The Protection of Personal Information Bill is currently making its way through Parliament and is expected to be passed into law before the end of 2012. At that point it will become the Protection of Personal Information Act. This post is a brief introduction to POPI and part of an ebook about this law Paul is currently writing.
Just as the Promotion of Access to Information Act is designed to give meaningful effect to the right of access to information in the Bill of Rights, the Protection of Personal Information Act gives substance to the right to privacy in the Bill of Rights and, to an extent, codifies aspects of the Common Law developed by our courts over the years.
The Protection of Personal Information Act creates a privacy model based on the idea of privacy as more a matter of informational self-determination than as a concept based on secrecy. Conceptually, the Protection of Personal Information Act’s focus is on giving people (referred to as “data subjects”) more structured control over how their personal information is collected and what is done with it. There is also a fair amount of attention given to who may “process” personal information and under what circumstances.
Another important aspect of the Protection of Personal Information Act is the compliance framework which the Act establishes. This framework includes a new Information Regulator, which is given broad powers to enforce aspects of the Act and address non-compliance with the Act.
The Act will also impact on existing legislation, including the Consumer Protection Act and the Electronic Communications and Transactions Act, which incorporate an opt-out privacy model as opposed to the opt-in privacy model adopted by the Protection of Personal Information Act. This shift is bound to have a dramatic impact on a number of businesses and industries, not least of which is the direct marketing industry.
Just how effective the Protection of Personal Information Act will be as a privacy framework remains to be seen, as does the Regulator’s effectiveness in enforcing the Act, but what is already clear is that the Protection of Personal Information Act will create a new set of structures and frameworks around privacy law and data protection which South Africa has lacked until now.