A High-Level Comparison between the South African Protection of Personal Information Act and International Data Protection Laws

J. Botha (1, 2), M.M. Grobler (1, 4), J. Hahn (3), M.M. Eloff (2)
1 Council for Scientific and Industrial Research (CSIR), Pretoria, South Africa
2 Institute for Corporate Citizenship, University of South Africa (UNISA), Pretoria, South Africa
3 Boston University, Boston, United States of America
4 University of Johannesburg, Johannesburg, South Africa
jbotha1@csir.co.za, mgrobler1@csir.co.za, jadehqc@bu.edu, eloffmm@unisa.ac.za
Abstract: Data protection and the management of personal information have become an integral aspect of conducting business in the modern era, for organisations and individuals alike. They have also become a major issue for legislators, regulators and consumers worldwide because of the widespread repercussions when personal information is negligently or maliciously used. Despite increased attention on personal information and the existence of data protection legislation internationally, data breaches remain a common occurrence. It has become crucial, now more than ever, for organisations to manage and safeguard personal information. As a nation, South Africa has addressed the need for increased protection: the Protection of Personal Information (PoPI) Act was signed into law in November 2013. This paper presents a comparison between the South African PoPI Act and other international data protection laws in order to highlight similarities and differences. These privacy laws are compared on the basis of the principles set out by the PoPI Act. Other areas considered include data protection officers, enforcement, electronic marketing, online privacy and the year enacted. Data protection compliance is not straightforward, and having the correct measures and procedures in place is of utmost importance. These findings can be applied in future work to examine where South Africa can draw on established international best practices to enforce its privacy regulation.
Keywords: Data Breach; Compliance; Personal Information; PII; PoPI Act; Privacy Laws
1. Introduction/Background
The risk of breaching data protection legislation and regulation has grown significantly with the increase in the amount of personal data being kept by organisations and individuals (The Privacy Advisor, 2008). Since it is widely recognised as a right of individuals to have their personal information protected against unlawful collection, retention, dissemination and use, a significant number of data protection laws have been enacted internationally. Europe, for example, adopted the European Union's (EU) Data Protection Directive (DPD) as early as 1995 (Birnhack, 2008). The Directive has since been revised and replaced by a single regulation, the General Data Protection Regulation (GDPR), adopted in 2016 and applicable from 2018. The United Kingdom (UK) implemented the EU DPD through its Data Protection Act (DPA), passed in 1998 (United Kingdom Government Gazette, 1998) and in force from 2000. The United States does not have a single comprehensive data protection law, but has enacted a number of sector-specific privacy laws (Information Shield, N.D.).
In South Africa, the Protection of Personal Information (PoPI) Act was signed into law on 26 November 2013 (South African Government Gazette, 2013), although the date on which the Act becomes fully enforceable is still to be proclaimed. South Africa is in the process of preparing for compliance with the Act, but is facing implementation challenges. The objective of this paper is thus to compare the PoPI Act with selected international data protection laws in order to assess its comparability with those laws. Although the positions taken and the criticism raised against the PoPI Act are controversial (Heyink, 2015; Luck, 2014), this comparative study aims to show that the PoPI Act is not a step backwards in the evolution of the law, but rather a step towards the worldwide trend of modern personal information protection. Regulating the digital world is undeniably difficult, since it evolves faster than legislation can be passed, but technology does not have to complicate regulation; it can also be harnessed to assist regulators in their efforts.
2. Methodology
A brief overview is presented on international data protection laws and the PoPI Act, based on a desktop
study. The principles of the PoPI Act are compared at a high level with African and non-African data protection
laws (see sections 4 and 5). A basic literature review is conducted to gain a better understanding in terms of
the PoPI Act and similar Acts globally. This will give a sense of the actions required for PoPI compliance. Data
has been collected using existing literature as well as governmental and private industry reports.
3. An overview of International Data Protection Laws and the South African PoPI Act
Globally more than 100 countries, independent jurisdictions and territories have adopted comprehensive data
protection/privacy laws to protect personal data held by governments and private companies (Banisar, 2016).
