The Protection of Personal Information Act 4 of 2013 (POPIA) is a South African domestic law. Essentially, the purpose of POPIA is to protect people, both individuals and businesses, from harm by protecting their personal information. It is intended to stop their money being stolen, stop their identity being stolen, and generally protect their privacy, which is a fundamental human right.
The General Data Protection Regulation (GDPR) is the binding law that has regulated data protection across the European Union (EU) since 2018. The GDPR has extraterritorial application and regulates the transfer of personal information. Unlike POPIA, the GDPR protects only individuals, and its transfer provisions extend to third countries outside the EU. Practically, this may require organisations based outside the EU to ensure compliance with the GDPR if they want to do business in the EU with EU citizens.
As a general position, POPIA applies to the processing of personal information entered in a record by or for a responsible party who is domiciled in South Africa.
However, POPIA may also apply to a responsible party not domiciled in South Africa, where that responsible party makes use of automated or non-automated means in South Africa. POPIA also provides for certain exclusions and exemptions, including for purely personal or household activities, for personal information that has been de-identified and that cannot be re-identified, and for journalistic, literary or artistic purposes.
POPIA is the comprehensive data protection legislation enacted in South Africa and aims to give effect to the constitutional right to privacy, while balancing this against competing rights and interests, particularly the right of access to information. POPIA was signed into law in November 2013, and by proclamation has been in full force from June 2020.
POPIA involves three parties (they can be natural or juristic persons):
The data subject: the person to whom the information relates. It can be a natural person or a legal entity. In short, the ‘owner’ of the data.
The responsible party: the person who determines why and how to process the data. In short, the party you give your information to.
The operator: a person who processes personal information on behalf of the responsible party. In short, the person who does something with the data on behalf of the person you gave your data to.
Example: John (data subject) applies for a loan from ABC Bank (responsible party), and ABC gives John’s data to a credit bureau (operator) to do a credit score.
POPIA sets out eight conditions for the lawful processing of personal information:
Condition 1: Accountability: the responsible party must ensure that the conditions for the lawful processing of personal information are complied with at the time of determining the purpose and means of the processing, and during the processing itself.
Condition 2: Processing limitation: personal information must be processed lawfully and in a reasonable manner, and only if it is adequate, relevant and not excessive, given the purpose for which it is processed.
Condition 3: Purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose relating to a function or activity of the responsible party, and should not be retained for longer than is necessary to achieve that purpose.
Condition 4: Further processing limitation: further processing of personal information should be compatible with the purpose for which it was collected.
Condition 5: Information quality: the responsible party is required to take steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Condition 6: Openness: the responsible party is required to take reasonably practicable steps to ensure that the data subject is aware of, among other things, what personal information is being collected, the source of the information, the purpose for which it is being collected, and the name and address of the responsible party.
Condition 7: Security safeguards: the responsible party is required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures.
Condition 8: Data subject participation: a data subject has a right to request a responsible party to confirm whether personal information is held about the data subject, and to be provided with the record or a description of the information held. A data subject may further request a responsible party to correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading, or that was obtained unlawfully.
While POPIA is substantially similar to the GDPR, it is not identical. Importantly, the GDPR includes certain key protections that are not contained in POPIA.
Consent: The GDPR contains stronger, clearer conditions for consent. It expressly requires that consent must be freely given, and be presented in a manner that is clearly distinguishable from other matters, in an easily accessible form, using clear and plain language.
Right of access by data subjects: The GDPR includes enhanced access rights for data subjects, including that in circumstances in which personal information is transferred to a third country outside the EU, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
Right to erasure/right to be forgotten: The GDPR more expressly defines the ambit of the right to erasure (also known as ‘the right to be forgotten’), including the steps to be taken to give effect to the right and the balance to be taken into account with, for instance, the right to freedom of expression and information.
Data portability: The GDPR introduces data portability, which relates to the right of a data subject to receive the personal information that they have provided in a structured, commonly used and machine-readable format, and the data subject’s right to transmit that information to another data controller.
Privacy by design: The GDPR includes privacy by design as an express legal requirement, which requires appropriate organisational and technical measures to be implemented both at the time of the determination of the means of processing and at the time of the processing itself. These measures must be designed to implement data protection principles in an effective manner, and to integrate the necessary safeguards and protect the rights of data subjects.