In short, the practical machinery to curb unsolicited electronic marketing under the CPA is finally in force.

While privacy enforcement under other statutes remains important in the broader ecosystem, these Regulations make clear that, within the Consumer Protection Act (“CPA“) framework, the  NCC now has custody of the national opt‑out registry and the associated compliance lifecycle for direct marketers, thereby addressing persistent concerns about spam call and messages.

The Regulations are issued by the Minister of Trade, Industry and Competition under section 120(1)(a), read with section 11(6), of the CPA, following consultation with the NCC and provincial consumer regulatory authorities, which situates the new regime squarely within the CPA’s consumer rights to restrict unwanted direct marketing.  The Regulations amend the 2011 Consumer Protection Act Regulations by adding three annexures, reflected as Annexures N, O and P, which supply the operative forms and tariff schedules required to run a functioning opt‑out and direct‑marketer registration system. The amended Regulations states expressly that it comes into effect on the date of publication of the Notice, which means the obligations and processes described are already live as of 15 April 2026.

The reliance on section 11(6) is significant because section 11 of the CPA addresses a consumer’s right to restrict unwanted direct marketing, and the amendments implement the mechanics for that right through a Commission‑run registry, rather than leaving it as an unenforced principle.

The Regulations introduce a defined concept of “cleansing”, which is described as the process of removing consumers who have opted‑out of electronic communication from a direct marketer’s database to ensure they are no longer contacted. This is important because it transforms the opt‑out right into a recurring operational duty on marketers.  The term “direct marketer” is expressly defined to capture any person who engages in direct marketing, thereby pulling both traditional and digital outreach actors within the compliance perimeter regardless of specific channel. The Regulations also define an “electronic communication recipient” as a consumer who receives electronic communication from a direct marketer and has registered a pre‑emptive block, which clarifies that registry protection attaches to recipients who have taken the step to opt‑out.

The pivotal instrument for exercising that protection, “pre‑emptive block”, is defined as registering a block on the opt‑out registry established by the Commission to prevent unwanted electronic communications from direct marketers.

Collectively, these definitions move compliance from general notions of consent and preference into a concrete taxonomy that underpins duties to register, verify, and purge marketing databases against the official registry.

The amended Regulation 4 makes clear that the opt‑out registry is administered by the Commission, and it must be accessible at all times, save for unforeseen technical interruptions, to all persons in the Republic for the purpose of registering a pre‑emptive block, which positions the NCC as the operational hub and guarantees public access to exercise the opt‑out right. The Regulations require direct marketers to register on the Commission’s opt‑out registry using the dedicated Direct Marketer Registration Form, which internalises a single point of onboarding into the system for all entities engaging in direct marketing. A corresponding Consumer Pre‑emptive Block Form specifies the data elements a consumer must provide to register a pre‑emptive block, embedding a standardised, recordable process for opt‑outs. To preserve integrity and privacy of registry information, the Commission must use information it receives solely to operate the opt‑out registry and may not disclose confidential information without consent, except where required by law, which both limits secondary use and recognises lawful disclosure obligations. The Commission is also obliged to verify all information submitted for registration with other relevant state organs before registering profiles, to publish guidance on its website for consumers and direct marketers on how to use the registry, and to inform the public if the registry is unavailable for 24 hours or more, which together create a governance framework for accuracy, transparency and service continuity.

At its core, the Regulations impose a hub‑and‑spoke compliance model in which every direct marketer must register on the opt‑out registry and must renew that registration annually on the anniversary date by paying the prescribed renewal fee, thereby ensuring that only current, identified entities interface with consumers for direct marketing. Each direct marketing communication must enable the recipient to identify the name, electronic address, physical address and contact number of the direct marketer, and any communication transmitted to a recipient’s device must itself be identifiable, which elevates transparency and traceability across channels. The marketer must ensure that information kept on the opt‑out registry is up to date, must be identifiable even on public platforms, and may not disseminate electronic communication from a public platform where the originator is unidentifiable, which closes anonymity loopholes in social or messaging contexts. A categorical prohibition is placed on direct marketing to any consumer who has registered a relevant pre‑emptive block, and marketers may not contact any consumer for purposes of direct marketing unless the marketer is registered on the opt‑out registry, which together create both a substantive contact bar to protect opted‑out consumers and a procedural registration gate for all outbound marketing activity. Crucially, marketers must remove from their databases all data of persons who have registered a relevant pre‑emptive block by “cleansing” such data monthly with the Commission, translating the opt‑out registry into a recurring data‑hygiene obligation rather than a one‑off scrub.

For marketing teams, the immediate implication is that registration on the NCC’s opt‑out registry is now a gatekeeping requirement for any direct marketing contact, and failure to register forecloses lawful outreach regardless of consent arrangements a marketer may believe it holds, because contact is prohibited unless the marketer is registered.  Transparency rules requiring identification of the marketer and contact details in every electronic communication, and prohibitions on unidentifiable dissemination from public platforms, will make it harder for bad actors to hide behind generic handles or anonymous broadcasts when engaging in promotional outreach. From a consumer‑experience perspective, universal public access to register pre‑emptive blocks, combined with Commission website guidance and uptime communication commitments, creates the infrastructure necessary for scale adoption of opt‑out protections, which should, in practice, reduce unsolicited electronic marketing as registry coverage expands.

Organisations engaging in any form of direct marketing should register on the NCC opt‑out registry without delay, and templates for electronic communications should be updated immediately. Consumers who wish to cease unsolicited electronic marketing can complete the Annexure O form to register a pre‑emptive block and should keep their registry information current to maintain effective protection, in line with Commission guidance available on its website.

The message is clear: responsibility for curbing unsolicited direct marketing is now distributed through a concrete CPA compliance machinery anchored by the NCC’s opt‑out registry, and marketers must adapt their processes immediately to the new rule set.

The post Do not call me I’ll call you …… South Africa’s 2026 CPA Amendment Regulations: operationalising the national opt‑out regime for direct marketing and shifting day‑to‑day anti‑spam responsibility to the National Consumer Commission appeared first on Werksmans Attorneys.

I am presently reading Noah M Kenney’s Governing Intelligence: Law, Privacy, Security, and Compliance,[1] and it has given me genuine cause to reflect, which I suspect was precisely the author’s intention. The book lands at a time when South Africa has published its own Draft National Artificial Intelligence Policy,[2] opening a public comment period on what is intended to become the foundational instrument for AI governance in this jurisdiction.

The timing is fortunate. Kenney’s central thesis, that AI governance must be understood and implemented as a structured, layered, interdependent system, throws into sharp focus both the ambitions and the shortcomings of South Africa’s Draft Policy.

What follows is an attempt to read the Draft Policy through the organising framework at the heart of Kenney’s text, the AI Governance Stack, and to consider whether South Africa’s proposed approach is structurally adequate for the task it sets itself.

