South Africa President Zuma Signs Framework Privacy Bill into Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin  

Dec. 4 -- As expected, South Africa President Jacob Zuma recently signed into law the country's new framework data protection statute, the Protection of Personal Information Bill (PoPI).

PoPI “will give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” Zuma said in a Nov. 27 statement announcing his approval of the legislation.

Consent, Breach Notice, Right to Sue

PoPI incorporates several data protection “conditions,” including accountability, transparency, and limitations on processing of personal data tied to data subject consent, data collection minimization and purpose specification.

The law requires, among other things: data subject notice of and consent to the collection and use of their personal information; data breach notification to affected individuals and the newly formed data protection authority; and reasonable data security safeguards at businesses.

The new law includes not just protection for individuals but for “juristic persons”--legal entities, such as corporations and partnerships.

The new law allows individuals to file, or have the DPA file on their behalf, lawsuits seeking injunctive redress and damages. Stein said that it is significant that PoPI introduces “strict liability for the data controller” and adds aggravated damages as “a new statutory form of damages.”

PoPI would give the DPA authority to carry out investigations and seek fines of up to 10 million rand ($957,171).

Decade-Long Wait for Law

It has taken a decade for the framework law to be adopted. The South African Law Reform Commission began considering the need for new data protection legislation in 2003, and in 2005, the first draft data protection framework legislation was distributed for comment (4 PVLR 1304, 10/24/05).

PoPI was introduced in Parliament in August 2009 (8 PVLR 1317, 9/14/09).

At the time of the legislation's introduction, lawmakers said it could help ensure a finding by the European Commission that South Africa's privacy regime provided a sufficient level of privacy protection consistent with the EU Data Protection Directive (95/46/EC) (8 PVLR 1317, 9/14/09).

The measure cleared Parliament in August (12 PVLR 1463, 9/2/13).

Not Immediately Effective

PoPI will take effect after a minimum one-year transition period for businesses to take measures to comply with the new law.

The bill allows, however, for an extension of the period up to a maximum of three years for certain businesses or classes of information, if requested by the Department of Justice and Constitutional Development, after consultation with the newly established DPA.


To contact the reporter on this story: Donald G. Aplin in Washington at

To contact the editor responsible for this story: Katie W. Johnson at

Full text of the 80-page Protection of Personal Information Bill, as amended by the National Council of Provinces and passed by the National Assembly, is available at



Request Bloomberg Law: Privacy & Data Security