Figure 1 presents a map indicating which jurisdictions have adopted laws and which are currently addressing
this need: countries highlighted in blue have enacted comprehensive data protection laws, whereas countries
in red have a pending obligation to enact such a law. The countries highlighted in white either have no
initiatives to enact a specific singular data protection law or no information about such laws is available online.
South Africa is the 15th African country to implement a data protection law (Fichet, 2015). The PoPI Act will not
be compared to all the countries highlighted in Figure 1, but only to a selected few countries, chosen primarily
for their territorial location, large economies and mature regulations.
Figure 1: National Comprehensive Data Protection/Privacy Laws and Bills 2016 (Banisar, 2016)
The PoPI Act presents a set of conditions and principles that prescribe the way in which personal information
may be processed (Michalsons, 2014). The Act was created based on the EU DPD (Birnhack, 2008;
DataGuidance, 2013) and the Organisation for Economic Co-operation and Development (OECD) principles
(PLI, 2016). It was further inspired by models of data privacy from the United States (US), Canada, Australia
and the UK (Kokutse, 2011). The intention was to have personal information privacy regulated in South Africa
in harmony with international laws in order to stimulate business and cross-border transfer (Pillay, 2016).
According to the Norton Cybercrime Report, South Africa ranks third in the world for cybercrime victims, surpassed only by China and Russia (Business Media Live, 2015; Lamprecht, 2013). This high ranking clearly underlines the need for enforcing data protection laws and raising compliance awareness. Crime, however, is not the only reason companies should endeavour to comply with the PoPI Act. When dealing with personally identifiable information (PII), the PoPI Act mandates significant changes in both government departments and commercial organisations. The legislated penalties for failing to comply with the Act are significant and can even lead to imprisonment of negligent corporate officers. The legislation also creates new implications for disclosing PII (South African Government Gazette, 2013). Organisations will not be allowed to use, store or process PII without a lawful justification, most commonly the individual's consent, and will face consequences for non-compliance. Consequences include, but are not limited to:
Damage to a company's reputation.
Losing customers.
Inability to attract new customers.
Pay-outs in damages as a result of civil class actions.
Fines of up to R10 million.
Jail time of up to 10 years.
These consequences, together with organisations' own interest in protecting individuals' sensitive information, reinforce the need for organisations to handle PII responsibly. It is predicted that the PoPI Act will become enforceable towards the end of 2017. Organisations should therefore focus on conducting PoPI audits and putting PoPI policies in place to avoid these consequences. Implementing the PoPI Act is expected to support global competitiveness, the fight against cybercrime and the right to privacy (Gunning, 2016).
Table 1 gives a short description of each of the eight principles (the Act itself calls them conditions for lawful processing) that guide the PoPI Act. In addition to these principles, the Act sets out other important definitions and structures. For example, it establishes an independent Information Regulator to promote and monitor compliance with the law. Similar to the EU DPD, the PoPI Act also applies to a responsible party not domiciled in South Africa as long as it processes personal information by automated or non-automated means located within the country's borders (Svantesson, 2014).
Table 1: Principles of the PoPI Act

Accountability: The responsible party must ensure that the principles are adhered to.
Processing Limitation: There must be limits to the processing of information; processing must be lawful and not excessive.
Purpose Specification: Personal information must be collected for a specific, explicitly defined and lawful purpose related to the responsible party's activity; the data subject should be aware of this purpose.
Further Processing Limitation: Any further processing must be compatible with the purpose for which the information was collected.
Information Quality: The responsible party must ensure that the personal information is complete, accurate and not misleading, and update it where necessary.
Openness: Notification must be given to the Information Regulator before processing where the Act requires it, and the data subject must be notified that data is being collected about him or her.
Security Safeguards: The responsible party must secure the integrity and confidentiality of the personal information in its possession through appropriate, reasonable technical and organisational measures.
Data Subject Participation: The data subject has the right to ask whether the responsible party holds personal information about him or her and to be given the details of that information; confirmation is provided free of charge.
