The Information Regulator has asked President Cyril Ramaphosa to declare that the remaining provisions of the Protection of Personal Information Act (POPIA) commence on 1 April 2020.
Speaking in an interview with eNCA, Pansy Tlakula, the chairperson of the Information Regulator of South Africa, said that the act gives serious enforcement powers to the regulator including the ability to levy fines of over R10 million and the ability to pursue criminal prosecution.
Law firm Webber Wentzel said that if the president acts on the regulator’s request, the remaining provisions in POPIA regulating the processing of personal information will become effective on 31 March 2021.
“While certain sections of POPIA are already effective, including those provisions concerning the establishment of the Information Regulator and the manner in which regulations may be promulgated, the remaining provisions of POPIA are yet to become fully operational.
“Once the remaining provisions of POPIA are in effect, they will regulate the way public and private bodies process personal information of both natural and juristic persons (such as companies and trusts) in South Africa.
“Given that non-compliance with POPIA may result in significant civil and criminal sanctions, it is important that all businesses ensure compliance with POPIA prior to its commencement,” Webber Wentzel said.
The end of marketers?
Tlakula said that the act will provide protection from unwelcome marketers and spam callers, however she warned that information posted online on social media will remain in the public domain.
She added that the POPIA will ensure that companies have adequate security measures when dealing with your private information.
According to Justine Krige, a director at law firm Cliffe Dekker Hofmeyr, the POPIA is premised on an “opt-in” approach in terms of which consumers are deemed to have opted out of receiving communication via direct marketing unless they have expressly opted-in.
Although certain provisions of POPIA are already in force (such as those mandating the establishment of the regulator), the primary provisions dealing with direct marketing have not yet been enacted, she said.
Krige said there is currently a great deal of confusion about the rules of direct marketing.
“For example, it is unclear if ‘cold-calling’ prospective customers will still be allowed, if and how consent must be requested, and what will generally be required when the remaining provisions of POPI (in particular those in respect of direct marketing) come into force.
“At the moment (while only the provisions of the CPA and not POPIA which regulate direct marketing are in force), provided that marketing campaigns clearly allow for consumers to ‘opt-out’ or ‘unsubscribe’ from any direct marketing, such communication is seemingly lawful.
“However, POPIA will change this. It will impact how the initial contact with a prospective consumer can take place, and will impose a significant administrative burden as regards the collection, storage and distribution of personal information.”
Krige said that POPIA regulates direct marketing by means of any form of electronic communication including automated calling machines, faxes, SMSes and email.
She added that the POPIA’s direct marketing provisions are going to make using contact details obtained from lead generation businesses for direct marketing a great deal trickier.
“Companies are also going to need to manage their customer databases a lot more effectively, and keep records of where, how and when was the personal information initially obtained; whether the person is an existing customer and, if so, in respect of what products or services; whether the person has consented to receiving direct marketing; and whether the person has unsubscribed from receiving direct marketing.”