The AI Governance Stack as an Organising Discipline

Kenney’s AI Governance Stack is a five-layer operational model, drawn from a decade of practical implementation work across regulated industries.[3] Built from the base upward, it comprises:

• Layer 1 (Data Governance) constituting data inventory, quality management, bias assessment, provenance tracking, and consent mechanisms;
• Layer 2 (Model Governance) focusing on architecture review, fairness testing, robustness evaluation, interpretability, and model documentation;
• Layer 3 (System Integration Governance), considering integration architecture, pipeline security, cascading failure analysis, human-AI interaction design, and boundary condition testing;
• Layer 4 (Control and Monitoring Governance) addressing access controls, performance monitoring, anomaly detection, incident response, and deployment governance; and
• Layer 5 (Audit and Evidence Governance) calling for documentation standards, evidence preservation, audit mechanisms, regulatory reporting, and stakeholder communication.[4]

The framework’s real force lies in its insistence on cascading dependency.

Each layer of the Kennedy AI Governance Stack creates the foundation for the one above it, and points out that a governance failure at Layer N cannot be fully remediated at Layer N+1.[5]  This is not simply an architectural preference. It is a testable operational claim: piecemeal governance, attending to audit whilst neglecting data quality, or monitoring without model documentation, will produce governance that is structurally unsound, no matter how many resources are thrown at it.[6] This is in fact true for any form of regulatory compliance.

The practical upshot, which Kenney demonstrates through a detailed walkthrough of an AI credit decision system, is that each layer must have exactly one primary organisational owner and that governance must be sequenced to follow the dependency chain.[7] Done properly, the Stack transforms governance from a set of aspirational commitments into something closer to an executable specification, with defined requirements, thresholds, decision rules, and verification criteria.[8]

South Africa’s Draft Policy: Ambition Without Architecture

There is much to celebrate in the Draft Policy. It is rightly anchored in the Constitution of the Republic of South Africa, 1996, and expressly provides that AI must not be used to violate the rights enshrined in sections 9 (equality), 10 (human dignity), 14 (privacy), 16 (freedom of expression), and 33 (just administrative action), amongst others.[9] It identifies the Protection of Personal Information Act 4 of 2013 (POPIA), the Cybercrimes Act 19 of 2020, and the Promotion of Access to Information Act 2 of 2000 as part of the legislative architecture within which AI governance must operate.[10] It goes further still, proposing the establishment of a National AI Commission, an AI Ethics Board, an AI Regulatory Authority, an AI Ombudsperson Office, a National AI Safety Institute, and an AI Insurance Superfund modelled on the Road Accident Fund.[11]

These are serious institutional commitments that should not be dismissed. But when one measures them against the operational specificity of the Governance Stack, a conspicuous gap opens up. The Draft Policy proceeds largely at the level of principles and institutional mandates. It sets out six key principles of responsible AI, fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability, and proposes embedding these across the AI lifecycle.[12] It calls for “sufficient explainability” and “sufficient transparency” in high-risk systems.[13] It contemplates risk-based classification, drawing some inspiration from the European Union AI Act.[14]

What it does not do is specify the operational infrastructure through which any of these principles can be enforced. One looks in vain for anything equivalent to the Stack’s requirement that organisations maintain data catalogues with provenance records documenting origin, transformations, and lineage, or its mandatory quality thresholds, completeness at 95 per cent, accuracy at 98 per cent for labelled data, cross-source consistency at 90 per cent, below which data must not be used for model training without documented exception approval.[15] Cascading failure analysis, circuit breaker requirements for systems with downstream dependencies, boundary condition testing protocols, none of these features.[16] The Policy’s reference to “AI-specific data governance frameworks that ensure provenance, quality control, and interoperability of datasets” reads as aspiration, not specification.[17]

Key Tensions and Risks

Three tensions in the Draft Policy deserve close scrutiny.

The first concerns accountability. The Draft Policy’s treatment of it is structurally incomplete. It provides that “organisations must take responsibility for the outcomes of their AI systems” and that “accountability must ultimately point to an attributable official or entity.”[18] That is necessary, but it is not enough. Kenney’s point is that diffuse accountability is the primary organisational failure mode in AI governance. The remedy is to assign determinate accountability at each Stack layer: data stewards at Layer 1, ML engineering leads at Layer 2, platform and infrastructure teams at Layer 3, security and operations teams at Layer 4, and compliance and legal teams at Layer 5.[19] Without that degree of granularity, the Draft Policy’s accountability requirement risks becoming what Kenney aptly terms a “compliance fiction”, formally satisfied but operationally hollow.

The second tension arises from the Draft Policy’s reliance on POPIA as the primary data governance instrument for AI, which is, at best, partial. POPIA’s conditions for lawful processing, including purpose limitation (section 13), minimality (section 10), and security safeguards (section 19), were simply not designed with the demands of AI training data in mind. The friction between data minimisation and the data-hungry requirements of machine learning model training, which Kenney identifies as a fundamental governance challenge under the analogous provisions of the GDPR,[20] is not acknowledged in the Draft Policy. Nor does the Draft Policy grapple with how section 71 of POPIA, which governs automated decision-making, will interact with the proposed AI Ombudsperson’s jurisdiction or the AI Regulatory Authority’s audit mandate.[21]

The third tension is regulatory fragmentation. The Draft Policy proposes an elaborate institutional architecture involving the DCDT, ICASA, the Information Regulator, the Competition Commission, the South African Reserve Bank, and the Financial Sector Contingency Forum, among others.[22] Kenney’s argument on this point is direct: the Governance Stack provides a unified architecture through which organisations can satisfy the requirements of multiple regulators by means of a single layered governance system, rather than maintaining separate compliance programmes for each.[23] Without a unifying operational framework, the Draft Policy’s multi-regulator model risks imposing precisely the kind of compliance fragmentation that the Stack was designed to resolve.

A Considered View

What, then, should organisations operating in or entering the South African market actually be doing?

It is submitted that the Draft Policy should be treated as a signal of regulatory direction, not as a governance blueprint. Its principles are sound and its institutional ambitions are genuine. But the operational gap between principle and implementation is wide, and organisations that wait for the regulatory apparatus to mature before building their own governance frameworks will find themselves badly exposed. If the EU AI Act teaches us anything, and Kenney documents this in considerable detail, it is that compliance costs compound rapidly when governance is retrofitted rather than designed in from the outset.[24]

Organisations would be well advised, now, to map their AI systems against the five layers of the Governance Stack, assign primary ownership at each layer, and begin building the documentation, testing, and monitoring infrastructure that any competent regulator will eventually demand.[25] They should ensure that their data governance practices satisfy POPIA’s existing requirements whilst also anticipating the more demanding standards that the Draft Policy foreshadows.[26] And they should engage meaningfully with the public comment process, not merely to protect commercial interests, but to press for the kind of operational specificity that separates effective governance from well-intentioned aspiration.

If Kenney’s book can be reduced to a single proposition, it is that governance must be engineered, not merely declared.[27]

South Africa’s Draft Policy has declared its intentions. The engineering remains to be done.

[1] Kenney NM Governing Intelligence: Law, Privacy, Security, and Compliance (Digital 520 2026).

