The President announced and published a proclamation, on 22 June 2020, that the majority of the provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) will commence on 1 July 2020.
POPIA is the new South African data protection legislation. The proclamation means that all the substantive requirements in POPIA in relation to data protection will be applicable from 1 July. These include, amongst other things, the conditions for the lawful processing of personal information and requirements for:
- the treatment of sensitive personal data and children’s information;
- the prior authorisation of certain processing activities;
- the cross-border transfer of personal data;
- the security of personal information;
- the duties and responsibilities of Information Officers;
- direct marketing by means of unsolicited electronic communication; and
- reporting and notification of data breaches.
The provisions setting out the procedures for dealing with complaints and the general enforcement of POPIA by the Information Regulator will also come into effect on 1 July. The Information Regulator was established to implement and enforce POPIA and its powers include the ability to levy administrative fines (of up to ZAR10 million).
POPIA provides for a transitional period of 1 year. This means that both private businesses and organisations and public bodies that process personal information must, at this stage, ensure that they comply with POPIA by 1 July 2021.
The transitional period can be extended by a further 3 years for specific classes of information and certain data controllers (referred to as ‘responsible parties’ in POPIA), but there is no guarantee that an extension will be given.
The sections in POPIA which will amend other laws, including the Promotion of Access to Information Act 2 of 2000 (PAIA),and which provide for the effective transfer of certain functions currently performed by the South African Human Rights Commission (SAHRC) to the Information Regulator will come into effect on
30 June 2021.