DPA Digital Digest: South Africa [2023 Edition]

South Africa is the leading African nation regarding internet usage (54%), mobile phone penetration (80%), and broadband coverage (99%), according to the World Bank. In the past five years, South Africa’s digital economy has experienced exponential growth in investments, especially in telecommunication networks (approx USD 10.6 billion) and data centres (approx. USD 1.06 billion). South Africa’s Digital Economy Master Plan aims to empower South Africans to partake in digital opportunities for inclusiveness, employment and economic transformation.

But what do South Africa’s domestic digital policies stand for? The tenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and South Africa-specific points of emphasis.

• In data governance, South Africa has implemented its comprehensive privacy law, is currently implementing its Cybercrime Act and has established an enforcement agency.

• In content moderation, South Africa has regulated the online distribution of films, games and publications, and is deliberating a framework for audio/-visual content services.

• In competition, South Africa has introduced rules regarding abuse of buyer power and killer acquisitions by digital providers and conducts market inquiries in digital sectors.

• South Africa’s points of emphasis include digital services taxation, cloud computing, electronic communications and crypto assets.

Jump directly to the section that interests you most:

Discover the details of South Africa’s regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Tommaso Giardini and Tania Pierotic. Edited by Johannes Fritz.

Since July 2021, South Africa’s comprehensive privacy law, the Protection of Personal Information Act (POPIA), is fully implemented. Adopted in 2013, the POPIA applies to public and private “responsible parties” that process personal information (e.g. collect, receive or use data). The POPIA requires responsible parties to obtain consent for the processing of personal information, enabling justifications such as contractual performance, legal obligations and legitimate interests of the data subject. Data subjects can withdraw consent and have the right to access, correct and delete their data, among others. The Regulations Relating to the Protection of Personal Information outline procedures for responsible parties to comply with processing obligations and for data subjects to exercise their rights.

Since December 2021, the main provisions of the Cybercrimes Act are in force. The Act criminalises several cyber offences and establishes procedures for post-incident investigation and punishment. Codified cybercrimes include the unlawful interception of data, acquisition of passwords and access to data devices. The Act further criminalises the disclosure of “harmful” data messages, e.g. threats of violence. Several provisions of the Act are still to be implemented, including the obligation for “electronic communications service providers” and financial institutions to notify data breaches to authorities within 72 hours.

The POPIA prohibits data transfers unless 1) the recipient is subject to an adequate level of data protection (by law or binding corporate rules), 2) the data subject consents to the data transfer, 3) the transfer is necessary for the performance of a contract, or 4) the transfer is for the benefit for the data subject. The POPIA does not cover standard contractual clauses.

South Africa imposes sectoral data localisation obligations. The South African Revenue Service requires electronic tax records and accounting documents to be kept physically in South Africa, unless non-local storage is authorised. The 2021 Draft National Data and Cloud Policy proposes obligations to process and store critical infrastructure information in South Africa and to maintain a local copy of all transferred data for law enforcement purposes. The draft further states that data generated in South Africa shall be the property of South Africa, regardless of the company domicile.

The POPIA established the Information Regulator (IR) as an independent enforcement body with the power to issue secondary legislation. The IR has issued guidelines on the processing of children’s personal information, the authorisation procedure to process “special personal information”, such as religious beliefs and sexual orientation, and the procedure to develop sectoral codes of conduct. The IR has reviewed such codes of conduct proposed by the Credit Bureau Association and the Banking Association of South Africa. Currently, the IR is deliberating draft rules of procedure for its Data Protection Enforcement Committee.

In terms of enforcement, in the 2022/2023 financial year, the IR’s POPIA division received 895 complaints, 616 of which were resolved. Since 2021, the IR is investigating WhatsApp’s privacy policy on compliance with the POPIA and divergence from WhatsApp’s policy in European countries. The IR raised concerns over both the deadline for users to accept the policy and the processing of user contact information beyond the original purpose (linking information to other Meta services).