[2] Draft South Africa National Artificial Intelligence (AI) Policy (March 2026) published in GG 54477 of 10 April 2026.

[3] Kenney (n 1) page 22.

[4] Kenney (n 1) page 22-25.

[5] Kenney (n 1) page 18-19; see also page 25 (“Failure at any layer cascades upward; governance cannot be implemented piecemeal”).

[6] Kenney (n 1) page 30.

[7] Kenney (n 1) page 26-28.

[8] Kenney (n 1) page 30.

[9] Constitution of the Republic of South Africa, 1996, section 9, 10, 14, 16, 33; Draft AI Policy (n 2) page 8.

[10] Protection of Personal Information Act 4 of 2013; Cybercrimes Act 19 of 2020; Promotion of Access to Information Act 2 of 2000; Draft AI Policy (n 2) page 7.

[11] Draft AI Policy (n 2) page 26–27.

[12] Draft AI Policy (n 2) page  62.

[13] Draft AI Policy (n 2) page 35–36.

[14] Draft AI Policy (n 2) page 36; cf Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act).

[15] Kenney (n 1) page 23, 27.

[16] Kenney (n 1) pages 24, 32–33.

[17] Draft AI Policy (n 2) page 53.

[18] Draft AI Policy (n 2) page 58.

[19] Kenney (n 1) page 20, 26.

[20] Kenney (n 1) page 258; see also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) art 5(1)(c).

[21] POPIA section 71; Draft AI Policy (n 2) page 72, 26.

[22] Draft AI Policy (n 2) page 28, 61.

[23] Kenney (n 1) page 123, 154.

[24] Kenney (n 1) page 26; see also Regulation (EU) 2024/1689 (EU AI Act).

[25] Kenney (n 1) page 22, 26–28.

[26] Draft AI Policy (n 2) page 55–56; POPIA section 10, 13, 19.

[27] Kenney (n 1) page 30.

The post The AI Governance Stack and South Africa’s Draft National AI Policy: An Operational Gap in Search of a Framework appeared first on Werksmans Attorneys.

On 10 April 2026, South Africa’s Department of Communications and Digital Technologies published its Draft National Artificial Intelligence Policy and opened a sixty-day public comment window.

At eighty-six pages, the document covers an extraordinary amount of ground, everything from supercomputing infrastructure to the digitisation of indigenous languages.

If your company develops, deploys, or procures AI systems with any connection to South Africa, you need to be reading this document carefully. And you need to be paying attention to what it doesn’t say as much as what it does.

The policy’s headline vision, “AI for inclusive economic growth, job creation, cost reduction, and a developing Africa“, is hard to argue with. Education, healthcare, agriculture, and public administration are flagged as priority sectors, and the policy sets out six objectives covering skills development, public-service modernisation, ethical governance, and cultural preservation.

Where things get really ambitious, perhaps overly so, is in the institutional design. The draft proposes:

• a National AI Commission,
• an AI Ethics Board,
• an AI Regulatory Authority,
• an AI Ombudsperson Office,
• a National AI Safety Institute,
• and an AI Insurance Superfund modelled on the Road Accident Fund, designed to compensate people harmed by AI-driven decisions.

The risk-based regulatory approach borrows openly from the EU AI Act, with stricter rules for high-risk applications and lighter treatment elsewhere, plus provision for regulatory sandboxes. Its six principles of:

• responsible AI,
• fairness,
• reliability and safety,
• privacy and security,
• inclusiveness, transparency, and
• accountability,

will feel familiar to anyone who has spent time considering the OECD AI Principles.  None of this is controversial. But the real question is whether the detail behind these commitments is adequate, and in relation to privacy, it is doubted.

Credit where it is due: the draft makes the right noises on data protection. It commits to harmonising AI privacy controls with the Protection of Personal Information Act (POPIA), enforcing its eight conditions for lawful processing, and embedding data protection by design and default, data minimisation, purpose limitation, and storage limitation into AI governance. It calls for Privacy Impact Assessments when sensitive information is at stake and points to POPIA’s Section 71 on automated decision-making as a transparency safeguard.

The problem is that the policy never seems to gets beneath the surface. Given the purpose limitation, in machine learning, training data is routinely repurposed across models and applications in ways that bear little resemblance to the original reason it was collected. The policy says nothing meaningful about how to handle that. Or consider data minimisation. The draft simultaneously champions minimisation and calls for a “sustained national effort to curate large, diverse datasets in AI-ready formats,” treating non-private data as a “public good“. You cannot have it both ways without explaining how you intend to square the circle, and the draft does not try.

Then there is Section 71 of POPIA. The policy rightly identifies it as relevant, but stops there. Section 71 gives individuals a right not to be subject to decisions based solely on automated processing, but it is a narrow provision. How does it interact with the broader rights of data subjects, the right to object, or the right to have personal information corrected? The policy does not explore this. When the economy considers rolling AI out across healthcare diagnostics, credit scoring, law enforcement, and public administration, that is a gap with real consequences for real people.

Working across the UK and EU data protection regimes, it does not take much effort to spot the policy’s influences and, unfortunately, its shortcomings.

The EU AI Act provides a legally binding, granular risk classification system backed by conformity assessments, post-market surveillance, and meaningful penalties. South Africa’s draft uses the same vocabulary of risk categorisation, but punts the substance, what counts as “high-risk,” “medium-risk,” or “low-risk”, to future regulations and sector strategies.  That leaves organisations in limbo, uncertain of what they actually need to do.

The rights gap is just as concerning. Under the UK GDPR and the Data Protection Act 2018, individuals have the right to meaningful information about the logic behind automated decisions, the right to human intervention, and the right to challenge outcomes. POPIA offers less, and the draft policy’s language around “sufficient explainability” and “sufficient transparency” risks entrenching a lower standard than what many multinationals already meet under UK or EU law. The word “sufficient” introduces flexibility, but it also invites interpretation by those who may not share the same commitment to individual rights.

Cross-border data flows deserve a mention, too. The policy invokes the National Policy on Data and Cloud and frames data sovereignty partly as a guard against “perpetuation of colonial-era data extraction practices“. That language resonates politically, but it needs to translate into functioning legal mechanisms. The adequacy frameworks under the UK GDPR and the EU’s standard contractual clauses are well-established tools; South Africa’s own regime for cross-border transfers under POPIA Section 72 remains comparatively undeveloped, and this policy does not move the needle.

More worrisome is the institutional design. Seven new bodies, on top of existing regulators like the Information Regulator, ICASA, and the Competition Commission, is a recipe for overlap, turf disputes, and diluted accountability. The policy acknowledges the need for a National AI Regulatory Forum to coordinate these bodies, but the governance lines remain vague. South Africa is not a country with limitless public resources. The danger is that the country will end up with impressive-sounding institutions that lack the funding, people, and political independence to do anything meaningful.

But what should organisations do now? Three things.

·       First, do not wait. Start mapping AI systems against the risk categories and ethical principles in the draft, and benchmark data protection practices against POPIA, the UK GDPR, and the EU AI Act together,  apply the highest common standard.

