South Africa POPIA - Proposed Amendments to POPIA Regulations Published for comment

On 15 October 2021, the Information Regulator published proposed draft amendments to the Regulations Relating to the Protection of Personal Information (“Draft POPIA Regulations”) issued under the Protection of Personal Information Act, 4 of 2013 (“POPIA”).

The Draft POPIA Regulations seek to amend the Regulations Relating to the Protection of Personal Information which commenced on 1 March 2021.

The salient proposals mooted in the proposed Draft POPIA Regulations include inter alia:

1. A substitution of Regulation 2 dealing with objections to the processing of personal information in terms of section 11(3) of POPIA:
   • It is proposed that data subjects may be allowed to object in terms of section 11(3)(a) and 11(3)(b) of POPIA either in a form substantially compliant with Form 1 or in any manner that may be expedient, free of charge and reasonably accessible to the data subject, including via electronic mail, telephonically, SMS or by facsimile.
   • It is specifically proposed that where any objection to the processing of personal information is made telephonically, such must be electronically recorded by a responsible party and the recording must be made available free of charge as well as a transcription to the data subject upon request. 
2. Deletion of Regulation 4(1)(c) from Information officer duties:
   • It is mooted that regulation 4 dealing with responsibilities of information officers be renamed to “additional duties and responsibilities of Information Officer”, and further proposes the deletion of Regulation 4(1)(c) which imposes an obligation on information officers to develop, monitor, maintain and make available a manual in terms of sections 14 and 51 of the Promotion of Access to Information, Act 2 of 2000 (“PAIA”).
   • Notably, this proposed amendment does not however impact on the existing duties imposed on the information officer of a public body or head of a private body under PAIA to comply with sections 14 and 51 of PAIA.
3. Substitution of Regulation 6 dealing with a request for a data subject’s consent to process personal information:
   • Currently, the POPIA Regulations require responsible parties to obtain the written consent of data subjects in accordance with Form 4 to be able to directly market to the data subjects through electronic communication as required in terms of section 69(2) of POPIA.
   • The proposals mooted provide that the written consent from the data subject must be in a form substantially similar to Form 4 or in any manner that may be expedient, free of charge and reasonably accessible to the data subject, including via electronic mail, telephonically, SMS, or facsimile.
   • In addition, the proposed amendment includes a provision which specifically states that opt-out mechanisms will not constitute consent in terms of section 69(2) of POPIA which governs how a responsible party may approach a data subject to obtain consent for direct marketing purposes. Practically, this proposal entrenches the requirement that consent must be in the form of an opt-in obtained from a data subject voluntarily and that consent cannot be assumed in any circumstances.
4. Amendment of Regulation 7 dealing with submission of complaint:
   • The proposed amendment provides clarity regarding which persons may lodge a complaint under POPIA, namely (i) a data subject whose personal information has been interfered with in terms of section 73 of POPIA; and (ii) any person acting on behalf of a data subject, who has a sufficient personal interest in the complaint or a person acting in the public interest.  
   • The proposed amendment also states that those persons wishing to lodge a complaint may do so via an online complaint form or by post, email or facsimile and sets out certain categories of personal information (e.g. name, surname, address of responsible party, reasons for complaint etc.) that must be included in the form.
   • In addition, it is also mooted that the Information Regulator must acknowledge receipt of a complaint within 14 days of receiving a complaint and that a data subject may be allowed to submit complaints without disclosure of their identity subject to such non-disclosure having be considered by the Information Regulator.
5. Proposed new Regulation 13 dealing with administrative fines:
   • The proposed amendments indicate that the Information Regulator may allow a responsible party to pay an administrative fine (referred to as an infringement notice in POPIA) in instalments on the basis of the financial circumstances of the responsible party and any other prevailing reasons that have impacted the payment period of an infringement notice in terms of section 109(1) of POPIA.

The public is invited to submit written comments to the Information Regulator on or before 15 November 2021.

If you require any assistance in respect of the proposed amendments to the Draft POPIA Regulations and how such developments impact your compliance in terms of the provisions of POPIA, please reach out to Ernie van der Vyver and Nicole Britton.