If you have business operations or an online presence in South Africa, you may be subject to its new data privacy law, which contains both monetary fines and prison sentences for violations of the law.
As South Africa joins the list of countries enhancing the protection of personal information, most multinational businesses are trying to understand how they can comply with South Africa’s new Protection of Personal Information Act (POPIA, Act No. 4 of 2013), how to ensure the lawful processing of personal data and how POPIA compares to the EU General Data Protection Regulation (GDPR).
In this article, we will cover all of it and more. Keep reading to learn everything you need to know about POPIA.
What is South Africa’s Protection of Personal Information Act (POPI Act)?
South Africa’s new data privacy law, the Protection of Personal Information Act (POPI Act or POPIA), became enforceable on July 1, 2021. It aims to enhance the protection of personal information processed within South Africa and to enable individuals to enforce their right to privacy as set out in the Bill of Rights.
While the POPIA was drafted on the basis of the EU Data Protection Directive 95/46/EC (the predecessor of the GDPR), it includes stricter requirements because it also took into account an early draft version of the GDPR.
When does the POPIA apply?
The POPIA covers a broad range of data processing activities and applies to both South African and foreign organizations that process personal data within South Africa. An organization is subject to the provisions of POPIA if it falls within the POPIA’s scope based on the following criteria:
All processing of personal information is covered by POPIA requirements. Personal information is defined broadly and covers all information that relates to an identified or identifiable living individual.
The POPIA applies to all personal data processing activities such as collection, use, storage, disclosure, and the deletion of personal information.
However, a limited number of processing activities are exempt from the scope of the POPIA. These include processing data for personal or household activity and processing for journalistic expression.
The POPIA applies both to organizations located in South Africa and to foreign organizations that use means located in South Africa to process personal data.
Requirements to be compliant with the Protection of Personal Information Act (POPIA)
The POPIA was drafted taking into account the first drafts of the GDPR and its requirements are similar to those included there.
However, POPIA differs from the GDPR in one important respect: it does not set separate requirements for data controllers and data processors. The GDPR, on the contrary, imposes distinct requirements on controllers and processors.
An organization subject to the POPIA will have to meet the following requirements so that it can ensure the protection of personal information:
Comply with information protection conditions
POPIA includes 8 specific information protection conditions which organizations must comply with. These principles require organizations to ensure the lawful processing of personal information and to collect and process personal data in compliance with all POPIA requirements.
Furthermore, organizations are required to ensure that they are transparent to data subjects about how they collect and use personal data and they must implement appropriate security safeguards.
In addition, organizations must only collect and process personal information for explicitly defined purposes. They should not further process personal data for purposes incompatible with the original purpose. The conditions include the following:
Data subject participation
Inform data subjects about the collection and use of their data
Organizations need to adhere to transparency obligations and inform data subjects about the collection, use, and processing of personal information at the time when they collect data from data subjects.
For example, organizations can display a privacy and cookie notice on their website that tells individuals how their data is collected and whether it is shared with third parties.
Identify a legal basis
Organizations can conduct the processing of personal information only if there is a legal basis that justifies the processing. POPIA lists the following legal bases:
Consent of data subjects
Processing of data necessary to perform a contractual obligation
Processing is necessary to comply with a legal obligation set by applicable law
Processing protects the legitimate interests of the data subject
Performance of public law duty
Legitimate interests of either the responsible party or a third party
Comply with the data collection rule
Under POPIA, the rule is that an organization may only collect personal data directly from the individual concerned. However, an organization can also collect personal data indirectly or from third parties in exceptional circumstances. These include cases where the individual has consented to the collection of their data from third parties, or where the data subject has made the data public.
International data transfer
POPIA sets out strict requirements for the transfer of personal data out of South Africa. Organizations can only transfer personal data abroad under limited circumstances. The transfer is lawful only if the foreign country provides an adequate level of privacy protection, the data subject consents to the transfer, or the transfer is necessary for the performance of a contract.
Data protection impact assessment
Similar to the GDPR, POPIA requires organizations to carry out data protection impact assessments.
Data processing records
Section 17 of POPIA requires that the organization maintains details of all personal data processing operations.
Section 14 of the POPIA contains rules relating to retention periods for personal data. According to this section, an organization should not retain personal data for longer than is necessary to achieve the specific purpose for which the data is processed. This is, however, subject to exceptions such as retention periods imposed by applicable laws.
