What is POPIA?

South Africa’s POPIA, quick summary

POPIA – South Africa’s new data protection law, in brief

The EU’s General Data Protection Regulation (GDPR) is no longer only just a European data privacy law, it has also become a global data privacy standard – and the speed with which this standard is spreading around the world is increasing, ensuring a higher level of protection of end-user privacy on the Internet.

South Africa’s POPIA is the latest major data privacy law in the world to be modelled closely after the EU’s GDPR (and the ePrivacy Directive) – empowering its citizens with enforceable rights over their personal information, establishing eight minimum requirements for data processing (e.g. introducing consent as a required legal basis), creating a broad definition of personal information for comprehensive end-user protection, as well as forming the Information Regulator (SAIR) as lead enforcer and supervisor of the law.

POPIA quick breakdown –

• POPIA took effect on July 1, 2020.
• POPIA enforcement began on July 1, 2021.
• POPIA applies to any company or organization processing personal information in South Africa, who is domiciled in the country, or not domiciled but making use of automated or non-automated means of processing in the country.
• Fines for non-compliance with POPIA can range up to 10 million ZAR (South African rands).
• Transfers of personal information outside of South Africa is prohibited by POPIA (with exceptions).
• POPIA creates nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, right to correction and right to deletion.
• POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject is central. It is up to websites, companies and organizations (“responsible parties”) to prove that their processing is lawful, e.g. that correct consents have been obtained from users.
• POPIA defines consent as any voluntary, specific and informed expression of will.
• POPIA defines processing as collection, receipt, recording, organization, storage, merging, linking, and more.
• POPIA defines personal information broadly as any information relating to not only a living person, but also a company or legal entity.
• POPIA allows companies and organizations to process data if it’s deemed in the user’s “legitimate interest”, creating a point of ambiguity for possible abuse and enforcement difficulties.

POPIA vs GDPR

There are key differences between POPIA and GDPR, in particular –

• POPIA also protects companies and organizations as juristic persons, where the GDPR only protects living individuals.
• Unlike the GDPR, which applies to the processing of personal data from inside the EU regardless of where the controller/processor is located, POPIA only applies to companies or organizations who are located within South Africa (with the exception of entities that make use of automated processing means in South Africa, e.g. adtech and social media companies).
• Where the GDPR clearly defines a data processor (as a natural or legal person processing personal data on behalf of the data controller), POPIA only talks about the responsible party, i.e. no “joint controller”-responsibility as we know it from the EU.
• POPIA requires all companies and organizations to appoint an Information Officer (automatically assigned to the CEO), who’s role and responsibilities differ in important areas from the GDPR’s Data Protection Officer. In addition, POPIA also requires companies and organizations to appoint a Deputy Information Officer.
• While both POPIA and GDPR split the definition of data into personal information and special personal information (or sensitive data in the GDPR), POPIA also assigns criminal offenses to the latter.

South Africa’s POPIA, in detail

Let’s look closer at the details of POPIA in South Africa; how it fits into the current data privacy legal regime, what rights it empowers citizens with and how companies and organizations obtain POPIA compliance.

South Africa’s legal regime and POPIA

South Africa’s Protection of Personal Information Act (POPIA) was actually drafted way back in 2003, closely modelled after the European data privacy legislation at the time, the ePrivacy Directive, but halted and changed over several occasions in the subsequent years, when the General Data Protection Regulation (GDPR) came into force and significantly updated the EU’s data privacy regime.

POPIA finally came into force on July 1, 2020.

The legal data privacy regime in South Africa consists of the Constitution itself (that guarantees its citizens the right to privacy) and the Electronic Communications and Transactions Act (ECTA) from 2002, which do actually regulate the collection of personal information, but makes compliance with it voluntary for companies and organizations.

On July 1, 2021, South Africa’s POPIA went into enforcement. Anticipating this, South Africa’s Information Regulator released a statement 100 days prior detailing its prioritized focus areas, including –

• Creating codes of conduct for POPIA compliance
• Reviewing draft guidelines for information officer registrations
• Finalizing guidance notes and templates for prior authorization, and security compromise and cross-border personal information notifications.

South Africa’s Information Regulator also states in the March 24 statement that the compulsory registration of information officers will be available on their website from May 1, 2021 under the title Guidance Note on Information Officers.

Scope and application of POPIA

POPIA applies to any processing (collection, recording, organizing, sharing, using, storing etc.) of personal information by a responsible party (website, company or organization) located in South Africa or outside, if they use means to process in South Africa.

This means that the scope of POPIA in South Africa is more limited than the scope of the GDPR in Europe, which applies to anyone who processes personal data from the EU, no matter where there are located.

If your website, company or organization is located in South Africa and you process personal information, you’re automatically obligated to comply with POPIA.

If you have a website that is not located in South Africa but processes personal information on South African citizens within the country, you are also obligated to comply with POPIA.

