Statutory and Regulatory Framework

1.What laws regulate the provision of online education programs?

There is currently no legislation regulating online education programs in South Africa. Legislation exists that regulates the general provision of higher education in South Africa, including the regulation of private and public higher education institutions (for both local and non-South African juristic persons), but it does not apply to online education offered from outside South Africa by institutions which do not have a presence in South Africa.

The following laws and policies would apply to the offering of education services to consumers in South Africa by service providers outside, as well as inside, South Africa:

Consumer Protection Act, 2008 (CPA)

The CPA will apply to any services marketed to consumers in South Africa. It contains provisions that govern advertising of goods and services and imposes liability on service providers for warranties and representations made in connection with offers to provide goods and services. It also places restrictions on the manner in which, and times when, unsolicited direct marketing approaches may take place, and requires that all written agreements between a supplier and a consumer be in "plain and understandable language".

Electronic Communications and Transactions Act, 2002 (ECTA)

ECTA provides for the facilitation and regulation of electronic communications and transactions. It is not specific to the provision of education services, but would include any commercial transaction or marketing activity conducted online.

Protection of Personal Information Act 4 of 2013 (POPIA), together with the Regulations

POPIA aims to regulate the manner in which personal information may be processed and provides persons with rights and remedies to protect their personal information from processing which is not compliant with POPIA. POPIA establishes minimum requirements for the processing of personal information of persons by an individual or entity domiciled in South Africa or, where not domiciled locally, by an individual or entity who processes that information in South Africa. POPIA lists eight conditions for the lawful processing of data by a Responsible Party and/or an Operator. All processing of personal information must be made to conform to POPIA by no later than 30 June 2021.

Policy for the Provision of Distance Education in South African Universities in the Context of Integrated Post- School System Draft, 2014 (The Policy)

The Policy, published by the Department of Higher Education and Training (DHET), deals specifically with cross-border distance higher education and the need for regulation thereof. In this regard, the Policy states that the Ministry of Higher Education (MHET) supports the principle that the international provision of education services should be subject to proper regulation by national authorities, including supervision by competent quality assurance bodies.

The MHET has taken the view that higher education is a public good whose provision in South Africa by non-South African institutions or companies must be regulated in accordance with South African law to ensure that acceptable standards are maintained, students are protected, and the democratic transformation of South African higher education is sustained. In this regard, inter-governmental agreements designed to curb fraudulent or inferior distance higher education at their source are the best available safeguard since they commit signatory states to ensure that providers of cross-border education meet acceptable criteria and are subjected to suitable quality assurance supervision in their home countries.

The Policy, as its name implies, is simply a policy statement, and it does not appear that any of its provisions have been incorporated in legislation yet.

The following laws are relevant to the provision of education services inside South Africa only:

Constitution of the Republic of South Africa, 1996 (Constitution)

Section 29(3) of the Constitution provides that everyone has the right to establish and maintain, at their own expense, independent educational institutions that:

  1. do not discriminate on the basis of race;
  2. are registered with the state; and
  3. maintain standards that are not inferior to standards at comparable public educational institutions.

Higher Education Act, 1997 (HE Act)

The HE Act regulates higher education and related matters in South Africa, and also provides for the registration of private higher education institutions in South Africa.

Continuing Education and Training Colleges Act, 2006 (CET Act)

The CET Act provides for the regulation of continuing education and training, as well as the registration of private colleges that offer continuing education and training qualifications, including part-qualifications. In this regard, section 28 of the CET Act is relevant with respect to the registration of private colleges.

National Qualifications Framework Act, 2008 (NQF Act)

The NQF Act provides for the National Qualifications Framework (NQF), which is a comprehensive system approved by the Minister for the classification, registration, publication, and articulation of quality-assured national qualifications. All public and private higher education institutions must ensure that the qualifications (or part-qualifications) offered by them are registered in terms of the relevant sub-frameworks provided in the NQF Act.

Skills Development Act, 1998 (SDA)

The SDA provides for the creation of a National Skills Agency, establishment of the Quality Council for Trades and Occupations, and regulation of apprenticeships and learnerships, as well as all matters related to skills development.

