 80, and more explicitly the designation of a Data Protection Officer in Art. 37, applicable if:
(a) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
What data subjects are covered by POPIA and the GDPR?
Also under Section 1 of POPIA, a “data subject” refers to “the person to whom personal information relates”. Adding a bit more clarification, however, Section 1 also defines a “person” as “a natural person or a juristic person”. Natural persons are human beings, whereas juristic persons refer to entities like corporations that are recognized to be able to enjoy, and be subject to, legal rights and duties. POPIA does not explicitly include nationalities or places of residence of data subjects protected by it.
Art. 4 of the GDPR defines a “data subject” as “an identified or identifiable natural person”. It does not include further clarification on the definition of a person, though there are several definitions that include “personal”, such as “personal data” or “personal data breach”. Recital 14 also clarifies that data subjects should be protected “whatever their nationality or place of residence, in relation to the processing of their personal data”. That said, in the same way POPIA protects the rights of South African residents, the GDPR protects the rights of EU residents, and not, for example, United States residents.
What kinds of personal data are protected?
Section 1 of POPIA refers to “personal information” as “relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”. It further clarifies with inclusions (but not limited to):
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
The GDPR defines “personal data” in Art. 4 as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
“Sensitive” or “special” categories of personal data
POPIA defines sensitive personal information, which is given greater consideration than other categories of personal information, in Section 26. Subject to the conditions of Section 27, which include complying with international law, or with explicit consent of the data subject, “special personal information” cannot be processed when it relates to:
- the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
- the criminal behaviour of a data subject to the extent that such information relates to—
  - the alleged commission by a data subject of any offence; or
  - any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Under Art. 9, the GDPR outlines requirements for, or prohibition against, the processing of “special categories of personal data”, including:
“…revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
However, like POPIA, the GDPR follows it up with situations in which those prohibitions do not apply, including, among others, receiving explicit consent from, or protecting the vital interests of, the data subject.
Data subjects who are children
Under Section 1 of POPIA, a child is defined as under 18 years of age, and “who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself”. POPIA does not require verification of identity for this “competent person”. Section 35 further outlines requirements regarding children, and circumstances under which their personal data can be processed, including with the consent of “a competent person”, if it serves a public interest, when necessary to comply with “an obligation of international public law”, and other conditions.
18 is a higher age threshold than under the GDPR, where the definition is 13-16. Under Art. 8, consent must be provided for children under age 16 by “the holder of parental responsibility over the child”. Individual EU member states can lower the age for this to 13, however.
De-identification and anonymization of data
Section 6 of POPIA excludes personal data that has been permanently de-identified from broader data processing requirements and restrictions. (POPIA does not reference “pseudonymization”.) In Section 1 it defines de-identification, as it relates to personal information of a data subject, to mean deletion of any information that:
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
The GDPR’s Recital 26 is similar, covering “anonymous data”, and referring to “personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.
Requirements, restrictions, exemptions and prohibitions for data processing
Under POPIA Section 1, data processing is defined as:
“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”
This is very similar to the definition of processing under the GDPR in Art. 4(2), though it is actually a bit more detailed.
Exclusions to the requirements and restrictions for processing of personal data under POPIA are in Section 6, and include a wide variety of reasons, from the mundane: “personal or household activity” (i.e. not commercial), to the very serious, like issues pertaining to national security.
The GDPR reads similarly in Art. 2, including “purely personal or household” activity, as well as legal considerations like preventing criminal activity or activities falling outside of the scope of European Union law.
Under POPIA Section 7, there are also specific requirements and exemptions for processing data for “journalistic, literary, or artistic purposes”. In the GDPR under Art. 85, which covers freedom of expression and information, academic purposes are also included along with those others.
Both POPIA and the GDPR specify requirements for a contract or legal act between the “responsible party” (“data controller”) and the “operator” (i.e. entity that is processing the data) to determine requirements, restrictions, security measures, etc. Additionally, measures must be taken to ensure that third parties accessing or processing data can sufficiently guarantee technical and security measures for data compliance.