(South African Government Gazette, 2013)
Since the PoPI Act requires changes in the way organisations conduct themselves in terms of the use and
processing of PII, a comparative study was conducted to determine how the PoPI Act compares with
international data protection laws. Table 2 compares the PoPI Act first to other African countries, whilst Table
3 compares it to other well established non-African countries. Each country’s Act will first be compared to the
principles set out by the PoPI Act, before comparing it to the following criteria (selected based on a number of
online resources found comparing data protection laws):
Data Protection Officer (DPO) required;
Breach notification;
International data transfer permitted under certain conditions (country specific);
Electronic marketing prohibited;
Online privacy addressed;
Enacted date.
The next sections present a high-level comparison of selected data protection laws.
4. Comparison to African Countries
The prevalence of data protection laws in Africa is increasing, probably because many organisations in Africa do business globally. As a result of Africa's fast adoption of mobile technology and the increase in technological exposure and engagement (ENECA, 2014), personal information is often transferred across the borders of African countries and from African countries to other international regions. Organisations doing business across multiple regions should therefore be familiar with the privacy laws applicable in the various African countries and whether these provide adequate levels of protection.
The laws differ between countries, and both criminal and civil sanctions may apply for violations. When doing business in these countries, one must take the applicable laws and territories into account to assess the risks and costs (Michalsons, 2015). To date, 16 African countries have adopted data protection legislation, five have introduced data protection bills and nine are rumoured to be preparing such a bill (Fichet, 2015). Since June 2014, when the African Union (AU) adopted its Convention on Cyber Security and Personal Data Protection, more African countries have made progress in terms of data protection legislation (Ncube, 2016). As in South Africa, the process in several African countries has been initiated but not fully completed. The remainder of this section presents some common elements found among these countries.
Table 2 presents a comparison of the PoPI Act to data protection laws in Africa. The countries listed are African
countries that have a specific data protection law in place, refer to Figure 2. Some countries such as Egypt,
Nigeria and Zimbabwe, cater for privacy in other laws and do not have a specific data protection law in place
(Craig, Mcormack, Halpert, Lucente, & Cheuk, 2012); these countries will not be included in the comparison.
Figure 2. Data Protection Laws in Africa (Fichet, 2015)
4.1 PoPI Principles
According to the results in Table 2, the PoPI Act principles are in line with most of the African data protection laws. In most African countries, the data protection law is referred to as the Protection of Personal Data (PPD) Act, or some variation thereof. Angola refers to its Personal Data Law (PDL), whereas Ghana refers to the Data Protection Act (DPA). In Morocco, the law is called the Protection of Individuals in Relation to the Processing of Personal Data (PIRPPD). Not enough information could be found on the Comorian data protection law, so Comoros is not included in the comparison. Based on the results in Table 2, all of the laws have processing limitation, purpose specification and information quality in common. All of the laws require organisations to retain personal information only for the time required to achieve the purpose of the processing; in most cases, however, specific retention periods are not defined in the laws. In addition, South Africa is the only country that states accountability as one of its principles (Rich, 2014). Although other African countries might not list accountability as a principle, they may make provision for it elsewhere in the legislation. In every jurisdiction, security obligations are enforced. There are also some form of notice requirements for organisations to disclose the kind of personal information being collected, why it is collected, whether it is shared and for what time period. Moreover, organisations are required to demonstrate that data integrity is being protected (Rich, 2014). All the laws state that the data subject has rights (access, rectification and opposition) and should be fully informed of the data processing related to him or her (Fichet, 2015). These common elements support the applicability of data privacy regulation across the African countries.
Table 2. The PoPI Act Compared to Selected African Privacy Laws

Criteria assessed for each law: the eight PoPI principles (Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, Data Subject Participation), DPO required, breach notification, cross-border data transfer limitations, electronic marketing, online privacy and enacted year. The per-criterion marks of the original table are not available in this text version; the outcomes per criterion are discussed in Sections 4.1 to 4.7.

