Some years ago, a major retailer in the United Kingdom was asked what happened when they introduced the Data Protection Directive of 1995 (an immense shift – almost like a sea change – in the way that personal information was handled). Surprisingly, he said he had no idea. In fact, he said he couldn’t remember a time when they did not have a data protection law in place; indeed, he suspected that no one in his organisation would remember that far back.

South Africa’s sea change for data protection has just been announced by President Cyril Ramaphosa. Almost all the remaining sections of the pdf Protection of Personal Information Act no. 4 of 2013 (816 KB) (POPIA) will be enacted on 01 July 2020. Before you go into full-on panic mode, this does not mean that POPIA will be in force as of 01 July 2020, it will only come into force a year after the commencement date (01 July 2021). A little panic may be justified.

POPIA’s journey has been an unusually long one, from the first draft of the Protection of Personal Information Bill in 2007 to its enactment in 2013 along with the appointment of the Information Regulator administered by Pansy Tlakula (chairperson), Adv. Legogang Stroom-Nzama, Adv. Collen Weapond and attorney Sizwe Snail Ka Mtuze. During this time, the entire European Union (EU) replaced their 1995 directive with the current EU General Data Protection Regulation (GDPR) (and lesser known General Data Protection Directive). It has been a long road, but we are finally at the place where Australia was in 1988: South Africa is about to have a law that protects the personal information of data subjects.

The announcement of the enactment of POPIA comes at a unique time in South Africa’s (and the world’s) history. The corona virus has swung South Africa firmly into recession with widespread unemployment along with a massively changed commercial environment and a tourism industry that has been pulverised. The requirement to comply with yet another piece of particularly complex and tricky legislation seems more of a cruel and unusual punishment for South African companies. However, all is not doom and gloom. A 2020 study by CISCO found that for every US dollar of investment on data protection, the company received US$2.70 worth of benefit. What this ultimately means is that – if done right – data protection has the potential to significantly increase company profits.

South Africa’s data protection legislation comes into force just as many other African countries are starting their own path towards the protection of personal information. Countries, such as Egypt, Nigeria and Rwanda, have a draft data protection law which is close to enactment. Others, such as Kenya, have just enacted their data protection law, whereas in 2017 Mauritius revised its 2006 data protection law in a manner similar to that of the EU GDPR.

From a consumer perspective, POPIA is several decades overdue as there is a prevailing culture in South Africa (and arguably in most of Africa) that personal information gets ‘owned’ by a company once it collects it, and it can do with it what it likes (including selling it at significant profit). Most African consumers currently feel that they have no rights over their personal information – even though at some fundamental level, they feel that they should.

While companies in developed countries may not recall much about their implementation of data protection, one thing is clear: a new data protection law stimulated a progressive increase in data subject requests (where a company is asked to reveal what information it holds about the person). This has increased exponentially as consumers realise that they actually have a right over their personal information and that daily infringements of their privacy – such as spam calls – are no longer acceptable.

It might be worthwhile to touch up on some of the positive things that POPIA has the potential to bring from an African Union (AU) perspective:

• While Mauritius is clearly ahead of the curve, the majority of African countries are just beginning their journey down the data protection path. This is a unique opportunity for African countries to work together to pool their collective resources and find common industry positions on data protection: not just benefiting from shared expertise but also fostering trade between African countries through the African Continental Free Trade Area (AfCFTA). From a practical perspective, the way to do this would be to draft data protection codes of conduct which would allow companies to comply with data protection in the same way, irrespective of the African country in which they are dealing.

• One of the small silver linings that the corona virus has brought to African shores is the necessity to rely more on e-commerce. In South Africa, for example, this has led to some online retailers having so many orders that they have been forced to shut their doors to try and cope with the backlog. This is an unique time for data protection regulators to come together to agree on a common contract template (similar to the EU’s model Data Processing Agreement) which could set out the rights and duties of data processors (called ‘Operators’ in South Africa) – this would be the African benchmark for respecting personal information while allowing business to flourish. Ideally these agreements would – unlike the EU model agreements – be drafted in plain language and would probably set a more attainable standard for African countries than the GDPR. POPIA also dovetails nicely with the principles of the AU’s Convention on Cyber Security and Personal Data Protection and the rise of African e-commerce. tralac has recently published ‘Trade in the Digital Economy: a tralac collection’ which includes a review of the Convention in Chapter 9: ‘Aligning Data Protection laws in Africa to facilitate e-commerce’.

Now that POPIA has been announced, maybe South Africa (and its fellow African countries) will be able to move towards a new normal, where privacy and the wishes of the individual are respected. This, in turn, will lead to South Africa being a safe destination for not only African personal information but for personal information worldwide.