©2024 Zhejiang Zhiben Law Firm. All rights reserved.
South Africa is currently the second largest economy in Africa, with a high level of economic development and industrialization and abundant natural resources. [1] South Africa is also a member of important international organizations such as the G20 and BRICS. According to official statistics, as of 2023, China has been South Africa's largest trading partner for 14 consecutive years, and South Africa has been China's largest trading partner in Africa for 13 consecutive years. In 2022, trade between China and South Africa reached 56.74 billion US dollars, an increase of 5%. From January to August 2023, bilateral trade reached 37.73 billion US dollars, accounting for 20% of total trade between China and Africa. South Africa is one of China's most important investment destinations in Africa, and also the preferred location for Chinese companies establishing regional headquarters in Africa.
This article aims to review the relevant laws and regulations on personal information protection in South Africa, providing compliance guidance for Chinese overseas enterprises' personal information processing activities in South Africa.
1、 Legal Framework for Personal Information Protection in South Africa
1. The Constitution of the Republic of South Africa
Article 32 (1) of the South African Constitution provides for the right of citizens to access information held by the government and information held by others necessary for the exercise or protection of their rights (i.e. the right to access information). In order to realize this right, Article 32 (2) of the South African Constitution requires the enactment of corresponding national laws, and the Promotion of Access to Information Act (PAIA) was subsequently promulgated. PAIA came into effect in 2000 and consists of seven main sections, including introductory clauses, access to public subject records, access to private subject records, appeals against decisions, human rights commissions, transitional arrangements, and general clauses.
Meanwhile, Article 14 of the South African Constitution provides for citizens' right to privacy, while Article 9 of PAIA specifies limitations on the right to access information, including reasonable protection of privacy, trade secrets, and promoting good governance.
2. Protection of Personal Information Act (POPIA)
POPIA is South Africa's first comprehensive data protection law, primarily aimed at protecting personal information processed by public and private institutions, setting minimum compliance requirements for processing personal information, and safeguarding the relevant rights of data subjects. POPIA includes a series of revisions made to PAIA [3].
POPIA was signed into law in November 2013, but it did not come into effect at that time. Instead, it was implemented in stages: Article 1 (definitions), Articles 39 to 54 (the Information Regulator), Article 112 (regulations), and Article 113 (procedure for making regulations) came into effect in 2014; on June 22, 2020, the President of South Africa announced that most of the remaining substantive provisions of POPIA would come into effect on July 1, 2020, namely Articles 2 to 38, Articles 55 to 109 (excluding Article 58 (2)), Article 111, and Articles 114 (1) - (3), covering the scope of application, conditions for lawful processing of personal information, exemptions, activities requiring prior authorization, data subject rights, enforcement provisions, administrative penalties, and other matters. Article 114 (1) of POPIA sets a one-year transition period, meaning that personal information processing activities had to comply with POPIA before July 1, 2021. In addition, Article 110 (amendment of laws) and Article 114 (4) (transfer of functions) came into effect on June 30, 2021, and Article 58 (2) (investigations by the Information Regulator) came into effect on July 1, 2021.
As of today, POPIA has been fully implemented.
In addition, according to Article 112 (2) of POPIA, the South African information regulatory agency (see below for details) issued the Regulation Related to the Protection of Personal Information Act (POPIA Regulation) in 2018, further refining the implementation requirements of POPIA.
3. Electronic Communications and Transactions Act (ECTA)
ECTA came into effect in 2002, and its legislative focus is on regulating electronic communication and transactions. Article 51 proposes nine protection principles for personal information collected during electronic transactions, such as obtaining explicit written consent from the data subject, informing the data subject of the purpose of personal information collection, and the obligation to delete personal information.
4. Consumer Protection Act (CPA)
The CPA, enacted in 2011, regulates the direct marketing of goods and services to consumers (including by telephone) from the perspective of protecting consumer privacy. The CPA's provisions on direct marketing and unsolicited communications may overlap with the corresponding provisions of POPIA, but POPIA provides the clearer rules.
2、 South African Personal Information Protection Regulatory Authority
The Information Regulator (IR) is the personal information regulatory authority established by POPIA. It is responsible for the duties assigned to it by both POPIA and PAIA and is accountable to the National Assembly. With effect from June 30, 2021, the functions of the South African Human Rights Commission under sections 83 and 84 of PAIA were transferred to the IR.
The powers, duties, and functions of the IR include [6]:
(1) Providing education and guidance and promoting awareness of personal information protection;
(2) Monitoring and enforcing compliance with POPIA;
(3) Consulting and coordinating with stakeholders on the protection of personal information;
(4) Handling complaints relating to personal information protection;
(5) Conducting research relating to personal information protection and reporting to Parliament;
(6) Carrying out and publishing activities relating to codes of conduct;
(7) Facilitating cross-border cooperation by participating in activities that promote the international enforcement of privacy laws; and
(8) Other general matters specified in Article 40 (1) of POPIA.