Country        Act      Enacted Year
South Africa   PoPI     2013
Angola         PDL      2011
Benin          PPD      2009
Burkina Faso   PPD      2004
Cape Verde     PPD      2013
Gabon          PPD      2011
Ghana          DPA      2012
Ivory Coast    PPD      2013
Madagascar     PPD      2015
Mali           PPD      2013
Mauritius      DPA      2004
Morocco        PIRPPD   2009
Senegal        PPD      2008
Seychelles     DPA      2003
Tunisia        DPA      2004
(Craig et al., 2012; Fichet, 2015; Rich, 2014)
4.2 Breach Notification
South Africa is the second African country to adopt a breach notification requirement, after Ghana (Rich, 2014); none of the other African data protection laws requires notification of breaches (Craig et al., 2012). When it comes to notice obligations, all the African laws are uniform in requiring the organisation to disclose the type of personal information being collected, the reason for collecting it and with whom it is shared. Consent requirements are not uniform, though. In Benin, only sensitive personal information requires consent (Rich, 2014), while the PoPI Act requires a lawful basis, most commonly consent, for the processing of any personal data.
4.3 DPO Required
In all legal systems, the challenge is to make a new law enforceable once it is promulgated. Having clear governance steps and enforcement mechanisms in place is the common approach to this challenge, although the majority of African countries have not yet appointed a regulator. South Africa appointed its privacy regulator in May 2016. In Madagascar, the role of a data privacy officer was incorporated in legislation and a special commission is to be established as the independent regulator (Craig et al., 2012). In Ivory Coast, the enforcement mission was given to an independent administrative body for telecommunications (Rich, 2014). Mauritius has one of the most active enforcement regimes in terms of the volume of administrative fines imposed (Rich, 2014). No other African country has appointed a privacy regulator (or no information is available online).
4.4 Cross-Border Data Transfer
The PoPI Act prohibits offshore transfers of personal data in principle, but provides a number of exceptions under which the Act sets out rules for international data sharing (Kirby, Meiring, & Burger-Smidt, N.D.). All the African countries compared, with the exception of Ghana, impose restrictions on cross-border data transfers. In Angola, the transfer of personal information to countries that do not ensure an adequate level of protection requires, as a rule, the individual's unambiguous, explicit and written consent, as well as prior authorisation from the data protection authority. In Burkina Faso, consent is not necessary as long as the receiving country offers the same level of protection (Rich, 2014). In Cape Verde, Gabon, Madagascar and Mauritius, the individual's consent overrides the lack of adequate protection in the receiving country. In contrast, the data protection authority in Seychelles has full power to decide whether a transfer would violate the principles (Rich, 2014).
4.5 Electronic Marketing
The PoPI Act provides data subjects with certain rights with respect to unsolicited electronic communications and also restricts decisions based solely on the automated processing of personal information. Benin, Cape Verde and Morocco also provide rights in respect of electronic marketing, whereas there is no such provision in the remaining African countries (Craig et al., 2012).
4.6 Online Privacy
In terms of online privacy, only Angola and Cape Verde make specific provision (Craig et al., 2012; Fichet, 2015). It may be a concern that the PoPI Act does not contain any provision specific to online privacy (Craig et al., 2012).
4.7 Enacted Year
In terms of maturity, the PoPI Act is relatively new, having been enacted in 2013. Madagascar's PPD is the most recent, enacted in 2015. Some African countries have had data protection laws in place for over ten years. Seychelles has the oldest legislation, enacted as early as 2003, but it has not yet been brought into operation (Craig et al., 2012). Age, however, does not necessarily equate to maturity or completeness.
As the digital economy grows in Africa, the requirements for adequate regulation are getting tougher. Many African countries have yet to enact data protection legislation, and those that have adopted data protection laws face difficulties with implementation. However, all 53 African states agreed on a legal framework for regulating ICT activities such as electronic transactions, enhancing cyber security, controlling cybercrime and protecting personal data. This is a major step forward for Africa in terms of data protection (Fichet, 2015).
5. Comparison to Selected International Non-African Countries
This section compares the PoPI Act to selected non-African countries. The countries were selected based on their global influence and the maturity of their regimes. The purpose of comparing the PoPI Act to these countries is to assist in identifying growth opportunities in data protection for South Africa by benchmarking against globally influential countries.
