On November 27, 2013, the South African government signed the Protection of Personal Information Bill into law. The resulting Act regulates how personal information may be collected, processed and used, and brings South Africa in line with international standards that set minimum requirements for the collection, processing and use of personal information.
One significant change from previous law is that individuals gain the right to control the collection, processing and subsequent use of their personal information. Companies must obtain express consent from individuals before collecting, processing or using their personal information. Previous practice allowed companies to collect, store and use personal information as long as the individual did not object, and the objection, or opt-out choice, was often not readily apparent. Companies will now be required to notify individuals and obtain consent before any communication takes place, and consent may be revoked by the individual at any time after it has been given.
In addition, the Act establishes a regulatory agency and sets stricter limits on processing the personal information of children and information about an individual's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior. It requires companies that collect or process personal information to implement security measures, to notify individuals of breaches, to observe restrictions on processing personal information for direct marketing, and to limit transfers of personal information to other countries unless the receiving country has data privacy laws at least as strict.
Companies will have one year to demonstrate compliance with the new law, although this transition period may be extended for up to three years.
Because South African data privacy law will now be in line with international norms, the Act could increase multijurisdictional trade and provide a boost to the economy. To remain compliant, companies will have to limit outsourced data storage and processing to vendors in countries that have adopted comparable data protection laws.
Similar to other jurisdictions, larger companies will have to appoint data protection officers to ensure compliance with the Act. Failure to comply can result in significant penalties and/or imprisonment.