New South African Privacy Law Will Have 'Significant Impact' On Businesses

The South African Parliament has passed the Protection of Personal Information (POPI) Bill. POPI represents South Africa's first comprehensive data protection legislation and is expected to come into force before the end of the year. "POPI will, upon promulgation, impose a number of stringent obligations on all persons which in any manner process personal information", said Simone Gill, Director of the Technology Media and Telecommunications Practice at Cliffe Dekker Hofmeyr. "It is expected to have a significant impact on the manner in which private and public bodies process personal information."

POPI was drafted on the basis of the EU Data Protection Directive and establishes eight data protection principles, which reflect EU, Canadian and Australian data protection models. Of particular note, POPI restricts cross-border data transfers unless the country to which the data is transferred provides a similar level protection of personal data. Under POPI, companies may adopt contractual clauses and binding corporate codes of conduct. It will also introduce a mandatory data breach notification requirement and establish the Information Protection Regulator (IPR) with investigatory and enforcement powers, including the power to impose fines of up to ZAR 10 million (approx. €740,200).