The EU regulation has a great influence on data protection laws in Africa (Fichet, 2015). Since the EU DPD has been revised and replaced by the GDPR (which only becomes applicable in 2018 (Ashford, 2016)), both are included in the comparison in Table 3. The GDPR includes child privacy protections similar to those of the US Children's Online Privacy Protection Act (COPPA). The UK data protection law, the DPA, is in line with the EU DPD. One notable feature is the DPA's stronger legal protection for more sensitive information, including ethnic background, political opinions, religious beliefs, health, sexual life and criminal records (United Kingdom Government Gazette, 1998).
Canada has two federal laws. The Privacy Act (PA) covers the personal information-handling practices of federal government departments and agencies, whilst the Personal Information Protection and Electronic Documents Act (PIPEDA) caters for the private sector (Privacy Commissioner of Canada, 2014). Data protection in Australia is currently a mix of Federal and State/Territory legislation (Craig et al., 2012). Australian States and Territories (except for Western Australia and South Australia) each have their own data protection legislation applying to State Government agencies.
The US is the exception in this regard as it does not have a single comprehensive data protection law. It has roughly 20 sector-specific or medium-specific national privacy or data security laws, and hundreds of state-specific laws. California, for example, has more than 25 state privacy and data security laws (Craig et al., 2012). Due to its global influence, the US is included in the comparison despite not having a specific data protection law.
Table 3 presents the high-level comparison between the PoPI Act and selected non-African countries. The remainder of the section details the compared legislation in support of the PoPI discussion in Section 3, and therefore does not compare the PoPI Act against every category a second time.
Table 3. The PoPI Act Compared to Privacy Laws in Leading Countries

Criteria assessed for each law: the eight PoPI principles (Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, Data Subject Participation), DPO required, breach notification, cross-border data transfer limitations, electronic marketing, online privacy and enacted year. The per-criterion marks of the original table are not available in this text version; the outcomes per criterion are discussed in Sections 5.1 to 5.6.

Country        Act           Enacted Year
South Africa   PoPI          2013
Australia      PA            1988
Canada         PA / PIPEDA   2000
Europe         EU DPD        1995
Europe         GDPR          2016
UK             DPA           2000
USA            *             *
(Bird & Bird, 2016; Botha, Eloff, & Swart, 2015; Craig et al., 2012; Australian Government, 2014; United Kingdom Government Gazette, 1998)
* The United States does not have a single comprehensive data protection law, but has enacted a number of sector-specific privacy laws (Information Shield, N.D.). This row is therefore not populated on the basis of a single act.
5.1 PoPI Principles
Based on the results in Table 3, the PoPI Act is largely in line with data protection legislation from the selected international countries. The PoPI Act, PIPEDA and the GDPR are the only laws compared that make explicit provision for accountability as a principle. According to Table 3, all of the laws compared require a DPO. The UK DPA does not specifically state data subject participation as a principle, but it does require that information be handled in accordance with people's data protection rights (United Kingdom Government Gazette, 1998). PIPEDA allows individuals to challenge an organisation's compliance with any of its privacy principles. Although Table 3 shows alignment between the GDPR and the PoPI Act, there is a concern that the PoPI Act might have to be amended to keep pace with it (Michalsons, 2016). The GDPR also introduces new concepts such as the 'right to be forgotten' and data portability (Bird & Bird, 2016).
5.2 Breach Notification
The Australian PA does not currently provide for mandatory data breach notification, but this is likely to be incorporated soon (Park & Griffin, 2016). The EU DPD does not provide for breach notification, but the newly adopted GDPR introduces this concept (Bird & Bird, 2016). The UK DPA currently imposes no obligation to notify authorities of a data breach (Hasan, 2016). In the US, security breach notification requirements have been enacted in most states.
