Source Library

Protects computer programs as a distinct category of work (s 2(1)(i)); defines the author of a program as the person who exercised control over its making (s 1(1)); preserves moral rights (s 20); sets the default ownership rules (s 21); and requires every copyright assignment to be in writing and signed by the assignor (s 22(3)).

Gives electronic signatures legal effect (s 13) and electronic contracts legal force (s 22), validates automated transactions concluded by software agents (s 20), protects online consumers (ss 42–46), and lists the transactions that still cannot be concluded electronically, such as wills and sales of land (Sch 2).

South Africa's data protection statute: lawful grounds for processing (s 11), further-processing limits (s 15), notification duties (s 18), security safeguards (s 19), mandatory operator agreements (s 21), breach notification (s 22), special personal information (ss 26–32), children's information (s 34), direct marketing (s 69), automated decision-making (s 71) and cross-border transfers (s 72).

Shapes consumer-facing SaaS, EULA and website terms: fixed-term contract limits (s 14), cooling-off after direct marketing (s 16), plain-language drafting (s 22), the ban on unfair, unreasonable or unjust terms (s 48), outright prohibited terms (s 51) and the right to quality service (s 54).

Creates South Africa's cybercrime offences — unlawful access, unlawful interception, malware and hacking tools, cyber fraud, cyber forgery and cyber extortion (ss 2–11) — and obliges electronic communications service providers and financial institutions to report offences and preserve evidence (s 54).

Prohibits minimum resale price maintenance outright (s 5(2)) — the reason a software vendor may recommend, but never dictate, the price its resellers and distributors charge end customers.

Imposes the 15% withholding tax on royalties paid to non-residents (ss 49A–49G) — the tax engine behind cross-border software licence fees, subject to reduction under an applicable double-tax treaty.

The exchange-control framework: regulation 10 prohibits exporting capital — which the SARB treats as including intellectual property — from South Africa without approval, which is why moving software IP offshore needs FinSurv sign-off. The Regulations are administered by SARB FinSurv (see Regulators below).

Transfers employees automatically, on their existing terms, when a business or service is transferred as a going concern (s 197) — the hidden employment consequence of IT outsourcing, insourcing and managed-services transitions.

Establishes SITA and channels national and provincial government information-technology procurement through it — the statute that determines how software is sold to the South African state.

Makes all health records confidential (s 14) and tightly limits when they may be disclosed (s 15) — the statutory baseline for health-tech, telehealth and any system that processes patient data, alongside POPIA's special-personal-information rules.

The control test for software authorship: the "author" of a computer program is the person who exercised control over its making — the client who directed and controlled development owned the copyright without any assignment.

What control is not: merely supplying requirements, data and feedback and reviewing the result does not amount to control over the making of a program — the developer who wrote the code remained the author.

Employee-written software: programs created in the course and scope of employment belong to the employer — even where writing code was not the employee's formal job description.

The South African originality standard: copyright requires sufficient skill, labour and effort — not creative genius — so functional, workmanlike works (including code) readily qualify for protection.

Sets out the requirements for protectable confidential information and trade secrets — the fallback protection for algorithms, datasets and know-how where copyright does not reach.

US comparative authority cited in our AI-generated-code analysis: human authorship is a requirement of US copyright law, so an AI system cannot be an "author" — a useful contrast with South Africa's computer-generated-works rule.

The regulator that enforces POPIA — guidance notes, codes of conduct, prior-authorisation applications, breach (s 22) notifications and enforcement action all run through it.

SARS's official page on the royalties withholding tax (WTR) — rates, the WTR declaration forms and the treaty-relief mechanics that apply to cross-border software licence fees.

The Reserve Bank department that administers the Exchange Control Regulations — approvals for exporting capital and IP, cross-border royalty agreements and outward payments.

The Department of Communications and Digital Technologies' Draft National AI Policy, gazetted April 2026 — the policy direction for AI regulation in South Africa. It is a draft policy, not binding legislation; we link the gov.za documents library (search "National AI Policy") because gazette deep-links move.

The conduct regulator for financial institutions — relevant wherever software powers credit decisioning, robo-advice, insurtech or other regulated financial services.

The prudential regulator for banks and insurers — its operational-risk and outsourcing standards flow directly into the technology and cloud contracts those institutions sign.

The statutory council whose telemedicine guidelines govern practitioner-facing telehealth platforms. Its guidance PDFs are re-shuffled periodically, so we link the Council's site rather than a deep document URL.