South Africa’s Protection of Personal Information Act – an overview

South Africa’s Protection of Personal Information Act (POPIA) is a legal framework to protect the country’s residents from harm by protecting their personal information. It is enforced by the country’s Information Regulator. It is sometimes referred to as POPIA or the POPI Act, but POPIA is preferred by regulators and the South African government. POPI is more commonly used as a synonym for data protection, rather than specifically referring to the legal framework.

Who is affected by POPIA depends on context. It affects both those providing and processing personal information. On a day to day basis, it would likely affect companies and other organizations more, as they must achieve and maintain compliance with POPIA. Most individuals wouldn’t be actively affected unless notified of a data breach or other violation affecting their personal information.

POPIA is distinct from the Promotion of Access to Information Act (PAIA), which is even older, having been passed in 2000. PAIA provides the constitutional right of access to information held by the South African government or by private organization, if it is required to protect or exercise individuals’ rights. PAIA is enforced by the South African Human Rights Commission.

South Africa’s POPIA went into full effect in 2020, though it had been rolled out in sections starting from when it received Presidential assent seven years earlier. Enforcement then began in 2021. In modern terms, it is one of the older data privacy laws, predating the European Union’s General Data Protection Regulation (GDPR) by several years.

The Protection of Personal Information Act (POPIA) is South Africa’s federal data protection law to protect people’s privacy, which is considered a human right. The Act outlines when it is legal for one entity, like a company, to process another entity’s personal information, like that of an individual.

POPIA received parliamentary assent on November 19th, 2013, however, the Act did not fully go into effect immediately. Sections have gone into effect since 2013, but a number of key sections didn’t go into effect until July 1st, 2020, which the President proclaimed to be the date of commencement. Organizations had 12 months to work toward compliance with the Act, and enforcement began on July 1st, 2021.

The Information Regulator was established on December 1st, 2016, and is responsible for enforcing POPIA. It handles both investigations of alleged violations as well as penalties where noncompliance has been demonstrated. The Information Regulator reports to the South African Parliament.

POPIA has 12 Chapters, containing 115 Sections. The rights of data subjects are covered in Section 5. Chapter 3 of POPIA covers Conditions for Lawful Processing. Section 11 outlines the conditions for data subjects’ consent or objection, and other legal justifications and responsibilities for data processing:

• with the consent of the data subject or a competent person where the data subject is a child
• the processing is necessary to perform or conclude a contract, of which the data subject is a party
• to comply with a legal obligation of the responsible party (that one doing the processing)
• protection of legitimate interest of the data subject
• required for performance of public law duty by a public body
• to pursue legitimate interests of the responsible party or of a third party to whom the information is supplied

Additionally, the responsible party bears the burden of proof for the data subject’s (or competent person as representative’s) consent, and the data subject or competent person may withdraw consent at any time.

Data subjects may also object to the processing of their personal information at any time on reasonable grounds, via the prescribed manner, as long as prevention or termination of that data processing is not prevented by active legislation.

Section 4 outlines the lawful conditions of data processing:

• Accountability (Section 8)
• Processing limitation (Sections 9-12)
• Purpose specification (sections 13 and 14)
• Further processing limitation (Section 15)
• Information quality (Section 16)
• Openness (Sections 17 and 18)
• Security safeguards (Sections 19 to 22)
• Data subject participation (Sections 23 to 25)

POPIA applies to “any natural or juristic person who processes personal information” by “automated or non-automated means” (Section 3). So it does apply to individuals, though more commonly to companies, other organizations, and the government.

Note that under the definitions in Section 1, the “responsible party” is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

Also per Section 3, POPIA applies to responsible parties both “domiciled in the Republic”, or not, i.e. POPIA is extra-territorial. The key consideration is if data subjects are located in South Africa, not whether the entity that is processing their data is located there.

Section 6 outlines exclusions from POPIA compliance requirements, which are fairly common in comparison to other data privacy laws:

• the data processing is for “personal or household activity”, i.e. not commercial
• the data has been anonymized sufficiently that it can’t be de-anonymized
• if there are issues of national security, including public safety or combatting terrorism
• if the data processing is in service of the functions of law enforcement
• if the data processing is performed by government agencies, “by the Cabinet and its committees or the Executive Council of a province”
• if the data processing is in service of judicial functions of a court

Section 7 has some further exclusions and specific requirements relating to “journalistic, literary or artistic expression”. This section helps enable freedom of expression and the freedom of the press, while ensuring responsible actions, e.g. adherence to “domestic and international standards, and to professional codes of ethics.

