President Cyril Ramaphosa has announced the commencement dates for parts of the Protection of Personal Information Act (Popia).
The Act has been put into operation incrementally, with a number of sections having been implemented in April 2014.
The legislation aims to promote the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as access to information.
“Many of the remaining provisions of the Act could only be put into operation at a later stage as they require a state of operational readiness for the Information Regulator to assume its powers, functions and duties in terms of the Act,” the presidency said in a statement on Monday (22 June).
“Much has since been done in this regard culminating in the commencement of a number of remaining sections which has now been proclaimed by the President.”
The presidency said that sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) shall commence on 1 July 2020.
Sections 110 and 114(4) shall commence on 30 June 2021.
The sections which will commence on 1 July 2020 are essential parts of the Act and comprise sections which relate to:
- The conditions for the lawful processing of personal information;
- The regulation of the processing of special personal information;
- Codes of Conduct issued by the Information Regulator;
- Procedures for dealing with complaints;
- Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.
“Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act,” the Presidency said.
“This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021. However, it stands to reason that private and public bodies should attempt to comply with the provisions of the Act as soon as possible in order to give effect to the rights of individuals.”
Entities which process personal information must ensure that it is done in a lawful way, the presidency said.
“The Act is fundamental in safeguarding persons’ personal information and thus protecting them against data breaches and theft of personal information.”
The end of annoying marketing calls?
Pansy Tlakula, the chairperson of the Information Regulator of South Africa, says that the full POPIA will give serious enforcement powers to the regulator including the ability to levy fines of over R10 million and the ability to pursue criminal prosecution.
Speaking in an interview in January, Tlakula said that the act will provide protection from unwelcome marketers and spam callers, however, she warned that information posted online on social media will remain in the public domain.
She added that the POPIA will ensure that companies have adequate security measures when dealing with your private information.
According to Justine Krige, a director at law firm Cliffe Dekker Hofmeyr, the POPIA is premised on an “opt-in” approach in terms of which consumers are deemed to have opted out of receiving communication via direct marketing unless they have expressly opted-in.
Although certain provisions of POPIA are already in force (such as those mandating the establishment of the regulator), the primary provisions dealing with direct marketing have not yet been enacted, she said.
Krige said there is currently a great deal of confusion about the rules of direct marketing.
“For example, it is unclear if ‘cold-calling’ prospective customers will still be allowed, if and how consent must be requested, and what will generally be required when the remaining provisions of POPI (in particular those in respect of direct marketing) come into force.
“At the moment (while only the provisions of the CPA and not POPIA which regulate direct marketing are in force), provided that marketing campaigns clearly allow for consumers to ‘opt-out’ or ‘unsubscribe’ from any direct marketing, such communication is seemingly lawful.
“However, POPIA will change this. It will impact how the initial contact with a prospective consumer can take place, and will impose a significant administrative burden as regards the collection, storage and distribution of personal information.”
Krige said that POPIA regulates direct marketing by means of any form of electronic communication including automated calling machines, faxes, SMSes and email.
She added that the POPIA’s direct marketing provisions are going to make using contact details obtained from lead generation businesses for direct marketing a great deal trickier.
“Companies are also going to need to manage their customer databases a lot more effectively, and keep records of where, how and when was the personal information initially obtained; whether the person is an existing customer and, if so, in respect of what products or services; whether the person has consented to receiving direct marketing; and whether the person has unsubscribed from receiving direct marketing.”