5.3 Cross-Border Data Transfer
In Australia, cross-border transfers of data are permitted, but the sending agency or organisation remains largely accountable for that personal information (Australian Government, N.D.). Cross-border data transfers are permitted by both the EU DPD and the GDPR on the basis of adequacy decisions and contractual safeguards such as ad hoc or standard clauses. The EU has identified a small number of countries with adequate protection for personal information. Although the US is not on this list, US businesses meeting the 'adequate' standard for privacy protection could self-certify under the US-EU Safe Harbor program (Packal & Haggerty, 2014). Safe Harbor was invalidated by the Court of Justice of the EU in October 2015 and has since been replaced by the EU-US Privacy Shield framework adopted in July 2016.
5.4 Electronic Marketing
Electronic marketing is governed by the Canadian PA and PIPEDA, as well as by Canada's Anti-Spam Legislation (CASL). The EU DPD does not specifically address electronic marketing. The GDPR requires consent to be defined more clearly when personal information is collected and processed for the purpose of electronic marketing (Smart Insights, N.D.). The UK DPA does not prohibit the use of personal information for electronic marketing purposes. The US has extensive regulations on electronic marketing (Craig et al., 2012).
5.5 Online Privacy
In Australia there is no law relating specifically to online privacy. The Canadian regulatory authorities have been very active in addressing online privacy. No information could be found that the EU DPD specifically caters for online privacy; however, some European countries cater for it in other laws. Similarly, in the UK the DPA does not cater for online privacy, but it is catered for in other UK regulations (Craig et al., 2012). In the EU, online privacy is addressed by the GDPR together with the separate e-Privacy Directive, which governs matters such as cookie consent (Beaumont, 2016). In the US, online privacy is catered for in a number of laws, including online privacy for children under COPPA (Jay, 2015).
5.6 Enacted Year
The Australian PA 1988 was amended in 2012, with the amendments coming into force in 2014. The Canadian PA has evolved since its first instance in 1977 to include data privacy in 2000, and was also amended in 2015. PIPEDA received approval in April 2000 (Privacy Commissioner of Canada, 2014). Of the instruments in Table 3, the GDPR is the youngest, adopted in 2016 and due to supersede the EU DPD in 2018 (Bird & Bird, 2016). The UK DPA has been updated since 2000, with all changes in force from 20 October 2016 (United Kingdom Government Gazette, 1998).
Based on the literature review, provision is made for most or all of the criteria measured in Table 3. Data protection can no longer afford to be ignored, as it is becoming a major issue for legislators, regulators and consumers worldwide. Using this comparison as a benchmark, South Africa can be regarded as on par with international privacy laws.
6. Conclusion
The amount of personal data stored by individuals and organisations has grown significantly, bringing with it a high risk of data breaches and other unlawful activities. In an attempt to protect citizens, a significant number of data protection laws have been enacted internationally. With these laws in place, it can be regarded as a right of individuals to have their personal information protected against unlawful collection, retention, dissemination and use. The world's privacy landscape has evolved as a result.
The privacy landscape in Africa has also evolved, with South Africa adopting the PoPI Act in 2013. Based on the comparisons presented in Table 2 and Table 3, the PoPI Act's principles are on par with the selected African and non-African data protection laws. South Africa appears to be one of only four African countries that have appointed a privacy officer/regulator; in this regard, the PoPI Act is ahead of other African countries without a DPO. Compared to countries outside Africa, though, appointing a privacy officer/regulator is the norm. In Africa, only Ghana and South Africa mandate data breach notification. Australia and the UK do not cater for data breach notification. Europe did not include this in the EU DPD, but did make provision for it in the GDPR. Most countries agree that cross-border transfer is prohibited if the destination country has no adequate protection in place. This supports the conclusion that having regulation in place, as South Africa is aiming to do, facilitates international commerce. Rights against electronic marketing are implemented in the PoPI Act and in only three other African countries. Among the selected non-African countries, only Australia and the EU DPD do not make provision for electronic marketing; the GDPR does cater for it. Among the African countries, online privacy is only included in the laws of Angola and Cape Verde. All the non-African countries considered, except Australia, address online privacy either in their data protection law or in other legislation.