·       Second, respond to the consultation. The government has framed this policy explicitly as a “point of departure” and a “work-in-progress”.  Submissions that push for sharper data protection obligations, clearer risk definitions, and stronger individual rights around automated decision-making would make a genuine difference.

·       Third, keep a close eye on who ends up doing what. Whether the Information Regulator, the proposed AI Regulatory Authority, or the AI Ethics Board takes the lead on privacy enforcement will shape the entire character of South Africa’s AI governance regime.

This is a creditable piece of policy work and it reflects a serious engagement with international AI governance thinking. But good intentions are not the same as good regulation.

On the issues that matter most to individuals, privacy, data protection, the right to understand and challenge decisions made about you by a machine, the draft stays at the level of aspiration. Turning those aspirations into enforceable, practical obligations is the hard part, and it is the part that still lies ahead.

The comment window is open.

Use it.

The post Speak now or forever hold your peace. The draft AI policy has been published and parties have 60 days to comment appeared first on Werksmans Attorneys.

In our previous article published on 28 October 2025, we identified the absence of exchange control rules for cross-border crypto asset (“crypto“) transfers as being a significant regulatory gap. This followed the High Court ruling in Standard Bank of South Africa v South African Reserve Bank & Others 2025 (5) SA 289 (GP) (the “SBSA decision“) which found that the Exchange Control Regulations, 1961 (the “Exchange Control Regulations“) did not apply to crypto and that exchange control approval was therefore not required for the cross-border transfer of crypto. Although the South African Reserve Bank (“SARB“) was granted leave to appeal to the Supreme Court of Appeal (“SCA“) against the SBSA decision, legislative intervention now seems inevitable. This is confirmed by the fact that during the budget speech on 25 February 2026, Finance Minister Enoch Godongwana announced that the government will soon publish draft regulations under the Currency and Exchanges Act, 1933 to include crypto assets in the capital flow management regime and that crypto assets will be governed within the cross-border capital movement framework. This is in addition to existing regulations to combat money laundering and fraud. This article discusses this latest development.

Setting the Scene: the SBSA decision

To briefly recap, the facts in the SBSA decision are as follows: Leo Cash and Carry Proprietary Limited (a South African resident company) transferred 4,405.9783 Bitcoin (approximately R556 million) to a non-resident Seychelles-based crypto exchange. The SARB sought forfeiture of related bank-held funds, alleging the transfer referred to contravened exchange control rules. The court considered whether crypto constituted (i) money or “currency” for purposes of Regulation 3(1)(c), which prohibits payments to non-residents without exchange control approval (“Currency Payment Rule“); and/or whether crypto constituted (ii) “capital” under Regulation 10(1)(c), which prohibits the export of capital without approval (“Capital Export Rule“). The court found in the negative on both scores and the forfeiture order was set aside.

The Budget Speech Announcement

Although not very informative, additional details are provided in Annexure E (Financial Sector Update) to the 2026 Budget Review, published on 25 February 2026 alongside the Budget Speech. Under “Capital flows management framework“, it is indicated that the National Treasury will publish amendments to the Exchange Control Regulations, and that these will regulate transfers of crypto (such as Bitcoin and Ethereum) to non-residents. This was confirmed by Exchange Control Circular No. 3/2026 issued by the Financial Surveillance Department of the SARB (“FinSurv“) on 3 March 2026.

If the anticipated amendments to the Exchange Control Regulations are consistent with the recommendations made by the Intergovernmental Fintech Working Group (“IFWG“) as long ago as 2021, it is anticipated that they will place Crypto Asset Service Providers (“CASPs“) on a similar footing as authorised dealers with limited authority, requiring them to authorise crypto transfers within clients’ exchange control allowances and to report transfers to the FinSurv, although the precise mechanism will only be confirmed once the draft amendments are published.

Significance of the anticipated amendments

The anticipated amendments are expected to directly address the regulatory gap exposed by the SBSA decision. Rather than awaiting the outcome of the appeal, government has clearly opted to pursue a legislative amendment: the same approach taken by government after the decision in Oilwell (Pty) Ltd v Protec International Ltd and Others 2011 (4) SA 394 (SCA). In that instance, the Capital Export Rule was promptly amended to include intellectual property rights following the Court’s decision that the rule (as framed at the time) did not include intellectual property rights.

The stated intent behind the anticipated amendments is to form part of the multi-layered approach to crypto regulation in South Africa. CASPs are already regulated under financial services and anti-money laundering legislation (including FAIS and FICA). The anticipated amendments are expected to bolster existing efforts to prevent money laundering and terrorist financing, thereby keeping South Africa off the Grey List.

One would expect the regulatory direction intimated by the Minister in February to align with the IFWG recommendations, which were quite explicit and wide ranging. If this happens, the anticipated amendments would integrate CASPs into the existing authorised dealer architecture and CASPs will be expected to administer clients’ exchange control allowances for crypto transfers and report to the FinSurv.

What This Means for CASPs

Once the anticipated amendments take effect, CASPs will likely have to report crypto transfers to the FinSurv. The precise scope and format will only be clarified once the draft amendments are published. CASPs should however already assess whether their transaction monitoring and record-keeping systems can capture the required data. CASPs should review their FAIS, FICA, and contractual frameworks, including their Risk Management and Compliance Framework, their client agreements, vendor contracts (where certain duties or services are outsourced), and privacy notices. Gaps should be identified and consideration should be given to how exchange control monitoring, reporting, and authorisations will work in practice.

What This Means for Crypto Holders

Under the proposed framework, South African residents wishing to transfer crypto assets to non-residents – including to foreign exchanges – may need to do so within their exchange control allowances. Transfers may be subject to the single discretionary allowance (R2 million per calendar year), with transfers exceeding applicable allowances presumably requiring specific SARB approval.

Crypto holders should accordingly be aware that once the anticipated amendments take effect, cross-border crypto transfers will no longer take place in a regulatory vacuum: they are expected to be subject to the same Capital Flows Management Framework that governs the movement of conventional assets and currency to non-residents.

Bringing Clarity to Crypto: Updated Final Thoughts

In our previous article, we observed that a regulatory framework addressing crypto’s exchange control treatment was “long overdue“. The 2026 Budget Speech signals that this framework is finally on the horizon.

Questions remain: It is unclear whether the anticipated amendments will bring crypto within the ambit of the Currency Payment Rule or the Capital Export Rule, alternatively whether a new purpose-built provision will be introduced. The precise obligations for CASPs and their clients are also yet to be determined. The SBSA decision remains suspended pending the SCA appeal, and the announcement of the anticipated amendments may be seen as acknowledging that the existing Exchange Control Regulations do not apply to crypto, with potential implications for the SARB’s appeal.

The regulatory direction is clear: CASPs should use the period before draft amendments are published to prepare their systems and review compliance frameworks. Crypto holders who have previously transferred crypto abroad without exchange control approval should seek legal advice before the new framework takes effect.

For assistance with your crypto needs or exchange control compliance, feel free to contact a member of our team.

