South Africa

Summary

Law: Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA), Commencement of Section 1, Part A of Chapter 5 and Sections 112 and 113 of POPIA (April 2014), and Regulations Relating to the Protection of Personal Information (2018) (the Regulations)

Regulator: The Information Regulator (the Regulator)

Summary: On November 26, 2013, the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA) was promulgated into law and, with the exception of Section 58, became fully enforceable on July 1, 2021. The Information Regulator (the Regulator) was established as the supervisory authority by POPIA, and in 2018 it published the Regulations Relating to the Protection of Personal Information (2018) (the Regulations), mostly clarifying administrative provisions and practical requirements.

POPIA provides a broad understanding of personal information, not only by specifying that personal information might include biometric information, employment history, personal correspondence, personal opinions, pregnancy, mental health, and even the language of a person, but also by including the personal information of juristic persons within its scope. Additionally, POPIA establishes general data protection requirements in South Africa, and addresses data processing notifications, data subject rights, data transfers, and the right to object to the processing of personal information for direct marketing purposes. POPIA provides for penalties of up to ZAR 10 million (approx. $527,340) for the violation of its provisions. South Africa signed the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on February 16, 2020.

Insights

The complexity and rapid growth of artificial intelligence (AI) have sparked the need, globally, for legal clarity when it comes to the effective regulation of AI, and South Africa is not exempt. AI raises great concern over consumer protection but, by the same token, requires stability in the support of responsible development of AI, without governments stifling the significant value that such technology might hold for the future growth of the country. PR de Wet, Director at VDT Attorneys Inc., sets out to briefly address the current steps taken by the South African Government and role players towards carving the way to effective regulation of AI in South Africa.

The past month has witnessed a surge in the number of allegations regarding the infringement of intellectual property (IP) rights by artificial intelligence (AI) models. In this Insight article, Tasmiya Patel, Davin Olën, and Amaarah Kapdi, from Dentons, unpack the broad international legal framework that is applicable in such cases, the potential defenses available, and discuss the remedies accessible to parties claiming the infringement of their IP rights.

To navigate this landscape, the article first articulates the methods used by AI to develop neural networks. It then proceeds to address the applicable international IP rights regime, which is subsequently developed, and concludes with an examination of the likely relief that a court may grant in such cases.

There have been radical developments in various artificial intelligence (AI) models, with ChatGPT being the most prominent. ChatGPT serves as a language-based AI chatbot that uses a set of techniques referred to as deep learning that has continuous learning capabilities. As a result of these revolutionary AI developments, businesses have acknowledged the valuable insights that AI platforms can provide. It facilitates the generation of contracts, marketing content, CVs, articles, essays, and much more. It does so by gathering and processing data sourced from the internet, encompassing large sets of data derived from books, articles, and other online resources. PR de Wet and Jako Fourie, from VDT Attorneys Inc., examine the impact of POPIA on AI developments, with a specific focus on the processing of data by automated means through AI.

Since the inception of the Protection of Personal Information Act, 4 of 2013 (POPIA), the Information Regulator has achieved some significant milestones in terms of POPIA and the Promotion of Access to Information Act, 2 of 2000 (PAIA). In this Insight Article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc, analyze the milestones accomplished in 2022 and the expectations for 2023.

Personal data is one of the most sought-after commodities of the 21st century, and as a result, consent has, in recent years, become increasingly prevalent as a codified legal mechanism intended to enable the informational self-determination of data subjects. Whilst consent is only one of various lawful bases upon which controllers can process personal data, consent notices have become ubiquitous. The efficacy of consent as a privacy-preserving mechanism, however, is not so straightforward, as the manner in which it is defined, interpreted, and applied can have a significant impact upon numerous rights that data subjects are afforded under current data protection laws. Alon Lev Alkalay, assisted by Mahir Ahmed and Mudda Sulaiman, from Lighthouse Law, compare and analyse how consent is defined under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), as well as what constitutes valid, binding consent.

Sections 34 and 35 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') deal with the processing of children's information. PR de Wet and Jako Fourie, from VDT Attorneys Inc., provide a brief overview of the aforementioned sections and requirements with specific emphasis on the higher degree of protection afforded by POPIA with regard to the processing of personal information of children. As the first in a series of articles to follow, this article will explain some practical implications for valid consent, being one such requirement, especially in relation to the modern technical age that we find ourselves in today.

While cloud services had seen small-scale uptake within South Africa prior to 2020, the national working environment was fundamentally challenged by the onset of lockdown regulations following the COVID-19 pandemic. As staff members were required to stay at home, many organisations were obliged to shift their data onto cloud platforms for staff members to continue working. In many instances, this emergency operational modification did not consider the legislative implications of data migrations and, following the relaxation of lockdown regulations, companies have been forced to consider the risk and compliance aspects of their migration.

In this Insight article, PR De Wet and Davin Olën, from VDT Attorneys Inc., unpack the regulatory position of cloud service providers and organisations making use of cloud services. To shed light on the phenomenon, this article commences with an overview of the most relevant legislative provisions regarding cloud storage facilities, followed by the applicable operational aspects of the regulatory framework.

During December 2021, the South African President signed the Cybercrimes Act, 2020 (Act 19 of 2020) ('the Cybercrimes Act') into law. This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management. But what impact does the Cybercrimes Act have on organisations operating in South Africa? In this Insight, the first on the topic of cybercrimes, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview and unpack how the new legislation slots into the existing South African regulatory universe, with specific reference to the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). The article also provides an overview of the applicable business processes which South African companies would need to consider in ensuring compliance with the Cybercrimes Act.

In order to process certain categories of data, South African organisations require 'prior authorisation' from the national Information Regulator ('the Regulator') in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). This regulatory restriction is established by Section 57(1) of POPIA and applies to a list of data categories which is detailed further within that Section. While some organisations are exempted from applying for prior authorisation, many are not. In this insight, the second on the topic of prior authorisations in accordance with POPIA, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview of the applicable process which South African companies must follow to receive prior authorisation approval.

The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No. 4 of 2013 ('POPIA'). Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, explains the key provisions of the Code and what credit bureaus must now consider when processing personal information.

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching, PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.