South African Cyber Privacy Regulations I Brit Insurance

We’ve compiled this information on privacy and cybersecurity legislation in South Africa.

It’s designed as a high-level overview with links to sources for further research. Please read our disclaimer at the bottom of this page.

POPIA Act 4 of 2013

The Protection of Personal Information Act (POPIA) came into force in July 2020 to regulate how public and private bodies collect, use, and process personal information. POPIA sets conditions for lawful processing, and requires responsible parties to take reasonable measures to protect personal information. The Information Regulator of South Africa monitors and enforces compliance with POPIA.  ​

The POPIA applies where the responsible party is: (i) domiciled in South Africa; or (ii) not domiciled in South Africa but makes use of automated or non-automated means in South Africa to process personal information, unless those means are used only to forward personal information through South Africa.

Where a responsible party is alleged by the Information Regulator to have committed a criminal offence under the POPIA, an administrative fine may be imposed for an amount of up to ZAR 10 million (approximately €598,000). ​

POPIA Act 4 of 2013

Marketing and Cookies

·       There are no specific ePrivacy laws but the POPIA contains provisions relating to direct marketing.

·       POPIA does not expressly regulate the use of cookies. However, “online identifiers” fall within the definition of personal information, so cookies may be subject to POPIA.

·       It is only possible to send direct marketing e-mails to data subjects if their consent has been obtained, or if they are customers of the responsible party. Further conditions apply relating to how data and permissions have been obtained.

Marketing and Cookies

Since POPIA became enforceable, the South African Information Regulator has been proactively taking steps to monitor and enforce POPIA. The first fine (ZAR 5 million) was issued against the Department of Justice and Constitutional Development (DoJ&CD) on 3 July 2023. The DoJ&CD suffered a security compromise in 2021, which severely impacted its electronic systems and resulted in the loss of approximately 1,204 files containing personal information.​

The Cybercrimes Act 19 of 2020

The Cybercrimes Act 19 of 2020 was signed into law in June 2021 and came into force on 1 December 2021. It brings the country's cybersecurity legislation in line with global standards. The Act compels electronic communications service providers and financial institutions to act when they become aware that their computer systems have been involved in a cybersecurity breach and to report such breaches to the South African Police Service within 72 hours of becoming aware of the breach. Non-compliance is a criminal offence and fines can be imposed. The Cybercrimes Act further criminalizes harmful data messages, such as those that invite or threaten violence or damage to property, as well as those that contain intimate images. The Cybercrimes Act also criminalizes cyber fraud, extortion, forgery and the theft of incorporeal property. Those found guilty of a cybersecurity offence face hefty fines and lengthy prison sentences of up to 15 years.

The Cybercrimes Act 19 of 2020

AI

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan. Existing legislation regulates some activities conducted by organisations using AI, including the Protection of Personal Information Act (POPIA), the Copyright Act, the Patents Act, and the Competition Act.

AI

A quick disclaimer about this advice

The information here is not, and doesn’t intend to be, legal advice.

All information, content, and materials are for general information only. The information may not be the most up-to-date, legally or otherwise and may not be exhaustive. This website contains links to other websites – these are for convenience; Brit does not recommend or endorse the contents of the third-party sites.

A quick disclaimer about this advice

Insights

Read the latest insights from our cyber security partners.

Insights

Artboard – 5

Operational Technology (OT): Protecting Critical Systems in a Connected World

19-06-2024 |Cyber
Read more
Woman working on a computer with digital screens in view

Digital Forensics:
Managing a Digital Crime Scene

19-09-2024 |Cyber
Read more
Breach Counsel Teaser

Breach response: leave it to the experts

24-01-2025 |Cyber
Read more
Ai Snippet

Risk Versus Reward: Using AI In Business

22-05-2024 |Cyber
Read more
Cyberpam Header

How cybercriminals exploit MFA reset prompts

25-04-2024 |Cyber
Read more
Ransomware Fullbleed1

Ransomware negotiation: Don’t try this at home

18-03-2024 |Cyber
Read more
Adcybergap Pageimg

Addressing The Cyber Gap With SMEs

29-01-2024 |Cyber
Read more
NIS2 Header

Brit - NIS2: What does it mean for cyber security?

30-11-2023 |Cyber
Read more
DT

The Cyber Security Threat from Digital Twins - Brit

30-11-2023
Read more