South Africa's Information Regulator has, according to reports, issued an enforcement notice against the Department of Justice and Constitutional Development following a second significant Protection of Personal Information Act (POPIA) breach. The action lands at an awkward moment: the European Commission is still weighing whether South Africa meets the standard for an adequacy decision under Article 45 of the General Data Protection Regulation, and cross-border data flows are accelerating under the African Continental Free Trade Area's Digital Trade Protocol, adopted by African Union member states in 2024.
The story is not just about one ministry's IT failures. It is about whether African data protection regimes can build the institutional credibility required to plug into the global data economy on fair terms — and whether the EU's adequacy framework, designed in 2016, can keep pace with the south-south and Africa-EU data flows that AfCFTA is now unlocking.
POPIA, Enforcement, and the Department of Justice
POPIA, modelled in part on the GDPR, came into full force in July 2021. It establishes eight conditions for lawful processing, mandatory breach notification, and a maximum administrative fine of R10 million (roughly €500,000) — modest by GDPR standards but significant in the South African public-sector context. The Information Regulator, an independent statutory body chaired by Advocate Pansy Tlakula, has powers to investigate, audit, and issue enforcement notices that can escalate to criminal referral if ignored.
The Department of Justice has already been a problem case. A 2021 ransomware attack on its network disrupted court services, child maintenance payments, and the Master's Office for weeks. The Regulator subsequently fined the Department R5 million in 2023 for related failures — the first ever POPIA penalty against a public body. A second enforcement notice, if confirmed, suggests the remediation that followed was inadequate.
That is a serious problem, but it is also a familiar one. Government IT estates around the world — from the US Office of Personnel Management breach to the UK Electoral Commission incident — have proven structurally harder to secure than well-resourced private sector platforms. The lesson is not that POPIA is failing. It is that public sector data stewardship needs sustained capital investment, not just a stricter rulebook.
The EU Adequacy Question
South Africa is not currently on the European Commission's list of jurisdictions with an adequacy decision under GDPR Article 45. Companies transferring personal data from the EU to South Africa today rely on Standard Contractual Clauses, Binding Corporate Rules, or specific derogations under Article 49. That works, but it imposes a real compliance tax on European firms doing business with South African counterparts — from cloud providers and fintechs to BPO operators servicing EU customers from Cape Town and Johannesburg.
An adequacy decision would change the calculus materially. It would also send a signal that the EU recognises POPIA, the Regulator's enforcement track record, and South Africa's surveillance oversight framework (notably the RICA reforms following the Constitutional Court's 2021 amaBhungane ruling) as broadly equivalent to European standards.
But adequacy is a high bar. The Court of Justice's Schrems II judgment (Case C-311/18) tightened the test substantially, requiring not just paper rules but practical enforcement and effective redress against state surveillance. A pattern of unresolved public-sector breaches will weigh against South Africa in that assessment — fairly or not.
AfCFTA's Digital Trade Protocol Raises the Stakes
The African Continental Free Trade Area's Protocol on Digital Trade, adopted by the AU Assembly in February 2024, commits 54 African states to enable cross-border data flows, recognise electronic transactions, and harmonise consumer protection online. It is one of the most ambitious regional digital trade instruments in the developing world, and it positions South Africa — Africa's most mature data protection jurisdiction — as a likely data hub for the continent.
That hub role only works if South African processors can receive EU data without legal friction. Without adequacy, every Africa-EU data corridor running through Johannesburg has to be papered with SCCs and transfer impact assessments. Multiply that across thousands of SMEs and the cost becomes a real drag on the digital single market AfCFTA is trying to build.
A Proportionate Path Forward
Three principles should guide the response — for the Regulator, for Brussels, and for industry:
- Calibrate enforcement to capacity. Aggressive sanctions against under-resourced public bodies rarely fix the underlying security problem. Conditional enforcement notices tied to concrete remediation milestones — and to budget allocations from National Treasury — are more likely to produce real outcomes than punitive fines that simply move money between government accounts.
- Decouple public-sector failures from private-sector compliance burdens. The Department of Justice's problems should not become a pretext for layering additional reporting duties on South African start-ups already navigating POPIA, the Cybercrimes Act, and sectoral rules.
- Pursue adequacy on its merits. Brussels should evaluate South Africa's framework against the standard applied to comparable peers like Japan, the UK, and Brazil — not against an idealised benchmark few jurisdictions, including some EU member states, could meet. A partial or sectoral adequacy decision would still be a meaningful unlock for digital trade.
South Africa's POPIA experiment is, on balance, working. An independent regulator is using its statutory teeth against the most powerful department of state. That is the kind of evidence the European Commission claims to want. The remaining question is whether the EU's adequacy process can move at the speed of the digital economy it is trying to govern — or whether AfCFTA's digital corridors will be built around it.