Published September 29, 2020.
South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020 with a grace period of 12 months, meaning that enforcement will begin July 1, 2021.
In this blogpost, we break down South Africa’s POPIA – its key terms, rights, requirements and how your website becomes compliant.
The EU’s General Data Protection Regulation (GDPR) is no longer only just a European data privacy law, it has also become a global data privacy standard – and the speed with which this standard is spreading around the world is increasing, ensuring a higher level of protection of end-user privacy on the Internet.
South Africa’s POPIA is the latest major data privacy law in the world to be modelled closely after the EU’s GDPR (and the ePrivacy Directive) – empowering its citizens with enforceable rights over their personal information, establishing eight minimum requirements for data processing (e.g. introducing consent as a required legal basis), creating a broad definition of personal information for comprehensive end-user protection, as well as forming the Information Regulator (SAIR) as lead enforcer and supervisor of the law.
POPIA makes South Africa the latest country to create strong data protection for its citizens.
POPIA quick breakdown –
POPIA in South Africa also protects companies and organizations as “juristic persons”, unlike the EU’s GDPR.
There are key differences between POPIA and GDPR, in particular –
Try Cookiebot free for 30 days – or forever if you have a small website
Cookiebot is the world’s leading consent management platform built around a cutting-edge scanning technology that detects all cookies and trackers on your website and hands total control to the end-user for true granular consent in full compliance with the EU’s GDPR, California’s CCPA, Brazil’s LGPD and now also South Africa’s POPIA.
Cookiebot works by simulating a handful of real-life users visiting your website, scrolling, clicking, browsing as people do, to active and reveal the entire network of cookies, trackers and trojan horses on your domain.
Cookiebot’s cookie banner for compliance with GDPR, LGPD, POPIA in South Africa and more.
Through highly customizable consent banners, your end-users will be able to quickly and smoothly give their preferred consent, while Cookiebot automatically geo-targets each user to make sure that the right consent interface is presented, be it GDPR in the EU or CCPA in California.
Try Cookiebot free for 30 days – or forever if you have a small website
Let’s look closer at the details of POPIA in South Africa; how it fits into the current data privacy legal regime, what rights it empowers citizens with and how companies and organizations obtain POPIA compliance.
South Africa’s Protection of Personal Information Act (POPIA) was actually drafted way back in 2003, closely modelled after the European data privacy legislation at the time, the ePrivacy Directive, but halted and changed over several occasions in the subsequent years, when the General Data Protection Regulation (GDPR) came into force and significantly updated the EU’s data privacy regime.
POPIA finally came into force on July 1, 2020.
The legal data privacy regime in South Africa consists of the Constitution itself (that guarantees its citizens the right to privacy) and the Electronic Communications and Transactions Act (ECTA) from 2002, which do actually regulate the collection of personal information, but makes compliance with it voluntary for companies and organizations.
The Protection of Personal Information Act (POPIA) will enter into enforcement on July 1, 2021 and replace the provisions in the ECTA that deal with personal information protection.
South Africa is today not considered by the EU to have an adequate level of data protection and therefore ranks as a third country, requiring additional notices, consent and legal bases for when websites, companies and organizations inside the EU transfer data to the country.
With the POPIA now in force in South Africa, an adequacy decision could be made in the future by the EU that would secure a much easier flow of data between EU member states and South Africa.
POPIA applies to any processing (collection, recording, organizing, sharing, using, storing etc.) of personal information by a responsible party (website, company or organization) located in South Africa or outside, if they use means to process in South Africa.
This means that the scope of POPIA in South Africa is more limited than the scope of the GDPR in Europe, which applies to anyone who processes personal data from the EU, no matter where there are located.
If your website, company or organization is located in South Africa and you process personal information, you’re automatically obligated to comply with POPIA.
If you have a website that is not located in South Africa but processes personal information on South African citizens within the country, you are also obligated to comply with POPIA.
The scope of POPIA in South Africa is smaller than the EU’s GDPR.
POPIA has a very broad definition of personal information, basically any kind of information relating to an identifiable, living natural person, company or similar legal entity, including but not limited to –
POPIA’s broad personal information definition covers activities that happen on most websites in the world, such as first- and third-party cookies collecting IP addresses, search and browser history, trackers setting unique IDs and more.
Just as the EU’s GDPR and Brazil’s LGPD, POPIA in South Africa creates a whole new set of rights for its citizens that they can exercise to protect their data and privacy, gain insight into what data is collected about them, request it corrected and deleted.
POPIA in South Africa secures protection for end-users and the flow of their data online.
POPIA creates the following rights for South African citizens (data subjects) –
In other words, South African citizens will be able to know when their personal information is likely to be collected, and have the right to consent to it before it happens; will have the ability to request that your website gives them access to see what personal information it has collected about them, as well as have that information either corrected or deleted altogether, among others.
Try Cookiebot free for 30 days – or forever if you have a small website
As its European and Brazilian counterparts, South Africa’s POPIA also establishes minimum requirements for companies and organizations in order to lawfully process personal information of South African citizens.
POPIA makes it very clear: personal information is only allowed to be processed if the end-user consents to the processing, including to the specific purposes for which the personal information is being collected.
The data subject can withdraw their consent at any time.
Take a closer look at consent under South Africa's POPIA Act
POPIA establishes eight conditions for lawful processing of data in South Africa –
All eight conditions must be met when processing personal information lawfully under POPIA.
Take a closer look at the conditions for processing under South Africa's POPIA Act
The main supervisory and enforcing body under POPIA is the Information Regulator (SAIR) that is established by the law itself and endowed with the responsibilities of –
The Information Regulator (SAIR) is the lead enforcer and supervisor of POPIA compliance.