The post Cracking Down or Catching Up? South Africa’s Approach to Crypto Regulation: Part 4 – Exchange Control Update appeared first on Werksmans Attorneys.

In a much-needed victory for hard-pressed consumers, the National Credit Regulator (“NCR”) has recently published a non-binding opinion (“NCR’s Opinion”), throwing a lifeline to those consumers that are required to pay premiums for mandatory credit life insurance. The NCR’s Opinion highlights the inconsistent industry practices in calculating mandatory credit life insurance premiums, and the real financial impact this has on consumers. The NCR has now given guidance: consumers should be paying progressively lower premiums for mandatory credit life insurance, as the debt owed to credit providers decreases.

South Africa’s credit market depends on a careful balance: it needs to enable access to finance, whilst simultaneously protecting consumers from unfair or excessive costs. One area where that balance has been under strain is the pricing of mandatory credit life insurance – a product intended to safeguard both borrowers and lenders when unexpected events occur.

The problem: two interpretations, two very different outcomes

At the centre of the issue lies a technical but important ambiguity in the Final Credit Life Regulations 2017 (“the Regulations“) issued under the National Credit Act (“NCA“).

The NCA itself is clear. Section 106(1) provides that credit life insurance must, at any point in time, not exceed the consumer’s outstanding obligations under a credit agreement. In simple terms, as a borrower pays down their debt, the mandatory credit life insurance cover (and therefore its cost) should reduce accordingly.

However, things become murkier when one looks at the Regulations, and in particular Regulation 3(1), which seeks to prescribe the maximum cost of mandatory credit life insurance that a credit provider may charge under section 106(1) of the NCA. Inexplicably, Regulation 3(1) provides two means of interpreting the manner of calculating the cost of mandatory credit life insurance –

1. The ‘first interpretation’ seemingly permits insurers to calculate the premium based on the deferred amount at the inception of the credit agreement, and to apply that premium for the entire duration of the agreement. In other words, premiums are calculated at the start of the credit agreement, when the outstanding debt is greatest, and do not decrease as the debt is paid down.  As such, consumers are likely to continue paying higher premiums, even as their debt reduces (as a result of their monthly payments), effectively resulting in consumers paying for mandatory credit life insurance cover in excess of the maximum statutory tariff amounts.
2. The ‘second interpretation’ permits premiums to be calculated on the deferred amount from time to time under the credit agreement. In other words, the premium is calculated on what should be a gradually reducing balance that is owed by the consumer over time: as the overall debt decreases (due to the consumer’s payments), so does the amount of the premium.

This seemingly technical distinction has significant consequences that affect consumers in the real world. Throughout the term of a credit agreement, the divergence between these two approaches can give rise to substantial additional costs for consumers, with particular detriment to lower-income consumers who rely most on credit. More concerningly, inconsistent interpretations (and thus practices) across the industry mean that different credit providers are charging different premiums for the same insurance cover. This means that consumers may pay vastly different premiums for the same products, without knowing that they are doing so, or why.

The differing approach obviously has wider implications. Where regulatory clarity is absent, inconsistent industry practices tend to become entrenched. In this case, it has resulted in different credit providers earning different insurance premiums for the same mandatory credit life insurance products which should be subject to the same statutory maximum tariffs, giving them a competitive advantage from a practice that seems to clash directly with the provisions of s106(1) of the NCA. This has created uneven competition between market participants, and incentives for aggressive or opportunistic interpretations, leading to the inevitable erosion of trust in financial products.

This undermines one of the key objectives of the NCA, namely, the fair, consistent and transparent treatment of consumers.

The NCR steps in to provide much-needed clarity

The NCR has now provided the necessary guidance which, can play a crucial role in promoting consistency across the industry, providing clarity to credit providers and insurers, and protecting consumers from ongoing overcharging for mandatory credit life insurance under section 106(1).

The NCR’s Opinion is premised on the long-accepted legal principles that determine how statutory ambiguities should be resolved: regulations must be interpreted in a way that is consistent with the empowering legislation (in this case, the NCA), and in light of their purpose and context, so as to avoid invalid or unlawful outcomes.

Applying these principles, the first interpretation, which fixes premiums to the original loan amount, is difficult to sustain. It conflicts with the s106(1) requirement that mandatory credit life insurance cover must track the consumer’s actual, outstanding liability.

By contrast, the second interpretation’s declining-balance approach aligns with s106(1)’s wording, the NCA’s purpose of consumer protection provisions, and the principle that consumers should not pay for unnecessary or excessive cover or be charged  for a level of risk that no longer exists.

The NCR’s Opinion comes down firmly on the side of the second interpretation. It constitutes clear guidance that those credit providers that calculate premiums on the first interpretation (and thus charge and earn higher premiums), should alter their ways. The NCR has undertaken to closely monitor the market, to determine the level of compliance with its opinion, and will take whatever steps are necessary to ensure compliance. In the future, if practices (and charges) remain inconsistent, it might be that amendment to the NCA and/or the Regulations, or even judicial clarification, is required, in order to remove all ambiguity and to fully align the NCA’s provisions under section 106(1) with those of the Regulations. Nevertheless, the NCR’s guidance is a meaningful and constructive starting point.

In an economic environment that many believe looks set to worsen, the NCR’s Opinion provides consumers with some much-needed respite from credit life insurance  costs that are excessive. The NCR’s Opinion seeks to restore coherence and fairness, and settle an ambiguity that prevailed, to the detriment of consumers and the credit life insurance industry as a whole. The NCR’s Opinion is therefore a welcome clarification: both timely and consequential.

The post NCR Throws a Lifeline to Consumers Required to Pay Premiums for Mandatory Credit Life Insurance appeared first on Werksmans Attorneys.

We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government. “Osborn v. United States, 385 U.S. 323”. U.S. Supreme Court case

December 12, 1966

For most organisations, CCTV is invisible infrastructure, bolted to a wall, quietly recording, and only thought about when something goes wrong. But that comfortable obscurity is ending. Under South Africa’s privacy regime, CCTV footage is personal information whenever an individual (or, in certain contexts, a juristic person) is identifiable. That single legal fact transforms video from a facilities line item into a regulated data asset, carrying with it governance obligations, lifecycle controls, and enforceable rights that many organisations have yet to reckon with.

The Information Regulator’s (“Regulator“) draft code of conduct on the processing of personal information at gated access communities is the clearest signal yet that the Regulator is moving beyond high-level principles and into operational expectations for high-risk environments. CCTV is named explicitly as a key risk area, and the implications reach well beyond residential estates.

What the draft code does, and why it matters for CCTV

The draft code is a sector-specific instrument designed to align data processing practices in gated-access environments with POPIA. It targets the full ecosystem: owners and managers of premises, homeowners’ associations and bodies corporate, security operators, and the technology suppliers that underpin modern access control.

