Protection of Personal Information Act: More sections take effect

The Protection of Personal Information Act has, since 2013, been rolled out incrementally, with some sections of the Act implemented in April 2014.

Sections pertaining to, amongst others: the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; codes of conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act kicks in on 1 July. Sections 110 and 114(4) kick in on 30 June 2021.

Certain sections of the 2013 Protection of Personal Information Act will take effect on 1 July

In broad terms, “The Act promotes the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as access to information,” a statement from the Presidency said.

Sections 110 and 114(4) kick in on 30 June 2021

The Presidency said the reason for the delay in relation to the commencement of sections 110 and 114(4) is that these clauses pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (PAIA) from the South African Human Rights Commission to the Information Regulator.

Section 114(1) is of particular importance, as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means both private and public entities will have to ensure compliance by 1 July 2021.

The Protection of Personal Information Act has, since 2013, been rolled out incrementally, with some sections of the Act implemented in April 2014. Some of these sections include those relating to the establishment of the Information Regulator whose members took office on 1 December 2016. The Presidency said “many of the remaining provisions of the Act could only be put into operation at a later stage, as they require a state of operational readiness for the Information Regulator to assume its powers, functions and duties – in terms of the Act.”

In this regard, the Commission must finalise or conclude its functions referred to in sections 83 and 84 of the PAIA and all mechanisms must be in place for the Regulator to take over these functions.

The Act is viewed as a fundamental piece of legislation aimed at safeguarding citizens’ personal information, protecting them against data breaches and theft of personal information.

Also read: Data Privacy Day 2020