South Africa's first comprehensive data protection law, the Protection of Personal Information Act (POPI), was assented to on 19 November 2013 and its commencement date is to be proclaimed. Based on European data protection law, POPI regulates every aspect of the processing of personal information, from its collection to its destruction.
POPI aims to give full effect to the right to informational privacy, which is a distinct element of the right to privacy protected in the Constitution of the Republic of South Africa, 1996. It provides substantive content to this right by establishing a threshold of minimum conditions for the processing of personal information and providing individuals with rights and remedies to protect their personal information.
Another reason for POPI is to bring South Africa's data protection law in line with that of its major trading partners, which have had data protection laws for many years. POPI applies to all kinds of processing in both the private and public sectors and recognises a limited number of exceptions. POPI renders non-compliant processing of personal information unlawful and subject to a fine, criminal prosecution and/or imprisonment.
The lengthy and detailed deliberations on POPI have allowed the drafters to draw on the experience of data protection regulators in the European Union. This includes the comprehensive review of data protection law which resulted in the European Union Draft Regulation on Data Protection. A number of proposals in this draft regulation are included in POPI.