South Africa's Protection of Personal Information Act (POPIA) will soon see some very crucial sections come into effect on 1 July 2020. Specifically, as announced in the statement issued by President Cyril Ramaphosa's office, sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2), and (3) shall all commence on 1 July 2020.

Before this announcement, only a few sections of POPIA had been signed into law. These sections only dealt with the formation of the Information Regulator, an organization that is tasked, among other functions, with investigating data breaches and determining penalties.

"The sections which will commence on 1 July 2020 are essential parts of the Act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act," reads a statement issued by the office of South Africa's President, Cyril Ramaphosa.


Tech Legal Matters: What you need to know about the Life Healthcare data breach

You can also listen to the podcast on: Apple Podcasts, Google Podcasts, Spotify, Deezer, and Stitcher.


History of data breaches in South Africa

Looking back 5 to 10 years, South Africa has experienced some significant data breaches that left a lot of people's personal information exposed.

The largest of these data breaches and leaks, by the number of people in South Africa affected, is one that has been popularly known as the masterdeeds data leak (because the publicly exposed database had the filename masterdeeds.sql). The data leaked in this database contained a myriad of personal information including ID number, marital status, income, company directorships held (and previously held), employment details as well as property ownership information.

Despite an iAfrikan investigation and further confirmation of the real estate company and data aggregation company that could have allegedly been the sources of the data leak, to date, no one has been taken to task for this data leak of sensitive personal information. This is mainly because at the time it happened during 2017, POPIA was not enforceable.

Importance of having enforceable data protection law in South Africa

The problem with data breaches and data leaks in South Africa, as once previously highlighted by Advocate Pansy Tlakula (chairperson of South Africa's Information Regulator), without key sections of POPIA being enforceable the breaches will continue to happen without much recourse for people in South Africa and any consequences for companies that handle people's personal information.

However, this will soon change with the announcement of the commencement of key sections of POPIA, especially once the 12 month period for organizations to get ready is completed, this will all change.

"The reason for the delay in relation to the commencement of sections 110 and 114(4) – which are to commence on 30 June 2021 - is that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (PAIA) from the South African Human Rights Commission to the Information Regulator. In this regard, the Commission must finalise or conclude its functions referred to in sections 83 and 84 of PAIA and all mechanisms must be in place for the Regulator Β to take over these functions."


Subscribe to our newsletter
Insights and analysis into how technology impacts Africa. We promise to leave you smarter and asking the right questions every time after you read it. Sent out every Monday to Friday.

Share this article via: