What is POPIA?

The Protection of Personal Information Act (‘POPIA’)–South Africa’s omnibus data protection statute—was signed into law in November 2013. Since then, only certain administrative sections of POPIA have come into force, namely, the appointment of South Africa’s Information Regulator to monitor and enforce the law, as well as implementing regulations. When POPIA becomes fully effective, public and private entities will have a year-long grace period to comply with the sections regarding the processing of personal information and data subject rights. In particular, POPIA will require “responsible parties” that process personal information to adhere to specific conditions for lawful processing, including accountability, processing limitation, purpose specification, information quality, openness, security safeguards, and data subject participation. POPIA will also grant data subjects several rights, such as the rights to notice of collection, to request the correction, destruction, or deletion of personal information, to object to direct marketing, to not be subject to automated processing, and to direct private right of action. The Information Regulator addresses some of the required procedures entities must implement and include template forms for, among other things, submitting objections to the processing of personal information and requests to correct or delete that information, and obtaining data subjects’ consent to process their personal information.

At the beginning of 2020, the Information Regulator asked the South African President and Minister of Justice to bring the remaining sections of POPIA into effect before April 1, 2020. This date has since passed, so what is happening with POPIA?

Why has the POPIA not fully entered into effect?

Since its initial passing into law, POPIA’s sections have come into effect incrementally. Certain pieces of the Act are already operational today, including the definitions section, the establishment of the regulatory body, and a section that empowers the authority to make regulations. When OneTrust DataGuidance spoke with Lebogang Stroom-Nzama, Member of the Information Regulator of South Africa in October 2019, she explained that there are still many factors, including staffing and funding, that are influencing when the authority can approach the President to promulgate the remaining sections.

Ms. Stroom-Nzama explained, “To speed up our timing for approaching the President to promulgate the remaining sections of POPIA so that it can be fully operational, we are in consultation with the Minister of Finance. We must approach and get concurrence from the Minister of Finance to get staff. We have done the first phase where we have our Executive for the legal research of POPIA, and now after that, we are on the second phase of capacitating the regulator. So, in 2020 we will be advertising posts for the second phase, which is human capacity that we need to enable us to respond to complaints and because now we cannot do anything because we do not have human capacity.”

When will South Africa bring all POPIA into effect?

Although POPIA’s new effective date has yet to be set, the Information Regulator made two announcements in April 2020. First, it issued guidance regarding the processing of personal information in the management and containment of the COVID-19 pandemic. The Information Regulator encourages proactive POPIA-compliance even though POPIA is not entirely in effect. Additionally, the Information Regulator published its Annual Performance Plan for the 2020-2021 financial year, which calls for the government to bring all of POPIA into effect in the same financial year.