New South African data privacy law

On the day after Nelson Mandela’s passing, we wanted to highlight the long-awaited South African law on data protection, which has been gazetted and signed into law. This new law, going by the nickname of POPI (which stands for the Protection of Personal Information), has blossomed from a “Bill” to an “Act”.

South African commentators seem to believe that POPI is one of those laws that everyone, from the ruling party to the opposition and from businesses to non-governmental organisations in South Africa, is pleased about. It has taken 10 years to draft and is based on EU data privacy law principles.

What is in the detail?

POPI applies to every “responsible person” (i.e. a natural or legal person who processes personal information and is domiciled in South Africa). Others will also fall under the remit of POPI if they make use of “automated or non-automated means” for the processing of personal information in South Africa (unless the purpose is to simply forward the information through South Africa).

POPI introduces eight data protection principles (sound familiar?) with which to comply, in order for the processing of personal information to be lawful. The principles fall under the following headings: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation. POPI also incorporates a section on the use of personal information for direct marketing purposes (see Section 66), which contains provisions similar to those of the EU Privacy and Electronic Communications Regulations.

A big change

POPI marks a significant change in the way South Africa handles privacy, bringing it more in line with the European way of thinking. Currently, the South African data protection legislative framework consists of a right to privacy as granted under the South African Constitution, common law and, to some limited extent, the Electronic Communications and Transactions Act 2002. But these do not provide the comprehensive protection for personal data that is now enshrined in POPI.


POPI is a step forward for South Africa but it is not effective yet… it still needs to be signed by the South African President (Jacob Zuma). When will this happen? It’s unclear. Also, once in force, POPI grants organisations a “grace” period of 12 months within which to comply. There also seems to be a possibility of this period being extended if the justice minister thinks more time is required for organisations to comply with POPI.

It is also unclear how well resourced the new South African Information Protection Regulator will be to enforce POPI, as it is yet to be set up. No details have emerged about the shape of the Regulator or whether it will have adequately skilled resource.

So, it might be some time yet before we see the full flourish of POPI.

Many thanks to Danielle van der Merwe for writing this piece.