Personal information under POPIA

POPIA has a very broad definition of personal information, basically any kind of information relating to an identifiable, living natural person, company or similar legal entity, including but not limited to –

• names, addresses, telephone numbers, email addresses,
• information about age, race, gender, appearance, characteristics, sexual orientation, pollical convictions, religious beliefs, language,
• health data such as physical or mental health, well-being, disabilities,
• online identifiers such email addresses, IP addresses, cookies, unique IDs, search and browser history, location data.

POPIA’s broad personal information definition covers activities that happen on most websites in the world, such as first- and third-party cookies collecting IP addresses, search and browser history, trackers setting unique IDs and more.

If your website processes personal information from inside South Africa, e.g. through the use of cookies and similar trackers, you must comply with the POPIA.

End-user rights under POPIA

Just as the EU’s GDPR and Brazil’s LGPD, POPIA in South Africa creates a whole new set of rights for its citizens that they can exercise to protect their data and privacy, gain insight into what data is collected about them, request it corrected and deleted.

POPIA creates the following rights for South African citizens (data subjects) –

• Right to be notified about collection and processing of personal information
• Right to access personal information
• Right to request correction of personal information
• Right to request deletion of personal information
• Right to object to the processing of personal information
• Right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications (clearly reflecting the ePrivacy Directive and not the GDPR)
• Right to not be subject to a decision which results in legal circumstances based solely on the basis of the automated processing
• Right to complain to the Information Regulator
• Right to effect judicial remedy

In other words, South African citizens will be able to know when their personal information is likely to be collected, and have the right to consent to it before it happens; will have the ability to request that your website gives them access to see what personal information it has collected about them, as well as have that information either corrected or deleted altogether, among others.

Minimum requirements for processing under POPIA

As its European and Brazilian counterparts, South Africa’s POPIA also establishes minimum requirements for companies and organizations in order to lawfully process personal information of South African citizens.

POPIA makes it very clear: personal information is only allowed to be processed if the end-user consents to the processing, including to the specific purposes for which the personal information is being collected.

The data subject can withdraw their consent at any time.

POPIA establishes eight conditions for lawful processing of data in South Africa –

• Accountability (processing is lawful and done in a non-privacy infringing way)
• Processing limitation (processing only for the given purpose)
• Purpose specification (specific purpose must be explicitly defined)
• Further processing limitation (additional processing must still be in accordance with original purpose that the end-user gave their consent to)
• Information quality (make sure that the data is complete, accurate and updated)
• Openness (documentation of all processing operations)
• Security safeguards (must ensure protection and confidentiality of personal information)
• Data subject participation (ensure that end-users can exercise their rights to access, correct and delete their data)

All eight conditions must be met when processing personal information lawfully under POPIA.

Information Regulator (SAIR) and POPIA regulations

The main supervisory and enforcing body under POPIA is the Information Regulator (SAIR) that is established by the law itself and endowed with the responsibilities of –

• providing education and training around the data protection law and compliance,
• monitoring and enforcing compliance on companies and organizations who process personal information in South Africa,
• handling complaints from data subjects,
• creating guidelines, regulations and industry codes of conduct for practical compliance with POPIA,
• facilitating foreign cooperation for the enforcement of compliance with POPIA outside of South Africa.

The Information Regulator is a broader entity in POPIA than the Supervisory Authority of the GDPR, since it not only is the lead enforcer and supervisor of POPIA compliance, but also has several other areas of operations, such as authorizing websites, companies and organizations to –

• process unique identifiers on data subjects for a purpose other than the one intended at the point of collection,
• process data in relation to credit reporting,
• transfer special personal information (or children’s personal information) out of South Africa to a foreign country that does not have an adequate level of data protection, according to POPIA.

In December 2018, the Information Regulator published POPIA regulations for compliance and enforcement with the law. These regulations are still in effect and form the basis of the Information Regulator’s enforcement of POPIA – which won’t begin until July 1, 2021 though.

The POPIA regulations include information and codes of conduct regarding –

• how requests to correct or delete personal information can be made,
• how objections to personal information processing can be made,
• how to ask for and obtain consent for unsolicited, direct electronic marketing,
• what the responsibilities and obligations of Information Officers are,
• specification of industry codes of conduct from the Information Regulator,
• how to complain to the Information Regulator,
• and further specifications of the role and responsibilities of the Information Regulator.

POPIA vs GDPR

Key differences between POPIA vs GDPR

Since the EU’s General Data Protection Regulation (GDPR) is so clearly reflected in South Africa’s Protection of Personal Information Act (POPIA), it makes good sense to hold them up against each other to spot the key differences in the laws – that are vital for websites and companies to be aware of, in order to navigate two regimes and be in compliance with POPIA and the GDPR.

Personal information and data subjects under POPIA and GDPR

POPIA defines personal information as information relating to an identifiable, living, and natural person, which is very close to the GDPR and its definition of personal data as information relating to an identified or identifiable natural person (“data subject”, as both laws call it.).

