Everyone is asking the question, what has happened to the Protection of Personal Information Act 4 of 2013 (POPI)? Has this piece of legislation been forgotten in the wake of COVID-19?
To date only certain provisions of POPI have come into force (such as those mandating the establishment of the Information Regulator contained in Chapter 5). However, the primary provisions dealing with personal information are not yet operative. In December 2018, the Information Regulator published regulations as contemplated in section 112(2) of POPI, however, these regulations are not yet operative. In addition, in terms of section 114 of POPI, a transitional one year period will apply in respect of the processing of personal information postimplementation of the Act.
As an Act which regulates the collection, storage and dissemination of personal information, and promotes the protection of personal information processed by public and private bodies (and introduces certain conditions to establish minimum requirements for the processing of personal information), its implementation is surely imperative? This is particularly pressing as there have been several significant data breaches in South Africa in recent times. The Chairperson of the Portfolio Committee on Justice and Correctional Services, Mr Bulelani Magwanishe, expressed concern that the delay in the proper implementation of POPI means that the personal information of South Africans remains at risk. He commented that “in the advent of the fourth industrial revolution, a strong regulator is needed that is well capacitated.”
On 12 May 2020, the Portfolio Committee made it clear that it wants the urgent enactment of the remaining provisions of POPI so that the full Act comes into force. In a recent statement issued by Mr Magwanishe on behalf of the Portfolio Committee concerns were expressed about the partial enactment of the Act. The statement notes that POPI was passed almost seven years ago in 2013. These concerns appear to stem from a presentation delivered by the Information Regulator on its Annual Performance Plan and Budget for 2020/2021 in which it made a plea for the remaining provisions of POPI to be enacted without further delay. The Information Regulator has now formally requested the Minister of Justice and Correctional Services and the President to bring the remaining sections of POPI into force and effect.
However, it has also been reported that Mr Magwanishe acknowledged that fully implementing the Act is not enough: the Information Regulator’s funding (or lack thereof) is an issue which needs to be urgently addressed if it is to have any chance of properly fulfilling its mandate. As the body charged with the general oversight of enforcement of POPI, the Information Regulator will obviously be hamstrung by a lack of appropriate funding. According to the meeting summary, the Information Regulator is still in the process of capacity building, setting up its processes and procedures, and completing its appointments which has now been stayed by COVID-19. According to the media statement, the Committee heard that that it is necessary for a meeting to be held between the Department of Justice and Constitutional Development and the Information Regulator to further discuss implementation. Mr Magwanishe is quoted as having said that “[w]e need specific timeframes. Immediately after the budget process of the department and entities has been finalised, the Committee will convene a meeting for an update on this matter. By then we want to hear that all meetings that need to happen have taken place and that the matter is with the President.” As it stands, there is no firm indication as to when the remaining provisions of POPI will come into force, although it seems that, against the backdrop of COVID-19, full implementation of the Act and the protection of personal information is now more imperative than ever.