Regulations for the registration of private higher education institutions, 2016 (Regulations)

The Regulations published in terms of section 53(1)(c) read with section 69 of the HE Act, regulate the application process for registration of private higher education institutions and also set out certain responsibilities of the institutions in this regard.

Publication of the General and Further Education and Training Qualifications Sub-framework and Higher Education Qualifications Sub-framework of the National Qualifications Framework, 2013

These frameworks were published in section 27(k)(iv) of the NQF Act, which requires the Minister of Higher Education and Training to determine frameworks for the classification, registration, publication, and articulation of quality-assured national qualifications. They outline the various levels of qualifications that may be conferred by institutions.

2.What agencies or entities regulate the provision of online education programs?

South Africa does not have a specific agency or entity that regulates the provision of online programs in South Africa. However, the following bodies are relevant with respect to the provision of higher education within South Africa:

  • The Department of Higher Education and Training (DHET), which oversees all universities and other post-secondary education in South Africa, and with whom all higher education institutions must be registered.
  • The Minister of Higher Education (MHET), who is responsible for the determination and publication of a higher education policy.
  • The Council on Higher Education (CHE), which has the executive responsibility for quality assurance and promotion of higher education and discharges this responsibility through the Higher Education Quality Committee (HEQC).
  • The South African Qualifications Authority (SAQA), which is mainly responsible for the development and implementation of the NQF and the coordination of the sub-frameworks.

3.Is approval (e.g., authorization, registration, licensure) required for an institution to offer online education programs?

As noted above, the provision of online education programs in South Africa is not specifically regulated. No approval is necessary for an institution that does not have any presence in South Africa, and that operates wholly outside South Africa, to offer online education programs.

However, the Higher Education Act, together with its Regulations, regulates the registration of private higher education institutions that operate within South Africa.

4.Is other action (e.g., in-country accreditation or reporting) required for an institution to offer and maintain online education programs?

There are no additional legislative requirements with which an institution that does not have any presence in South Africa, and that operates wholly outside South Africa, must comply in order to offer online education programs.

The Higher Education Act sets out various requirements with which a private higher education institution with a presence in South Africa must comply, which relate to:

  • The display of its certificate of registration;
  • Access to information;
  • Record keeping and audits; and
  • Continued compliance with registration requirements.

5.Are there other known criteria that an institution must meet to offer online education programs?

No.

6.Is the process different if an institution partners with an institution located in the foreign country to provide the online education programs?

The local institution will have to be registered as a public or private higher education institution in terms of the relevant South African legislation. Relevant provisions are summarized below:

Higher Education Act, 1997 (HE Act)

Section 51(1) of the HE Act provides that no juristic person (whether local or foreign) may provide higher education, unless that person is registered or recognized as a juristic person in terms of the Companies Act, 2008, and is registered or conditionally registered as a private higher education institution in terms of the HE Act. Where the applicant is a foreign juristic person (i.e., a person that has the legal authority to provide higher education in their country of origin, and is registered as a juristic person in terms of a law of their country, and is entitled to be registered as an external company in terms of section 23 of the Companies Act of 2008), section 51(2) requires that the person must ensure that any qualification or part-qualification offered within South Africa is registered on the sub-frameworks for higher education and trades and occupations on the National Qualifications Framework contemplated in section 7(b) and (c) read with section 13(1)(h) of the NQF Act.

In order to register as a private higher education institution, the following requirements, as set out in section 53 of the Act, must be adhered to:

"(1)       The registrar may register an applicant as a private higher education institution if the registrar has reason to believe that the applicant:

  1. is financially capable of satisfying its obligations to prospective students;
  2. is able to provide higher education that will
    1. maintain acceptable standards that are not inferior to standards at a comparable public higher education institution; and
    2. comply with the requirements of the CHE; [and]
  3. complies with any other reasonable requirement prescribed by the Minister.

(2)        The registrar may require further information, particulars and documents in support of any application for registration."

