South Africa's wide-ranging data protection and privacy act is to come into effect on Wednesday, President Cyril Ramaphosa has announced, in a move designed to bring the nation's data laws in line with the type of regulations common across the developed world.

The long-awaited Protection of Personal Information Act 4 of 2013 (POPI) will come into effect on July 1, and businesses will have 12 months to become compliant.

"The act was supposed to come into effect fully on April 1, but was postponed because of the COVID-19 crisis and the lockdown," said Ridwaan Boda, director at ENSafrica.

Some sections of POPI came into force in 2014, leading to the establishment of the Information Regulator, which took office in 2016.

Depending on how it is enforced, POPI has the potential to place South Africa on the EU regulator's white list of preapproved countries to which data can be entrusted, said Boda.

However, he said, as it stands, the lack of enforceable data protection legislation has never really been a deterrent to international trading and investment, because a privacy protection clause is generally built into agreements.

In line with South Africa's constitution, POPI provides that everyone has the right to privacy and strikes a balance between the right to privacy and the right of access to information.

POPI might make it easier to protect data from being acquired by nefarious means, through what is referred to as 'data colonialism', whereby data is accessed and traded as a commodity across the globe, says Boda.

"Data is a valuable tradeable commodity and has been referred to as the new oil."

The POPI act is closely related to the European General Data Protection Regulation (GDPR) framework, according to Livia Dyer, partner at Johannesburg law firm Bowmans.

She said many organisations are already well advanced with complying with the anticipated POPI requirements, especially banks, insurance companies, retailers and others that store a lot of customer data.

"But they still have a lot of work to do, and there has not been much guidance from the regulator on what they should be doing," she said.

"Non-compliance with POPI will be subject to a fine of up to R10-million or a 10-year jail sentence."

Kelly Hutchesson, senior associate at Eversheds Sutherland, said that without data protection legislation, South Africans have been powerless to do anything when their privacy is violated.

"Data is a valuable commodity, and direct marketing is creating money for a lot of people and often targets those who are most vulnerable."

She said the enforcement of the POPI act is likely to influence countries in the rest of Africa to follow South Africa's lead and adopt their own data privacy and protection laws.

"South Africa has learned valuable lessons from the EU in this regard, and other African countries are likely to look to us for guidance on how to implement such first-world laws."

However, she said, the question is whether it will suit African governments to bring in privacy legislation when they now have free access to any data within their respective countries.

The development is the latest example of nations across the Middle East and Africa bringing their data laws more closely in line with the GDPR.

Earlier this month, the Dubai International Financial Centre Authority introduced new data protection legislation designed to align the area's data laws with those in Europe, particularly the GDPR.
