South Africa Data Protection Measure Clears Parliament, Heads to President

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin  


It remains to be seen whether South Africa's Protection of Personal Information Bill(PoPI) --which recently cleared Parliament and will likely be signed into law by the end of 2013--will be a paper tiger if enacted, attorneys in the country recently told BNA.

The effectiveness of what would be the country's first data protection framework law is in doubt, given the uncertain ability of the planned data protection authority to enforce it, they said.

If it is strictly enforced, PoPI “will be a big additional burden for business. Many companies will be very diligent in doing their best to adhere to its requirements, some will not and some simply may not be able to due to lack of capacity and resources,” Robby Coelho, a partner at Webber Wentzel, in Johannesburg, which is associated with Linklaters, said in a statement provided to BNA Aug. 28.

The law “needs to be more conservatively implemented,” or it would run the risk of negatively affecting “the country's attractiveness as an investment destination,” he said.

According to the European Commission, in 2011--the latest year for which figures are posted--European Union-based foreign direct investment inward stocks to South Africa was €7.4 billion ($9.8 billion).

“International companies do a multi-jurisdictional review and establish a country matrix before they decide where to invest,” Coelho said. “While they want to invest in countries with strong laws and good systems, they don't want to invest in countries that are over-regulated and where it is difficult to do business.”

Decade-Long Process

It has taken a decade for the legislation to reach this point.

The South African Law Reform Commission began considering the need for new data protection legislation in 2003. In 2005, the first draft data protection framework legislation was distributed for comment (4 PVLR 1304, 10/24/05).

PoPI was introduced in Parliament in August 2009 (8 PVLR 1317, 9/14/09).

PoPI cleared Parliament Aug. 22, when the National Assembly, the primary legislative body of Parliament, unanimously approved the bill as amended by the National Council of Provinces, according to a procedural notice released by the Legislature.

The National Assembly sent the bill to the National Council of Provinces in September 2012 (11 PVLR 1447, 9/24/12).

The legislation was sent to President Jacob Zuma for consideration, according to the notice. He is expected to sign the bill into law “before the end of the year,” Pamela Stein, a partner at Webber Wentzel in Johannesburg, told BNA Aug. 28.

If Zuma assents to the bill, PoPI would take effect after a minimum one-year transition period for businesses to take measures to comply with the new law.

The bill allows, however, for an extension of up to a maximum three-year transition period for certain businesses or classes of information, if requested by the office of the Minister of Justice and Constitutional Development, after consultation with the newly established data protection authority.

It is likely “more time will be needed for both private and public sector organizations to prepare for this complex legislation,” Coelho said.

EU Adequacy?

At the time of the legislation's introduction, lawmakers said it could help ensure a finding by the European Commission that South Africa's privacy regime provided a sufficient level of privacy protection consistent with the EU Data Protection Directive (95/46/EC) (8 PVLR 1317, 9/14/09).


“There is a very real danger “ that the new law “will discourage rather than encourage investment in South Africa.”



Robby Coelho, Partner,
Webber Wentzel, Johannesburg

An adequacy finding would ease the flow of personal data from the European Union to the country.

Although “on paper the South African law compares favourably with the most comprehensive data protection regimes in the EU,” Stein said, “the real test for adequacy will not be in an assessment of the content of PoPI.” Implementation and compliance enforcement by the new data protection authority, the Information Regulator, will be the true test of adequacy, she said.

“A big issue will be how well resourced the Information Regulator is, in an environment where other regulatory agencies are facing serious funding and skills challenges,” Stein said.

Coelho agreed, saying that he “foresees major problems arising from the enforcement and policing of the legislation via the office of an appointed Information Regulator which could be flooded with issues that it will be expected to resolve.”

According to the EC, in 2011 the EU exported €26.6 billion ($35.5 billion) in goods and €7.1 billion ($9.5 billion) in services to South Africa. EU imports from South Africa in 2011 totalled €20.5 billion ($27 billion) in goods and €4.4 billion ($5.9 billion) in services, the EC said.


It is important that the legislation presents the overarching framework items “as 'conditions' rather than principles, to emphasise that they are an absolute prerequisite for the lawful processing of personal information.”



Pamela Stein, Partner,
Webber Wentzel, Johannesburg

Coelho said, however, that “South Africa's ambition to become a major outsourcing venue for foreign companies would be adversely impacted by PoPI.” Companies will face regulation of “every aspect of the processing of personal information, from before it is even collected and throughout the lifecycle of personal information until it is ultimately destroyed,” he said.

“There is a very real danger” that the new law “will discourage rather than encourage investment in South Africa,” Coelho said.

Data Protection Conditions

PoPI incorporates several data protection “conditions,” including accountability, transparency, and limitations on processing of personal data tied to data subject consent, data collection minimization, and purpose specification.

Stein said that it is important that the legislation presents the overarching framework items “as 'conditions' rather than principles, to emphasise that they are an absolute prerequisite for the lawful processing of personal information.”

The new law includes not just protection for individuals but for “juristic persons”--legal entities, such as corporations and partnerships.

“This is consistent with the approach of the South African Constitutional Court that, although juristic bodies do not have all the personality rights, they do have a right to privacy,” Stein said, adding that the new law would “greatly enhance a corporation's right to protect its confidential information.”

Consent, Breach Notice, Right to Sue

PoPI would, among many other things:

• govern the cross-border movement of personal information to require that those transferring data ensure that companies in other countries have binding corporate rules or other agreements establishing a level of data protection consistent with PoPI requirements;

• require data subject notice of and consent to the collection and use of their personal information;

• limit the retention of data to, in most instances, no longer than necessary to achieve the purpose for which it was collected;

• require data subject access and a right of correction to their collected personal information;

• create an independent Information Protection Regulator commission as the country's data protection authority;

• require companies to appoint data protection officers to ensure compliance with the new law and coordinate with the Information Protection Regulator;

• detail restrictions on spam;

• mandate data breach notification to affected individuals and the new DPA; and

• demand that businesses employ reasonable data security safeguards.


The new law will allow individuals to file, or have the DPA file on their behalf, lawsuits seeking injunctive redress and damages. Stein said that it is significant that PoPI introduces “strict liability for the data controller” and adds aggravated damages as “a new statutory form of damages.”

Amendments Limit Fines

PoPI would give the DPA authority to carry out investigations and seek fines of up to ZAR 10 million ($960,934).

The version of the bill sent to the National Council of Provinces would have allowed unrestricted fines.

A previous fifth draft of the bill, released in October 2011, limited fines to ZAR 1 million ($96,093) (11 PVLR 213, 2/6/12).

PoPI would allow for the imposition of up to 10 years in prison for obstruction of the activities of the Information Protection Regulator, and a prison term of up to 12 months for other violations of the new law.


Full text of the 80-page Protection of Personal Information Bill, as amended by the National Council of Provinces and passed by the National Assembly, is available at

Request Bloomberg Law: Privacy & Data Security