South Africa has witnessed numerous, significant data breaches. A notable instance was when the servers of one of South Africa’s best known real estate companies was breached and the personal data of 31.6 million persons, including that of the President and the Finance Minister, was put at risk. The information included ID numbers, age, location, marital status, occupation, estimated income, address and mobile phone numbers. Privacy is protected in the South African Constitution and the President signed into law the Protection of Personal Information Act, 2013 (the “Act”) in 2013. Yet, several substantive provisions of the Act are yet to come into effect seven years after the Act was signed.
The Act governs the collection, storage, dissemination and use of personal data under the umbrella term ‘processing’ (similar to the approach in the EU General Data Protection Regulation (“GDPR”) and India’s forthcoming data protection law). The Act applies to the processing of personal information through automated or non-automated means. The Act also has extra-territorial effect to the extent where the entity processing the data is located outside of the country but makes use of automated or non-automated means within the country. The Act places obligations on a ‘responsible party’, defined as a public or private body or any other person which, alone or in conjunction with others, determines the purpose and means for processing personal information – similar to the GDPR construct of a ‘data controller’. The Act places limited obligations on ‘operators’ who process personal information for a responsible party – similar to the concept of ‘data processors’ under the GDPR and the proposed Indian law.
The Act also establishes an Information Regulator with the mandate to monitor and enforce compliance with the Act, handle complaints about infringements, issue guidelines and facilitate cross-border cooperation in the enforcement of privacy laws.
Data Protection Principles
The Act establishes eight pre-conditions for the lawful processing of personal information. These conditions align with internationally accepted data protection principles.
- Accountability: The principle of accountability requires persons managing the data processing to ensure compliance with legal conditions laid down in the Act.
- Processing limitation: Processing of personal data must be lawful. It should be based on a legal basis, which include: consent of the data subject, necessity for performance of a contract; to comply with obligations imposed by law; or necessity to pursue the legitimate interests of the responsible party or a third party to whom the information is supplied. Personal information processed should be adequate and relevant to original purpose and not excessive.
- Purpose specification: The purpose for which personal data is collected must be specific, explicitly defined and lawful. This also extends to retention of personal data. The Act also restricts the processing of personal information where the accuracy of such information is contested by the data subject, where retention is only for purposes of proof and where the data subject requests transmission to another automated proceeding system.
- Further processing limitation: Any further processing of personal information must also be compatible with the initial purpose for which it was collected.
- Information quality: The responsible party must ensure that the personal information it has collected is complete, accurate, not misleading and updated.
- Openness: The principle of openness requires responsible parties to document all data processing operations as required under extant South Africa access to information law. Responsible parties must also suitably notify data subjects when collecting personal information. The notice should include purpose for information collection, the law authorising collection, intention to transfer information to any third party, details of the responsible party and whether providing the information is voluntary or mandatory.
- Security safeguards: The security, integrity and confidentiality of the personal information collected must be ensured by the responsible party. This is with the intention of preventing loss, damage, destruction or unlawful access to such information. Responsible parties are required to take reasonable measures to foresee risks, maintain safeguards and verify implementation of security safeguards. Where there are reasonable grounds to believe that a data breach has taken place, the responsible party is obliged to notify the Information Regulator and, if the identify of the data subject can be established, the data subject as well. The only exception to notifying the data subject is if such notification is determined by a legal authority to impede a criminal investigation into the breach.
- Data subject participation: Data subjects must be able to access their personal information and correct or delete personal information that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading or obtained through unlawful means.
There are some exceptions in the Act to the applicability of these conditions. Some of these exceptions are widely accepted, such as processing in the course of a purely personal or household activity or for journalistic, literary or artistic purposes, and where the information in question has been anonymised to the extent that it cannot be de-anonymised. There is also a broad exception that allows processing by public bodies for purposes of national security, public safety or where the purpose is the prevention, detection including assistance in unlawful activities investigations, money laundering activities or even prosecution or execution of sentences or security measures. This seems to be a fairly wide exception which does not even require government bodies to show evidence of an active investigation. The Act also provides considerable discretion to the Information Regulator to grant exceptions from the data protection principles. Where the Regulator is of the view that public interest outweighs privacy rights of the data subject or where the processing provides a ‘clear benefit’ to the data subject or a third party that outweighs privacy considerations, data protection principles do not apply. Public interest is outlined in broad terms and includes national security interests; prevention, detection and prosecution of offences; economic and financial interests of a public body; compliance with legal provisions; historical, statistical or research activity; or freedom of expression.
The rights of a data subject in the Act largely mirror the data protection principles outlined above. The Act establishes certain rights for data subjects some of which are explained below:
- Right to have personal data processed in accordance with the data protection principles in the Act;
- Right to be notified when personal information is being collected or where it has been accessed by unauthorised persons;
- Right to know whether a responsible party holds personal information of the data subject and request access to such information;
- Right to request correction, destruction or deletion of personal information, as necessary;
- Right to object on reasonable grounds to the processing of personal information;
- Right to object to processing of personal information for the purposes of direct marketing;
- Right to submit a complaint with the Information Regulator regarding interference with data protection safeguards in the Act or to institute civil proceedings.
