PAIA

The Promotion of Access to Information Act 2 of 2000 (PAIA) is legislation in the Republic of South Africa allowing access to any information held by the State, and any information held by private bodies that is required for the exercise and protection of any rights. It applies specifically to South Africa, but is part of the global drive towards freedom of information. The Act is enforced by the South African Human Rights Commission (SAHRC).

Section 32(1)(a) of the Constitution of the Republic of South Africa, 1996, determines that everyone has a right of access to any information held by the State. Section 32(2) of the Constitution provides for the enactment of national legislation to give effect to this fundamental right. PAIA is the national legislation contemplated in section 32(2) of the Constitution.

Section 9 of PAIA recognises that the right of access to information is subject to certain justifiable limitations aimed at, amongst others:

(a) the reasonable protection of privacy;
(b) commercial confidentiality;
(c) effective, efficient and good governance.

POPI

The Protection of Personal Information Act 4 of 2013 aims:

  • to promote the protection of personal information processed by public and private bodies;
  • to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
  • to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
  • to provide for the issuing of codes of conduct;
  • to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
  • to regulate the flow of personal information across the borders of the Republic; and
  • to provide for matters connected therewith.

Commencement

GDPR

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who reside in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of data subjects inside the EEA.

Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with the principles in mind and must provide safeguards to protect the data (for example, using pseudonymization or full anonymization where appropriate). Data controllers must design information systems with privacy in mind, for instance by using the highest possible privacy settings by default, so that datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless the processing rests on one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke that consent at any time.

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for the processing, and state how long the data is retained and whether it is shared with any third parties or transferred outside the EEA. Data subjects have the right to request a portable copy of the data a controller has collected about them, in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to appoint a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report data breaches to the national supervisory authority within 72 hours if the breach has an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.