Wednesday, 28 January marks World Data Privacy Day. With South Africa’s Information Regulator celebrating its 10th anniversary in 2026, TechCentral spoke to Mukelani Dimba, acting executive for education and communication at the regulator, about the state of information rights in the country.
In this interview, Dimba reflects on the effectiveness of South Africa’s two core information rights laws – the Protection of Personal Information Act (Popia) and the Promotion of Access to Information Act (Paia) – and discusses challenges around enforcement, capacity, cybersecurity and emerging technologies such as artificial intelligence.
TechCentral: Looking back at the past decade, what would you describe as the most significant milestones in South Africa’s data privacy journey?
Mukelani Dimba: One of the biggest achievements is that data privacy has become a mainstream societal issue. Before the regulator was established, you would rarely hear people discussing privacy — particularly data privacy — in everyday conversation. Today, it is a widely understood concept, and that is a significant shift.
TC: How would you assess awareness of data rights among the public, government and corporates?
MD: In our most recent survey, about 49% of respondents indicated awareness of Popia and Paia. So, awareness exists, but it does not always translate into changes in behaviour. People still overshare personal information, particularly on social media.
Among responsible parties – both public and private – awareness levels are generally high. In our engagements with businesses and government entities, Popia is well understood. The compliance penalties in the legislation have certainly helped focus attention.
‘Strong and robust’
TC: How could the regulator improve the implementation of Popia and Paia?
MD: Popia is a strong and robust piece of legislation. It has a long history – discussions began as early as 2005 – and by the time it was enacted in 2013, we had learnt extensively from other jurisdictions.
That said, provisions around direct marketing need strengthening, as they allow for differing interpretations. Greater clarity is required.
Read: Truecaller may face Popia probe by Information Regulator
Paia, however, needs more substantial reform. It was developed in 2000, in a very different technological environment. Unlike Popia, it does not give the regulator sufficient enforcement powers. We need amendments that bring Paia in line with Popia, particularly in terms of corrective action for non-compliance.
TC: Beyond legislative gaps, are there capacity challenges within the regulator itself?
MD: We have capable people across both legal and technical disciplines, which is essential because we operate at the intersection of law and technology.
However, we face two major challenges. First, we simply don’t have enough staff to meet demand, largely due to limited resources. Second, we compete with the private sector for highly specialised technical skills, but we cannot match private sector remuneration.
The result is delays. It’s not that we cannot fulfil our mandate – it’s that high volumes mean processes take longer.
TC: Is the regulator involved in broader, multi-stakeholder cybersecurity initiatives?
MD: Cybersecurity extends beyond our mandate, but our work is part of that ecosystem. Both public and private entities are vulnerable to cyberattacks, which calls for a coordinated response involving law enforcement, state security agencies and regulators.
At present, I don’t think there is a sufficiently strong, multi-agency response to cybersecurity threats in South Africa. That is an area that needs improvement.
TC: How is the regulator approaching emerging technologies like AI, particularly systems that make decisions using personal data?
The AI factor
MD: We are closely monitoring these developments. The key concern is whether privacy protections are embedded throughout the lifecycle of these systems – from development and testing to deployment.
With technologies like large language models, privacy considerations are not always prioritised. That is why we participated in a project with the African Commission on Human and People’s Rights, examining how AI impacts the rights set out in the African Charter.
We also believe in proactive regulation, including collaboration with industry through mechanisms like regulatory sandboxes to ensure compliance is built in from the start.
Read: WhatsApp agrees to greater transparency for South African users
TC: What role does the regulator play in online child safety?
MD: It’s an area of interest, but responsibility sits more squarely with other institutions. This is why we helped establish the ICT and Media Regulators Forum, alongside Icasa, the Film and Publication Board (FPB) and the South African Domain Name Authority.
Within that structure, online child safety falls primarily under the FPB’s mandate, though we support efforts in this space.
TC: Finally, what is your long-term vision for the Information Regulator?
MD: We need to move beyond seeing the regulator as a lawyer-centric institution. Our role is to champion information rights, which inherently sit at the intersection of law and technology.
To do that effectively, we need data scientists and other technical specialists alongside legal experts. Without that balance, regulation risks being disconnected from the realities of the information economy and the digital society we are meant to serve. – © 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.