The Protection of Personal Information Act (POPIA) came into force in July 2020 to regulate how public and private bodies collect, use, and process personal information. POPIA sets conditions for lawful processing, and requires responsible parties to take reasonable measures to protect personal information. The Information Regulator of South Africa monitors and enforces compliance with POPIA.
POPIA applies where the responsible party is: (i) domiciled in South Africa; or (ii) not domiciled in South Africa but makes use of automated or non-automated means in South Africa to process personal information, unless those means are used only to forward personal information through South Africa.
Where a responsible party is alleged by the Information Regulator to have committed a criminal offence under the POPIA, an administrative fine may be imposed for an amount of up to ZAR 10 million (approximately €598,000).
· There are no specific ePrivacy laws but the POPIA contains provisions relating to direct marketing.
· POPIA does not expressly regulate the use of cookies. However, “online identifiers” fall within the definition of personal information, so cookies may be subject to POPIA.
· It is only possible to send direct marketing e-mails to data subjects if their consent has been obtained, or if they are customers of the responsible party. Further conditions apply relating to how data and permissions have been obtained.
Since POPIA became enforceable, the South African Information Regulator has been proactively taking steps to monitor and enforce POPIA. The first fine (ZAR 5 million) was issued against the Department of Justice and Constitutional Development (DoJ&CD) on 3 July 2023. The DoJ&CD suffered a security compromise in 2021, which severely impacted its electronic systems and resulted in the loss of approximately 1,204 files containing personal information.
The Cybercrimes Act 19 of 2020 was signed into law in June 2021 and came into force on 1 December 2021. It brings the country's cybersecurity legislation in line with global standards. The Act compels electronic communications service providers and financial institutions to act when they become aware that their computer systems have been involved in a cybersecurity breach and to report such breaches to the South African Police Service within 72 hours of becoming aware of the breach. Non-compliance is a criminal offence and fines can be imposed. The Cybercrimes Act further criminalizes harmful data messages, such as those that invite or threaten violence or damage to property, as well as those that contain intimate images. The Cybercrimes Act also criminalizes cyber fraud, extortion, forgery and the theft of incorporeal property. Those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years.
South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan. Existing legislation regulates some activities conducted by organisations using AI, including the Protection of Personal Information Act (POPIA), the Copyright Act, the Patents Act, and the Competition Act.
The information here is not, and doesn’t intend to be, legal advice.
All information, content, and materials are for general information only. The information may not be the most up-to-date, legally or otherwise and may not be exhaustive. This website contains links to other websites – these are for convenience; Brit does not recommend or endorse the contents of the third-party sites.