According to the comparisons done in this paper, the PoPI Act compares relatively well with countries that are more mature in terms of data privacy legislation. This comparison is valuable in reflecting a true need for international work on the future harmonisation of laws.
References
Angola City Government. (N.D.). City of Angola - Privacy Policy. Retrieved from http://www.angolain.org/privacy/ [Accessed Oct/4, 2016]
Ashford, W. (2016). EU data protection rules affect everyone, say legal experts. Retrieved from http://www.computerweekly.com/news/4500270456/EU-data-protection-rules-affect-everyone-say-legal-experts [Accessed Aug/27, 2016]
Australian Government. (2014). Privacy fact sheet 17: Australian privacy principles. Retrieved from https://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-fact-sheets/privacy-fact-sheet-17-australian-privacy-principles_2.pdf [Accessed Oct/7, 2016]
Australian Government. (N.D.). Cross-border data flows. Retrieved from http://www.alrc.gov.au/publications/31.%20Cross-border%20Data%20Flows%20/summary-%E2%80%98cross-border-data-flows%E2%80%99-principle [Accessed Oct/7, 2016]
Banisar, D. (2016). National comprehensive data protection/privacy laws and bills 2016 map. Privacy Laws and Bills. Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416 [Accessed Oct/6, 2016]
Beaumont, R. (2016). The GDPR, cookie consent and customer centric privacy. Retrieved from https://www.cookielaw.org/blog/2016/5/13/the-gdpr,-cookie-consent-and-customer-centric-privacy/ [Accessed Oct/7, 2016]
Bird & Bird. (2016). Guide to the General Data Protection Regulation. Retrieved from http://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en [Accessed Oct/6, 2016]
Birnhack, M. D. (2008). The EU data protection directive: An engine of a global regime. Computer Law & Security Review, 24(6), 508-520.
Botha, J., Eloff, M., & Swart, I. (2015). Evaluation of online resources on the implementation of the Protection of Personal Information Act in South Africa. Paper presented at ICCWS 2015, the Proceedings of the 10th International Conference on Cyber Warfare and Security, South Africa, 39.
Business Media Live. (2015). SA ranks world's third highest cybercrime victims. Retrieved from http://www.businessmedialive.co.za/sa-ranks-worlds-third-highest-cybercrime-victims-2/ [Accessed Aug/5, 2016]
Craig, C., Mcormack, P., Halpert, J., Lucente, K. & Cheuk, A. (2012). DLA Piper's data protection laws of the world. Retrieved from http://www.edrm.net/resources/data-privacy-protection/data-protection-laws [Accessed Jun/28, 2016]
DataGuidance. (2013). South Africa: New privacy law will have 'significant impact' on businesses. Retrieved from http://www.dataguidance.com/dataguidance_privacy_this_week.asp?id=2104 [Accessed Nov/28, 2014]
ENECA. (2014). Tackling the challenges of cybersecurity in Africa. Retrieved from http://www.uneca.org/publications/tackling-challenges-cybersecurity-africa [Accessed Sep/15, 2016]
Fichet, C. (2015). Emerging data protection regulations in Africa. Retrieved from http://www.elexica.com/~/media/Files/Training/2015/05%20May/Emerging%20data%20protection%20regulations%20in%20Africa.pdf [Accessed Aug/12, 2016]
Gunning, E. (2016). How to prepare for POPI. Retrieved from https://www.ensafrica.com/news/how-to-prepare-for-POPI?Id=2285&STitle=ENSight [Accessed Sep/27, 2016]
Hasan, I. (2016). New rules for data protection. Retrieved from http://www.lawgazette.co.uk/law/legal-updates/new-rules-for-data-protection/5054463.fullarticle [Accessed Oct/6, 2016]
Heyink, M. (2015). Why are South African lawyers remaining in the dark with POPI? Retrieved from http://www.derebus.org.za/why-are-south-african-lawyers-remaining-in-the-dark-with-popi/ [Accessed Sep/15, 2016]