Since March 2022, the amended Films and Publications Act regulates the online distribution of films, games and publications, including user-generated content on social media and video-sharing platforms. The amendment prohibits the online distribution of specific content, including private sexual material, child pornography and war propaganda, among others. Distributors, including “commercial online distributors”, and “internet service providers” must register with the Film and Publication Board (FPB), as detailed by the implementing regulation. Distributors must further submit online content, including user-generated content, for classification. The classification is regulated by the revised Classification Guidelines for the Classification of Films, Games and Certain Publications. The guidelines aim to enable informed viewing, gaming and reading choices, and to protect children from harmful content.

The 2020 White Paper on Audio and Audiovisual Content Services Policy Framework sets the blueprint for a policy framework regarding online audio and audiovisual content consumption. The framework would require broadcasting services, on-demand content services and video-sharing platform services to obtain a license to operate. The goal of the framework is to protect against content including war propaganda, incitement of violence, and hatred based on race, ethnicity, gender or religion.

There are no public, official sources on the South African government’s online content enforcement actions.

The 1998 Competition Act established the Competition Commission and introduced rules regarding unilateral conduct and mergers. The Act was repeatedly amended, including in 2020 regarding price discrimination by dominant firms, and clarified by secondary legislation. The 2020 Buyer Power Regulations designate the e-commerce and online services sectors, among others, subjecting them to specific rules regarding “unfair” prices and trading conditions. The Regulations prohibit dominant firms from imposing unfair prices on suppliers, namely prices that are lower than the prices for other suppliers of like products or previous prices. In addition, the Regulations provide a provisional list of unfair trading conditions, e.g. risk transfers to suppliers.

Regarding mergers, since 2022, the Revised Guideline on Small Merger Notification empowers the Competition Commission to require notification of mergers and share acquisitions below the normal notification thresholds. The revision addressed the concern that transactions in digital markets circumvent regulatory scrutiny through early-stage acquisitions, conducted before the target generates sufficient turnover or assets to trigger mandatory notification.

South Africa’s Competition Commission regularly enforces competition rules in the digital economy. The Commission’s 2020 report on Competition in the Digital Economy outlines its enforcement approach and specifies issues relating to abuse of dominance, merger control, cartel conduct, and vertical restraints in digital markets. In February 2022, the Commission issued a joint statement with the competition authorities of Egypt, Kenya, Mauritius and Nigeria, committing to increase cooperation in addressing competition challenges in digital markets. 

The Commission conducts market inquiries when a feature in a market restricts, impedes or distorts competition in that market. In March 2023, the Commission consulted on the terms of reference for a market inquiry into media and digital platforms. The inquiry focuses on the distribution of news content on digital platforms and news aggregation services, specifically by search engines, social media platforms, news aggregators, video-sharing platforms and generative AI services. Furthermore, the Commission scrutinises South African news companies' dependency on digital platforms. On 30 June 2023, the final report of the Commission’s market inquiry into online intermediation platforms is expected. Launched in 2021, the inquiry focuses on unilateral conduct and conglomeration, among others, by providers of online intermediation platform services, such as e-commerce and mobile application stores. The provisional report, published for consultation in July 2022, stated that Google Search grants preferential placement of Google’s own specialist search units. 

The Commission further engages in case-based enforcement of unilateral conduct rules. In February 2022, the Commission referred Meta to the Competition Tribunal for abuse of dominance relating to the WhatsApp Business Application Programming Interface (API). Allegedly, Meta imposed and selectively enforced exclusionary terms and conditions for firms to access the API, and blocked certain start-ups’ access. 

Regarding mergers, in April 2023, the Commission approved the proposed Microsoft/Activision Blizzard acquisition since it was unlikely to result in a substantial prevention or lessening of competition. The investigation addressed whether Microsoft could restrict the distribution of Activision Blizzard games (“Call of Duty”) to its console or otherwise disadvantage competing console manufacturers. es mergers. In 2020, the Commission approved the Google/Fitbit acquisition with several conditions, to prevent Google from excluding Fitbit’s competitors in the market for wrist-worn wearable devices, entrenching its dominance in the online advertising and search markets, and restricting access to collected health data. Google committed, for 10 years, not to reduce other wrist-worn wearable device manufacturers’ access to Android functionalities, to separate Google and Fitbit data and to allow third parties continued access to health data through the Fitbit Web API.

