The South African Parliament passed the Protection of Personal Information (POPI) Bill on 22 August 2013. POPI was introduced in August 2009 by the South African Cabinet and represents South Africa's first comprehensive data protection legislation. POPI is expected to come into force before the end of the year.
"[POPI] will, upon promulgation, impose a number of stringent obligations on all persons which in any manner process personal information", Simone Gill, Director of the Technology Media and Telecommunications Practice at Cliffe Dekker Hofmeyr, told DataGuidance. "It is expected to have a significant impact on the manner in which private and public bodies process personal information, [defined as] any information that identifies a natural or [legal] person."
POPI was drafted on the basis of the EU Data Protection Directive 95/46/EC (the Directive), and establishes eight data protection principles, which reflect EU, Canadian and Australian data protection models. Of particular note, POPI restricts cross-border data transfers unless the country to which the data is transferred provides a similar level of protection for personal data. Under POPI, companies may adopt contractual clauses and binding corporate codes of conduct to satisfy this requirement.
POPI will also introduce a mandatory data breach notification requirement. 'Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person', reads Article 21, 'the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the Regulator; and data subject, unless the identity of such data subject cannot be established.'
POPI establishes the Information Protection Regulator (IPR) with investigatory and enforcement powers, including the power to impose fines of up to ZAR 10 million (approx. €740,200). POPI also imposes criminal sanctions of up to 10 years' imprisonment for obstruction of the activities of the IPR, and up to 12 months for other violations.
Once enacted, POPI will provide South African companies with a one-year grace period to bring their existing data protection processing practices in line with the legislative requirements. However, the Information Protection Regulator, once established, may extend this transitional period to a maximum of three years.
"As promulgation is now imminent, it is essential for all persons, including private and public entities, to initiate awareness workshops and to conduct detailed due diligence exercises in order to assess their current levels of compliance with [POPI]", said Gill. "[Businesses need] to determine which steps are to be taken to ensure compliance, failing which they may find themselves being subject to criminal sanction and civil liability. Although [POPI] does allow for a one-year transition period, the obligations imposed are extensive and will take time and effort to implement."
To become law, POPI will need to be translated into Afrikaans and then signed by the President. It is expected to be enacted before the end of the year.