For those of us who advise on CCTV governance, the draft code’s significance lies in the structural reality it addresses. Gated-access CCTV deployments are multi-party by design. An estate management company, a contracted guarding firm, a remote monitoring service, and a cloud or video platform provider may all touch the same footage on any given day. The draft code’s emphasis on governance, accountability, and the formal differentiation between Responsible Parties and Operators forces organisations to formalise roles and relationships that, in practice, have often been left to assumption and goodwill.

That informality is precisely where risk accumulates.

Six areas where the draft code reshapes CCTV practice

·         Processing Basis: The End of “Implied Consent” as a Default

The draft code identifies several high-risk and non-compliant patterns, including reliance on consent as a processing basis without prior assessment of legitimate interest, and the absence of a personal information impact assessment (“PIIA“). CCTV processing is listed alongside biometrics as a prominent risk category. The direction of travel is unmistakable: CCTV governance must be designed to stand on its own without leaning on consent as a primary legal crutch. In practical terms, organisations should document the security purpose and necessity of each CCTV deployment, record the lawful justification within their POPIA framework (and ensure consistency across signage, privacy notices, contracts, and internal policy), and treat a PIIA as a baseline control rather than an aspirational exercise.

·         Purpose Limitation: Guarding Against Function Creep

The draft code’s core principles include strict purpose limitation, use CCTV footage for access control and security, and nothing more. In my experience, the fastest route to legal exposure is function creep, and it is far more common than most organisations appreciate. Footage originally captured for perimeter security is repurposed for employee performance management. Clips are shared on internal messaging groups under the banner of vigilance. Recordings end up in marketing materials or social media posts. Audio recording and advanced analytics are enabled because the hardware supports them, not because a risk assessment demands them. A defensible CCTV programme draws a hard line: repurposing is not an operational convenience. Every use beyond the stated purpose requires separate justification.

·         Data Minimisation: Design Before You Record

The draft code’s principle of lawfulness and minimality is direct: collect only what is necessary. For CCTV, minimisation does not begin at the storage layer; it begins at the lens. Thoughtful design controls include positioning and masking cameras to avoid filming neighbouring properties or public spaces unnecessarily, limiting coverage of sensitive areas such as private dwellings, medical rooms, restrooms, and prayer spaces, calibrating zoom and resolution to the stated purpose rather than maximising capability by default, and treating advanced features like facial recognition or behavioural analytics as discrete risk decisions, not standard settings to be left on.

·         Retention and Deletion: No More Ambiguity

Retention and deletion are foregrounded in the draft code as core governance obligations. Every organisation operating CCTV should be able to answer four questions consistently and auditably. How long is footage kept by default? Who may extend retention, and under what documented trigger, an incident, a claim, or an investigation? How is deletion executed and evidenced? And what happens when footage is exported and its retention moves outside the primary system? If the answers to these questions vary depending on whom you ask within the organisation, the retention framework is not yet fit for purpose.

·         Security Safeguards: Assume CCTV Is High-Value, High-Risk Data

Under the draft code’s treatment of security (aligned with Condition 7 of POPIA), the Regulator highlights technical and organisational measures to prevent loss, unlawful access, damage, or unauthorised destruction, including restricted access to CCTV footage, encryption, password protection, and secure systems, as specific expectations. In reality, CCTV security failures are rarely sophisticated. They are shared passwords across guards and supervisors, unlogged exports to USB devices, system installers retaining remote access long after a project is complete, network video recorders left exposed to the internet, and uncontrolled circulation of clips once they have been exported. A mature compliance posture treats CCTV as what it is, high-value, high-risk data, and implements controls accordingly: role-based access, strong authentication, comprehensive audit logs, export controls, vendor hardening requirements, and secure disposal protocols.

·         Data Subject Rights: A Real Operational Workload

The draft code explicitly reinforces the full spectrum of data subject rights, including the rights to be informed, to access, to correction, to deletion, to object, to withdraw consent, to restrict processing, and to lodge complaints. For CCTV operators, these rights create a genuine operational challenge. A subject access request for footage requires balancing the privacy rights of other individuals visible in the recording, the integrity of any ongoing security or disciplinary investigation, and the organisation’s own POPIA obligations. In practice, this means designing workflows around viewing rather than copying, investing in redaction and blurring capability, and establishing clear internal decision rights for the release of footage.

A Practical Compliance Playbook

For organisations that want to move from reactive risk to structured governance, the following framework offers a pragmatic starting point.

Treat CCTV as a full data lifecycle, not a camera network. Map the end-to-end flow of footage: capture (camera placement and fields of view), transmission (network architecture and remote access), storage (on-premises or cloud, including backups), access (who watches live feeds versus who reviews recordings), export and sharing (to law enforcement, insurers, residents, HR, or other parties), and retention and disposal. Until the lifecycle is mapped, it cannot be governed.

Clarify who is the Responsible Party and lock down operator controls. The draft code foregrounds governance roles – the Responsible Party, the Information Officer, and operators acting on a need-to-know basis. For CCTV, this means aligning contracts and operating procedures so that the Responsible Party can demonstrate it controls the purpose and manner of processing, that operators process only on documented instructions, and that access to footage is restricted, logged, and revocable.

Build a CCTV-specific gap analysis. Consider what a regulator or a complainant would probe: necessity and proportionality of coverage, transparency through signage and notices, alignment between retention settings and retention policy, access governance including export and sharing approvals, security hardening across authentication, patching, vendor access, and audit trails, a repeatable process for handling rights requests, and a documented position on high-risk features such as biometrics and analytics.

Anticipate the leak moment. Most reputational and regulatory harm materialises after an incident, when someone exports a clip and circulates it without adequate controls. Design for this inevitability by watermarking exported footage, restricting export permissions and requiring case numbers or formal authorisations, mandating secure sharing channels rather than ad hoc messaging, using short-lived links where feasible, and establishing a defined escalation path for urgent requests so that urgency does not become a standing excuse for bypassing controls.

Looking ahead

The Regulator’s strategic planning frames the gated-access code as a priority response to public concern about overprocessing at gated communities, set against a backdrop of escalating security compromises. This is not an isolated initiative. What we should expect to see is increasing complaints-driven scrutiny of CCTV practices in estates, business parks, and controlled-access premises, particularly where footage is shared widely, retention periods are long, or transparency is weak. The compliance baseline is shifting from policy on paper to demonstrable system configuration and operational discipline – access controls, retention automation, and auditable exports. There will be heightened attention on CCTV combined with biometrics and analytics, which the draft code already positions as risk-heavy processing categories.

The strategic opportunity for organisations is to treat CCTV compliance not as a constraint on security operations, but as a means of making security more trustworthy, more defensible, and far less fragile under regulatory or public scrutiny. The organisations that invest in structured CCTV governance now will find themselves better positioned, not only to satisfy the Regulator, but to maintain the trust of the communities and stakeholders they serve.

The post CCTV Footage: What the Information Regulator’s Draft Code Means for Surveillance Governance appeared first on Werksmans Attorneys.

Confidentiality and gun-jumping – the tension at the heart of the process

The one-shot design of the pre-merger consultation process creates an inherent tension: you need to bring sufficient substance to the table to make the meeting worthwhile, but doing so requires sharing information that may be competitively sensitive and that, if handled carelessly, could give rise to gun-jumping concerns.

