The South African National Assembly passed the Protection of Personal Information Bill (POPI) on 20 August 2013 after more than four years of deliberation. All that remains before the bill becomes law is President Zuma’s signature. This article summarises the key elements of the legislation and considers some of the key practical challenges that organisations in SA will need to overcome in order to ensure compliance.
European data protection practitioners will be familiar with many aspects of POPI, which is broadly based on similar European legislation:
- An Information Regulator will be established to manage, monitor and enforce compliance
- A similar definition of Personal Data (referred to in POPI as Personal Information) has been adopted with a notable exception relating to juristic persons
- The concepts of Data Subject, Data Processor (referred to in POPI as Operator), Processing and Data Controller (referred to in POPI as Responsible Party) apply
The seven data protection principles referred to in European legislation are covered by eight principles in POPI:
- Accountability – the Responsible Party is accountable for ensuring compliance
- Processing Limitation – setting out the rules for how Personal Information may be processed, including that processing must be lawful and carried out in a reasonable manner that does not infringe the privacy of the Data Subject, and requiring either the Data Subject’s consent or the satisfaction of certain other requirements, such as the legitimate interest of the Data Subject
- Purpose Specification – Personal Information must be collected for a specified purpose of which the Data Subject is aware
- Further Processing Limitation – Further processing of Personal Information must be compatible with the purpose for which it was collected
- Information Quality – The Responsible Party must take reasonable practical steps to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary
- Openness – The Responsible Party is required to notify both the Information Regulator and the Data Subject before it may process Personal Information
- Security Safeguards – The Responsible Party is required to ensure the integrity of the Personal Information in its possession or under its control by implementing appropriate, reasonable, technical and organisational measures to prevent loss, damage or destruction of Personal Information or unlawful processing, including by entering into data processing contracts with Operators
- Data Subject Participation – the Data Subject has the right to access and request information about his/her Personal Information held by a Responsible Party and require the Responsible Party to correct or destroy Personal Information
Other notable features of POPI include:
- Stricter prohibitions apply to the processing (subject to specified exemptions) of ‘Special Personal Information’ concerning children or a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour
- A prohibition on the transfer of Personal Information outside of South Africa subject to certain exceptions broadly determined by whether the transfer is in the best interest of the Data Subject or whether the Data Subject has consented
- The role of the Information Protection Officer (referred to as the data protection officer in many other jurisdictions) in public and private bodies, who will be responsible for ensuring their organisation’s compliance
Notably, POPI has been passed based on European legislation that is itself in a state of flux, as issues such as the right to be forgotten, data protection by design and requirements for consent remain hot topics of debate in Europe.
Practical Compliance Challenges
- Cost of Required Technology
Compliance with POPI will require technology and process, including structured database protocols and logical security on systems that hold Personal Information. These levels of technology and process will at least need to be implemented by any organisation that is a Responsible Party to ensure that POPI’s eight principles are met. Compliance is likely to require investment, either in technology infrastructure or in outsourcing to third parties, together with ongoing compliance monitoring. This level of investment and ongoing compliance will be a challenge in South Africa, particularly for local government and the small business community. If organisations have not already done so, they will need to put in place a plan for implementing the technical and organisational measures required to ensure compliance and to avoid the potential penalties, which include fines or imprisonment.
- The Burden of Consent
One of the key principles of most data protection legislation is the requirement to obtain Data Subject consent to the processing of Personal Information, and the more onerous consent requirements related to Special Personal Information. Organisations will be required to consider carefully when consent is required and how it will be obtained in order for processing to be POPI compliant. Obtaining such required consent can entail an onerous administrative burden for organisations that process significant amounts of Personal Information. Again, these organisations will need to adopt processes and standard policies to enable compliance in the most efficient and cost effective way possible.
- Cross Border Transfers
POPI includes a restriction on the transfer of Personal Information outside of South Africa, subject to certain exceptions including: Data Subject consent, the recipient being subject to the same levels of data privacy compliance, or the transfer being for the benefit of the Data Subject. Other than consent, the exceptions are open to interpretation, and it is likely that a set of industry standard terms, similar to the model clauses adopted in Europe, will be used as a mechanism to ensure that any transfer of Personal Information to recipients outside of South Africa is compliant with POPI. Organisations considering offshore data centre services will also need to give careful consideration to their compliance obligations under POPI when evaluating those options. This is true both in the context of the transfer of Personal Information outside of South Africa and in the technical and organisational measures for the protection of Personal Information proposed as part of the data centre provider’s solution.
- The Grace Period
POPI has to some extent acknowledged the challenges that it poses to organisations in South Africa by introducing a grace period of 12 months for organisations to become fully compliant. This period may be extended by the Information Regulator, but any entity subject to the POPI compliance regime will need to work on the basis that all technical, organisational and process measures must be in place within 12 months of POPI coming into full force and effect.
Although parliament has understandably attempted to remain in line with international best practice for data privacy, whether legislation that has been challenging for many of the world’s largest economies will work for South Africa — with an embattled public sector and a significant percentage of the private sector made up of small businesses with a turnover of less than R10 million — remains questionable. Whether POPI has successfully navigated the unintended consequences of the burden of regulation while simultaneously giving effect to the constitutional right to privacy, regulating the way Personal Information is processed and providing rights and remedies to Data Subjects remains to be seen.