Authors: Gonzalo Zeballos, James Sherer, and Alan Pate

South Africa

On August 22, 2013, after four years of deliberation, the South African Parliament passed the first comprehensive data protection legislation in South Africa, the Protection of Personal Information (POPI) Bill. This Bill supports the existing right to privacy found in section 14 of the Constitution of the Republic of South Africa, 1996, and is designed to prevent the negligent disclosure of South African citizens’ Personally Identifiable Data (PID). Modeled on the current EU data protection regime, the Bill establishes the Office of the Information Regulator (OIR) as a data protection office, and outlines requirements for out-of-country transfers of PID, explicit consent for the collection and use of PID, time limits on PID retention, disclosure requirements, and minimum security and protection measures associated with the storage of PID. POPI provides exclusions for purely household or personal activity; “sufficiently de-identified information;” and state, national security, judiciary, and journalistic functions. In contrast, violations invoke civil and criminal penalties, for which the OIR may seek fines up to ZAR 10 Million (~$1 Million US), as well as compensatory and/or aggravated damages.