Preparation is crucial. The Competition Commission’s (“Commission“) procedures contemplate formal confidentiality claims via Form CC7, and parties should prepare non-confidential summaries and redactions aligned to those mechanisms for any materials shared during or following the consultation. Clean-team protocols and need-to-know controls should be established in advance, particularly where market data, strategy documents, or remedy proposals involve sensitive forward-looking information.

It bears repeating that the consultation confers no permission to integrate operations or exercise control. Parties must not treat the meeting as an informal green light to begin implementation. The prohibition on pre-implementation for notifiable intermediate and large mergers remains absolute, and the Commission’s post-COVID enforcement posture on gun-jumping has, if anything, become more assertive.

Equally important is the transition from the consultation to the formal filing. Submitting inconsistent narratives or changing key factual predicates between the two can erode trust and trigger broader follow-up requests. Overstating certainty during the consultation can box you into positions that later discovery or third-party input renders untenable. A conservative approach to information-sharing and disciplined documentation of what was discussed is essential to managing both confidentiality and process risk.

Public-interest strategy – do not leave it to the end

South Africa’s merger regime assigns public-interest considerations equal weight with competition effects. The Revised Public Interest Guidelines articulate a positive obligation to promote a greater spread of ownership by historically disadvantaged persons and workers in every merger. This is not a box-ticking exercise. It is a substantive requirement that drives outcomes in complex matters.

The consultation is expressly designed to allow upfront discussion of possible remedies and information scope, creating a structured opportunity to test the feasibility, structure, and monitoring of potential public-interest commitments alongside competition remedies. Given the Commission’s emphasis on employment, ownership, investment, and localisation outcomes, parties should arrive prepared to discuss realistic commitments, their timing, and their interaction with global remedy packages.

Sequencing within the meeting itself matters. Opening with the public-interest narrative, then presenting concrete remedy sketches with implementation mechanics, governance, and monitoring pathways, invites feedback on proportionality and evidential support. This approach respects the non-binding character of the meeting while eliciting guidance that can be translated into condition proposals during the formal review.

Integrating public-interest design early can materially reduce later negotiation cycles, particularly in very complex matters where HDP and worker ownership structures or employment moratoria often drive the final outcome.

The risks you need to manage

The principal procedural risk is over-reliance on non-binding impressions, mistaking preliminary feedback for comfort on substantive or public-interest issues, and then under-preparing for the formal review. The one-shot design amplifies this: if you do not put the right questions or remedy constructs on the table, you may forfeit your only chance to shape the Commission’s early focus.

Inconsistent narratives between the consultation and the eventual filing can damage credibility and expand the scope of information requests, making meticulous internal coordination across jurisdictions and functions non-negotiable.

The mitigation strategies flow directly from the guidelines’ architecture. Crystallise your theory of the case advance. Align cross-border positions. Prepare public-interest proposals capable of iteration into enforceable conditions. Treat the session as a scoping and design workshop, not a persuasion hearing.

The question that should be keeping practitioners up at night

The one-shot consultation framework is, on its face, a welcome development, a structured, transparent mechanism for early engagement on complex transactions. But it rests on a classification distinction that has become increasingly difficult to apply in practice.

The guidelines reserve the consultation process for Phase II and Phase III matters. Phase I transactions, those deemed straightforward, are excluded. In principle, this makes sense: routine mergers do not warrant the same level of pre-filing engagement.

But here is the difficulty. Since the onset of COVID, practitioners have observed a marked shift in the Commission’s classification practice. The Commission has, in effect, adopted the habit of classifying virtually all notifiable mergers as either Phase II or Phase III matters. Phase I classifications have become vanishingly rare. Whether this reflects a genuine increase in transactional complexity, a resource allocation preference, or an institutional tendency towards caution, the practical consequence is the same: the Phase I category has been largely hollowed out.

This raises a question that goes to the heart of the new consultation framework, and indeed to the broader functioning of South Africa’s merger control regime.

How do we actually know whether a transaction is a Phase I or Phase II matter and does the distinction, as currently applied, still serve a meaningful purpose?

If the Commission classifies nearly everything as Phase II, then the consultation mechanism is not really reserved for complex cases at all, it is available for most transactions, which in turn raises questions about the Commission’s capacity to deliver on the one-shot model at scale. And if the Phase I classification has effectively fallen into disuse, practitioners are left without a reliable framework for advising clients on likely timelines, procedural expectations, and the strategic value of seeking a pre-filing consultation in the first place.

That is not a question the guidelines answer. But it is the question that will determine whether this process works as intended.

The post Part 2: The “One-Shot” Pre-Merger Consultation in South Africa. Preparation, Risk, and the Question no-one is asking appeared first on Werksmans Attorneys.

On 28 January 2026, the global community celebrated International Data Privacy Day. This year, its commemoration landed in a world where privacy and personal information protection are no longer optional, purely legal, regulatory, or compliance issues, but are central to how organisations design systems, deploy services and/or products, collaborate across ecosystems, and earn trust in a digitally connected world.

In South Africa, the Information Regulator hosted a mini-conference themed “12 years of POPIA – what next?”, indicating a shift in our national conversation on privacy and personal information protection from introducing and implementing POPIA to assessing its real-world impact and planning the future of data protection in South Africa.

POPIA in practice: Where are we?

Since POPIA came into full force in 2021, the privacy compliance and regulatory landscape in South Africa have matured. It has shifted from a primarily awareness-raising phase to an era of active enforcement, strategic guidance, and public engagement:

• The Information Regulator (“the Regulator”) has, over the past 4 years, moved from primarily educating stakeholders and increasing POPIA awareness to formal enforcement action, including imposing administrative fines and compliance directives.
• There is increased institutional visibility on privacy incidents due to data breach reporting and transparency obligations, which have compelled organisations to invest in security and incident response resources.
• The Regulator has also issued updated POPIA regulations that clarify procedural expectations on notifications, correction and deletion rights, and Information Officer responsibilities — an important step in operationalising POPIA’s protections across both private and public sectors.
• The Regulator has rolled out a centralised eServices portal that supports compliance, reporting, and public engagement on POPIA and PAIA. Through the portal, organisations and the public can, among others, register their Information Officers, submit PAIA annual reports, check and verify whether organisations have complied with their POPIA and PAIA requirements, report security compromises, submit POPIA and PAIA complaints, apply for exemptions and prior authorisations from the Regulator, and view user personal privacy scores and records. Through these tools, the Regulator has likely reduced administrative delays and increased accountability. These e-services are available here. The Regulator has also, through their partnership with the CIPC, made some of these eServices available on the BizPotal

What next?

During the Regulator’s mini-conference, attendees reflected on whether our current systems make privacy practical, accessible, and enforceable, and highlighted the move towards a society in which privacy is built into how we operate, instead of being bolted onto systems, processes, and documents afterwards. This is consistent with global themes for International Data Privacy Day this year, which focused on promoting privacy-by-design, the idea that data protection should be embedded in technologies and processes from inception, not added after the fact. It also mirrors emerging expectations from regulators and courts around the world, which focus on accountability and built-in safeguards that are demonstrable rather than mere documentation.

