POPIA and the expanding reach of the right to privacy

From CompliNEWS | Financial Service Intelligence Watch

Practice Note: POPIA and the expanding reach of the right to privacy

The constitutional right to privacy, enshrined in section 14 of the Constitution, continues to play a critical role in legal developments and regulatory enforcement—often in surprising and evolving contexts. Below is a roundup of recent cases and developments where the right to privacy intersected with surveillance, data processing, and the regulatory obligations under POPIA (the Protection of Personal Information Act).

Surveillance in Litigation: Eye on the Evidence

In a recent Pretoria High Court ruling, a defendant used a private investigator to record surveillance footage of a plaintiff claiming damages from an unsuccessful eye operation. The judge was called upon to determine whether surveillance footage—akin to programmes like Uyajola 99—violates the right to privacy under the Constitution. Two legal academics were invited as amici curiae to assist in resolving the conflict between uncovering the truth and upholding the privacy of individuals.

Ultimately, the court admitted the footage into evidence, but ordered the redaction of images or data involving non-parties, especially children. The ruling highlights that POPIA does apply, and that balancing relevance and privacy remains a judicial tightrope.

SARS vs Tobacco Manufacturers: CCTV Monitoring Interdicted

In a separate matter, SARS faced legal pushback for deploying CCTV surveillance on tobacco production premises as part of its anti-illicit trade initiatives. The Pretoria High Court granted an interim interdict in May 2023, restraining SARS from continuing the surveillance pending the outcome of the main application.

SARS argued that in regulated industries, expectations of privacy are diminished, particularly for juristic persons. However, the applicants contended that continuous CCTV recording (with playback ability) was far more invasive than occasional inspections. The court agreed, granting relief on privacy grounds. SARS’s subsequent appeal to the SCA was unsuccessful.

City of Johannesburg CCTV By-laws: POPIA Now Applies at Your Gate

The City of Johannesburg’s new CCTV by-laws, finalised after public consultation in April 2024, underscore the growing overlap between surveillance and privacy compliance. Key provisions include:

• Prohibition on unauthorised drone surveillance over public or private property;
• Mandatory registration and approval for CCTV installations that capture public spaces—even from private property;
• Explicit requirement that CCTV owners comply with POPIA, including those with cameras pointed at sidewalks or roads outside their homes.
• These by-laws mark a clear shift toward municipal enforcement of privacy obligations, including for private citizens and neighbourhood security schemes.

The Information Regulator’s Expanding Activity

The Information Regulator has become increasingly assertive in its enforcement of POPIA:

In January 2025, it unsuccessfully sought an interdict to prevent the Department of Basic Education from publishing matric results. Despite the court’s ruling, the Regulator insists the publication contravenes its directive.

The Regulator also welcomed the Minister of Justice’s decision to halt the publication of the National Register of Sex Offenders, citing POPIA-related concerns.

During its March 2025 consultative session, the Regulator reported:
• Over 2 000 complaints relating to data breaches in a single year
• 1 092 complaints related to direct marketing, estate complexes, and local organisations failing POPIA compliance
• A general pattern of non-compliance among public bodies, which treat POPIA as an afterthought, in contrast to private sector efforts to integrate compliance into operations.

Takeaway for Compliance Professionals

Across courts, municipalities, and regulatory forums, privacy is no longer confined to data subjects and IT policies—it now permeates litigation strategies, operational surveillance, and local governance. All organisations, whether public or private, must:

• Treat POPIA compliance as a core governance responsibility, not a peripheral checkbox
• Regularly assess surveillance practices, including CCTV, PIs, drones, or monitoring software
• Ensure any processing of personal information, especially in public or semi-public spaces, complies with the eight conditions of lawful processing under POPIA.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

POPIA and the expanding reach of the right to privacy

Practice Note: POPIA and the expanding reach of the right to privacy

Recent Posts