More than a decade after the Protection of Personal Information Act (Popi) was first tabled, the information regulator says that 2020 is the year it has to come into effect.
Popi makes lofty promises to consumers about world-class protection against information-age problems, such as people being pestered by call centres and businesses experiencing data theft.
But it will also cause a headache for many cash-strapped businesses as they will have to find additional money to ensure they are in compliance.
Popi was signed in 2013, but most of its provisions have yet to come into effect.
Whether the protections espoused by Popi will have real-world advantages for consumers will depend on the regulator, tasked with applying the act.
The regulator has now finally begun to take steps to create a legal framework for the implementation of the act, after an 18-month delay prompted by a deadlock with Treasury over the amount of money the regulator would get.
The regulator had argued that its budget of R45 million for the 2020/21 financial year was far too little. Now, it has undertaken to start doing the work needed to implement the act while continuing with negotiations for more money.
Since the dispute over finances was resolved in this manner, a CEO and five executive managers have been appointed. Only the post of head of education and communication is still vacant; the regulator hopes to fill it in the first half of the year.
Karl Blom, a senior associate at law firm Webber Wentzel, said the action taken boded well for South Africa, which was now in a better position than it had been two or three years ago.
However, he warned, full implementation could still be a long way off.
When the law comes into effect fully, companies will have a one-year grace period to comply with the act’s provisions.
Blom said the regulator had published additional regulations and draft guidelines for establishing codes of conduct in various industries. But despite this initial momentum, establishing codes of conduct could take some time. He said compliance would be much easier for professions that were used to observing rules pertaining to confidentiality, such as the medical and law professions. But for other sectors, such as education, the road could be much longer.
Once finalised, the codes of conduct will be submitted to the regulator for approval before they come into effect.
Elizabeth de Stadler, the founding director of legal compliance company Novation Consulting and an expert on Popi and consumer legislation, said that, while she had sympathy for the challenges faced by the regulator, it would have been irresponsible of the regulator to implement the act without the necessary infrastructure and personnel in place.
Despite this, she added, delays in getting the regulator up and running had negative repercussions for South African consumers, who remained unable to enforce their full right to protection of their personal information.
Currently, the regulator can consult and receive information about cases involving data breaches but cannot impose any sanctions for noncompliance.
Blom said that as soon as the law came into effect, chances were high that the regulator would be swamped with complaints.
It is understood that there are already 1 000 complaints about telemarketing.
Blom said the uncertainty over when the law would come into effect disadvantaged companies and service providers, who had to prepare for the costs associated with compliance.