A Q&A guide to data protection in South Africa.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
Although there is currently no specific data protection legislation in force, the following laws are relevant:
The Constitution of the Republic of South Africa guarantees the right to privacy.
Certain provisions within the Electronic Communications and Transactions Act 2002 (ECT Act) regulate the electronic collection of personal information. (Compliance with these provisions is voluntary.)
The Consumer Protection Act 2008 (CPA) includes provisions applicable to direct marketing to consumers that will overlap with the provisions on direct marketing and unsolicited communications under the Protection of Personal Information Bill (PPI Bill).
The PPI Bill will safeguard personal information by imposing stringent obligations on persons holding and processing personal information. It is expected to be enacted during the second half of 2012. (All information provided in this chapter in relation to the PPI Bill is based on the most recent draft of the PPI Bill, which was published by the South African legislature and is subject to change. Therefore, the final provisions contained in the PPI Bill may differ from the provisions outlined below.)
There is currently no comprehensive data privacy legislation in effect in South Africa. Directive 95/46/EC on data protection is not applicable. The personal information protection principles set out in Chapter VIII of the ECT Act are voluntary. Any subscription to these principles must be recorded in an agreement with the data subject. The principles in the ECT Act are subject to change when the PPI Bill is promulgated.
When enacted, the PPI Bill will:
Set out mandatory information protection principles, which will apply to the processing of personal information by public and private bodies.
Establish a regulator that will oversee any public or private body that processes the personal information of any data subject (see box, The regulatory authority).
The CPA provisions with regard to direct marketing (including by way of unsolicited electronic communications) apply in the context of consumer protection. These provisions will be amended or supplemented (or both) by the PPI Bill.
The PPI Bill applies to all public and private bodies (defined jointly as a "responsible party" in the PPI Bill). It governs the automated or non-automated processing of personal information in South Africa by or for a responsible party, irrespective of whether the responsible party is domiciled in South Africa.
"Personal information" is defined broadly in the PPI Bill to include information relating to an identifiable, living and natural person or an identifiable juristic person (including corporate legal entities and trusts). It covers:
Information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth.
Information relating to education, medical, financial, criminal or employment history.
Any identifying number, unique identifier, symbol, e-mail address, physical address, telephone number or other particular assignment to the person.
The blood type or any other biometric information of the person.
The personal opinions, views or preferences of the person.
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
The processing of all personal information is regulated by the PPI Bill. "Processing" includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of any personal information of a data subject.
The ECT Act, CPA and PPI Bill (when promulgated) are all applicable nationally.
There are currently no data protection laws. However, once enacted, the PPI Bill will not apply to information:
Used in the course of a purely personal or household activity.
That has been de-identified to the extent that the data subject is unidentifiable and it cannot be re-identified.
Used by or on behalf of the state with regard to national security, defence or public safety, or the prevention, investigation or proof of offences.
Relating to the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information.
Used for exclusively journalistic purposes by responsible parties who are subject to a code of ethics that provides adequate safeguards for the protection of personal information (by virtue of office, employment or profession).
Used for bona fide literary or artistic expression.
Used by Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality. (This option may be deleted in the final version of the PPI Bill when it is promulgated.)
Relating to the judicial functions of a court referred to in section 166 of the Constitution.
That has been exempted from the application of the information protection principles by the regulator (established by the PPI Bill) in certain circumstances.
(This list may be amended in the final version of the PPI Bill.)
There are currently no notification/registration requirements for the processing of data. However, once enacted, the PPI Bill will:
Place an obligation on public or private bodies to notify the regulator before processing personal information if they, acting on their own or in conjunction with others, determine the purpose of and means for the processing of personal information.
Prescribe the particulars that must be incorporated in any such notification, including:
the name and address of the responsible party;
the purpose of the processing (including any trans-border flows of the information);
a description of the categories of data subjects; and
a description of the information.
Empower the regulator to exempt certain categories of information processing from the notification requirement.
The mandatory information protection principles (or "conditions" as they are called in the PPI Bill) are set out in Chapter 3 of the PPI Bill as follows:
Accountability. Data controllers and responsible parties must comply with the terms of these eight principles (Principle 1).
