Enforcement of South Africa’s Privacy Law Miles Away


By Marcia Klein

Full implementation and enforcement of South Africa’s 2013 privacy law remains a long way off, so companies doing business there aren’t facing an imminent threat of big fines or imprisonment for violations, privacy officials and attorneys told Bloomberg BNA.

Companies could be hit with fines of up to 10 million rand ($765,405), and up to 10 years’ imprisonment of company leaders, for violating South Africa’s Protection of Personal Information Act (POPI).

But with only a chairman, two full-time members, and a support staff of two, South Africa’s office of the Information Regulator, which will administer POPI, is far from ready to begin implementing and enforcing the privacy law. There are also outstanding implementing regulations awaiting promulgation by the Information Regulator.

Meanwhile, South Africa’s largest companies, including banking giants First Rand Ltd. and Standard Bank Ltd., should be well-positioned to comply with POPI as a result of their compliance preparations for the European Union’s new privacy regime taking effect in May 2018.

Long-Awaited Law

Implementation of POPI—which was finally enacted in 2013 after a decade of legislative missteps—has been beset by delays, and even the privacy office won’t set a target date for its full implementation. Even after POPI takes effect, there will be a 12-month grace period before the law is enforced to allow companies time to adapt to its new privacy and data security requirements.

South African companies that do business in or with the European Union may well end up being largely prepared for POPI by default, well ahead of its effective date. Complying with the EU GDPR will set a strong foundation for POPI compliance, privacy professionals said.

South Africa’s POPI legislation is similar in scope to the EU General Data Protection Regulation, Mosa Thekiso, a senior associate who advises multinationals on data protection issues for DLA Piper South Africa in Johannesburg, told Bloomberg BNA. South African companies with customers in or other connections to the EU will find that GDPR implementation has readied them for POPI.

One of the biggest GDPR and POPI challenges facing South African businesses will be restrictions on data scraping and data mining of information without consent, Thekiso said. The issue is problematic in South Africa where everything from credit to health information is widely dispersed, she said.

Processing Complaints

Johannes Collen Weapond, one of the Information Regulator’s two full-time members, told Bloomberg BNA that the office is accepting complaints, establishing its organizational structure, and intends to eventually hire 80 to 100 staffers.

Even as the privacy office is focused on finishing implementing regulations, it is fielding privacy complaints. Its most recent draft regulations, released Sept. 8, cover administrative issues, including how to object to or ask for correction, deletion or destruction of personal information and submit complaints or grievances. The notice also outlines corporate information officers’ duties and responsibilities.

Companies waiting for detailed guidance on more substantive concerns may be disappointed, John Giles, managing attorney and POPI compliance specialist at Michalsons in Cape Town, told Bloomberg BNA. “The notice has not gone into any granular detail,” he said.

The privacy office is accepting public comments through Nov. 7 on the five-page draft regulations notice and accompanying 26 pages of draft forms.

Weapond said the majority of complaints received by the privacy office so far concerned unsolicited telemarketing, with individuals asserting that they didn’t consent to the use of their contact information. Many of the complaints assert that personal information is allegedly being shared by financial services companies, resulting in unsolicited calls from insurance companies, he said.

Individuals have also been asking the office whether they can force companies to delete personal information, Weapond said.

The office attempts to resolve complaints through discussions with companies, “but we have not appointed a judge, or investigators, or an enforcement committee,” and so can’t force any action, he said.

Rohan Isaacs, an information technology, telecommunications and media, e-commerce and privacy director at Norton Rose Fulbright South Africa in Johannesburg, predicted that the office will be swamped with complaints once it is fully operational. The primary challenge will be to establish an effective process to review complaints and decide which ones merit formal enforcement action, he said.

Budget Issues

Rian Schoeman, a legal adviser at South African digital security consulting company LawTrust, told Bloomberg BNA that although there had been much speculation about the reasons for delays in effectively implementing the privacy regulator, an insufficient budget is likely to blame.

The office was only allocated enough to get started, but not enough to fully meet its regulatory oversight and enforcement missions, Schoeman said. Subsequent budget allocations will probably be enough to allow the office to start meeting its goals, he said.

The 2016 government budget allocated 10 million rand ($781,293) to the Information Regulator for the 2016-17 fiscal year to “provide for the employment of 12 administrative personnel and their office requirements.”

The 2017 budget, announced on Feb. 22, provided 25 million rand ($1.95 million) for the privacy office in fiscal 2017-18. The 2017 budget also allocated 27 million rand ($2.1 million) to the office for fiscal 2018-19, and 28 million rand ($2.2 million) for fiscal 2019-20.

To contact the reporter on this story: Marcia Klein in Cape Town at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