7.Does the law apply differently to an institution if the student is a resident of the foreign country, but not a citizen of the foreign country?

No.

Curriculum

8.Will the foreign country recognize a certificate or degree earned by a student taking online education programs from a U.S. institution?

South African legislation does not provide in general terms for the recognition of qualifications conferred by institutions that do not have a presence in South Africa.

Section 7(b) and (c) of the NQF Act describe The National Qualifications Framework as a single integrated system which comprises three coordinated qualifications sub-frameworks, among them Higher Education (contemplated in the Act) and Trades and Occupations (contemplated in the Skills Development Act 97 of 1998).

Section 13(1)(m) of the NQF Act mandates SAQA to provide an evaluation and advisory service in regard to non-South African qualifications consistent with the NQF Act. Every non-South African qualification obtained would have to be submitted on its individual merits for evaluation by SAQA. Pursuant to its mandate in terms of section 13(1)(m), SAQA has issued the "Policy and Criteria for Evaluating Foreign Qualifications within the South African NQF,” in which SAQA states that it will evaluate each qualification in the context of the purpose for which evaluation is sought, e.g., whether it qualifies the holder to practice a specific profession, take up particular employment, or embark on a post-graduate study program. The National Qualifications Framework Amendment Act , 2019 proposes amendments to section 13 of the NQF Act, the provisions of which will be put into operation on a date  to be proclaimed. Once in operation, the amendment will authorize SAQA to provide a verification service, evaluate all non-South African qualifications referred to it in terms of the NQF Act against the South African National Qualifications Framework in accordance with SAQA policy and procedures, and, where appropriate, issue a SAQA Certificate of Evaluation. In addition the amendment will allow SAQA to formulate and publish criteria for evaluating non-South African qualifications.

When verifying or evaluating a qualification, SAQA will have to, amongst other things, consider whether the education institution, skills development provider or foreign institution is registered and whether the qualification or part-qualification is authentic and complies with the policy and criteria contemplated in section 13(1)(h) of the NQF Act.

9.Are there any online education programs that (i) may NOT be offered by an institution; or (ii) require additional oversight from an appropriate foreign entity?

As noted above, a non-South African institution with no presence in South Africa is not subject to South African legislation.

In terms of section 51 and 52 of the HE Act, as set out above, a foreign juristic person that operates within South Africa is obliged to register as a private higher education institution and must ensure that any qualification or part-qualification offered within South Africa is registered on the sub-frameworks for higher education and trades and occupations on the NQF Act contemplated in section 7(b) and (c) read with section 13(1)(h) of the NQF Act. Section 66(1)(a) of the HE Act provides that any person other than a registered higher education institution who, without the authority of a higher education institution, offers or pretends to offer any higher education program or part thereof is guilty of an offense and is liable on conviction to a sentence which may be imposed for fraud.

10.Must the online education program’s curriculum be approved by an appropriate foreign entity?

A non-South African institution that does not have a presence in South Africa is not subject to South African legislation and would not have to have its curriculum approved.

11.Are there additional requirements for online education programs that lead to work in a professional field (e.g., nursing, teaching, law)?

SAQA, in conjunction with the professional body governing each profession, determines the qualifications required for admission as a practitioner of the pertinent profession. These qualifications are contained in the legislation that governs the pertinent profession or, where no legislation is in place, by the rules of the professional body.

12.Are there additional requirements if – in addition to primarily online sessions – some supplemental instruction takes place at a physical location in the foreign country?

As soon as a non-South African higher educational institution offers any services within South Africa that may lead to the conferring of a credential, the registration and certification requirements in terms of the HE Act, as set out above, would apply.

13.Are there additional requirements if a student participates in an on-the-ground internship, externship, practicum, or clinical in the foreign country to fulfill part of the online education program?

It would depend whether the institution exercises any active organizational, supervisory, or oversight role in connection with the internship, externship, practicum, or clinical. If it does, that might be seen as offering services in South Africa, and compliance with the legislation might be required. If it does not, and the student is required to make all of his or her own arrangements with third parties in South Africa in order to comply with the relevant requirements of the online program, compliance would not be required.