Section 5 covers the rights of data subjects under POPIA. They include rights to:

• be notified that their personal information is/has been collected
• be informed if a processor holds their personal information and to request access to it
• request correction, destruction, or deletion of their personal information
• object to/withdraw consent for the processing of their personal information, in whole or for specific purposes
• not be subject to decisions made by automated processing of personal information that’s intended to provide a
• profile of them (which can include AI use)
• submit a complaint to the regulator regarding any alleged interference with their rights
• initiate civil proceedings regarding “alleged interference” (aka the right to sue)

POPIA does not include a right not to be discriminated against when exercising one’s other rights as a data subject. The GDPR doesn’t either, though the CCPA does. Note that POPIA uses an opt-in model of data subject consent, i.e. consumers’ consent must be obtained prior to collection or processing of their personal information.

Definitions of key terms in POPIA are in Section 1.

Covered in Chapter 3, Part A, this is information that relates to “an identifiable, living, natural person” or identifiable, existing juristic person. Personal information can include, but is not limited to:

(a) race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) biometric information of the person;
(e) personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) views or opinions of another individual about the person; and
(h) name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

It should be noted that while physical or mental health, religion, disability, ethnic origin, colour, sexual orientation, and some other information are included in POPIA’s definitions of “personal information”, in fact they qualify as “special personal information” and thus require specialized and/or restricted handling. In some cases processing of this type of information is prohibited.

This type of personal information is covered in Section 26, or, more specifically, there are prohibitions on processing this type of personal information due to the potential for it to be used harmfully. Types of personal information classified as “sensitive” include:

(a) religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(b) criminal behaviour of a data subject to the extent that such information relates to—

• • the alleged commission by a data subject of any offence; or
  • any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Processing special personal information is prohibited unless it is performed under the exceptions outlined in Section 27, which include consent, legal obligations, the subject having already made the information public, and other stipulations.

This refers to “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

The natural or juristic person to whom personal information relates. Refers to persons residing in South Africa. A juristic person is an organization legally recognized to have rights and responsibilities like a human individual.

POPIA does not refer to “controllers” like some other privacy laws, i.e. the party responsible for the collection and processing of data, and, as a result, safeguarding it as well. POPIA does refer to the responsible party, meaning “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

Under some other privacy laws, the operator performs the processing for the controller. Under POPIA, the operator does this for the responsible party. Specifically, the operator is “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.

The data protection authority, officially the Information Regulator (SAIR), as defined and with duties covered in Sections 39-54, including education, guidance, research, monitoring, handling complaints and enforcement. This entity is also responsible to advise on and direct the evolution of the law.

Some privacy laws refer to the anonymization of data. Under POPIA, the term is de-identification, which “in relation to personal information of a data subject, means to delete any information that—

(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject”

A natural person under the age of 18 who is not legally competent to consent to actions or decisions. A competent person (an adult of over the age of 18 legally able to make decisions for a child) is required where consent regarding a child’s personal information is needed.

Per the definitions in Section 1, consent under POPIA is “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Consent is one of the legal bases for data processing, as outlined in Section 11.

Like the GDPR and some other international privacy laws, POPIA uses an opt-in model of consent, so generally data subject consent must be procured from a legally competent person, or their representative in the case of a child, before collecting or processing their data.

Section 11 covers justifications for personal information processing, commonly referred to as “legal bases” in the GDPR and elsewhere. These requirements are quite similar to those listed in the GDPR:

(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body; or
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied

Justification like legitimate interest might seem convenient as it would not require obtaining data subject consent, but as with other laws, entities would not just be able to claim legitimate interest and start collecting and processing personal information at will. There are requirements specific to claiming legitimate interest (and any other legal basis) as well.

Under POPIA, companies are not the only organizations required to comply, but those inside and outside of South Africa (but doing business there) are substantially affected.

Chapter 3 covers companies’ responsibilities, i.e. conditions of lawful processing. Part A of Chapter 3 outlines POPIA’s eight conditions for processing personal information that are companies’ responsibilities. The Information Regulator can conduct an assessment or audit of an organizations’ POPIA compliance either by request or on its own initiative (Section 40).

Per Section 8, the responsible party must ensure conditions for lawful processing, such as the general ones for processing of personal information, as well as specific conditions and prohibitions for processing of sensitive personal information or the information of children

Per Sections 9-12, the responsible party does not infringe on data subjects’ rights and limits processing to only that which is needed for the stated purpose, for which they have a legal basis, and respond to requests or complaints from data subjects regarding their personal information.

Per Sections 13-14, the responsible party can only collect and process personal information for a specific, stated and legal purpose, can only retain the information for as long as necessary to fulfill the purpose, and must securely store, restrict access to, and delete the information as necessary.

Per Section 15, for any further processing of the information beyond the stated and legal purpose, a number of conditions must be met, including, potentially, obtaining new data subject consent. This also affects retaining personal information after the period of time necessary for the original processing purpose.

Per Section 16, the responsible party must reasonably ensure that personal information collected and processed is complete, accurate, and up to date. Related to this is being responsive to requests or complaints from data subjects regarding access to, update of, or deletion of their personal information.