The Information Regulator is a broader entity in POPIA than the Supervisory ity of the GDPR, since it not only is the lead enforcer and supervisor of POPIA compliance, but also has several other areas of operations, such as izing websites, companies and organizations to –
In December 2018, the Information Regulator published POPIA regulations for compliance and enforcement with the law. These regulations are still in effect and form the basis of the Information Regulator’s enforcement of POPIA – which won’t begin until July 1, 2021 though.
The POPIA regulations include information and codes of conduct regarding –
The Information Regulator’s POPIA regulations (in PDF)
Since the EU’s General Data Protection Regulation (GDPR) is so clearly reflected in South Africa’s Protection of Personal Information Act (POPIA), it makes good sense to hold them up against each other to spot the key differences in the laws – that are vital for websites and companies to be aware of, in order to navigate two regimes and be in compliance with POPIA and the GDPR.
Key differences between GDPR and POPIA are vital to note in order to obtain proper compliance
POPIA defines personal information as information relating to an identifiable, living, and natural person, which is very close to the GDPR and its definition of personal data as information relating to an identified or identifiable natural person (“data subject”, as both laws call it.).
However, POPIA also includes in its definition of data subjects companies, organizations and other legal entities, while the GDPR strictly limits its definition to human individuals.
This obviously has great significance, because it allows companies to not only be “responsible parties”, but also “data subjects”, with rights to the “personal” information collected and shared about them.
Exactly how this plays out will become clearer upon enforcement of POPIA from July 1, 2021, but it’s safe to say that it will create very different data privacy practices in South Africa than the GDPR does in Europe.
When it comes to the definitions of consent, POPIA and the GDPR are almost identical.
POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”; whereas the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”.
However, POPIA specifically mentions that it is a matter of interpretation as to what constitutes a voluntary expression of will, leaving the door open for industry standards and enforcement precedents to shape the practical nature of compliance with POPIA.
This has been the case with the EU’s GDPR, where compliance has been shaped by court decision and guidelines issued from the European Data Protection Board (EDPB) that national data protection ities will follow in their enforcement of the data protection law.
As a result, proper and lawful consent under the GDPR has come to mean the prior and explicit action of end-users when interacting with consent interfaces on websites that are not allowed to have pre-ticked checkboxes or to nudge users towards opting in to cookies and trackers.
Exactly how consent will take its practical shape through enforcement of compliance with POPIA in South Africa will become clear after July 1, 2021.
POPIA applies to processing done by websites, companies, organizations and other legal entities that are located inside of South Africa – but also to “responsible parties” who are located outside of South Africa, if they process personal information inside South Africa (not only passing data through the country).
Compared to the EU’s GDPR, POPIA has a smaller scope.
The GPDR applies to any processing of personal data from inside the EU, regardless of where in the world the data controller and/or data processor is located.
Rather than aligning itself with the standard of the GDPR, POPIA’s scope mirrors that of the EU’s ePrivacy Directive.
The GDPR is very clear when it comes to dividing the responsibility between a data controller and a data processor (i.e. an entity processing personal data on behalf of the data controller) and specifies how both must obtain GDPR compliance under the term joint controllers.
Unlike the GDPR, POPIA only addresses a responsible party, which means that websites, companies and organizations are uniquely responsible for meeting POPIA’s requirements for end-user protection.
By not having joint controllers in the law like GDPR, POPIA creates a bigger liability for websites and companies, who are ultimately responsible for all processing of their end-users’ information, even if it’s being done by adtech companies or social media platforms embedded on their websites through cookies and trackers.
The GDPR’s Data Protection Officer is mirrored in POPIA as the Information Officer that any responsible party must appoint. However, the role of the Information Officer under POPIA differs significantly from its GDPR equivalent.
Under the GDPR, the Data Protection Officer has to have specific expertise and training in EU data privacy law but is not automatically required in every company or organization, and in fact can be an external, independent supervisor.
Under POPIA, the Information Officer is compulsory for every company and organizations and is automatically assigned to the CEO – it’s not possible to assign to an external, independent party. The Information Officer is not required to have any prior training or expertise of South Africa’s data privacy regime but must be registered with the Information Regulator (SAIR).
POPIA also requires companies and organizations to appoint a Deputy Information Officer, a position not found to have an equivalent in the GDPR.
With the Protection of Personal Information Act (POPIA) in South Africa in effect, another strong, protective data privacy law has emerged to join the expanding network of end-user empowerment spreading across the globe and the Internet.
Closely aligned with the EU’s General Data Protection Regulation, POPIA ensures thorough data privacy protection for citizens of South Africa and makes an adequacy decision by the EU likely, paving the way for smooth and secure transfers of personal data between the two.
Try Cookiebot free for 30 days – or forever if you have a small website.
The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law that empowers citizens with enforceable rights over their personal information, requires websites, companies and organizations to live up to minimum conditions for lawful processing, and establishes the Information Regulator to supervise and enforce compliance with POPIA.
The Protection of Personal Information Act (POPIA) applies to websites, companies, organizations and other legal entities who are located inside South Africa and who process personal information. However, POPIA also applies to responsible parties who are located outside South Africa, if they process personal information inside the country (not only transferring it through it).
Compliance with POPIA means asking for and obtaining the prior consent of end-users before any processing of their personal information. Compliance also means meeting several minimum requirements for lawful processing, such as documentation, security and confidentiality and ensuring that end-users can exercise their right to access, correct and have deleted already collected data.
Using a consent management platform like Cookiebot can help you reveal all cookies and trackers in operation on your website that process personal information, and to see where in the world your domain sends data to.
POPIA aligns South Africa with global data protection best practices, IAPP
South Africa’s Protection of Personal Information Act (POPIA Act), official law
South Africa’s POPIA goes into effect July 1, The National Law Review
Comparison of POPIA and GDPR in key areas, TechGDPR