14.Are there additional requirements if students take tests/assessments at testing centers or locations in the foreign country?

If a non-South African institution offers any services within South Africa that may lead to the conferring of a credential, then the registration and certification requirements set out above would apply.

Marketing

15.Must an institution meet certain requirements before advertising its online education programs to students in the foreign country?

The Consumer Protection Act 68 of 2008 (CPA) will apply to any services marketed to consumers in South Africa. Section 22(1)(b) of the CPA provides that the producer of a notice, document, or visual representation produced, provided, or displayed to a consumer must produce, provide, or display that notice, document, or visual representation in plain language. Furthermore, section 22(2) provides that a notice, document, or visual representation is in plain language if it is reasonable to conclude that an ordinary consumer of the class of persons for whom the notice, document, or visual representation is intended, with average literacy skills and minimal experience as a consumer of the relevant goods or services, could be expected to understand the content, significance, and import of the notice, document, or visual representation without undue effort, considering:

  • the context, comprehensiveness, and consistency of the notice, document, or visual representation;
  • the organization, form, and style of the notice, document or visual representation;
  • the vocabulary, usage, and sentence structure of the notice, document, or visual representation; and
  • the use of any illustrations, examples, headings, or other aids to reading and understanding.

16.Does the foreign country require an institution’s website or online portal to contain certain information?

Yes. Relevant provisions of the ECTA are cited below.

Section 43(1) - A supplier offering goods or services for sale, for hire or for exchange by way of an electronic transaction must make the following information available to consumers on the web site where such goods or services are offered:

  1. its full name and legal status;
  2. its physical address and telephone number;
  3. its web site address and e-mail address;
  4. membership of any self-regulatory or accreditation bodies to which that supplier belongs or subscribes and the contact details of that body;
  5. any code of conduct to which that supplier subscribes and how that code of conduct may be accessed electronically by the consumer;
  6. in the case of a legal person, its registration number, the names of its office bearers and its place of registration;
  7. the physical address where that supplier will receive legal service of documents;
  8. a sufficient description of the main characteristics of the goods or services offered by that supplier to enable a consumer to make an informed decision on the proposed electronic transaction;
  9. the full price of the goods or services, including transport costs, taxes and any other fees or costs;
  10. the manner of payment;
  11. any terms of agreement, including any guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers;
  12. the time within which the goods will be dispatched or delivered or within which the services will be rendered;
  13. the manner and period within which consumers can access and maintain a full record of the transaction;
  14. the return, exchange and refund policy of that supplier;
  15. any alternative dispute resolution code to which that supplier subscribes and how the wording of that code may be accessed electronically by the consumer;
  16. the security procedures and privacy policy of that supplier in respect of payment, payment information and personal information;
  17. where appropriate, the minimum duration of the agreement in the case of agreements for the supply of products or services to be performed on or ongoing basis or recurrently; and
  18. the rights of consumers in terms of section 44, where applicable.

Section 43(2) – The supplier must provide a consumer with an opportunity:

  1. to review the entire electronic transaction;
  2. to correct any mistakes; and
  3. to withdraw from the transaction, before finally placing any order.

Section 43(5) – The supplier must utilize a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.

17.What are the requirements, if any, for marketing that is solely online (e.g., through websites or apps)?

POPIA applies to the processing of personal information of both natural and juristic persons, and specifically regulates direct marketing.

“Direct Marketing” means to approach a data subject (defined as the person to whom personal information relates), either in person or by mail or electronic communication, for the direct or indirect purpose of—

(a)  promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

(b)  requesting the data subject to make a donation of any kind for any reason.

Section 69 of POPIA provides that the processing of personal information of a data subject for the purpose of direct marketing by means of electronic communication if:

  1. the data subject consents to the processing of their personal information; or
  2. the data subject is an existing client of the business, provided that the information has been obtained in the context of the sale of a product or service, for the purpose of marketing similar goods and services and the data subject has been provided a reasonable opportunity to object to the use of their electronic details (with each communication).

