
South Africa's Draft Gated-Access Code Pushes Biometric Security Toward Proportionality — But Misreads the Technology

The Information Regulator's draft POPIA code rightly ends blanket face-and-fingerprint scanning at estates and malls, yet treats routine template-matching as if it were AI profiling.

[Infographic: Biometrics at the Gate: POPIA's Proportionality Test (People of Internet Research, South Africa)]

Key Takeaways

On 30 April 2026, South Africa's Information Regulator gazetted (Government Gazette No. 54594) a draft Own-Initiative Code of Conduct on the Processing of Personal Information at Gated Accesses, issued under section 60 of the Protection of Personal Information Act (POPIA). Public comment closed on 14 May 2026. The 65-page code takes aim at the access-control apparatus that has become a fixture of South African life: the facial-recognition cameras, fingerprint readers, ID scanners and CCTV networks now standing guard at residential estates, office parks, shopping malls, schools, hospitals and government buildings. Its central demand is that data capture at the gate be necessary and proportionate — not the reflexive scan-everyone default that has spread unchecked across the country.

The law the code is enforcing

This is not a new prohibition dressed up as guidance. Biometric data has been tightly regulated since POPIA's operative provisions took effect. Section 1 defines "biometrics" expansively — "a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition." Section 26 then lists biometric information among the categories of special personal information whose processing is prohibited by default unless a specific authorisation applies, and the Regulator's own guidance requires responsible parties to apply for authorisation to process it under section 27(2). The estate that scans every visitor's face has, in other words, been operating against the grain of the statute for years. The draft code does not invent the rule; it tells an under-compliant sector how to meet the one already on the books.

The strongest case for the Regulator's move

The Regulator's case deserves to be stated at its strongest, because much of it is sound. Access control is a genuine point of mass biometric collection that almost no one consents to in any meaningful sense. As the draft and its commentators note, consent given at a gate — where the practical choice is to comply or be turned away — is rarely the freely given consent POPIA contemplates, and POPIA does not recognise implied or indirect consent. Signing a visitor register is not agreement. The data, once captured, sits in privately-run databases of uneven security, retained for unclear periods; as one analysis put it, a fingerprint or face, unlike a password, cannot be reset if it leaks. The backdrop is a country already saturated with private surveillance: Vumacam alone runs more than 6,600 cameras nationally, over 5,000 of them in Johannesburg, with no statute specifically governing public-space cameras (MIT Technology Review, 2022). The Electronic Frontier Foundation's 18 May 2026 guide makes the broader point — societies normalise surveillance by treating each deployment as too trivial to resist, until the aggregate is a dragnet no one agreed to, and every interference should face "rigorous necessity and proportionality analysis." A gate-by-gate biometric rollout is exactly that kind of creep.

Why proportionality, not prohibition, is the right instrument

Where the draft earns support is that it reaches for proportionality rather than a ban. The distinction matters. A blanket prohibition would be a blunt overcorrection — stripping consenting users of a convenient, often more secure option and ignoring that high-crime sites have a defensible security rationale. The proportionality test asks the better questions: is face capture of every visitor necessary, or would a logged name-against-ID check, a temporary permit, an access code, a detachable sticker, or an opt-in resident-only biometric lane achieve the same purpose? POPIA's minimality condition already requires processing be "adequate, relevant and not excessive," and as Werksmans' Ahmore Burger-Smidt notes, "because it's always been done this way" will no longer justify collection. Operationalising that principle for a specific, high-volume context is good regulatory craft.

Where the draft over-reaches

But a proportionate framework is only as good as its drafting, and here the code stumbles on the technology it regulates. Legal specialist Carine Marais, quoted by ITWeb (13 May 2026), flags the core defect: the draft appears to treat basic fingerprint template-matching as AI-driven automated decision-making. "That's not an automated decision by AI," she argues. "That is a standard operating procedure." Conflating a one-to-one verification check with advanced behavioural profiling is not a pedantic quibble — it would saddle the most mundane, privacy-preserving biometric method with the heaviest compliance burden, while doing nothing to curb genuinely intrusive facial-recognition surveillance. Marais also calls the CCTV definitions "draconian" and the risk framework "conceptually correct, but practically it's hollow." These are precisely the failure modes a proportionate code should avoid:

The mechanism is right; the drafting is the whole game

Using a section 60 own-initiative code — binding 28 days after final gazetting — rather than a one-off enforcement blitz is itself the proportionate choice: it sets consulted-upon, sector-wide expectations instead of picking off individual estates after the fact. For a publication that defends both open networks and proportionate rules, this is close to the model we want: identify a real harm (non-consensual mass biometric capture), reach for the least-restrictive instrument, and consult before imposing. The principle is right. If the final code is corrected to distinguish verification from profiling, rewards genuinely privacy-minimising design, and keeps compliance affordable for a small estate, South Africa will have a template worth studying. If it ships with its current technical misreading intact, it will burden the careful while the careless carry on scanning.

Sources & Citations

  1. POPIA Section 26 — Prohibition on processing of special personal information
  2. Information Regulator — Processing of special personal information (s27(2) authorisation)
  3. Conviction — Deadline approaching for comments on proposed POPIA gated-access rules
  4. ITWeb — Draft gate access rules spark data management concerns (Marais critique)
  5. MIT Technology Review — South Africa's private surveillance machine
  6. EFF — We Must Not Normalize Digital Surveillance Abuses