Cross-border data flows
The Act prohibits the cross-border flow of personal data unless it fulfils one of several conditions. Transfers are permitted where the recipient country has legal standards or binding requirements (whether corporate or contractual) that uphold the same standard of protection as afforded by the Act. Such transfer is also permitted if the data subject consents to it or even where the transfer is for the benefit of the data subject and it is either not reasonably practicable, or where it is reasonably practicable it is likely that the data subject would give consent. Further, transfer is permitted where it is necessary for the performance or conclusion of a contract between the data subject and the responsible party or one that is concluded between the responsible party and a third party and in the interest of the data subject.
The Act also builds on certain existing protections in South African law against electronic marketing by companies. Companies are not permitted to process personal information for the purpose of direct marketing through electronic communication unless the data subject has provided consent or is a customer of the responsible party in question. An existing customer’s data can be processed for direct marketing where: (1) the customer’s contact details were obtained in the context of a sale of product or service, (2) the direct marketing is for the responsible party’s own similar product or service, and (3) the data subject was given a reasonable opportunity to object. All communication with the data subject for direct marketing must also have details of the sender’s identity as well as contact details for the data subject to request stopping the communication.
There has been an inordinate delay in the Act coming in force. While provisions relating to the Information Regulator have already come into effect, the substantive provisions of the Act relating to data protection principles and individual rights are not yet in force. These portions of the Act were expected to come into effect on April 1, 2020 but have been delayed on account of the COVID-19 pandemic. No future date has been set as yet. From the date on which it comes into effect, entities in South Africa will have one year to comply with its provisions. Only once the Act comes into effect will practitioners understand how the Act operates in practice, how the Information Regulator exercises discretion to grant exceptions or the processes for filing complaints by data subjects. Nevertheless, the Act represents a significant moment for data protection safeguards in the country and the region.
This post is authored by Varun Baliga, a consultant working with Ikigai Law, with inputs from Sreenidhi Srinivasan, Senior Associate, Ikigai Law.
For more on the topic, please feel free to reach out to us at [email protected]
 Adela da Veiga, South Africans don’t trust companies to protect their data privacy, The Conversation, 17 May 2019, available at https://theconversation.com/south-africans-dont-trust-companies-to-protect-their-data-privacy-106571.
 Nico Gous, Top real estate company admits to being unwitting source of country’s largest personal data breach, Times Live, 18 October, 2017, available at https://www.timeslive.co.za/news/south-africa/2017-10-18-top-real-estate-company-admits-to-being-unwitting-source-of-countrys-largest-personal-data-breach/.
 Section 14, The Constitution of the Republic of South Africa, 1996, available at https://www.justice.gov.za/legislation/constitution/SAConstitution-web-eng.pdf.
 Protection of Personal Information Act, 2013, No. 4 of 2013, Government Gazette, available at https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf.
 Automated means is defined in the Act as “any equipment capable of operating automatically in response to instructions given for the purpose of processing information”.
 Section 3(1)(a).
 Section 3(1)(b)(ii).
 Section 39.
 Section 40(1).
 Section 8.
 Section 9.
 Section 11.
 Section 10.
 Section 14(2), (3), (4).
 Section 14(6)
 Section 15.
 Section 16(1).
 Section 17.
 Section 18(1).
 Section 19(1)
 Section 19(2).
 Section 22(1)
 Section 22(3)
 Section 24(1)
 Section 24(2).
 Section 6(1)(a).
 Section 7.
 Section 6(1)(b).
 Public body is defined in the Act as: (a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or (b) any other functionary or institution when (i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or (ii) exercising a public power or performing a public function in terms of any legislation.
 Section 6(1)(c).
 Section 37(1).
 Section 37(2).
 Section 5.
 Section 5(a).
 Section 5(b).
 Section 5(c).
 Section 5(d).
 Section 5(e).
 Section 5(h).
 Section 5(i).
 Section 72(1)(a).
 Section 72(1)(b).
 Section 72(1)(e).
 Section 72(1)(c).
 Section 72(1)(d).
 Ntombi Moloro, POPI and its impact on direct marketing, RSM South Africa, 9 April, 2018, available at https://www.rsm.global/southafrica/news/popi-and-its-impact-direct-marketing.
 Direct marketing is defined in the Act as a means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of (a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subjects; or (b) requesting the data subject to make a donation of any kind for any reason.
 Section 69(1).
 Section 69(3).
 Section 69(4).
 Protection of Personal Information Act News Flash, Kisch, 10 February, 2020, available at https://www.kisch-ip.com/article/protection-personal-information-act-news-flash?utm_source=Mondaq&utm_medium=syndication&utm_campaign=LinkedIn-integration.
 Implementation of South Africa’s data privacy law delayed, International Association of Privacy Professionals, 1 April, 2020, available at https://iapp.org/news/a/implementation-of-south-africas-data-privacy-law-delayed/.
 Mercia Fynn, South Africa: Protection Of Personal Information Act News Flash, Mondaq, 19 February, 2020, available at https://www.mondaq.com/southafrica/data-protection/895302/protection-of-personal-information-act-news-flash.