The data subject will need to retain a record of the customers who opt-in and opt-out of receiving direct marketing communication.

In addition, section 69(4) provides that any communication for the purpose of direct marketing must contain —

(c)  details of the identity of the sender or the person on whose behalf the communication has been sent; and

(d)  an address or other contact details to which the recipient may send a request that such communications cease.

Section 11 of the CPA provides the following:

(1)  The right of every person to privacy includes the right to

  1. refuse to accept;
  2. require another person to discontinue; or
  3. in the case of an approach other than in person, to pre-emptively block, any approach or communication to that person, if the approach or communication is primarily for the purpose of direct marketing.

(2)  To facilitate the realization of each consumer’s right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication."

(3)  The [National Consumer] Commission may establish, or recognize as authoritative, a registry in which any person may register a pre-emptive block, either generally or for specific purposes, against any communication that is primarily for the purpose of direct marketing.

Section 12(2) states, "In order to protect the privacy of consumers, the Minister, by notice in the Gazette, may prescribe specific days, dates, public holidays or times of days for the purpose of subsection (1)." The Regulations to the CPA provide that the restricted periods are:

  1. Sundays or public holidays contemplated in the Public Holidays Act, 1994 (Act No. 36 of 1994);
  2. Saturdays before 09h00 and after 13h00; and
  3. all other days between the hours of 20h00 and 08h00 the following day,

except to the extent that the consumer has expressly or implicitly requested or agreed otherwise.

While it may seem that the provisions of the CPA and POPIA relating to direct marketing overlap, both continue to apply. Importantly, the CPA only relates to natural persons and juristic persons with assets or turnover below ZAR 2 million, whereas POPIA applies to all persons (natural or juristic) whose data is processed where the responsible party is domiciled in South Africa or processes information in South Africa.. In addition, the CPA direct marketing provisions are structured to allow a consumer to "opt out", affording consumers the opportunity to request that they not be contacted by the direct marketer. POPIA's provisions, on the other hand, are structured as "opt-in" provisions, requiring the consent of the data-subject.

18.If an institution wants to market through other means – like direct mailing, or email, or telephone calls – what requirements apply?

The same requirements outlined in #17 above will apply.

19.Can an institution send representatives to the foreign country to speak with students about the institution and its online education program offerings?

A non-South African institution may send representatives to speak with students, but any form of marketing and visual representations should comply with the requirements set out in #17 above.

Admission & enrollment

20.What minimum qualifications must a prospective student have in order to be eligible to apply to and take an online education program from an institution?

We are not aware of any regulations that specifically address this issue.

21.Must an institution enter into a written enrollment agreement with a prospective student for online education programs?

There is no South African legal requirement for a written agreement. However, any agreement entered into must comply with the requirements of the CPA and ECTA.

Data privacy

22.What data privacy laws, if any, would apply to an institution that may hold academic records, personally identifiable information, and financial information of students or prospective students?

POPIA was assented to by President Cyril Ramaphosa on 19 November 2013, however only certain sections came into effect on 11 April 2014 and the remainder came into effect on 1 July 2020. Persons processing personal information have been granted a one year grace period to 30 June 2021 to comply with POPIA. POPIA is substantially similar to the UK Data Protection Act and the General Data Protection Regulation 2016/679 (GDPR). POPIA provides for minimum requirements by way of conditions that attach to the lawful processing of personal information, in general, which include:

  1. accountability – the conditions for lawful processing of personal information must be complied with;
  2. processing limitation – the processing of personal information in a lawful and reasonable manner that does not infringe the privacy of a data subject, that includes processing that is adequate, relevant and not excessive, that is in accordance with all relevant consents, justifications and objections, and that is collected directly from the data subject, subject to certain exceptions;
  3. purpose specification – collection for a specific, explicitly defined and lawful purpose related to a function or activity of the Responsible Party, that is not retained longer than is necessary;
  4. further processing limitation – any further processing of personal information must be in accordance with the purpose for which it was collected;
  5. information quality – a Responsible Party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary;
  6. openness – a Responsible Party must maintain the documentation of all processing operations under its responsibility and must take steps to ensure the data subject is aware of the details surrounding the collecting of the data subject's personal information;
  7. security safeguards – a Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures; ensure that the Operator is bound, by written contract, to establish and maintain similar security measures; notify the Information Regulator immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person; and
  8. data subject participation – a data subject, having provided adequate proof of identity, has the right to request a Responsible Party to confirm, free of charge, whether or not the Responsible Party holds personal information about the data subject and to request the record or a description of the personal information about the data subject held by the Responsible Party and to request a Responsible Party correct, destroy or delete such personal information.

