South Africa ’s New Data Privacy Law Comes Into Force Today. What Does This Mean For Startups?

July 1, 2020

The D-day is here. From today, all businesses in South Africa, including startups which process enormous amount of personal data must obey a new law in order to remain in business. Cyril Ramaphosa, South Africa’s president recently announced that the operative provisions of the Protection of Personal Information (PoPI) Act, 2013 will come into force, today, July 1, 2020

South African president Cyril Ramaphosa
South African president Cyril Ramaphosa

Here Are Key Things South African Startups Processing Public Data Must Know About The New Law

What Is Meant By Protection of Personal Information (PoPI)?

The PoPI is now South Africa’s chief privacy law and it stands for Protection of Personal Information. The law aims to give effect to the constitutional right to privacy, by safeguarding personal information when processed by any person, subject to justifiable limitations. It also aims to regulate the manner in which a person’s information may be processed; and to that effect, it prescribes the minimum requirements for the lawful processing of personal information. 

What Constitutes Personal Information Under The New Law?

A range of information is considered personal information under the new data law in South Africa Hence, personal information is any information that relates to a human being or company or businesses registered in South Africa, especially as it concerns their: 

  • race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; 
  • information relating to the education or the medical, financial, criminal or employment history of the person; 
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; 
  • the biometric information of the person; 
  • the personal opinions, views or preferences of the person; 
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; 
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Which Businesses Does The New Law Apply To?

The law is applicable to all local and foreign companies which process (i.e. whether by way of collecting, using or otherwise handling) personal information in South Africa.

What Are Required Of Businesses Under The New Law?

A lot of things are expected of businesses under the new law. 

  • Under the new law, owners of personal information reserve the right to choose the way information about them are used by any business or organisation; and their consent must be sought before such use. They must also been informed that their personal information has been acquired by any organisation. They also have the right to request the destruction or deletion of their personal information. They can also reasonably refuse to grant permission for use of their personal information. They can also refuse to allow their information, such as their email addresses, etc., to be used for direct marketing by means of unsolicited electronic communications. The owners of the information may withdraw this consent at any time, and where such happens the information shall continue to remain lawful where it has fulfilled the relevant provisions of the law. 
  • However, such protection does not extend to information used only solely for journalistic, literary or artistic expression, provided that such information was used to exercise the right to freedom of expression, or where use is permitted by law, or the processing of such information is in public interest. 
  • The information so processed shall not be retained for longer time than reasonable unless there is consent for continued retention; the retention has been permitted by the parties under their contracts; or permitted by law; or retained for historical, statistical or research purposes. 
  • No person in South Africa may transfer another person’s personal information to a third party who is in a foreign country without their consent, unless a contract between affected persons permits so or the transfer is for the benefit of the owner of the information, and provided the law applicable in the foreigner’s country guarantees similar protection for personal information use in South Africa. 
With this new data law, South Africa will be joining other countries in the world in their quests to regulate large volumes of personal data now available in public spaces.

Read also: What Nigeria ’s New Broadcast Media Regulation Means For Media Startups

Who Is The Regulator Under The New Law And When Will They Start Compliance Monitoring?

  • Under the new law, the regulator is the Information Regulator and it has jurisdiction throughout South Africa. The Regulator will also monitor and enforce compliance with the law. It also handles complaints about alleged violations of the protection of personal information by businesses. 
  • Anybody using any personal information in South Africa must also obtain approval from the Regulator prior to such use where it processes the information for the purposes of credit reporting; transfers or link special personal information to any person; processes information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  • By the terms of the law, businesses have 12 months from July 1, 2020 to become compliant. The implication of this is that there will be no sanctions for non-compliance until July 1, 2021. This may however be extended by South Africa’s Minister of Justice and Correctional Services, on request or of his or her own accord and after consultation with the Regulator, which period may not exceed three years

What Are The Penalties For Non-Compliance? 

The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million ($577k) fine.

Does The New Law Provide Any Benefit To Businesses?

Definitely! Apart from protecting consumers, the new law will help businesses value the data in their possession, since the cost of data acquisition will most likely increase. It will therefore provide businesses with the opportunity to analyse and have more control over the data handled within their organisations and to better understand their purposes. 

For more information about the new law, download it here. (PDF)

Charles Rapulu Udoh

Charles Rapulu Udoh is a Lagos-based lawyer who has advised startups across Africa on issues such as startup funding (Venture Capital, Debt financing, private equity, angel investing etc), taxation, strategies, etc. He also has special focus on the protection of business or brands’ intellectual property rights ( such as trademark, patent or design) across Africa and other foreign jurisdictions.
He is well versed on issues of ESG (sustainability), media and entertainment law, corporate finance and governance.
He is also an award-winning writer.

Tags: , ,