by Ahmore Burger-Smidt , Director, Head of the Data Privacy Practice Group

“On privacy issues, it’s just like hundreds of years ago when people said, ‘I would rather put my money under my pillow than in a bank.’ But today, banks know how to protect money much better than you do. Today, we may not have the answers to privacy issues, but I believe our young people will come up with the solutions. “

Jack Ma

On 1 July 2020 the way in which we deal with personal information in South Africa will change. Long gone are the days where privacy can be ignored or undervalued.

The Protection of Personal Information Bill was first tabled 12 years ago, in 2009. It was signed into law in 2013, but very few provisions in the Protection of Personal Information Act, 2013 (“POPIA“) were operational to date.

The presidency has determined on 22 June 2020 that sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) of POPIA shall commence on 1 July 2020.

Sections 110 and 114(4) shall commence on 30 June 2021.

The sections which will commence on 1 July 2020 are crucial parts of POPIA and brings with it the duty to comply with the conditions for processing as stipulated in terms of POPIA. This not only includes aspects in relation to lawful processing but also security of information. It also includes how companies will deal with direct marketing going forward.

POPIA recognises in its preamble that section 14 of the Constitution provides that everyone has the right to privacy. In section 2 of POPIA it is recorded that the purpose of POPIA is to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at –

• balancing the right to privacy against other rights, particularly the right of access to information; and
• protecting important interests, including the free flow of information within the Republic and across international borders.

Since time immemorial, South Africa has been playing catch up in respect of implementing the data privacy laws it has developed. So much so that the United Nations special rapporteur on data and privacy protection Professor Joseph Cannataci has stated on 11 March 2020 at a roundtable discussion at the Human Sciences Research Council in Pretoria that –

“Privacy laws started decades ago. By 2001 there were more than 20 countries that brought legislation up to certain levels. South Africa is about 30 years behind. The first data privacy laws were written in Sweden in 1973. Other European countries then followed shortly. South Africa, in 2020, is only now playing catch up.“^[1]

It is time to focus!

The South African society will be able to claim the protection afforded by POPIA form 1 July 2020. The road has been long to get to this point. The problem is the road to full compliance will be very short. Companies will be required to be in full compliance with POPIA within 12 months after POPIA comes into effect.  This means that entities, not only private but also public, will have to ensure compliance with POPIA by 1 July 2021. 

[1] L Kiewit “South Africa must implement privacy laws to protect citizens, says UN expert” available at https://mg.co.za/article/2020-03-12-south-africa-must-implement-privacy-laws-to-protect-citizens-says-un-expert/, accessed on 1 April 2020.