POPIA further provides restrictions related to the processing of special personal information and the processing of the personal information of children (persons under the age of 18). Special personal information includes information related to a person's religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health or sex life; and criminal behaviour or biometric information.

In addition, POPIA regulates the transfer of personal information outside of South Africa. Section 72(1) requires, inter alia:

  1. the third party recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection which are substantively similar to the conditions in POPIA;
  2. the data subject consents to the transfer;
  3. the transfer is necessary for the performance of a contract between the data subject and the Responsible Party;
  4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party; or
  5. the transfer is for the benefit of the data subject, and
    1. it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
    2. if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

23.Specifically, are there any requirements related to student consent or breach notification?

Section 14(d) of the South African Constitution grants every person the right to privacy, including the right not to have the privacy of their communications infringed upon. The right to privacy is also recognized as an independent personality right under the common law. The right to privacy encompasses the right to confidentiality, which is owed between companies and organs of state organizations and data subjects.

The common law requires the voluntary and informed consent of each data subject (in this case, the student) in order to process their personal information.

POPIA provides that the processing of information is subject to a processing limitation (Condition 2), set out in sections 9 to 12. Specifically, section 11(1), provides that:

Personal information may only be processed if—

  1. the data subject (or a competent person where the data subject is a child) consents to the processing;
  2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  3. processing complies with an obligation imposed by law on the responsible party;
  4. processing protects a legitimate interest of the data subject;
  5. processing is necessary for the proper performance of a public law duty by a public body; or
  6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

As part of Condition 7 (Security Safeguards) to the lawful processing of personal information, section 22 requires the notification of security compromises, such as where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.

Taxes

24.Would the tuition revenue stream to the institution trigger any tax obligations in the foreign country, as it relates to the institution itself?

The Income Tax Act No.58 of 1962

Assuming that the non-South African institution will not be required to register a formal corporate presence in South Africa, the non-South African institution will be required only to register as a provisional taxpayer in South Africa. It will have to account to the South African Revenue Service (SARS) for all of the income derived from South African sources. Generally, the non-South African institution will be liable to pay income tax on the income received from South African residents utilizing their services.

To the extent that a formal corporate presence is required to be registered, separate consideration will have to be given to the tax consequences that arise therefrom.

The Value-added Tax Act 89 of 1991 (VAT Act)

Any person that carries on a business making "taxable supplies" must register for value-added tax (VAT) subject to the requirements of the VAT Act.

The VAT Act requires all non-South African suppliers of electronic services (Foreign Electronic Service Entities) to register for VAT, which is levied at a standard rate of 15% in South Africa where the total value of electronic services supplied in South Africa exceeds R50,000.

This is underpinned by the following legislation in the VAT Act:

  • The definition of an "enterprise" according to section 1(1) of the VAT Act includes:
    • The supply of electronic services by a person from an export country where two of the following criteria are met:
      • The recipient of the electronic services is a resident of South Africa;
      • The payment to the non-South African electronic service entity originates from a bank registered or authorized in terms of the Banks Act 94 of 1990;
      • The recipient of the electronic services has a business, residential, or postal address in South Africa.
  • Information required for VAT registration - Registration for VAT must be done electronically by downloading the relevant VAT Application Form from the SARS website, called the VAT101 form. After completing and signing the VAT Application Form, it must be emailed together with the supporting documents to SARS.

The supporting documentation required by SARS may vary and can include requests for financial information evidencing taxable supplies made or anticipated to be made.