In addition, according to the revised Article 10 of PAIA, IR shall update the guidelines for individuals to exercise their rights under PAIA and POPIA based on the individual exercise guidelines compiled by the South African Human Rights Commission, and the update frequency shall not be less than once every two years.
In July 2023, the IR imposed its first administrative penalty, an administrative fine of 5 million South African rand (approximately RMB 2.03 million), on the Department of Justice and Constitutional Development (DoJ&CD) of South Africa. The reason was a security breach suffered by DoJ&CD in 2021, which seriously affected its electronic systems and resulted in the loss of approximately 1204 files containing personal information. The IR found that DoJ&CD had neither implemented sufficient security measures nor fulfilled its obligation to notify the security compromise, and issued an enforcement notice in May 2023.
3、 Basic concepts under South African personal information protection laws [8]
Under the legal framework of personal information protection in South Africa, the definition of personal information and personal information related processing activities is basically consistent with international mainstream data regulations, including:
(1) A person refers to a natural person or legal entity.
(2) Data subject refers to the person to whom personal information relates.
(3) Personal information refers to information relating to an identifiable living natural person and, where applicable, an identifiable existing legal person. POPIA also provides a non-exhaustive list of examples of personal information.
(4) Responsible party refers to a public or private body or any other person which, alone or jointly with others, determines the purpose of and means for processing personal information. This is similar to the role of a data controller under the GDPR.
(5) Operator refers to a person who processes personal information for a responsible party under a contract or mandate, without coming under the direct authority of that responsible party. This is similar to the role of a data processor under the GDPR.
(6) Processing refers to any operation, activity, or series of operations related to personal information, whether or not carried out through automated means, including:
Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
Dissemination by means of transmission, distribution or making available in any other form; or
Merging, linking, as well as restriction, degradation, erasure or destruction of information.
4、 Main Personal Information Protection Regulations under POPIA
1. Scope of application
POPIA applies to the processing activities of public or private institutions or any other individual (including natural and legal persons) related to identifiable living natural persons, as well as information related to identifiable existing legal persons (if applicable).
In terms of territorial scope, POPIA applies not only to responsible parties registered in South Africa, but also to responsible parties that are not registered in South Africa but process personal information within South Africa (excluding personal information that merely passes through South Africa in transit).
However, POPIA does not apply to the following situations of personal information processing [10]:
(1) Purely for personal or family activities;
(2) The relevant personal information has been de-identified and cannot be re-identified;
(3) Conducted by or on behalf of public institutions for purposes related to national security or for the prevention or investigation of illegal activities (provided that relevant legislation provides safeguards for the protection of such personal information);
(4) Conducted by the Cabinet and its committees or provincial administrative committees;
(5) Related to the judicial functions of the court; as well as
(6) Purely for the purpose of news, literature, or artistic expression.
2. Legitimacy basis for processing personal information
The lawful bases for processing personal information stipulated by POPIA include [11]:
(1) The consent of the data subject, or of a competent person where the data subject is a child;
(2) Processing necessary for the conclusion or performance of a contract to which the data subject is a party;
(3) Processing necessary to comply with a legal obligation imposed on the responsible party;
(4) Processing that protects a legitimate interest of the data subject;
(5) Processing necessary for the proper performance of a public law duty by a public body; or
(6) Processing necessary to pursue the legitimate interests of the responsible party or of a third party to whom the information is supplied.
3. Handling special personal information
POPIA stipulates in a dedicated section that the responsible party shall not (unless otherwise provided) process special personal information, which includes the data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, and biometric information, or any information concerning the alleged commission of an offence by the data subject or any proceedings relating to such an alleged offence or the disposal of such proceedings [12].
But in the following situations, the responsible party may handle special personal information [13]:
(1) Processing carried out with the consent of the data subject;
(2) The processing required to establish, exercise or maintain the rights or obligations stipulated by law;
(3) The processing required to fulfill international public law obligations;
(4) Processing for historical, statistical, or research purposes, provided that:
the processing serves a public interest and is necessary for that purpose, or obtaining consent is impossible or would involve a disproportionate effort; and
sufficient guarantees are in place to ensure that the processing does not adversely affect the privacy of the data subject to a disproportionate extent; or
(5) The information has been deliberately made public by the data subject.
4. Personal Information Processing Obligations and Responsibilities
POPIA sets out the obligations of responsible parties in its Chapter 3 (Conditions for Lawful Processing of Personal Information). In summary, the responsible party must meet the following conditions in order to process personal information:
(1) The processing of personal information meets the conditions listed in Chapter 3 of POPIA [14];
(2) The processing method is reasonable, does not infringe on the privacy of the data subject, and the processing purpose is specific, clear, legal, and related to the functions or activities of the responsible party [15];
(3) The data subject has been informed of the nature of the collected personal information, the identity of the responsible party, and the purpose of collecting the information [16];
(4) The personal information processed is adequate, relevant, and not excessive [17];
(5) Personal information is collected directly from the data subject (unless the data subject has made the information public, has consented to collection from another source, collection from another source would not prejudice the data subject's legitimate interests, collection from another source is necessary under POPIA, direct collection would prejudice a lawful purpose of the collection, or compliance is not reasonably practicable) [18];
(6) The data subject has the right to access their personal information (subject to certain exemptions) [19];
(7) The responsible party has taken appropriate technical and organizational measures to ensure the security of personal information [20].
