The new privacy laws every South African needs to know after MiWay’s royal blunder

Zulu King Goodwill Zwelithini made headlines this past weekend after a conversation with a MiWay sales representative was reportedly leaked to the public.

While MiWay has since apologised for the incident, South Africa’s Information Regulator has released a statement explaining why MiWay’s actions were unlawful and outlined what every South African should know when receiving similar marketing calls.

“The Protection of Personal Information Act (POPI) makes provision for the protection of personal information of data subject (individuals) and prescribes the manner in which personal information should be processed by responsible parties (private and public bodies),” it said.

POPIA prescribes conditions for the lawful processing of personal information. These conditions include the following:

  • that the data subject must consent to the processing of his or her personal information; or
  • that personal information is processed for the purpose of performing or concluding a contract to which a data subject is a party; or
  • personal information must be collected directly from data subject; and
  • the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate measures to prevent unlawful access to personal information.

“If King Zwelithini has not given his consent to MiWay to process his personal information or if his personal information was not processed by MiWay for the purpose of performing or concluding a contract to which the King is a party, then his personal information was unlawfully processed by MiWay,” the regulator said.

“The alleged conduct of MiWay could constitute the processing of personal information of the King for the purposes of directing marketing.

“POPIA makes provision for the King to object to MiWay for processing of his personal information for the purpose of direct marketing. Should the King object, MiWay should stop to process his personal information.”

However, it noted that not all the sections of POPI are operative as yet, meaning the King could not yet have lodged a complaint with the Regulator.

When will POPI come into effect?

According to Era Gunning of law firm ENSafrica, the question of when the POPI will come into force has been asked many times since the Bill was signed into law by the president on 19 November 2013.

“Advocate Pansy Tlakula, who was appointed as chairperson of the Information Regulator (the “Regulator”) in terms of POPI on 1 December 2016, stated in her ‘briefing on the work of the Information Regulator’ on 13 February 2017, that the majority of the provisions of POPI will only come into operation once the Regulator is fully operational,” Gunning said.

“The officials of the Justice Department who were responsible for drafting POPI informed the Regulator in December 2016 that, in their experience, the Regulator will only be up and running in two years’ time. Advocate Tlakula, however, expressed a commitment to shortening the implementation period of the Regulator.”

With this shortened time period in mind, Gunning said that the Regulator’s ‘Time Table of Activities’ lists the first week of April 2018 as the anticipated date of publication of the final Regulations in the government gazette.

“Therefore, it is fair to assume that the commencement date of POPI will be proclaimed between the first week of April 2018 and 1 December 2018,” she said.

Following this, a responsible party will be given a one-year transition period after the commencement of POPI to comply with its provisions, she said.

“In our experience, the roll-out of a comprehensive POPI compliance programme takes six months to two years. It is therefore crucial for companies to start their POPI compliance programmes as soon as possible.”


Read: Getting tagged in these types of Facebook posts could land you in big legal trouble

Latest news

Partner Content

Show comments

Follow us

Recommended