The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, for the Act to be enforced against a responsible party who has transgressed any of its provisions, the responsible party needs to be brought under its jurisdiction. To that end, POPIA contains a territorial scope provision (section 3) based on the notion of domicilium and the use of automated and non-automated means for processing personal information situated in the Republic. This article makes use of comparative analysis to interpret the content of these provisions with reference to the European Union (EU)'s 1995 Data Protection Directive (DPD), on which they were modelled, and its successor, the 2016 General Data Protection Regulation (GDPR). The article demonstrates that section 3 can give rise to interpretative uncertainties, which could have the result that personal information processed by responsible parties who are outside the Republic would not be regulated by the Act, or that these parties could move their processing activities out of the country to escape liability. An expansive interpretation of these provisions by the courts is needed to plug these gaps; alternatively, legislative revision must be undertaken in line with developments in the EU, where the GDPR endeavoured to address some of these aspects.