According to the EC, in 2011 the
EU exported €26.6 billion ($35.5
billion) in goods and €7.1 billion
($9.5 billion) in services to South
Africa. EU imports from South Africa
in 2011 totalled €20.5 billion ($27
billion) in goods and €4.4 billion ($5.9
billion) in services, the EC said.
Coelho said, however, that “South
Africa’s ambition to become a major
outsourcing venue for foreign companies
would be adversely impacted by
PoPI.” Companies will face regulation
of “every aspect of the processing of
personal information, from before it
is even collected and throughout the
lifecycle of personal information until
it is ultimately destroyed,” he said.
“There is a very real danger” that
the new law “will discourage
rather than encourage investment
in South Africa,” Coelho said.
Data Protection Conditions
PoPI incorporates several data protection
“conditions,” including accountability,
transparency, and limitations on
processing of personal data tied to
data subject consent, data collection
minimization, and purpose specification.
Stein said that it is important
that the legislation presents the
overarching framework items “as
‘conditions’ rather than principles,
to emphasise that they are an
absolute prerequisite for the lawful
processing of personal information.”
The new law includes not just
protection for individuals but for
“juristic persons”--legal entities, such
as corporations and partnerships.
“This is consistent with the approach
of the South African Constitutional
Court that, although juristic bodies
do not have all the personality rights,
they do have a right to privacy,” Stein
said, adding that the new law would
“greatly enhance a corporation’s right to
protect its confidential information.”
Consent, Breach Notice, Right to Sue
PoPI would, among many other things:
• require data subject notice of and
consent to the collection and use of
their personal information;
• limit the retention of data to, in most
instances, no longer than necessary to
achieve the purpose for which it was
collected;
• require data subject access and a right
of correction to their collected personal
information;
• create an independent Information
Protection Regulator commission as the
country’s data protection authority;
• detail restrictions on spam;
• govern the cross-border movement
of personal information to require
that those transferring data ensure
that companies in other countries
have binding corporate rules or
other agreements establishing a
level of data protection consistent
with PoPI requirements;
• require companies to appoint data
protection officers to ensure compliance
with the new law and coordinate with
the Information Protection Regulator;
• mandate data breach notification to
affected individuals and the new DPA;
and
• demand that businesses employ
reasonable data security safeguards.
The new law will allow individuals
to file, or have the DPA file on their
behalf, lawsuits seeking injunctive
redress and damages. Stein said that
it is significant that PoPI introduces
“strict liability for the data controller”
and adds aggravated damages as “a
new statutory form of damages.”
Amendments Limit Fines
PoPI would give the DPA authority to
carry out investigations and seek fines
of up to ZAR 10 million ($960,934).
The version of the bill sent to the
National Council of Provinces would
have allowed unrestricted fines.
A previous fifth draft of the bill,
released in October 2011, limited
fines to ZAR 1 million ($96,093)
(11 PVLR 213, 2/6/12).
PoPI would allow for the imposition
of up to 10 years in prison for
obstruction of the activities of the
Information Protection Regulator, and
a prison term of up to 12 months
for other violations of the new law.
Accolade
OCTOBER 2013