South Africa looks to EU for data protection law

By Pamela Stein, Webber Wentzel

Indian and other foreign companies which process personal data in South Africa will need to ensure that they comply with the Protection of Personal Information Bill (POPI), which was adopted by South Africa last year.

This legislation, which is not yet in force, will apply to foreign companies irrespective of whether they process the data in South Africa or transfer the data from South Africa to another country for processing. IT outsourcing companies will also be covered by the legislation in their capacity as operators, even though they are acting on behalf of the data controller.

Pamela Stein
Pamela Stein

POPI, which regulates every aspect of the processing of personal information from its collection to its destruction, is based on data protection law that has been in force in the EU since 1995.

The bill will have far reaching implications for every company that processes personal information. Personal information – widely defined to include any information that is linked to an identifiable person’s physical, physiological, mental, financial, cultural or social identity – is typically collected from employees, customers and suppliers.

Lengthy process

POPI was first published for comment in 2005 and at least nine working drafts have been published since then. The lengthy deliberations have allowed South Africa to draw on the experience of many years of data protection regulation in the EU, including the current comprehensive review by the European Commission.

The constitutional rationale for POPI is to give effect to the right to privacy that protects individuals (known as “data subjects”) against the unlawful collection, retention, dissemination and use of their personal information.

Protection of this information is achieved by requiring the data controller to process personal information strictly in compliance with the EU’s eight data protection principles. These principles restrict the manner and extent to which personal information can be processed, holding a data controller responsible for lawful processing, and giving individuals significant rights over their personal information, including the right to access and correct their data, and withdraw consent to processing, at any time.

An individual’s rights must be enforceable through some form of regulatory agency and data may only be transferred across borders where the recipient’s jurisdiction provides an adequate level of data protection.

The EU review has found that while the original data protection principles and objectives still apply, there is a need for a more coherent data protection system which provides legal certainty and gives individuals more control over their personal information. Such a system must include the implementation of practical measures for companies that inevitably process personal information in the course of business.

A key area of concern for business is the principle restricting the free flow of personal information across borders. This limitation is in place because cross-border transfers carry special enforcement risks – particularly where the destination jurisdiction has no data protection law.

Cross-border information transfers are therefore subject to various conditions, including the requirement of consent, contractual necessity and adequate data protection regulation of the recipient of the data. The restrictions on cross-border information flows affect the ability of companies to operate effectively, because each transfer of data requires an independent assessment of whether the conditions for a lawful transfer exist.

Seeking a more integrated, holistic approach to cross-border transfers of personal information, many EU member states now accept what are termed “binding corporate rules” (BCRs). These are legally binding data processing rules which a company or a group of companies adopt to protect personal information in their possession. BCRs require regulatory approval.

BCRs facilitate international global transfers of personal information while protecting individual privacy rights. Companies that do business in South Africa and regularly transfer personal information to other jurisdictions are advised to explore the use of BCRs.

Learning from experience

POPI, taking its cue from the EU, expressly endorses the use of BCRs, and also seeks to make the law more accessible to both data subjects and data controllers, so that both parties know their rights and obligations. The data subject’s rights are placed at the beginning of the legislation, immediately followed by a list of the requirements for lawful processing of personal information.

A constant theme of the EU review is the challenges to data protection posed by rapidly developing technology, which has increased the scale of data sharing and collecting to unprecedented levels. POPI adopts many of the proposals that address this online challenge to privacy, including providing greater protection for children, prohibiting direct marketing without consent, tightening rules on data security breaches and ensuring the “right to be forgotten” in an online environment.

Pamela Stein is a partner at Webber Wentzel, one of the leading corporate law firms in Africa and the South African member of ALN, an established group of Africa’s 12 foremost law firms.


10 Fricker Road,

Illovo Boulevard

Johannesburg 2196

South Africa

Tel: +27 11 530 5000

Fax: +27 11 530 5111

E-mail: subscripton ad blue 2022