More POPI Act sections come into force

Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Presidency has announced the commencement of certain sections of the 2013 Protection of Personal Information (POPI) Act.

The Act, which gives effect to section 14 of the Constitution, provides that everyone has the right to privacy.

The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don't comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

The chairperson of the Information Regulator, advocate Pansy Tlakula, in January, wrote a letter to president Cyril Ramaphosa requesting him to bring the outstanding aspects of the law into effect.

“The Act promotes the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as access to information,” said the Presidency in a statement today.

Since 2013, the Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.

However, these delays have resulted in legal uncertainty among local organisations.

Some of the sections in force include those relating to the establishment of the Information Regulator. The members of the Information Regulator took office on 1 December 2016.

Many of the remaining provisions of the Act could only be put into operation at a later stage, as they require a state of operational readiness for the Information Regulator to assume its powers, functions and duties – in terms of the Act, says the Presidency.

It adds that much has since been done in this regard, culminating in the commencement of a number of remaining sections, which has now been proclaimed by the president.

The relevant sections and applicable dates are as follows: sections 2 to 38; sections 55 to 109; section 111, and section 114 (1), (2) and (3) shall commence on 1 July 2020.

Sections 110 and 114(4) shall commence on 30 June 2021.

The sections that will commence on 1 July 2020 are essential parts of the Act and comprise sections that pertain to, among others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.

Section 114(1) is of particular importance, as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act.

According to the Presidency, this means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021.

However, it stands to reason that private and public bodies should attempt to comply with the provisions of the Act as soon as possible in order to give effect to the rights of individuals, it notes.

The reason for the delay in relation to the commencement of sections 110 and 114(4) – which are to commence on 30 June 2021 – is that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (PAIA) from the South African Human Rights Commission to the Information Regulator.

In this regard, the Presidency says the commission must finalise or conclude its functions referred to in sections 83 and 84 of PAIA and all mechanisms must be in place for the regulator to take over these functions.

Entities that process personal information must ensure it is done in a lawful way, says the Presidency.

It points out that the Act is fundamental in safeguarding persons’ personal information, protecting them against data breaches and theft of personal information.