We monitor topical developments in the law all year round. At the beginning of each year, we gather our research and analyse it to predict the major trends for the year. This helps you prioritise your next steps and streamline your focus for the year. We try to predict what will happen and what it will mean for you. What will you need to focus on, when, and how much of your time is it going to take?
Predictions are a tricky business and can make a fool out of anybody. Even the Financial Times, who, like us, are leaders in their industry, find themselves proven wrong. That’s the nature of the beast, we suppose. With that said though, many of our previous predictions have proven to be right.
It’s our hope that with this forecast we’ll be able to empower you to plan your year ahead. Stay ahead of the rest by reading our 2022 predictions.
Many will not have prior authorisation from the SA regulator after 1 February 2022
We know that the regulator grossly misinterpreted prior authorisation initially. There has been little clarity and understanding of how the regulator will handle applications for prior authorisations. There are only four types of high-risk processing activities that would require you to obtain prior authorisation from the regulator. Based on our engagements with clients, the incorrect interpretations of prior authorisation will result in many people processing personal data without the authorisation to do so.
The SA regulator will issue a few codes of conduct
But not by 1 February 2022. Late last year the information regulator called for comment on a draft Banking Association of South Africa (Basa) Code of Conduct. Basa’s Code of Conduct is intended to ‘promote appropriate practices’ when processing personal information under POPIA. The deadline for submitting comments has now closed so we should see the code finalised and published in 2022.
The POPIA complaints procedure will start functioning
We know that people have started thinking about or have already lodged complaints with the information regulator. In October 2021, the information regulator published rules on the procedure a complainant should follow to submit a complaint to them. The rules outline a comprehensive process to manage and resolve complaints effectively. We think that a commencement date may be announced within the first half of this year. With such a detailed set of rules governing the process, we may even start to see rulings handed down before the end of the year.
Courts and authorities will be called on to apply the principles
Privacy judgments have already come into the spotlight early in the year. The matric results matter was the most recent matter to come to the courts. The high court did not hand down a judgment but issued an order declaring that the results should be published. The court missed an opportunity to apply POPIA principles to formulate a judgment. We think that with a functioning complaints procedure in the works, the regulator is paving the way for courts to apply POPIA to privacy and data protection cases.
The Cybercrimes Act will come into full force, but the NPA will not prosecute anyone
On 1 December 2021, most Parts of the Cybercrimes Act came into effect. We think that more Parts of the Act will come into effect in 2022. In particular, Part VI on court orders to protect complainants from the harmful effect of malicious communications may come into effect.
Access to information in South Africa will come into the spotlight
This year, access to information will gather momentum. We’ve seen already how the Zondo report signaled the importance of access to information, transparency, and accountability in South Africa. In our interactions with the regulator, we know that the regulator will stress the importance of access to information because data protection is as important as access to information. With many members of the regulator having a strong background in access to information, we believe that they will strengthen their efforts to improve access to information.
Information security will be more important than ever
Information security is already well established in many countries and South Africa is not far behind. As more companies drive their business internationally, we find that they are looking more closely at the countries they operate in and the laws they must comply with. Many of these laws, like the GDPR, have information security provisions. One of the main drivers of information security will be Data Processing Agreements (DPAs). This is because DPAs require you to set out the security mechanisms you have in place. Your DPAs will also require you to set out your legal framework, i.e. which laws apply to you, for example, GDPR, POPIA etc.
It will be even more important to respond properly to an increasing number of data breaches
The regulator is paving the way to respond to data breaches. They have already established a task team in this regard. How we deal with cybersecurity will come into focus this year as more companies expand their operations locally and internationally.
Organisations will realise that they can’t govern data without software
Over the past year, we found that as more companies work on their data protection programme, they quickly realise how challenging it is to implement a data protection programme manually. We believe that more companies will see value in using software to implement their data protection programmes.
Parliament will amend the POPI Regulations, 2018
In September 2021, the information regulator invited comments on draft regulations that will amend the POPI regulations, 2018. The deadline for submitting comments ended on 15 November 2021 so we should see a final version published this year.
Employees will resent their employers monitoring them
There will be growing resentment from employees against invasive employee monitoring practices following the work-from-anywhere revolution hastened by the global coronavirus pandemic.
Big Tech and Governments will clash more
The growing power of big-tech companies (Meta, Google, etc.) is leading to increased conflicts with governments, playing out in their interactions with data protection supervisory authorities. This will result in increasing efforts to grant data subjects control of their data, and in compromises with governments where these big-tech companies campaign to hold onto their power.