Information Shield. (N.D.). International privacy laws. Retrieved from http://www.informationshield.com/intprivacylaws.html [Accessed Jul/7, 2014]
Jay, R. P. (2015). Data protection & privacy. Retrieved from https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2011/04/DDP2015_United_States.pdf [Accessed Oct/7, 2016]
Kirby, N., Meiring, I. & Burger-Smidt, A. (N.D.). Protection of personal information. Retrieved from http://www.werksmans.com/keep-informed/current-legal-developments/protection-of-personal-information/ [Accessed Sep/22, 2016]
Kokutse, F. (2011). African nations moving slowly forward to establish data protection framework. Electronic Commerce & Law Report, Bloomberg BNA. Retrieved from http://www.bna.com [Accessed Oct/6]
Lamprecht, I. (2013). Few organisations ready for PoPI. Retrieved from http://www.moneyweb.co.za/archive/few-organisations-ready-for-popi/ [Accessed Jun, 2016]
Luck, R. (2014). POPI – is South Africa keeping up with international trends? Retrieved from http://www.saflii.org/za/journals/DEREBUS/2014/84.html [Accessed Sep/15, 2016]
Michalsons. (2014). Protection of Personal Information Act POPI. Retrieved from http://www.michalsons.co.za/protection-of-personal-information-act-popi/11105 [Accessed Apr/1, 2014]
Michalsons. (2015). Data protection laws of Africa. Retrieved from http://www.michalsons.co.za/focus-areas/privacy-and-data-protection/data-protection-laws-africa [Accessed Aug/8, 2016]
Michalsons. (2016). What does the GDPR mean for the PoPI Act? Retrieved from https://www.michalsons.com/blog/gdpr-mean-popi-act/19959 [Accessed Oct/17, 2016]
Ncube, B. C. (2016). Recent developments in African regulation of cybercrime: An overview of proposed changes to the South African framework.
Packal, E. A., & Haggerty, P. H. (2014). Cross-border transfers: Cutting through the complexity. Retrieved from https://www.dataprivacymonitor.com/cybersecurity/cross-border-data-transfers-cutting-through-the-complexity/ [Accessed Oct/7, 2016]
Park, M., & Griffin, J. (2016). Australian mandatory data breach notification on the agenda again. Retrieved from http://www.dataprotectionreport.com/2016/09/australian-mandatory-data-breach-notification-on-the-agenda-again/ [Accessed Oct/6, 2016]
Pillay, L. (2016). US Safe Harbor and PoPI. Retrieved from http://www.lexology.com/library/detail.aspx?g=2a10bacb-15df-4803-a7bf-debbff1e5e30 [Accessed Aug/23, 2016]
PLI. (2016). Cloud computing 2016: Key issues and practical guidance. PLI New York Center, New York.
Privacy Commissioner of Canada. (2014). Privacy legislation in Canada. Retrieved from https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/ [Accessed Jun, 2016]
Rich, C. (2014). Privacy and security law report (Law Report No. 13 PVLR 717). The Bureau of National Affairs Inc., Bloomberg BNA. Retrieved from http://www.bna.com [Accessed Oct/6]
Smart Insights. (N.D.). What does General Data Protection Regulation actually mean for marketers? Retrieved from http://www.smartinsights.com/marketplace-analysis/digital-marketing-laws/what-general-data-protection-regulation-actually-means/ [Accessed Oct/7, 2016]
South African Government Gazette. (2013). Protection of Personal Information Act. Retrieved from www.justice.gov.za/legislation/acts/2013-004.pdf [Accessed Oct/7, 2016]
Svantesson, D. J. B. (2014). The extraterritoriality of EU data privacy law: Its theoretical justification and its practical effect on US businesses. Stanford Journal of International Law, 50, 53.
The Privacy Advisor. (2008). An introduction to privacy enhancing technologies. Retrieved from https://iapp.org/news/a/2008-05-introduction-to-privacy-enhancing-technologies/ [Accessed Aug/12, 2016]
United Kingdom Government Gazette. (1998). Data Protection Act. Retrieved from http://www.legislation.gov.uk/ukpga/1998/29/contents [Accessed Oct/7, 2016]