To give effect to the constitutional right to privacy, on 20 August 2013, the National Assembly passed the Protection of Personal Information Bill (B9D of 2009), which is largely based on the European Data Protection Directive (to be replaced in due course by the stricter General Data Protection Regulation). The Bill was signed into law by the President on 19 November 2013 and was gazetted as the Protection of Personal Information Act 4 of 2013 (“POPI”) on 26 November 2013.
As mentioned in a previous ENSight, POPI will come into force on a date to be determined by the President by proclamation in the Gazette. Certain provisions relating to the establishment of the Information Regulator (“Regulator”) and the making of regulations under POPI were brought into force on 11 April 2014.
Although nominations for the appointment of the Regulator were called for last year, no appointment has yet been made and draft regulations have not yet been published. On 11 November 2015, a parliamentary “workshop” was convened to consider and debate the role of the Regulator. Parliament has now called for a further workshop to be held this year.
It is probably fair to presume that the Regulator will only be appointed and draft regulations will only be published after this workshop. With local government elections in May 2016, we anticipate that the POPI commencement date will be in the second half of 2016.
Until we receive credible feedback from Parliament and the Minister, a great deal of uncertainty remains. One thing is, however, clear: given the global trend towards stricter data-protection regulation, POPI is not going away and companies are well advised to get their “data houses” in order before the POPI rush.