In addition, the responsible party must ensure that a written contract is concluded with each operator [21]. The responsible party must ensure that the operator, or any other person processing personal information on its behalf [22]:
(1) Processes the information only with the knowledge or authorization of the responsible party;
(2) Takes appropriate security measures to protect the personal information under its control; and
(3) Treats the personal information it obtains as confidential and does not disclose it, unless required by law or in the course of the proper performance of its duties.
5. Personal information processing activities that require prior authorization
The responsible party must obtain prior authorization from IR before carrying out the following processing activities [23]:
(1) Processing unique identifiers of data subjects [24], where such processing:
is for a purpose other than the one for which the identifier was specifically intended at collection; and
has the aim of linking the information with information processed by other responsible parties;
(2) Processing information on criminal or unlawful conduct on behalf of third parties;
(3) Processing information for the purpose of issuing credit reports; or
(4) Transferring special personal information or children's personal information to foreign third parties whose level of personal information protection does not meet relevant standards.
6. Regarding direct marketing
In terms of direct marketing, POPIA has specific regulations for direct marketing activities conducted through electronic communication methods. POPIA prohibits the processing of personal information of data subjects for direct marketing purposes, unless the data subject agrees or is a customer of the responsible party.
If the consumer is not a customer of the responsible party, the responsible party must obtain the consumer's consent before sending direct marketing information to the consumer. In this case, the responsible party may only contact the consumer once to obtain the necessary consent [26].
If the consumer is a customer of the responsible party, the responsible party may only send direct marketing information to the customer in the following circumstances [27]:
(1) The responsible party obtained the customer's contact information during the process of selling products or services;
(2) This contact information is for direct marketing of the responsible party's own products or services; as well as
(3) The responsible party has given the customer a reasonable opportunity to object to this use of their personal information at the time the information was collected and, if the customer did not object at that time, on the occasion of each subsequent marketing communication.
In addition, under the CPA, consumers have the right to pre-emptively block any direct marketing. Any consumer who has received marketing communications has the right to demand that the sender stop sending any further marketing communications to them.
7. Data Protection Impact Assessment
The POPIA regulation requires responsible parties to conduct personal information impact assessments to ensure that there are sufficient measures and standards in place to meet the conditions for lawful processing of personal information.
When determining fines, IR will take into account whether the responsible party has conducted a risk assessment or implemented good policies, procedures, and practices to protect personal information [29].
8. Cross border flow of personal information
According to POPIA regulations, the responsible party shall not transmit the personal information of the data subject to third parties in foreign jurisdictions unless [30]:
(1) The recipient is bound by relevant laws, binding company rules or contracts, and such laws, binding company rules or contracts:
Provide for principles of reasonable processing of personal information substantially similar to those of POPIA; and
Contains provisions similar in substance to POPIA regarding the further transfer of personal information to third parties by the recipient;
(2) The data subject agrees to the transmission;
(3) The transfer is necessary for the performance of a contract between the data subject and the enterprise, or for the implementation of pre-contractual measures taken at the data subject's request;
(4) The transfer is necessary for the conclusion or performance of a contract; or
(5) The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject's consent, and, if it were practicable, the data subject would be likely to give such consent.
9. Legal Liability
Compared to GDPR, POPIA specifically stipulates criminal liability, and violations of POPIA may result in up to 10 years in prison or administrative fines of up to 10 million South African rand (approximately 4.05 million RMB).
In addition, POPIA grants data subjects in South Africa additional relief rights. POPIA has introduced new civil remedies, allowing data subjects to file lawsuits against parties handling their personal information under the principle of no fault liability. This means that individuals affected by data breaches can file claims against companies that have failed to properly protect their personal information, without having to prove that these companies were at fault in processing the data.
Conclusion
The South African personal information protection regulatory system formed by POPIA and other relevant laws and regulations is generally consistent with the international mainstream personal information protection regulatory framework and ideas. POPIA in South Africa strictly requires the legality, reasonableness, and security of personal information processing. Its regulations on the processing of special personal information, restrictions on direct marketing, and cross-border data transmission all reflect respect and protection for personal information.
Enterprises expanding into South Africa can build on their existing data compliance systems to refine their local data compliance plans, particularly in the areas of data protection officer (DPO) appointment and registration, privacy policy drafting, personal information protection impact assessments, and cross-border flows of personal information, in order to prevent and reduce personal information protection compliance risks.