Per Sections 17-18, the responsible party must maintain documentation regarding all processing activities, and take reasonable steps to ensure that data subjects are notified about the conditions of processing and can contact the responsible party. Information regarding processing activities and related requirements also need to be easily accessible to data subjects, e.g. via a website cookie or privacy policy.

Per Section 19-22, the responsible party must take reasonable actions to ensure the security of all personal information processed, including if it is passed to other parties (e.g. the operator, for processing), and to take appropriate and immediate action if there is a breach of security, which would include contacting the Regulator and affected data subjects.

Per Sections 23-25, data subjects have rights of request and access to their personal information, to which responsible parties must be responsive. There are also conditions under which such requests can be denied.

All organizations that are required to comply with POPIA must have an information officer, which is the same as a data protection officer or similar titles. Depending on the volume and types of duties, it may also be necessary to appoint one or more Deputy Information Officers (Section 56). The information officer and any deputies must be registered with the Regulator by the responsible party before they can begin performing any duties.

Section 55 covers their duties and responsibilities, which include encouraging compliance, managing requests, working with the Regulator on investigations, and related duties. Section 56 covers the designation of deputy information officers, if needed.

More granularly, the information officer will be involved in tasks like drafting and maintaining the privacy policy and other related documentation, conducting risk assessments, training employees, drafting and maintaining contracts with third parties, handling security issues — including data breaches — and reporting/liaising with the Regulator and data subjects affected, and other tasks.

POPIA goes into less detail regarding data transfers (“transborder information flows”) than the GDPR does, but there are still restrictions in the name of privacy and security, outlined in Section 72. Broadly, the conditions are similar to legal bases for personal information processing, e.g. contractual agreement, data subject consent, performance of a contract, legitimate interest, etc.

POPIA does not have a requirement for adequacy decisions, i.e. international agreements among countries where it has been determined that the country or organization in question has established an adequate level of data protection. These decisions can significantly streamline contractual requirements and obligations between relevant parties when data transfers need to occur, or cause large headaches when companies have to reorganize operations because of a lack of them.

Sections 19-22 cover security safeguards, including specific requirements in the event of a data breach. Unsurprisingly, two key requirements are the notifications to the Regulator and impacted data subjects (unless their identities can’t be determined) as soon as reasonably possible (Section 22). There are also specifications for how notifications must be delivered and information they need to contain. The Regulator may also require the responsible party to publicize the breach if it would benefit data subjects (e.g. to help notify them where it was otherwise not possible).

Under POPIA, children are classified as people under age 18, who are not considered legally competent. This is a higher age threshold than with the GDPR. In most cases, in order to process children’s personal information, consent from their parent, guardian, or other legal representative (“competent person”) must be obtained in advance, though there are a number of other conditions under which it can take place, broadly following standard processing legal bases, but with additional bases.

Processing of children’s personal information is covered in Sections 34-35, with the latter section covering conditions under which children’s personal information can be processed.

Enforcement is covered in considerable detail in POPIA in Chapter 10, Sections 73-99. As noted, enforcement comes under the responsibility of the Information Regulator, which is a federal level government position. The Regulator is involved with investigating alleged violations, making referrals to other regulatory bodies, working toward securing warrants from a judge or magistrate, handing down penalties, and other actions.

Under Section 109, the maximum fine for a POPIA violation is ZAR 10 million. Regarding potential fines, the Regulator must consider the following:

(a) the nature of the personal information involved
(b) the duration and extent of the breach or issue
(c) the number of data subjects (potentially) affected
(d) whether or not the breach raises an issue of public importance
(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects
(f) whether the responsible party or a third party could have prevented the breach
(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information
(h) whether the responsible party has previously committed a POPIA-related offence

POPIA also has provisions (Section 107) for sanctions of “natural or juristic persons” and prison sentences of up to 10 years for certain violations for responsible individuals, which isn’t included in the GDPR or LGPD. Offenders can also be required to pay compensation to data subjects.

Less “official” penalties for a POPIA violation include loss of reputation and loss of existing customers and failure to attract new ones, which can impact revenues.

Technology continually evolves, requiring privacy law to evolve with it. The Protection of Personal Information Act in South Africa is older than many other privacy laws, but was rolled out over a number of years, so it is fairly up to date. Part of the Information Regulator’s responsibilities are also to perform research and consult and work with Parliament to evolve the Act.

Ongoing changes in technology will continue to be important considerations with POPIA, like third-party browser cookies, apps and particularly children’s interactions with them, the proliferation of biometric data, AI and machine learning usage, and more. As a well established privacy law, POPIA is well situated to be influential in privacy legislation around Africa and elsewhere in the world.

For companies, there are tools, such as those for consent management, to help navigate POPIA requirements and communicate them to users.

If you have questions about how POPIA affects your business, or about consent management for websites and apps, we’re happy to help. Contact one of our experts!