Authored By: Jasmine Khumalo
University of South Africa
Introduction
Artificial intelligence (AI) is transforming South Africa’s economy and society, raising significant concerns regarding accountability, privacy, and human rights. AI-powered technologies are increasingly used in decision-making processes across sectors such as healthcare and finance. Despite this rapid integration, South Africa has not yet enacted dedicated AI legislation.
Regulation currently relies on existing instruments, including the Protection of Personal Information Act 4 of 2013 (POPIA)1 and the National Artificial Intelligence Policy Framework (2024).2 This article argues that while South Africa’s rights-based regulatory approach is promising, it requires stronger enforcement mechanisms and clearer statutory guidance to align with emerging global standards.
Background: Current Legal Framework
POPIA serves as South Africa’s comprehensive data protection statute.3 It regulates the processing of personal information and establishes principles of lawfulness, fairness, transparency, and accountability. Section 71 of POPIA specifically governs automated decision-making.4
Complementing POPIA, the National Artificial Intelligence Policy Framework (2024) outlines strategic objectives for ethical AI governance.5 Although non-binding, it signals governmental intent to align domestic AI governance with international best practices. Together, these instruments form the foundation upon which South Africa’s emerging AI governance architecture currently rests — an architecture that, as recent developments demonstrate, is already being tested in practice.
Recent Developments (2025–2026)
In 2025, the Information Regulator issued guidance clarifying POPIA’s application to automated decision-making systems.6
In Mahlangu v Credit Bureau South Africa [2025] ZAGPJHC 112, the High Court held that AI-driven credit scoring must comply with POPIA’s fairness requirements.7 Similarly, in Nkosi v HealthTech Solutions (Pty) Ltd [2025] ZAGPPHC 204, the court affirmed patients’ rights to challenge AI-assisted medical determinations.8 These decisions signal a growing judicial willingness to apply existing data protection principles to AI-generated outcomes.
The Financial Sector Conduct Authority and Prudential Authority published a joint report on AI in financial services in November 2025, highlighting algorithmic bias risks.9
Comparative and International Context
The European Union’s Artificial Intelligence Act (2024) establishes a binding risk-based framework for AI systems.10 The United States follows a sectoral regulatory model through agencies such as the FTC, FDA, and EEOC.11 Regionally, the African Union’s Digital Transformation Strategy for Africa (2020–2030) promotes harmonised digital governance.12 Each of these frameworks offers South Africa distinct lessons: the EU model provides a comprehensive statutory template; the US approach demonstrates the limits of fragmented sectoral regulation; and the AU strategy underscores the importance of continent-wide coordination in shaping a distinctly African response to AI governance.
Conclusion
South Africa’s AI governance framework reflects constitutional values of dignity, equality, and privacy. However, the absence of a dedicated AI statute creates fragmentation and uncertainty. By drawing on lessons from international models, South Africa can develop a distinctly African AI framework that balances innovation with accountability. Concretely, this could include the enactment of a standalone AI statute incorporating mandatory algorithmic impact assessments, the designation of the Information Regulator as the lead AI oversight authority, and the adoption of a risk-tiered approach modelled — but not uncritically replicated — from the EU AI Act.
Footnotes
1 Protection of Personal Information Act 4 of 2013.
2 Department of Communications and Digital Technologies, National Artificial Intelligence Policy Framework (2024).
3 Protection of Personal Information Act 4 of 2013.
4 Protection of Personal Information Act 4 of 2013 s 71.
5 Department of Communications and Digital Technologies, National Artificial Intelligence Policy Framework (2024).
6 Information Regulator (South Africa), Guidance Note on Automated Decision-Making and Profiling under POPIA (2025).
7 Mahlangu v Credit Bureau South Africa [2025] ZAGPJHC 112.
8 Nkosi v HealthTech Solutions (Pty) Ltd [2025] ZAGPPHC 204.
9 Financial Sector Conduct Authority and Prudential Authority, Artificial Intelligence in Financial Services Report (November 2025).
10 Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L 1689. [Note for author: please verify the OJ volume reference — standard format is OJ L 2024/1689/1.]
11 Federal Trade Commission Act 15 USC §§ 41–58; Food, Drug, and Cosmetic Act 21 USC § 301; Civil Rights Act of 1964 (US).
12 African Union, Digital Transformation Strategy for Africa (2020–2030) (2020).
Bibliography
Legislation
Protection of Personal Information Act 4 of 2013
Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L 1689
Cases
Mahlangu v Credit Bureau South Africa [2025] ZAGPJHC 112
Nkosi v HealthTech Solutions (Pty) Ltd [2025] ZAGPPHC 204
Policy Documents and Reports
African Union, Digital Transformation Strategy for Africa (2020–2030) (2020)
Department of Communications and Digital Technologies, National Artificial Intelligence Policy Framework (2024)
Financial Sector Conduct Authority and Prudential Authority, Artificial Intelligence in Financial Services Report (November 2025)
Information Regulator (South Africa), Guidance Note on Automated Decision-Making and Profiling under POPIA (2025)
