A Legitimate Security Concern
South Africa's government faced a genuine security dilemma on June 30, 2026. The March and March movement — which demands the deportation of undocumented migrants — had set a public deadline, and preceding weeks had seen xenophobic attacks, at least two deaths, and enough violence to prompt foreign governments to fly their citizens out of the country. South African police have never forgotten the July 2021 unrest, when poor intelligence coordination allowed looting and 350 deaths across KwaZulu-Natal and Gauteng. Acting Police Minister Firoz Cachalia had clear reason to want overwhelming force on the streets.
The state's response was the most technologically sophisticated domestic security deployment in South African history: 33,000 CCTV cameras, drones, and helicopters monitored by a real-time surveillance downlink system, backed by 13,000 law enforcement officers, at a cost of R600 million ($35.5 million). Critically, Lieutenant-General Tommy Mthombeni, the Gauteng Police Commissioner, coordinated with private-sector security firms — including Vumacam, South Africa's largest private surveillance network — to integrate their camera infrastructure with state operations in real time.
That integration is where South Africa's Protection of Personal Information Act runs headlong into an accountability gap.
What POPIA Requires
POPIA (Act 4 of 2013) has been fully in force since July 1, 2021. The Act classifies biometric information as special personal information requiring heightened protection: organisations cannot process it without explicit authorisation and must apply strict purpose limitation, data minimisation, and security safeguards. Contrary to a common assumption, the South African Police Service is not exempt. A legal analysis commissioned by ACFE South Africa established that SAPS has no blanket exemption from POPIA's core requirements, and that general law enforcement purposes do not automatically override data protection duties.
POPIA does include a formal pathway for mass surveillance activities. Section 37 empowers the Information Regulator to exempt responsible parties from compliance conditions where the public interest "outweighs, to a substantial degree, any interference with privacy." National security and crime prevention are explicitly listed as qualifying public interests. But the mechanism is not self-activating: exemptions must be published in the Government Gazette, and the Regulator may attach conditions covering scope, access, and retention. No such Gazette notice appears to have been published ahead of the June 30 deployment. No public statement from SAPS, the Gauteng government, or the Information Regulator disclosed the scope of data collection, the parties permitted to access it, or the retention periods that would apply to the movement and biometric data captured.
The Private-Public Integration Problem
The accountability gap is deepest at the point where private and state infrastructure merge. Vumacam, which operates more than 11,000 cameras across Gauteng, has built a formal POPIA compliance structure for its private-sector clients. Third parties accessing its footage must sign data processing agreements; law enforcement can ordinarily access recordings only on submission of a case number or court order. Vumacam has publicly committed to permitting law enforcement access solely under vetted, lawful channels.
But those protocols were designed for routine policing — not for a scenario where an entire private network is co-opted into a real-time state security operation. When Acting Police Minister Cachalia met with private security representatives on June 26 to coordinate surveillance infrastructure, the contractual mechanisms that govern Vumacam's POPIA compliance were likely displaced by operational command authority. No public statement clarified what data governance framework applied during integration, who holds access rights after June 30, or when the data must be deleted.
This is not a hypothetical concern. Vumacam itself flagged, in its response to the City of Johannesburg's draft CCTV by-laws, a "lack of clarity on the rights of private security companies to access surveillance data versus the rights granted to public sector law enforcement agencies." That by-law remains in draft form. The June 30 deployment stress-tested a governance question for which South Africa still has no public answer.
The Regulator's Unanswered Question
The Information Regulator signalled in March 2026 that its 2026-2027 enforcement priorities include proactive monitoring of government institutions — a meaningful shift from purely complaint-driven enforcement. Its first enforcement notice of 2026, issued against Central Johannesburg TVET College on May 20, demonstrated willingness to pursue public-sector bodies for foundational compliance failures. But the Regulator has said nothing publicly about the June 30 operation.
That silence is a choice, and a consequential one. POPIA's maximum administrative fine is ZAR 10 million — modest relative to the scale of the deployment — but an investigation and public enforcement notice would accomplish something more valuable than a fine: it would establish that POPIA's protections apply to the state during civil unrest, not only to private firms during ordinary times. A law that applies on paper and not in practice is a political fiction.
What Proportionate Governance Looks Like
None of this requires South Africa to forgo technology-assisted policing. Surveillance during mass civil disorder can be POPIA-compliant with appropriate governance structures. What such a framework requires is not complicated: a Gazette notice specifying the legal basis, scope, and retention limits for data collected during the operation; a formal data-sharing agreement between SAPS and private surveillance providers governing state access to civilian footage; and a defined post-event audit of what was collected and who accessed it.
Countries with comparable data protection frameworks — the UK under its Surveillance Camera Code of Practice, and EU member states under the Law Enforcement Directive — have developed templates for exactly this kind of proportionate, time-limited police surveillance governance. South Africa's POPIA is modelled partly on GDPR principles; importing these procedural safeguards would not require new legislation, only the regulatory will to apply them consistently.
The June 30 deployment demonstrated that South Africa can mobilise impressive surveillance capacity quickly. What it did not demonstrate is that the data collected on tens of thousands of people — including the movement patterns and biometric signatures of protest participants, bystanders, and migrants who had already fled their homes — will be governed by any disclosed rule. Under POPIA as written, it must be. The Information Regulator should say so, loudly, and soon.