Processing limitation. Data should only be obtained by limited and lawful processing that does not unnecessarily infringe the privacy of a data subject (Principle 2).
Purpose specification. The purpose for which personal data is collected must be specific, explicitly defined and lawful (Principle 3).
Further processing limitation. Further processing must be compatible with the purpose for which data is collected (Principle 4).
Information quality. Reasonably practicable steps must be taken to ensure personal information is complete, accurate, not misleading and updated where necessary (Principle 5).
Openness. The data controller/responsible party must notify the regulator that it processes personal information and advise the data subject of certain mandatory information in regard to the collection of the personal information (Principle 6).
Security safeguards. The integrity and confidentiality of the personal information must be secured. Reasonable technical and organisational measures must be taken to prevent loss, or unauthorised access or processing (Principle 7).
Data subject participation. The data subject has certain access rights with regard to his personal information, including a right to request its deletion (Principle 8).
There are currently no consent requirements for the processing of personal information. However, once the PPI Bill is enacted, the processing of personal information will require data subjects' prior consent. Where the data subject is a child, a competent person (a parent or legal guardian) must provide this consent.
Personal information must be collected directly from the data subject, except if any of the following apply (section 12, PPI Bill (seventh draft)):
The information is contained in or derived from a public record, or has been deliberately made public by the data subject.
The data subject or a competent person (where the data subject is a child) has consented to the collection of the information from another source.
Collection of the information from another source would not prejudice a legitimate interest of the data subject.
Collection of the information from another source is necessary to avoid prejudice to the maintenance of the law by any public body.
Collection is required to enforce a law imposing a pecuniary penalty.
Collection is required to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in the relevant tax legislation.
Collection is required for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.
It is in the legitimate interests of national security.
Collection is required to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied.
(This list may be amended in the final version of the PPI Bill.)
The consent of a data subject to the processing of personal information is not required where the processing (section 11, PPI Bill (seventh draft)):
Is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
Complies with an obligation imposed by law on the responsible party.
Protects a legitimate interest of the data subject.
Is necessary for the proper performance of a public law duty by a public body.
Is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
There are currently no legislative requirements for the processing of sensitive data. However, once the PPI Bill is enacted, a distinction will be made between personal information, special personal information (which concerns religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour) and the processing of personal information of children.
The PPI Bill prohibits the processing of special personal information and the personal information of children by responsible parties. However, these general prohibitions are subject to a number of exceptions, including consent from a parent or legal guardian in the case of a child.
The data subject must be made aware of (section 18, PPI Bill (seventh draft)):
The nature of the information being collected.
The identity of the responsible party.
The purpose of the collection of the information.
Whether or not the supply of the information by that data subject is voluntary or mandatory.
The consequences of failure to provide the information.
Any particular law authorising or requiring the collection of the information.
Any further information (such as the recipient or category of recipients of the information, nature or category of the information, existence of the right of access to and the right to rectify the information collected).
The existence of the right to object to the processing of personal information.
There are currently no rights granted to data subjects with regard to processing their personal information. However, once the PPI Bill is enacted, the data subject will have a right to request both:
At no cost, confirmation of the holding of personal information by a responsible party.
Access to the personal information held by a responsible party.
If a data subject is required to pay a fee for services provided to the data subject, the responsible party:
Must give him a written estimate of the fee before providing the services.
May require him to pay a deposit for all or part of the fee.
A responsible party has the right to refuse to disclose any information requested by a data subject on the basis of the Promotion of Access to Information Act 2 of 2000 (PAIA) where such a request for information falls within the scope of one of the stipulated grounds for refusal of access to records set out in PAIA.
There is currently no law that regulates the rights of data subjects to access their personal information, apart from the general access to records held by public or private bodies under PAIA, which could include personal information records. There is no right to request the deletion of records held by public and private bodies under PAIA.
However, once the PPI Bill is enacted, a data subject will have the right to request a responsible party to correct or delete personal information that is inaccurate, irrelevant or excessive, or which the responsible party is no longer authorised to retain.