For South African organisations, this emphasis aligns naturally with POPIA’s conditions for lawful processing of personal information, including accountability, purpose specification, minimality, security safeguards, and data subject participation. Embedding POPIA principles at design stages reduces compliance risk and strengthens trust with stakeholders.

Key focus areas for South African businesses going forward

Given the domestic enforcement environment and the global direction of privacy regulation, we recommend that South African organisations focus their compliance and risk strategies around several core pillars:

1. Ensure that you can demonstrate privacy, governance, and accountability. Merely drafting policies is not enough. You must be able to show compliance through documented and monitored organisational practices, such as appointing and effectively deploying Information Officers, and maintaining inventories of personal information processing activities, data protection impact assessments, and evidence of lawful bases for processing.
2. Embed privacy into your operational design. Integrate privacy requirements into business logic, technology selection, vendor processes, and customer experience. Design systems with default privacy settings and robust security, and consider data minimisation and retention at the inception of the project.
3. Implement responsive systems for enabling data subjects to exercise their rights by, among others, building workflows to respond to requests and objections within POPIA’s timelines, and providing transparent privacy notices.
4. Ensure that you have well-prepared protocols for addressing and reporting data breaches. Have a tested incident response, communication templates, and escalation plans. Also maintain and analyse logs of your data breaches, and use these to identify trends and reduce future risk.
5. Where appropriate, move beyond consent as the basis for processing personal information. Other lawful grounds often better reflect operational realities, especially when coupled with transparency and security safeguards. It is therefore important that you assess whether consent is necessary or whether other lawful grounds are more appropriate, and avoid reliance on consent where it may cause operational fragility or data subject dissatisfaction.

Conclusion

Global and local privacy discussions on International Data Privacy Day demonstrate the push towards more effective and practical privacy engineering, resilient legal compliance, and demonstrable accountability.

In today’s digital era, where data powers commerce, innovation, and social interaction, those who design systems that respect privacy from the outset will avoid legal risk and build deeper trust with customers, employees, and the broader public.

The post Celebrating International Data Privacy Day: “12 years of POPIA – what next?” appeared first on Werksmans Attorneys.

The post Unpacking the Significant Proposed Changes to the “Generic” Codes of Good Practice (“Codes”) on Broad-Based Black Economic Empowerment (“BBBEE”) appeared first on Werksmans Attorneys.

Like many other sectors of the economy that rely on technology, online gambling, gaming and betting have grown much faster than lawmakers are able to respond. This year, lawmakers throughout the world have made efforts to modernise their gambling laws to close the gap between traditional regulation and digital market realities. Lawmakers are introducing additional laws focussing on consumer protection reforms, increased regulation of digital gambling, stronger action against unlicensed offshore operators and the recognition of the e-sports and hybrid gaming markets. Although South Africa has been engaging on possible regulatory reform, digital gambling laws remain under development.

2025 has been a year of significant legal reform in the regulation of gambling, betting, online gaming and e-sports across the world. Prompted by concerns over consumer protection, money laundering and the rapid expansion of the online betting economy, governments around the world are taking steps to update their legal frameworks to address the increased digitisation of the industry as well as mounting public scrutiny over gambling related harm.

At the forefront of consumer-focussed reform is the United Kingdom which, in April 2025, introduced the world’s first online slot stake limits of £5 per spin for adults and £2 for players aged 18 to 24. In addition, the UK Gambling Commission introduced a ban on mixed-product gambling and a cap on bonus wagering requirements, which will be effective from December 2025. The UK Gambling Commission has also prioritised real-time risk detection obligations which require licensed operators to intervene when signs of financial harm from gambling emerge.

European countries are intensifying action against offshore gambling platforms. Norway implemented new provisions on domain name system blocking and internet service provider enforcement powers against foreign gambling operators without local licences. Denmark has tightened supply chain rules in digital gambling and now requires licensed operators to use only locally licensed B2B software providers. Malta has enhanced its risk-based regulatory oversight methodology in the areas of compliance, player protection and sports betting integrity. The Netherlands, France and Spain have tightened gambling advertising rules and celebrity endorsements to reduce youth exposure.
In August 2025, India enacted the Promotion and Regulation of Online Gaming Act, 2025 which distinguishes between gaming and gambling. It legalises skills-based gaming and e-sports, while banning online gambling classified as games of chance. It also mandates age verification and anti money laundering compliance.

In the United States, the popularity of prediction markets and fantasy stock trading platforms offering bets on real-world outcomes is rapidly growing, bringing with it its own set of legal issues that need to be considered and addressed. U.S. federal regulators are considering whether such platforms should fall under gambling law or financial regulation.
Brazil launched its regulated online betting market on 1 January 2025, which introduced federal licensing controls, advertising controls and anti-money laundering requirements. Although enforcement challenges remain, Brazil is expected to become one of the world’s biggest online sports betting markets.

E-sports regulation gained ground globally this year. China has tightened controls on gambling-linked sponsorship in e-sports and increased cooperation against illegal betting syndicates. South Korea updated its rules on penalising match-fixing in competitive gaming. European Union integrity bodies are calling for a unified e-sports integrity framework. These developments highlight growing recognition that e-sports requires dedicated regulation. Even though some overlaps exist, e.g. e sports betting, e-sports regulation must cover several issues that are distinct from gambling laws, such as cheating, match-fixing, and player welfare. Esports regulation focuses on fair competition and the integrity of the game itself, while gambling laws address financial stakes and potential addiction.
Gambling in South Africa is regulated by the National Gambling Act, 2004 (“the Act”) which was enacted over 20 years ago. The Act requires strict licensing and probity checks, robust anti-money laundering oversight, and provides for co-ordination of the concurrent national and provincial legislative competence over matters relating to gambling. Legal forms of gambling include land-based casinos, limited pay out machines, bingo, horse racing and sports betting. However, the legal framework established under the Act was not designed for the digital era. The national gambling amendment bills of 2008 and 2018 attempted to introduce much needed reform, but they were never fully enacted.

To ensure an appropriate and responsive regulatory framework, South Africa must consider updating its gambling laws to, among others, ensure the implementation of –
• controlled licensing systems for online gambling;
• systems to retain revenue onshore
• a regulatory framework to support the growth of the e sports industry;
• updated gambling advertising restriction;
• real-time monitoring tools;
• domain name system blocking;
• Internet service provider enforcement powers against foreign gambling operators without local licences; and
• provisions on harmonising national and provincial laws.

Without reform, South Africa risks falling further behind on the regulation of digital gambling and continued offshore capital flight. Reform is not only necessary to protect players, but will also close legal and enforcement gaps, preserve the regulatory credibility and economic value.

The post Global developments in gambling, betting and e-sports regulation: Lessons for South Africa appeared first on Werksmans Attorneys.