Popia myths busted: Local attorney explains what the law really means
West Rand attorney Elizma Kempen unpacks four of the biggest misconceptions surrounding South Africa’s Popia law and why it is often misunderstood.
How many times has it happened to you where you post a picture, or even mention someone’s name, and a person told you: ‘You can’t do that because of the Popi Act’?
The Protection of Personal Information Act (Popia) can be considered as one of the most misunderstood laws in South Africa, being incorrectly cited more often than not. West Rand attorney, Elizma Kempen, broke down some of the most common myths regarding this piece of legislation.
She explained that, almost overnight, it turned into a convenient shield to the disclosure of personal information.
Also read: ‘Child safety is everyone’s responsibility’
“We hear it everywhere, in schools, offices, sectional title schemes, WhatsApp groups and even at our local sports clubs,” she explains.
But is Popia really the universal veto many believe it to be?
“The short answer is no. Popia was never designed to shut down ordinary communication or prevent reasonable information sharing and/ or disclosure. Its purpose is far more balanced and nuanced. If one reads the preamble of Popia carefully, it is clear that Popia seeks to balance the constitutional right to privacy with other important rights also entrenched in the Constitution of South Africa, including access to information, public interest, and the effective functioning of commerce and society,” she adds.
In reality, there are numerous misconceptions about this act.
Elizma breaks down the four most common myths of this act:
Myth one: All personal information enjoys the same level of protection.
She said this is not the case, and that the act distinguishes between different categories of personal information.
The processing of normal personal information is regulated under Sections 8 to 25. However, special personal information, including health or biometric data, receives heightened protection under Sections 26 to 33.
“Information relating to children is governed separately under Sections 34 to 35. The level of protection afforded under the act depends on what type of information is involved and why it is being processed,” she explains.
Myth two: Consent is always required to process personal information.
She stated that consent is a legal ground for processing; however, it is wrong to say it is the only ground.
“Section 11 of the act makes it clear that personal information may also be processed where there is a legal obligation on a party to fulfil a contract, a court order, law enforcement function, protection of vital interests of either the data subject [as defined in Popia] or the responsible party or a third party to whom such personal information is supplied or where it serves the public interest. To summarise, it would appear that the law recognises that society cannot function if consent were the only basis for the lawful processing of information,” she says.
Myth three: You can refuse to disclose information simply by citing Popia.
She explained that a blanket refusal is not automatically justified.
“When there is no lawful basis for disclosure of information, you may refuse it. The request is that such disclosure would infringe on a data subject’s rights as set out in Section 11(1) of Popia, or for direct marketing other than direct marketing by means of unsolicited electronic communications, which is specifically governed under Section 69 of Popia. However, invoking Popia without understanding its framework may undermine one’s credibility rather than strengthen it,” she says.
Myth four: Popia applies to all personal communications.
Elizma explained the act mainly regulates ‘responsible parties’, such as people, businesses, organisations or entities processing information as part of their day-to-day operations. Typically, private, personal communication generally does not fall under this framework. She used the example of posting a photo of a family member on the family WhatsApp group, which may not fall within the scope and ambit of the protection under Popia.
“Ultimately, Popia is not about fundamentally protecting personal information. It is about accountability and lawful processing. It protects against abuse of personal information, not the legitimate, necessary information sharing and processing. When properly understood and applied, it strengthens trust, protects privacy and promotes responsible conduct in the information era we live in,” she added.
Before invoking Popia as a reflex response, it is worth asking: Does the act truly prohibit this disclosure, or is it simply being misunderstood?
“A well-informed understanding of the application of Popia is key,” Elizma concludes.