There is currently no law that regulates the security requirements applicable to processing data. However, once the PPI Bill is enacted, a responsible party must secure the integrity of the personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
Loss of, damage to or unauthorised destruction of personal information.
Unlawful access to, or processing of, personal information.
To give effect to these measures, the responsible party must take reasonable steps to:
Identify all reasonably foreseeable internal and external risks to personal information under its control.
Establish and maintain appropriate safeguards against the risks identified.
Regularly verify that the safeguards are effectively implemented.
Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
There is currently no requirement to notify personal data security breaches to data subjects or the national regulator. However, the PPI Bill provides for data security breach notification.
Where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the responsible party, or any third party processing personal information under the authority of the responsible party, must notify the regulator (and the police, where relevant) and the data subject, unless the identity of the data subject cannot be established (section 22, PPI Bill (seventh draft)).
Notification to the data subject must be:
Made as soon as reasonably possible after the discovery of the breach.
In writing and communicated to the data subject by:
post (to the data subject's last known physical or postal address);
e-mail to the data subject's last known e-mail address;
placement in a prominent position on the website of the responsible party;
publication in the news media; or
any other means as may be directed by the regulator.
The notification must include sufficient detail to allow the data subject to take protective measures. A responsible party may be directed by the regulator to publicise the breach where the regulator has reasonable grounds to believe that the publicity would protect the data subjects affected by the breach.
There is currently no law that regulates processing by third parties on behalf of the data controller. However, once the PPI Bill is enacted, a third party (operator) or anyone processing personal information on behalf of a responsible party under the PPI Bill must enter into a written contract with the responsible party to process the personal information of a data subject. Furthermore, the processing of personal information of a data subject can only take place if the operator both:
Processes such information with the knowledge or authorisation of the responsible party.
Treats personal information that comes to its knowledge as confidential, unless it must disclose the personal information by law or in the course of the proper performance of its duties.
A responsible party must ensure that the operator adopts security measures to process the personal information. The obligation to maintain the confidentiality and integrity of such personal information must be documented in the written agreement between the responsible party and the operator.
Every consumer has the right to (section 11, Consumer Protection Act 2008 (CPA)):
Ask direct marketers to desist from engaging in any direct marketing practice (whether electronic or otherwise).
Pre-emptively block any such communications (other than personal approaches).
The CPA, read with its regulations, creates a national registry of pre-emptive blocks under which a marketer cannot send direct marketing communications to a consumer without first obtaining their consent.
It will be illegal for a direct marketer to seek to engage in direct electronic marketing (which includes marketing by automated calling machine, fax, SMS or e-mail), unless either (section 74, PPI Bill (seventh draft)):
The data subject has given his prior consent to the activity.
The data subject is an existing customer of the marketer.
The PPI Bill allows direct marketing to an existing customer if the contact details of that customer are obtained in the context of a sale of a product or service for the purpose of marketing similar products or services. The customer must also be given a reasonable opportunity to object, free of charge, to such use of his electronic details at the time when the information was collected and in each and every subsequent electronic communication with the data subject for the purposes of marketing.
Every direct marketing message must contain details of both:
The identity of the sender or the party on whose behalf it is sent.
How the recipient can request the cessation of these communications.
There is currently no regulation of the transfer of data. However, once the PPI Bill is enacted, a responsible party will not be able to transfer personal information about a data subject to a third party in a foreign jurisdiction, unless one of the following applies:
The recipient is subject to a law or contract which:
upholds principles of reasonable processing of the information that are substantially similar to the principles contained in the PPI Bill; and
includes provisions that are substantially similar to those contained in the PPI Bill relating to the further transfer of personal information from the recipient to third parties.
The data subject consents to the transfer.
The transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
The transfer is for the benefit of the data subject and:
it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
While a transfer to a foreign jurisdiction can be effected pursuant to a data transfer agreement, there are no approved standard forms or precedents. No standard forms or precedents have been proposed in the PPI Bill.
A data transfer agreement is sufficient to legitimise a transfer of personal information, provided that it upholds principles of reasonable processing of the information that are substantially similar to the principles contained in the PPI Bill (see Question 8).
