The European Union’s General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected ‘Content Principles’

Abstract

After a lengthy legislative process, South Africa implemented the Protection of Personal Information Act 4 of 2013 (POPI Act) on 1 July 2020. The POPI Act is an omnibus data-protection Act that conforms to the former benchmark for data-protection laws worldwide, namely, the 1995 EU Data Protection Directive. At the time of drafting the proposed Bill that would later become the Act, the South African Law Reform Commission emphasised the importance of a South African data-protection Act that complies with international standards on data protection, especially with the EU’s Directive. The Directive, in Article 25, imposed a prohibition on the transfer of personal data to non-member countries that do not ensure an adequate level of protection when personal data of their citizens are processed. South Africa’s Act needed to comply with the standard set in the Directive for the protection of personal information if South Africa wanted to remain part of the international information technology market. In 2016, the EU adopted the General Data Protection Regulation (GDPR) that replaced the 1995 Directive with effect from May 2018. The question now arises whether the South African Act still meets the minimum standards for data protection set out by this Regulation and whether amendments to the Act are needed. This article compares certain provisions of the GDPR with similar provisions of the POPI Act in order to establish whether the South African Act meets the standard set in the GDPR.