Authored By: Nokubonga Rosemary Chadi
University of Witwatersrand
INTRODUCTION
Artificial Intelligence (AI) has rapidly altered the gathering, processing, and use of personal information around the world. AI technology is increasingly influencing decision-making in industries such as employment, healthcare, finance, education and law enforcement. These systems rely significantly on the collection and analysis of vast quantities of personal data resulting in unprecedented opportunities for innovation but also posing major risks to privacy.
In South Africa, section 14 provides for the constitutional right to privacy under the Constitution of the Republic of South Africa, 1996. This fundamental right is becoming more essential in today’s digital world as personal information is frequently retrieved, kept and processed by both public and private entities. The Protection of Personal Information Act 4 of 2013 (POPIA) marked an immense legislative effort to govern personal information processing and synchronise South Africa with worldwide data protection standards.
Despite its significance, questions remain about POPIA’s ability to meet the problems posed by modern AI systems. The Act came into effect prior to the extensive use of generative AI, predictive algorithms and automated decision-making technologies which currently dominate many industries. As a result, concerns have been raised about whether POPIA effectively safeguards privacy rights in cases involving algorithmic profiling, large-scale data analytics and automated decision-making.
This article contends that while POPIA provides a comprehensive framework for personal information security, its usefulness in regulating AI-driven data processing is restricted. The article first looks at South Africa’s legal structure for privacy and data protection. It then examines the key case law and regulatory issues before determining the suitability of POPIA in the context of AI technologies. It further considers comparative viewpoints from the European Union, followed by recommendations for legislative and regulatory reforms.
THE SOUTH AFRICAN LEGAL FRAMEWORK GOVERNING PRIVACY RIGHTS
Constitutional Protection of Privacy
Privacy is protected under Section 14 of the Constitution, which states that everyone has the right not to have their person, home, property, possessions or communications violated. The Constitutional Court has consistently recognised privacy as a necessary component of human dignity, autonomy and personal liberty. The constitutional guarantee of privacy covers not only physical intrusions but also informational privacy. Informational privacy refers to an individual’s ability to control and direct how personal information is gathered, used and disclosed. As digital technologies have advanced, informational privacy has become increasingly crucial in protecting constitutional rights.
The Protection of Personal Information Act 4 of 2013
POPIA is South Africa’s primary data protection legislation. The Act aims to protect personal information processed by public and commercial entities while balancing competing interests such as access to information and economic development. POPIA stipulates eight conditions for the lawful handling of personal information, namely:
Accountability;
Processing limitation;
Purpose specification;
Further processing limitation;
Information quality;
Openness;
Security safeguards; and
Data subject participation.
These principles urge companies to handle personal information fairly, transparently and securely. Data subjects have a range of rights including the ability to access information, request corrections and object to certain types of processing. The Act also established the Information Regulator, which is an independent organisation that is responsible for monitoring compliance, investigating complaints and enforcing data privacy requirements.
Automated decision-making under the POPIA
Section 71 of the Protection of Personal Information Act governs automated decision-making. The clause typically forbids choices based exclusively on automated processing in situations where such decisions have legal repercussions or have a significant impact on humans. Exceptions do arise where the decision is required for contractual purposes allowed by law or subject to adequate safeguards. Although Section 71 is a vital protection, it was written prior to the emergence of many modern AI systems. This provision does not entirely fit modern machine-learning systems, which need to continuously process data and make adaptive decisions.
CASE LAW ANALYSIS
In the digital age, the South African courts are progressively acknowledging the importance of privacy rights. The Constitutional Court in Bernstein v Bester underlined that privacy protects a person’s personal sphere against unlawful interference by the state and private parties. The Court emphasised the importance of privacy in relation to human dignity and personal autonomy.
In a similar manner, the Constitutional Court in Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd accepted that the right to privacy must be read in the context of the broader constitutional scheme and the need to balance legitimate state objectives. More recently, in AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services the Constitutional Court held certain parts of South Africa’s monitoring regime illegal for not offering appropriate protection for private rights. The ruling highlighted the significance of protecting personal information from illegitimate surveillance and undue state interference.
Although they do not directly address AI technologies, these rulings articulate constitutional ideas that are particularly pertinent to AI-related privacy problems. The jurisprudence illustrates that privacy protections must adapt to keep up with technological advancements and be effective in changing social circumstances. Interestingly, South African courts have not yet created much doctrine (rules) touching directly on AI-generated privacy harms. This vacuum of court direction causes confusion over the application of existing legal principles to algorithmic profiling, predictive analytics and generative AI systems.
A CRITICAL EVALUATION OF POPIA IN THE AGE OF ARTIFICIAL INTELLIGENCE
The POPIA’s strengths
This Act is a significant breakthrough in South African privacy law. It makes clear what responsible parties’ duties are and gives people real rights when it comes to their personal information. The legislation incorporates internationally accepted data protection principles and brings South Africa in line with international privacy standards. The establishment of the Information Regulator has improved institutional monitoring and accountability. Furthermore, Section 71 reveals legislative acknowledgement of the concerns connected with automated decision-making. The Act attempts to safeguard persons from unfair or arbitrary algorithmic judgements by limiting some forms of automated processing.
Limitations of POPIA in the context of AI
Despite its advantages, POPIA faces major challenges when applied to modern AI systems.
First, the law does not directly govern AI technologies. Many modern AI systems function through complicated automated learning methods that are constantly adapting and evolving. Such systems frequently make judgements based on mechanisms that are difficult to explain or interpret. This phenomenon is frequently referred to as the “black box” problem. The opacity of AI systems impedes transparency and accountability. Individuals may find it difficult to grasp how decisions impacting them were reached, making it difficult to dispute unfair or erroneous outcomes.