How does POPIA affect cookie consent?
While POPIA does not directly address cookies, it includes “personal identifier” as a type of personal data, and cookies are personal identifiers. Therefore, if an organization uses means located in South Africa to process data and sets cookies on its website, it must comply with POPIA requirements.
For example, organizations must notify website visitors at the point of collection about the purposes their data is collected and used for, and on what legal basis. Organizations can achieve this with a privacy and cookie notice.
Furthermore, an organization should ensure that individuals have the option to withdraw their consent at any time.
What are the main differences between POPIA and GDPR?
While there are many parallels between POPIA and the European General Data Protection Regulation (GDPR), there are also a number of differences that are important to keep in mind:
The territorial scope of application
The GDPR applies to the processing of personal data related to the offering of goods and services to people in the EU. POPIA, on the other hand, does not refer to these criteria: POPIA applies when an organization is located in South Africa or when it uses means located in South Africa to process personal data.
Data protection impact assessment
Although both the GDPR and the POPIA require organizations to carry out a data protection impact assessment (DPIA), the GDPR sets stricter requirements and is more prescriptive. For example, the GDPR lists the circumstances in which a data controller must conduct a DPIA; POPIA does not contain such details.
Data processing records
While the Protection of Personal Information Act requires organizations to keep data processing records, it does not set out what details these records should include. The GDPR, on the contrary, specifies what the records should cover: under the GDPR, the “records of processing activities” must include the contact details of the data controller, the purposes of processing, and the categories of personal data processed.
Data breach notification
Under the GDPR, a data controller must notify the relevant regulatory authorities of a data breach within 72 hours at the latest. POPIA, however, does not set such a time limit. It only states that a data breach must be notified to regulatory authorities as soon as reasonably possible.
Another key difference is that POPIA requires organizations to inform data subjects of a data breach as soon as reasonably possible. Under the GDPR, however, an organization needs to inform data subjects only when the breach is likely to result in a high risk to them.
Data subject rights
GDPR and POPIA provide similar rights for data subjects. However, there are key differences organizations should take note of:
Under the GDPR, there are exceptions to the right to deletion and the right to correction of personal data. These exceptions include compliance with legal obligations and the establishment of legal claims. Unlike the GDPR, POPIA does not include such exceptions for the right to deletion.
Under the GDPR, a data subject can make a request orally, in writing, or via email and does not have to follow a particular format. Under POPIA, however, data subject requests must be submitted in a prescribed manner; Form 2 of the POPIA Regulations provides the prescribed form.
The GDPR requires organizations to respond to data subject requests within 1 month of receipt. POPIA, however, does not impose a time limit; it only states that an organization must respond to requests as soon as reasonably practicable.
Unlike the GDPR, POPIA does not include the right to data portability.
POPIA sets out different refusal grounds for access requests by public and private bodies.
In terms of the right to access data, the Promotion of Access to Information Act 2 of 2000 ('PAIA') in South Africa contains separate provisions on how individuals can exercise their right to gain access to information controlled by public and private bodies and should also be considered.
Fines and the Information Regulator
Under the GDPR, an organization may face a fine in one of two tiers: up to 2% of global annual turnover or €10 million, whichever is higher; or up to 4% of global annual turnover or €20 million, whichever is higher.
Under the Protection of Personal Information Act (POPIA), the maximum fine the Information Regulator can impose is ZAR 10 million (approx. €490,000). Furthermore, certain violations of the POPIA can be punished with imprisonment for up to 10 years. The GDPR, however, does not provide for imprisonment.
How to ensure compliance with South African regulations?
In light of all this information, what are the penalties involved with POPIA and how can organizations ensure they comply with South Africa's POPIA?
What are the penalties for non-compliance with POPIA?
Under Section 109 of POPIA, the Information Regulator can fine an organization up to ZAR 10 million (approx. €490,000) for violations of the POPIA requirements.
Section 107 states that individuals may face imprisonment of up to 10 years for certain violations of the Protection of Personal Information Act (POPIA).
How can Didomi help businesses comply with POPIA requirements?
If you have a business presence in South Africa or your website is accessible to South African residents, you may be subject to the requirements of the Protection of Personal Information Act (POPIA).