Waiting for POPIA

From seven thin years to seven thinner years?

On 22 June 2020 South African President Cyril Ramaphosa announced that the bulk of the Protection of Personal Information Act (POPIA) will come into force, seven years after the Act was passed. While Parliament passed the Act in 2013, most of the sections have not been in force. The commencement date for all but two of the remaining sections is 1 July 2020.

But although the Act is mostly being brought into force, an effective personal data regime is still more than a year away as two important qualifications impact its implementation. The first is that section 114 (1) holds that all processing of information must be done lawfully within one year of the commencement date. So essentially, both public and private bodies have until 1 July 2021 to get their processing procedures in line. Second, section 110 and 114(1) commence from 1 July 2021. This means that all the laws POPIA seeks to amend (such as the Promotion of Access to Information Act (PAIA), and the National Credit Act) will remain unchanged until that point. The South African Human Rights Commission (which has monitoring and oversight roles that relate to PAIA) will continue to have those functions until that date.

POPIA has been a long time coming, with many false starts. The need for legislation on personal information privacy in South Africa was officially raised twenty years ago. The Report of the Ad Hoc Joint Committee on the Open Democracy Bill of 24 January 2000 recommended privacy legislation to match access to information legislation. Eventually, the issues in the Open Democracy Bill were subdivided. The South African Law Commission was tasked with investigating the personal data in 2005 and by 2009 recommended general personal data legislation. Yet the privacy issues identify by the Parliamentary Committee remained largely unaddressed in law outside of some sectoral protections – until the passing of POPIA in 2013.

A few of the POPIA sections were signed into effect in April 2014, and members of the Information Regulator took office in December 2016, with Advocate Pansy Tlakula being appointed as Chairperson through a process in the National Assembly. After a flurry of activity in which corporations readied themselves to comply with POPIA, there was a significant pause, long enough perhaps for preparations for compliance to lose their novelty.

In the meantime, the European Union negotiated and implemented the far-reaching General Data Protection Regulation (GDPR). The European GDPR is widely seen as a ‘best practice’ data protection standard, that is being replicated in many jurisdictions worldwide. Although the GDPR has been seen as a positive normative development by some data protection proponents, others argue that it represents policy laundering promoted by the major global corporations, including big tech, who lobbied for its dilution (Lynskey 2014). Effective implementation of the GDPR compatible legislation by a country requires a range of democratic and institutional capacities and on mature markets, conditions that do not apply to many developing countries. Importantly, for cross-border personal data flows, the GDPR requires broad compliance with its own principles. A failure to give full effect to GDPR-type protection in good time, could therefore threaten South Africa’s capacity to host data centres and other cross-border collaborative innovations involving European citizen data, and thus South Africa’s competitiveness in the globalised digital economy.

Since POPIA was drafted, the digital economy has become dominated by global corporations that profit from the extraction and use of personal data. At the same time, state-driven efforts to collect and process personal data have also multiplied. Some have argued that these trends towards consistent ‘datafication’ have led to a global surveillance state driven by the logic of surveillance capitalism or data colonialism. Shoshana Zubboff, a professor at Harvard Business School, says that surveillance capitalism “…unilaterally claims human experience as free raw material for translation into behavioral data,”

With data collection becoming the default model of capitalism and economic growth today, does the now-dated POPIA give the Information Regulator the right tools to stem ever-expanding, ever-evolving data privacy risks? Or is its planned implementation too late, too limited? How does South Africa prepare for a future where concerns over our privacy and data are much more encompassing than when POPIA was enacted?