Parliament will not enact the National Health Insurance Bill
Parliamentary hearings on the Bill are expected to reach a conclusion by the end of January. After this step, the Department of Health must still respond to any input received during the hearings. These submissions are known to be extensive, so it does take time. The Bill is still sitting with the National Assembly and must pass through two more stages before it becomes law. It is therefore unlikely that this Bill will be finalised this year.
The Copyright Amendment Bill will remain in limbo
According to a previous record of Committee Meetings on Parliament’s schedule, the National Assembly’s Trade & Industry Committee met three times in December to decide which clauses in the Copyright Amendment Bill should be reopened for public comment. The Committee will also decide which additional amendments should be made to the Act to address certain issues raised during the August round of hearings. This process (inviting comments) takes time, and it is very unlikely that the Bill will become law this year.
Whistleblowers will receive greater protection
Changes are coming in the form of the EU’s Whistleblowing Directive.
The UK will continue to split from the EU
Changes are coming for the relationship between UK and EU data protection in the wake of Brexit and the UK’s ongoing departure from the specifics of EU data protection law, which may result in the UK no longer being an adequate jurisdiction.
The EU’s Artificial Intelligence Act (AIA) will undergo more changes
It’s common knowledge that AI technologies give humanity many economic and societal benefits. Specifically, AI advances multiple sectors, such as health, public administration, insurance, consumer services, finance, mobility, and agriculture.
Crucially, AI is disrupting these sectors rapidly. And the rapid disruption forces governments across the world to regulate AI. However, this task is challenging as the law needs to facilitate the growth of AI technologies and ensure that humans are adequately protected.
In April 2021, the European Commission presented its proposal for an EU regulation known as the ‘Artificial Intelligence Act’ or ‘AIA’. It’s the world’s first try at comprehensively regulating AI systems and their applications.
Then, towards the close of November 2021, the EU’s Council presented a compromise draft after receiving much feedback on its proposal. However, the November draft is not AIA’s final version. We predict that it will undergo further changes during this year’s legislative process.
Importantly, like the GDPR, the AIA will probably have the ‘Brussels effect’. This effect means that the AIA will likely set a global benchmark for regulating the design and application of AI systems. And, although the AIA is not yet law, it will impact the development of AI systems within the EU and across the world.
So, it is crucial that South African organisations track the AIA because it will govern how we create and use AI systems for the near future.
India will enact its data protection law
India’s Personal Data Protection Bill will deal with both personal and non-personal data. The Joint Parliamentary Committee submitted a report that listed the country’s digital priorities with recommendations on the way forward. The report highlighted the need to balance data-driven innovation with national security demands. The committee recommended that the Act should be implemented in phases over a 24-month period. This would enable data fiduciaries and data processors to make the necessary changes to their policies, infrastructure, and processes.
Israel will amend its Protection of Privacy Law
Israel announced that the Privacy Protection Bill is undergoing its first reading. If passed, it will require certain companies to appoint a data protection officer (‘DPO’), introduce enforcement powers for the Privacy Protection Authority (‘PPA’), and refine the definitions of key terms to reflect societal and technological developments, in line with the General Data Protection Regulation or GDPR. The Bill would authorise the PPA to impose administrative sanctions according to the nature of the violation, and the volume and sensitivity of the data involved.
Data protection will come to the Middle East
In November 2021, the UAE Cabinet announced that it enacted UAE’s Federal Law on Protection of Personal Data. Cabinet issued the Law in September 2021. The law applies to the processing of personal data by every data controller or data processor in the UAE processing the personal data of data subjects within or outside the UAE. The law references the UAE Data Office (‘the office’) which will issue decisions to determine whether people have breached the Law. The office will also determine the appropriate sanctions thereof.
We’ve done some research into this one, so we expect the UAE cabinet to publish the executive regulations by March this year. According to the Law, Cabinet must implement the regulation within a 12-month period from its date of issue. This means that the UAE will implement the regulations by September this year.
Data privacy is coming to America
New York will get a law like California’s CCPA. Lawmakers reintroduced the Senate Bill for the New York Privacy Act in the State Senate early this year. The Bill aims to provide consumers with new rights such as the rights of access, correction, and to challenge automated decision-making.
Lawmakers also reintroduced the Assembly Bill for the New York Privacy Act to the State Assembly early this year. This Bill is like the Senate Bill with some differences. For example, the Assembly Bill requires businesses to maintain reasonable security measures, to notify consumers of foreseeable harm, and to obtain specific consent.
These Bills failed to progress last year. There could be many reasons behind it. However, the fact that these Bills were reintroduced early this year may mean that they will soon become law. We will be monitoring these ones closely.