Second, AI systems are often trained on large data sets that are assembled from a variety of sources. As a result, it is more difficult for people to provide meaningful consent if they cannot fairly foresee how their information can be utilised in future AI applications.
Third, algorithmic profiling is fraught with serious hazards of discrimination. AI systems trained on biased data sets can duplicate or even worsen socioeconomic disparities. Although POPIA governs the processing of personal information, it does not offer any means of detecting or dealing with algorithmic bias.
Fourth, enforcement issues are still severe. Given the size and complexity of digital data handling activities happening in South Africa, the Information Regulator does not have a lot of resources to provide. Regulating advanced AI systems effectively takes a lot of technical know-how and institutional capabilities.
The need for AI-Targeted Regulation
POPIA’s shortcomings indicate that generic data protection policies may not suffice to handle growing AI dangers. The use of AI technologies raises unique issues of explainability, transparency, accountability, and justice, which are distinct from privacy concerns.
This may therefore need a more sophisticated regulatory strategy to add to existing data protection legislation.
COMPARATIVE PERSPECTIVES
European Commission (EC)
The European Union is a world leader in digital legislation. The General Data Protection Regulation (GDPR) provides broad protection for personal data and automated decision-making.
Most recently, the European Union has passed the AI Act, which creates a risk-based regulatory environment for AI systems. High-risk AI applications will be subject to stringent criteria for transparency, accountability, human oversight and risk management. The European approach accepts that legislation on data protection alone is not enough to regulate AI systems. Specific AI legislation is needed on top of the standard privacy protections.
Lessons for South Africa
The European experience offers lessons for South Africa. POPIA is a good start for privacy protection, but more AI-specific regulation may be needed to address the threats posed by algorithmic decision-making and complicated data analytics. South Africa does not have to adopt the European model in its entirety. Yet a governance framework for AI based on constitutional values would more effectively protect privacy rights and promote responsible innovation.
RECOMMENDATIONS FOR CHANGE
First, in addition to POPIA, Parliament should consider drafting AI-specific law and laying down guidelines for high-risk AI systems.
Secondly, organisations using automated decision-making systems should have to supply more information. People should be informed when AI systems are in use and provided with meaningful explanations of significant decisions that affect them.
Third, high-risk applications should be subject to mandatory AI impact assessments. Before being implemented, these reviews would address privacy issues, potential discrimination, and compliance with constitutional rights.
Fourth, the Information Regulator has to be better resourced, in terms of technology and expertise, to properly regulate AI-related data processing.
Finally, public awareness efforts should be conducted to let people know about their privacy rights and the potential outcomes of data processing based on AI.
CONCLUSION
Artificial intelligence brings both remarkable opportunities and serious obstacles to privacy protection. An important basis for regulating new technologies is South Africa’s constitution, which protects privacy, human rights, and respect. POPIA has been very important in making sure that data is safer and that people handle information responsibly.
However, as the article has shown, the Act was not designed to deal with the specific needs of modern AI programs. The drawbacks in the current approach are revealed by the challenges around algorithmic transparency, automated decision-making, large-scale data analytics and algorithmic bias.
Similar trends, especially in the European Union, show the growing need for separate AI regulations. POPIA is still a fundamental part of South Africa’s privacy law but needs further revisions to ensure that privacy protections keep pace with the age of artificial intelligence.
The future of digital governance in South Africa will depend on the ability of lawmakers and regulators to find a balance between technical innovation and the protection of fundamental rights. One of the most pressing legal concerns of the twenty-first century will be to ensure that privacy rights are relevant in an AI-driven society.
BIBLIOGRAPHY
Cases
AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others 2021 (3) SA 246 (CC).
Bernstein and Others v Bester NO and Others 1996 (2) SA 751 (CC).
Investigating Directorate: Serious Economic Offences and Others v Hyundai Motor Distributors (Pty) Ltd and Others 2001 (1) SA 545 (CC).
Legislation
Constitution of the Republic of South Africa, 1996.
Promotion of Access to Information Act 2 of 2000.
Protection of Personal Information Act 4 of 2013.
Government and Regulatory Materials
Information Regulator (South Africa), Guidance Note on Direct Marketing (2021).
Information Regulator (South Africa), Protection of Personal Information Act (POPIA): Frequently Asked Questions (2023).
Journal Articles
C Leipsig, ‘Regulating Automated Decision-Making: An Analysis of Section 71 of POPIA and Its Implications for Privacy and Data Protection’ (2025) 18 Pretoria Student Law Review.
F Cachalia and J Klaaren, ‘Towards a Public Law Perspective on the Constitutional Law of Privacy in South Africa in the Age of Digitalization’ (2024) 68 Journal of African Law 89.
H Schultz and W Freedman, ‘Plugins and POPI: A Critical Discussion into the Legal Implications of Social Plugins and the Protection of Personal Information’ (2024) 27 Potchefstroom Electronic Law Journal.
B Townsend, A Gooden, M Botes and D Thaldar, ‘Repurposing Research Data for Commercial Use: POPIA, a Foil or a Facilitator?’ (2023) 119 South African Journal of Science.
D Thaldar, ‘Does Data Protection Law in South Africa Apply to Pseudonymised Data?’ (2023) 14 Frontiers in Pharmacology.
International Materials
European Commission, Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) COM (2021) 206 final.
United Nations, Global Digital Compact (2024).