South Africa


A fresh perspective: Confessions of a convert to the Popi Act

A fresh perspective: Confessions of a convert to the Popi Act
The author writes that he was initially sceptical of the Protection of Personal Information Act, but upon close examination has changed his mind. But the act is being widely misinterpreted. (Photo: Flickr user Marco Verch)

This new law will ensure that information about those of us living in South Africa is kept where it belongs but it is being widely misinterpreted.

When then-president Jacob Zuma signed the Protection of Personal Information Act (Popia) into law in 2013, I gave the typical South African sigh. Yet another piece of unnecessary legislation, already well covered by common law, I thought. Another costly regulator. I also gave a little sigh of relief — its commencement was postponed. There was a limited implementation in 2014; full implementation on 1 July 2020, with a year for businesses to become compliant. I could look at it later. Now I have.

New regulation creates confusion, irritation, misapprehension, and opportunists looking for a quick buck off the overwhelmed and uninformed. Popia achieved all that.

But, Popia has a history.

Regulation seems to have become overwhelming. Libertarians and free-marketeers want it gone. But ordinary people are prone to abuse in today’s world of fast movements of money and information.

In 1890, Warren and Brandeis wrote in the Harvard Law Review: “The intensity and complexity of life, attending upon advancing civilisation, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”

In 1890, data was kept in vaults — on paper. Now it is on hard drives, memory sticks and in the cloud. Storing and selling personal data is an industry.

Leading South African academics have called for personal data protection regulation since the 1970s. Government had other priorities. In Europe, Germany, Sweden and France passed data protection laws in the 1970s. In 1981, the Council of Europe passed a convention on the issue which was binding on its members. The Paris-based Organisation for Economic Development issued similar guidelines. In 1995, the European Parliament issued data protection directives, prohibiting data sharing with countries that had inadequate data protection regulation. The United Nations also published guidelines encouraging member states to adopt legislation.

In 2000, the South African Law Commission investigated the matter, and a few years later, recommended legislation. Popia came nearly a decade later.

Without Popia, South Africa could be grey-listed by the EU and other countries — bad news for banks and the financial industry, and the country. Hopefully, Popia will comply with the international requirements. Popia does not re-define privacy. It deals with data.

The definition of privacy and the invasion of privacy will remain in the common law as developed in terms of section 14 of the Constitution. The concept of privacy and intrusions into privacy remains amorphous and elusive (as described by Judge Laurie Ackermann in 1995). It is a sliding scale of facts about oneself that deserve protection from publication. It differs from one person to another and is determined by the prevailing public policy, as interpreted by the courts.

Privacy law does not provide a blanket prohibition against releasing private data. Private data can be obtained if another law allows and it can be requested in terms of the Promotion of Access to Information Act (Paia).

Popia does not apply to the media, provided the media is independently regulated. Nor does it deal with the data of organisations or the state.

Popia regulates the data that private persons (called data subjects) disseminate to data receivers (called responsible parties). It regulates what the responsible party may do with that data, how it must secure the data, and under what circumstances it may trade in or disseminate the data. It links to Paia on how third parties may obtain the data and it removes the management of Paia from the Human Rights Commission to the Information Regulator.

The Information Regulator also, without substituting for the courts, now provides an administrative appeal to people who requested, or whose information was requested from responsible persons in terms of Paia, where a request was granted or refused.

Popia has been criticised. Some of the criticism is fair and some is not. Fair criticism is that it is long, that the definition of personal information is perhaps too wide, and that it places an administrative burden on small business.

Perhaps the criticism should not be directed at the law, but at the interpreters of the law. I have heard the most ridiculous claims about Popia — too many to repeat. Popia is wrongly invoked by all who confuse the Act with privacy laws.

Having read the Act and understanding the history, I have changed my view. I can no longer stand with the anti-Popia chorus. Popia is there to ensure that the data that I give to another to be kept in custody remains in custody — and if it does not, I will have a remedy. After all, it is a measure that the intensity and complexity of an advancing civilisation has imposed on us. DM

First published by GroundUp.


[hearken id=”daily-maverick/9041″]


Comments - Please in order to comment.

Please peer review 3 community comments before your comment can be posted


This article is free to read.

Sign up for free or sign in to continue reading.

Unlike our competitors, we don’t force you to pay to read the news but we do need your email address to make your experience better.

Nearly there! Create a password to finish signing up with us:

Please enter your password or get a sign in link if you’ve forgotten

Open Sesame! Thanks for signing up.

We would like our readers to start paying for Daily Maverick...

…but we are not going to force you to. Over 10 million users come to us each month for the news. We have not put it behind a paywall because the truth should not be a luxury.

Instead we ask our readers who can afford to contribute, even a small amount each month, to do so.

If you appreciate it and want to see us keep going then please consider contributing whatever you can.

Support Daily Maverick→
Payment options

[%% img-description %%]

The lowdown on NHI: The why, the impact and your options

Why does the government want to introduce NHI, will this mean the end of medical schemes as we know them, and what can be expected to change in the next two years?

Join our live webinar on Thu 30 May at 12h00, live, online and free of charge.

MavericKids vol 3

How can a child learn to read if they don't have a book?

As the school year starts again, thousands of children will not have the basics (like books) to learn from.

81% of children aged 10 cannot read for meaning in South Africa.

For every copy of MavericKids sold from the Daily Maverick shop, we will donate a copy to Gift of the Givers for learners in need. If you don't have a child in your life, you can donate both copies.

Small effort, big impact.