Since 2020, South Africa’s National Treasury has mentioned the possibility of establishing a digital service tax in every annual Budget Review, most recently in February 2023. The government has refrained from advancing specific proposals in view of international developments, specifically mentioning the OECD/G20 Inclusive Framework on BEPS in its Budget Reviews.

​​Since 2019, South Africa requires foreign suppliers to levy a value-added tax of 15% on a broad variety of electronic services. Namely, the tax applies to any service supplied by means of an electronic agent, electronic communication or the Internet. Electronic or digital content transmitted via telecommunications services is beyond the scope of the tax.

In 2021, the government published the draft National Data and Cloud Policy for consultation, which has not advanced since. The draft aims to both support the local sector and regulate cloud providers. 

To support the local cloud sector, the draft proposes investment in data and cloud infrastructure and a strategy to improve digital infrastructure. To attract investment, the draft proposes the formation of Digital/ICT Special Economic Zones. To improve capacity and interconnection, the draft suggests the establishment of a High-Performance Computing and Data Processing Centre. To improve network connectivity, the draft proposes the development of a State Digital Infrastructure Company. Finally, the draft suggests a review of competition rules to address the dominance of established players and enable local companies to compete with global rivals.

In terms of regulation, the draft includes measures on data protection, requiring the processing of personal information metadata to comply with international best practices, and cybersecurity, suggesting the renewal of the National Cybersecurity Policy Framework to address cybercrimes. Finally, the draft proposes to establish a single agency responsible for data matters.

The Electronic Communications Act of 2005 imposes a variety of regulatory requirements for providers of electronic communications, including a two-tiered licensing regime. Implemented in March 2023, the National Policy on Rapid Deployment of Electronic Communications Networks and Facilities establishes a process for licensees to access properties in order to deploy electronic communications networks and facilities. Also in March 2023, the Independent Communications Authority of South Africa amended the End-user and Subscriber Service Charter Regulation. The regulation sets minimum standards for electronic communications services provided to end-users, to ensure quality of service and safeguard user rights, which are expanded by the amendment to enable monitoring and enforcement regarding customer care.

South Africa has both imposed rules on crypto assets, through various regulators, and experimented with a central bank digital currency.

In October 2022, a declaration by the Financial Sector Conduct Authority (FSCA) classified crypto assets as financial products under the Financial Advisory and Intermediary Act. Providers of crypto asset services must obtain authorisation as financial services providers from the FSCA. Crypto assets are defined as the digital representation of a value that could be transferred, traded or held electronically, that was not issued by a national central bank and that uses distributed ledger technology and cryptographic techniques. In August 2022, the South African Reserve Bank issued a guideline on risk management, illegal financing, and anti-money laundering standards for banks handling crypto assets. The guideline requires banks to decide case-by-case whether the business partners are safely handling crypto assets. In January 2023, the South African Advertising Regulatory Board expanded the Code of Advertising Practice regarding crypto assets. Crypto advertisements must state that investing in crypto assets may result in capital loss, be easily understandable and provide a balanced view regarding risks. Promoters of crypto assets cannot offer advice on crypto trading and promise returns.

The South African Reserve Bank (SARB) launched a feasibility study for a central bank digital currency (CBDC) in 2021, to investigate a CBDC’s use as electronic legal tender for general-purpose retail use, complementary to cash. South Africa’s Project Khokha, conducted in two phases until April 2022, analysed the potentials and risks of a wholesale central bank digital currency and wholesale digital settlement token. At the international level, until March 2022, SARB participated in Project Dunbar with the Bank for International Settlements and the central banks of Australia, Malaysia and Singapore. The project developed prototypes for platforms enabling international settlements using multiple central bank digital currencies.