Who must comply with POPIA?
Section 3(1) applies the Act to the processing of personal information entered in a record, by automated or non-automated means (for non-automated processing, only where the records form, or are intended to form, part of a filing system), where the responsible party is domiciled in South Africa — or is not domiciled here but uses means in the Republic, unless those means are only used to forward information through it.
There is no small-business exemption, no turnover threshold and no industry carve-out. A one-person consultancy and a listed bank are equally bound. The State is bound too — the largest fines so far have been imposed on government departments: the Department of Justice and the Department of Basic Education were each fined R5 million (see the enforcement tracker for how those matters ended).
What does section 6 exclude from the Act?
Section 6 takes certain processing outside POPIA entirely — not as an exemption you apply for, but by operation of law. The full provision:
“(1) This Act does not apply to the processing of personal information— (a) in the course of a purely personal or household activity; (b) that has been de-identified to the extent that it cannot be re-identified again; (c) by or on behalf of a public body— (i) which involves national security... or (ii) the purpose of which is the prevention, detection... investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation...; (d) by the Cabinet and its committees or the Executive Council of a province; or (e) relating to the judicial functions of a court...”
The household exclusion: the answer to the WhatsApp panic
Section 6(1)(a) is the answer to the 2021 WhatsApp panic: your family group, your friends’ braai-planning group, your personal address book — purely personal or household activity, outside the Act. No consent message required, no “POPIA notice” to the group. A business running a customer WhatsApp channel is a different matter: that is commercial processing, and if it involves marketing, section 69 applies. The full picture — including school groups and body-corporate groups — is on the WhatsApp groups page.
De-identified data: analytics and research breathe here
Section 6(1)(b) matters for analytics and research: properly de-identified data — stripped of anything that identifies, can identify or can be linked to a person by any reasonably foreseeable method — is not personal information, and POPIA does not apply to it. The qualifier carries the weight: if the data can be re-identified by a reasonably foreseeable method, the exclusion fails and the Act applies. This is also why the High Court held in the matric-results litigation that results published by examination number, without names, could be published — information that identifies nobody is not personal information at all (see the definitions page).
Journalism, literature and art
Section 7 adds a further exclusion for processing “solely for the purpose of journalistic, literary or artistic expression”, to the extent necessary to reconcile the right to privacy with freedom of expression. A newsroom investigating a story is not collecting consent forms from its subjects — and the Act does not ask it to.
The crime-prevention exclusion is narrower than assumed
Public bodies sometimes read section 6(1)(c)(ii) as a blanket pass for anything crime-related. It is not. When SAPS members circulated the personal details of the Krugersdorp crime victims on WhatsApp groups in 2022, the Information Regulator held that the exclusion did not cover that conduct and found breaches of sections 8, 9, 10, 11, 15, 19 and 22 — and ordered SAPS to apologise in the national press. The exclusion covers processing whose purpose is prevention, detection, investigation or prosecution, and only to the extent that adequate legislative safeguards exist — not every disclosure that happens to involve a crime.