As reported by Bloomberg BNA, the South African Parliament passed the Protection of Personal Information Bill on August 22, 2013. The bill, which was sent to President Jacob Zuma to be signed into law, represents South Africa’s first comprehensive data protection legislation.
The Protection of Personal Information Bill sets forth several measures to protect personal data, including:
- Establishing an Information Protection Regulator with investigatory and enforcement powers
- Requiring the data subject’s consent to process personal information
- Requiring that notice be provided to the data subject and the Information Protection Regulator in order to process personal information
- Setting limitations on processing of children’s personal information and information regarding data subjects’ religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior
- Requiring entities who process personal information to implement security measures to maintain the integrity of the personal information
- Requiring notification of data breaches to affected data subjects and the Information Protection Regulator
- Requiring public and private entities to designate information protection officers
- Setting restrictions on processing of personal information for the purpose of direct marketing by “automatic calling machine,” fax, text messaging and email
- Limiting cross-border transfers of personal information unless the recipient is subject to laws, binding corporate rules or contracts that establish the same level of data protection as the Protection of Personal Information Bill
Compliance with the Protection of Personal Information Bill would be required within one year of the law taking effect, but the Information Protection Regulator may extend this transitional period to up to three years.