However, POPIA also includes in its definition of data subjects companies, organizations and other legal entities, while the GDPR strictly limits its definition to human individuals.

This obviously has great significance, because it allows companies to not only be “responsible parties”, but also “data subjects”, with rights to the “personal” information collected and shared about them.

Exactly how this plays out will become clearer upon enforcement of POPIA from July 1, 2021, but it’s safe to say that it will create very different data privacy practices in South Africa than the GDPR does in Europe.

Consent under POPIA and GDPR

When it comes to the definitions of consent, POPIA and the GDPR are almost identical.

POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”; whereas the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”.

However, POPIA specifically mentions that it is a matter of interpretation as to what constitutes a voluntary expression of will, leaving the door open for industry standards and enforcement precedents to shape the practical nature of compliance with POPIA.

This has been the case with the EU’s GDPR, where compliance has been shaped by court decision and guidelines issued from the European Data Protection Board (EDPB) that national data protection authorities will follow in their enforcement of the data protection law.

As a result, proper and lawful consent under the GDPR has come to mean the prior and explicit action of end-users when interacting with consent interfaces on websites that are not allowed to have pre-ticked checkboxes or to nudge users towards opting in to cookies and trackers.

Scope of GDPR vs POPIA

POPIA applies to processing done by websites, companies, organizations and other legal entities that are located inside of South Africa – but also to “responsible parties” who are located outside of South Africa, if they process personal information inside South Africa (not only passing data through the country).

Compared to the EU’s GDPR, POPIA has a smaller scope.

The GPDR applies to any processing of personal data from inside the EU, regardless of where in the world the data controller and/or data processor is located.

Rather than aligning itself with the standard of the GDPR, POPIA’s scope mirrors that of the EU’s ePrivacy Directive.

Data processor in GDPR and POPIA

The GDPR is very clear when it comes to dividing the responsibility between a data controller and a data processor (i.e. an entity processing personal data on behalf of the data controller) and specifies how both must obtain GDPR compliance under the term joint controllers.

Unlike the GDPR, POPIA only addresses a responsible party, which means that websites, companies and organizations are uniquely responsible for meeting POPIA’s requirements for end-user protection.

By not having joint controllers in the law like GDPR, POPIA creates a bigger liability for websites and companies, who are ultimately responsible for all processing of their end-users’ information, even if it’s being done by adtech companies or social media platforms embedded on their websites through cookies and trackers.

Information Officer in POPIA and GDPR

The GDPR’s Data Protection Officer is mirrored in POPIA as the Information Officer that any responsible party must appoint. However, the role of the Information Officer under POPIA differs significantly from its GDPR equivalent.

Under the GDPR, the Data Protection Officer has to have specific expertise and training in EU data privacy law but is not automatically required in every company or organization, and in fact can be an external, independent supervisor.

Under POPIA, the Information Officer is compulsory for every company and organizations and is automatically assigned to the CEO – it’s not possible to assign to an external, independent party. The Information Officer is not required to have any prior training or expertise of South Africa’s data privacy regime but must be registered with the Information Regulator (SAIR).

POPIA also requires companies and organizations to appoint a Deputy Information Officer, a position not found to have an equivalent in the GDPR.

South Africa’s POPIA and EU adequacy

South Africa is today not considered by the EU to have an adequate level of data protection and therefore ranks as a third country, requiring additional notices, consent and legal bases for when websites, companies and organizations inside the EU transfer data to the country.

With the POPIA now in force in South Africa, an adequacy decision could be made in the future by the EU that would secure a much easier flow of data between EU member states and South Africa.

Summary: POPIA in South Africa

With the Protection of Personal Information Act (POPIA) in South Africa in effect, another strong, protective data privacy law has emerged to join the expanding network of end-user empowerment spreading across the globe and the Internet.

Closely aligned with the EU’s General Data Protection Regulation, POPIA ensures thorough data privacy protection for citizens of South Africa and makes an adequacy decision by the EU likely, paving the way for smooth and secure transfers of personal data between the two.

Cookiebot CMP enables compliance with most major data privacy laws in the world, such as EU’s GDPR, California’s CCPA, Brazil’s LGPD and South Africa’s POPIA as well.

Resources

CREDIT: ARTICLE INFORMATION ABOVE WAS TAKEN FROM : COOKIEBOT.COM

CREDIT: VIDEO WAS TAKEN FROM YOUTUBE ESPRESSO SHOW CHANNEL

POPIA aligns South Africa with global data protection best practices, IAPP

South Africa’s Protection of Personal Information Act (POPIA Act), official law

Learn more about GDPR and cookie consent

Learn more about EDPB guidelines for valid consent under GDPR

Learn more about cookie, trackers and website tracking

South Africa’s POPIA goes into effect July 1, The National Law Review

Comparison of POPIA and GDPR in key areas, TechGDPR