  • Required information can include:
    • companies’ office registration details, where applicable;
    • details of directors of the non-South African institution;
    • postal address of the non-South African institution; and
    • value of taxable supplies made or anticipated to be made over the relevant period.

25.Are there any tax obligations related to the tuition paid by a student for online education programs?

VAT

The non-South African institution would have to account for VAT on the tuition fees received from South Africa. VAT is levied at a standard rate of 15% on the tuition fees received, which would have to be paid over to SARS by the non-South African institution.

The non-South African institution will be required to submit VAT returns and make payments of the VAT liabilities in accordance with the relevant tax period (of which there are several categories that will have to be considered, depending on the quantum of taxable supplies made). The VAT returns and payments are normally submitted/made on or before the 25th day after the end of the tax period. Late payments of VAT will attract a penalty and interest.

The student paying the tuition fees will not have any tax obligations in relation to the tuition fees paid.

Exchange control

Fees or amounts payable to non-residents require prior approval of the South African Reserve Bank (SARB), which will require evidence of the transaction giving rise to the payment. The particular factual circumstances will inform the nature of the application to the SARB.

Other

26.Is there any risk that in-country authorities could block access to the U.S. institution’s website?

There are no specific legislative provisions which authorize a South African authority to block access to any website. However, South African consumers who believe a right has been infringed or unlawful activity has been carried out by material posted on a website hosted by a service provider that is a member of the Internet Service Providers' Association (ISPA) can lodge a Take-Down Notice with ISPA under section 77 of the Electronic Communications and Transactions Act, 2002 (ECTA). The Take-Down Notice would require to be removed any content mentioned in the Take-Down Notice.

Under Section 80 of ECTA, the Director-General of Telecommunications may appoint a cyber-inspector, who has the power to monitor and inspect any website or activity on an information system in the public domain and report any unlawful activity to the appropriate authority.

Under Section 82 of ECTA, a cyber-inspector has the following powers:

"(1) A cyber inspector may, in the performance of his or her functions, at any reasonable time, without prior notice and on the authority of a warrant issued in terms of section 83(1), enter any premises or access an information system that has a bearing on an investigation and

(a)        search those premises or that information system;

(b)        search any person on those premises if there are reasonable grounds for believing that the person has personal possession of an article, document, or record that has a bearing on the investigation;

(c)        take extracts from, or make copies of any book, document or record that is on or in the premises or in the information system and that has a bearing on the investigation;

(d)        demand the production of and inspect relevant licenses and registration certificates as provided for in any law;

(e)        inspect any facilities on the premises which are linked or associated with the information system and which have a bearing on the investigation;

(f)         have access to and inspect the operation of any computer or equipment forming part of all information system and any associated apparatus or material which the cyber inspector has reasonable cause to suspect is or has been used in connection with any offense;

(g)        use or cause to be used any information system or part thereof to search any data contained in or available to such information system;

(h)        require the person by whom or on whose behalf the cyber inspector has reasonable cause to suspect the computer or information system is or has been used, or require any person in control of, or otherwise involved with the operation of the computer or information system to provide him or her with such reasonable technical and other assistance as he or she may require for the purposes of this Chapter; or

(i)         make such inquiries as may be necessary to ascertain whether the provisions of this Act or any other law on which an investigation is based, have been complied with."

POPIA also provides for the possibility of search and seizure, in particular, section 82 provides:

(1) A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Information Regulator that there are reasonable grounds for suspecting that—

  1. a responsible party is interfering with the protection of the personal information of a data subject; or
  2. an offence under this Act has been or is being committed,

and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, that are within the jurisdiction of that judge or magistrate, may, subject to subsection (2), grant a warrant to enter and search such premises.

(2) A warrant issued under subsection (1) authorises any of the Regulator’s members or staff members, subject to section 84, at any time within seven days of the date of the warrant to enter the premises as identified in the warrant, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal information and to inspect and seize any record, other material or equipment found there which may be such evidence as is mentioned in that subsection.

27.Is there anything else an institution should know about offering online education programs in the foreign country?

No.