The enforcement of POPI

With the long awaited enforcement of the Protection of Personal Information Act (POPI) on 1 July 2020, this scenario is now highly unlikely.

Nevertheless, do you ever get one of these types of calls –  “Hello Mrs./Mr. X, we are calling from ABC Company and you have qualified for a massive discount on our range of cookware” (or something similar) and wonder when on earth you ever shopped at ABC Company and how on earth they got your information? A definite uneasiness follows wondering how your privacy has been breached.

Well, this may be something of the past. Or at least, that is the intention.

What is POPI?

Not a flower (a poppy), POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, No 4 of 2013. It is also sometimes referred to as POPIA, the abbreviations being seemingly interchangeable. It is South Africa’s answer to the European Union’s General Data Protection Regulation (GDPR) and it gives effect to section 14 of the Constitution which provides that everyone has the right to privacy. It is intended to safeguard personal information whilst balancing that right against other rights such as the right of access to, and the free flow of information. A difficult balancing act, you must admit. And this is reflected in the complex nature of POPI.

But what does POPI actually do?

POPI regulates the processing, management, storage, and protection of personal information to protect the right to privacy of the individual, protecting against identity fraud. According to Francis Cronje in the article No more hiding as POPI Act kicks off on 1 July –

“The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way”.

But, whilst the Act is complex, it will bring South Africa into a new era in the regulation of how private and public sector organisation’s handle the data and personal information of customers and clients. Seemingly bringing an end to the incessant impromptu sales calls as POPI strictly prohibits unsolicited direct marketing. According to POPI Act Compliance –

“Section 69 of POPI outlaws direct marketing by means of any form of electronic communication unless the data subject has given their consent. Such an electronic communication obviously includes emails, SMSs and automatic calling machines.  A subject can only be approached once to obtain such a consent. Once such consent is refused, it is refused forever.

Slightly different rules apply if the subject is a customer.  Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the suppliers own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent”.