South Africa’s New Privacy Law

The right to privacy is protected under South African common law, as well as in Sec. 14 of the Constitution. The recognition and protection of the right to privacy is a fundamental human right in the Constitution.

On August 22, 2013, the South African Parliament passed the Protection of Personal Information Bill. This bill was sent to President Jacob Zuma to be signed into law and represents South Africa’s first comprehensive data protection legislation.

South Africa’s PPIB

The Protection of Personal Information Bill sets forth several measures to protect personal data, including:

  • Establishing an Information Protection Regulator with investigatory and enforcement powers
  • Requiring the data subject’s consent to process personal information
  • Requiring that notice be provided to the data subject and the Information Protection Regulator in order to process personal information
  • Setting limitations on processing of children’s personal information and information regarding data subjects’ religious of philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior
  • Requiring entities who process personal information to implement security measures to maintain the integrity of the personal information
  • Requiring notification of data breaches to affected data subjects and the Information Protection Regulator
  • Requiring public and private entities to designate information protection officers
  • Setting restrictions on processing of personal information for the purpose of direct marketing by “automatic calling machine,” fax, text messaging and email
  • Limiting cross-border transfers of personal information unless the recipient is subject to laws, binding corporate rules or contracts that establish the same level of data protection as the Protection of Personal Information Bill


Compliance with the PPIB would be required within one year of the law taking effect, though the Information Protection Regulator may extend this transitional period for up to three years.


European Parallels

South Africa’s first comprehensive data protection laws are closely aligned with those which are being debated in Europe. The proposed European laws provide online consumers the right to withhold personal information, while using websites. This presents a challenge to the businesses who have based their revenue model on garnering this kind of idea.

If these laws are introduced in South Africa, they could have far reaching implications for both individual citizens, as well as businesses.

According to observer JJ Milner:

“The spirit of the European legislation – with which the South African legislation in its current form is closely aligned – is to hand back a measure of control to consumers. It requires companies to have an extra opt-in level, alerting consumers to what information they are giving and what will be done with that information.

“It will also require companies to be more responsible with the data they’ve collected – the standards for compliance have to be higher. They will need stronger systems and updated human and evaluation processes in place.”


South Africa’s first comprehensive data protection law was passed in late August. It is known as the Protection of Personal Information Bill.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/European Privacy (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

  • EU Data Protection Directive 95/46/EC (I.C.b.)
  • International data transfers – safe jurisdictions (II.I.b.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>