The regulator does not need to approve the data transfer agreement. However, it is empowered to participate in any initiative that is aimed at facilitating cross-border co-operation in the enforcement of privacy laws.
There is currently no effective data protection regulator. However, once enacted, the PPI Bill will establish a regulator with specific enforcement mechanisms. The regulator will be responsible for the investigation and enforcement of the PPI Bill.
Any person can submit a complaint to the regulator either orally or in writing (although oral submissions will be converted to writing as soon as reasonably practicable), in the event of alleged interference with their personal information.
After receiving a complaint, the regulator is obliged to investigate the complaint, act as a conciliator where appropriate and take further action contemplated by the PPI Bill (section 81, PPI Bill (seventh draft)).
In exercising its investigative powers, the regulator can, among other things:
Administer the oath.
Summon and enforce the appearance of persons.
Compel the provision of written or oral evidence under oath.
Receive evidence irrespective of whether such evidence is admissible in a court of law.
Enter and search any premises occupied by a responsible party.
Where necessary, the regulator can apply to a judge of the High Court or a magistrate to issue a warrant to enable the regulator to enter and search premises.
Data controllers (or responsible parties) have a right of appeal against a decision of the regulator. Data subjects have the right to institute a civil action for damages in a court against a data controller for its breach of any provision of the PPI Bill.
For any contravention of the CPA, the National Consumer Commission may elect to investigate a complaint regarding direct marketing and issue a compliance notice. In the event of a failure to comply, the Tribunal established under the CPA may impose an administrative fine taking into consideration the nature and facts pertaining to the offence.
There are currently no sanctions or remedies for non-compliance with data protection laws. However, once the PPI Bill is enacted, any person will be guilty of an offence if they:
Obstruct the regulator.
Breach the confidentiality provisions contained in the PPI Bill.
Intentionally obstruct or unreasonably fail to assist in the execution of a warrant.
Fail to comply with an information or enforcement notice.
Such a person will be liable on conviction to a fine or imprisonment (or both) for a maximum period of ten years in respect of the obstruction of the regulator, and 12 months in respect of the other offences.
Furthermore, the regulator can impose administrative fines not exceeding ZAR10 million for the offences listed above (as at 1 June 2012, US$1 was about ZAR8.5) (section 111A, PPI Bill (seventh draft)).
(This section may be amended in the final version of the PPI Bill.)
If a person fails to comply with a compliance notice with reference to the provisions on direct marketing (including unsolicited electronic communications), they will be liable on conviction to a fine or imprisonment for a period of up to 12 months (CPA). The Tribunal established under the CPA may also impose administrative fines of up to the greater of 10% of the respondent's annual turnover or ZAR1 million.
Main areas of responsibility. The responsibilities of the regulator are:
To educate and promote an understanding of the requirements applicable to the lawful processing of personal information of data subjects.
To monitor and enforce compliance with the provisions of the PPI Bill by private and public bodies.
To examine any proposed legislation or policies affecting the protection of personal information and to report such findings to the Minister and Parliament from time to time.
To consult and allow representations from members of the public on matters affecting personal information of data subjects and to engage on a national and international basis with persons and bodies concerned with the protection of personal information of data subjects.
To act as a mediator between opposing parties in matters concerning the interests of protecting personal information and to provide advice to the Minister or a public or private body on their obligations under the Bill.
To receive complaints, investigate alleged violations of the protection of personal information of data subjects and report on such complaints.
To conduct research and report to Parliament from time to time on the desirability of accepting international instruments relating to the protection of personal information.
To suggest necessary legislative amendments relating to the protection of personal information of data subjects.
To issue, amend and revoke from time to time, codes of conduct and to make guidelines to assist bodies in developing their codes of conduct or in applying such codes of conduct.
To participate in any initiative that is aimed at facilitating cross-border co-operation in the enforcement of privacy laws.
Qualified. South Africa, 1999
Areas of practice. Technology and communications law; outsourcing; e-commerce law; intellectual property; data protection; privacy law.