Data transfer
Both laws include restrictions on the transfer of data, though the GDPR provides greater detail and requirements than POPIA does. Section 72 of POPIA covers data transfers, but does not include a provision like the GDPR does in Art. 45 for “adequacy decisions”, i.e. international agreements wherein the EU Commission has previously determined that a country or organization has an adequate level of protection for data. These adequacy decisions can significantly streamline or limit the need for additional contractual requirements and obligations where data transfers need to occur.
Data security and data breaches
Both POPIA and the GDPR have substantial requirements for data security (POPIA Condition 7, Sections 19-21, GDPR Art. 32), as well as specific stipulations in the event of a data breach, including notification of regulatory authorities and data subjects. Under POPIA, immediate notification is not required if data subjects cannot be identified, and notification may be delayed if it would impede a criminal investigation (POPIA Section 22, GDPR Arts. 33–34). Language like the GDPR’s requirement that organizations take “appropriate technical and organisational security measures” is fairly consistent across both laws.
The requirement to notify supervisory authorities “immediately” (POPIA) or “without undue delay” (GDPR) is also standard, though the GDPR also stipulates that notification take place within no more than 72 hours of discovery of a breach, if it is likely to result in “high risk to the rights and freedoms of natural persons”.
The major difference in these sections in the respective laws is that POPIA has fewer exceptions to notification requirements. POPIA does also enable the regulator to make responsible parties post public data breach notifications, and provides very specific information about how to notify data subjects by at least one means, e.g. postal mailing, last known email address, published on the responsible party’s website, etc.
The GDPR specifies what information about the breach must be provided – nature of it, approximate number of affected data subjects, and likely consequences. POPIA has similar requirements, outlining that the responsible party: “must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
- a description of the possible consequences of the security compromise;
- a description of the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.”
The potential monetary penalties for a violation of the GDPR (Chapter 8) are much higher than those set out by POPIA (Chapter 11). However, POPIA also has provisions (Section 107) for sanctions of “natural or juristic persons” and prison sentences of up to 10 years for certain violations for responsible individuals, which the GDPR does not. The GDPR also does not establish liabilities for Data Protection Officers.
Under POPIA Section 109, the maximum fine is ZAR 10 million (~ €490,000). Under Art. 83(4) of the GDPR, depending on considerations about the breach, the fines fall into one of two categories. They can be up to €10 million or up to 2 percent of global annual turnover (revenue) for the preceding year, whichever is higher. Or, for “especially severe” violations, up to €20 million or up to 4 percent of global annual turnover (revenue) for the preceding year, whichever is higher.
Under POPIA, the regulator must consider the following regarding potential fines (Section 109):
(a) the nature of the personal information involved;
(b) the duration and extent of the contravention;
(c) the number of data subjects affected or potentially affected by the contravention;
(d) whether or not the contravention raises an issue of public importance;
(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;
(f) whether the responsible party or a third party could have prevented the contravention from occurring;
(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and
(h) whether the responsible party has previously committed an offence in terms of this Act.
The wording in Art. 83 of the GDPR is slightly different, but conveys the same requirements and considerations. POPIA enables the Information Regulator to levy fines country-wide. Under the GDPR “supervisory authorities” have the power to penalize violators. While the GDPR applies to all countries in the European Union, each member country has its own supervisory authority, which is responsible for issuing fines. This is why strictness of legal interpretations and severity of penalties can vary across different European countries.
National or regional privacy laws, including POPIA and the GDPR, are far too sprawling in scope to fully encapsulate and compare in this overview. But the similarities between the two well-established laws, as well as Brazil’s LGPD, far outnumber the differences. Companies wanting to achieve privacy compliance globally will be well-positioned by pursuing either GDPR or POPIA compliance, with limited additional work to achieve further regional compliance. It should be noted that there are some greater differences with the state-level laws in the United States.