Skip to content
Industry Notes 17 April 2026

POPIA, GDPR, and AI: what South African product teams need to know in 2026

South African teams shipping AI features cannot ignore either POPIA at home or the EU AI Act when serving European customers. Here is the practical compliance picture as of mid-2026.

If you are a South African product team shipping anything that uses AI to make or influence a decision about a person, the regulatory picture in 2026 is messier than it was twelve months ago. POPIA still applies the way it always did. The EU AI Act is phasing in fast, with a major deadline on 2 August 2026. GDPR Article 22 has been re-interpreted by the Court of Justice. The UK has changed its own rules. And the South African National AI Policy is still in draft.

This post is a practical orientation, not legal advice. The aim is to give engineering and product leads the lay of the land — what binds you locally, what binds you when you sell into Europe, and what to do about it in your codebase. If anything here matters to your specific situation, get a privacy lawyer; the cost of getting it wrong is materially higher than the cost of getting advice.

POPIA Section 71 is the only binding South African AI rule

Let us start at home. The Protection of Personal Information Act (POPIA) is the only binding South African law that touches AI, and Section 71 covers automated decision-making — that is the entire architecture.

That is a striking sentence and it is broadly correct. Most of POPIA's substantive provisions commenced on 1 July 2020 with a one-year grace period for compliance ending on 30 June 2021. The Act includes dedicated sections on automated decision-making (Section 71), direct marketing, and cross-border data transfers, with penalties for non-compliance that include fines, imprisonment, and compensation to affected data subjects.

Section 71 itself is short and worth reading directly. It establishes that a data subject may not be subject to a decision which results in legal consequences for them, or which affects them to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person — including credit-worthiness, reliability, location, health, personal preferences or conduct.

There are exceptions. The prohibition does not apply if the decision was taken in connection with the conclusion or execution of a contract and either the data subject's request was met, or appropriate measures protect their legitimate interests; or if the decision is governed by a law or code of conduct with appropriate safeguards. Even where exceptions apply, the responsible party must give the data subject an opportunity to make representations about the decision, and provide sufficient information about the underlying logic of the automated processing to enable them to do so.

In practice, for product teams, this means a few concrete things:

  • A purely-automated decision with material consequences is the regulated case. If a human is genuinely in the loop (not rubber-stamping), Section 71 is much weaker.
  • The right to an explanation is real. If your system rejects a loan, prices an insurance policy, declines a job application, or otherwise materially affects someone based on automated processing, you must be able to explain the underlying logic in terms they can act on. "The model said no" is not sufficient.
  • The right to challenge is real. Build a path for human review of automated decisions into the product, not as an afterthought.

The honest characterisation of the local regime: as of now, no algorithmic audits, no AI ombudsperson, no mandatory impact assessments, and no transparency requirements for AI systems used in hiring, lending, or policing. The draft National AI Policy proposes mandatory impact assessments as strategic pillars, but there is currently no legally binding requirement for companies to perform audits or impact assessments. The South African National AI Policy Framework, published in October 2024 by the Department of Communications and Digital Technologies, is a first step rather than a finished regime.

That can read as a regulatory holiday. It is more accurate to read it as a deferred bill. POPIA's Section 71 is narrow but enforceable, and the draft AI Policy proposes alignment with POPIA's Section 71 plus data protection by design as a baseline, transparency as a core principle, mandatory watermarking of training data for large language models, and "sufficient explainability" for high-risk AI systems. Building for those expectations now is cheaper than retrofitting in 2027 or 2028.

GDPR Article 22 is the EU equivalent, and it is more developed

If you serve European customers — and most South African SaaS does, eventually — GDPR Article 22 is the equivalent provision you need to know.

Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects on them. Three exceptions: contract performance, law, or explicit consent. Even with an exception, suitable measures are required: the right to human intervention, to express a view, and to contest the decision.

The shape is similar to POPIA Section 71. The interpretation, however, has gone further. In December 2023 the Court of Justice of the EU ruled in the SCHUFA case that even credit-scoring algorithms fall under Article 22 when they significantly influence downstream human decisions — meaning the "solely automated" threshold is interpreted generously in the data subject's favour. A nominally-human approval that simply ratifies the algorithm's output is treated as if the decision was automated.

The practical implications for product teams:

  • Be skeptical of "human in the loop" as a compliance argument unless that human has the authority, training, and time to actually overturn the system. If they do not, the regulator may treat the decision as automated regardless.
  • Article 22 violations sit at the top tier of GDPR fines — up to €20 million or 4% of global turnover. This is not a paperwork issue.
  • A Data Protection Impact Assessment is mandatory for any Article 22-scope processing, per Article 35.
  • Articles 13–15 fill the gap on explainability — even where Article 22 itself does not require explanations, the right of access and the requirement to provide meaningful information about the logic, significance, and envisaged consequences of the processing does.

The EU AI Act is the new layer, and 2 August 2026 is the date

The big change in 2026 is the EU AI Act, Regulation (EU) 2024/1689. It entered into force on 1 August 2024 and applies in phases.

The current state of the timeline:

  • 2 February 2025 — prohibitions on unacceptable-risk AI systems and AI literacy obligations applied.
  • 2 August 2025 — rules for general-purpose AI models applied, governance structures (the AI Office) became operational, and Member States needed to designate national competent authorities.
  • 2 August 2026 — the majority of remaining obligations apply, including for high-risk AI systems in Annex III, with enforcement starting on that date. This is the operationally demanding deadline that most product teams need to plan for.
  • 2 August 2027 — full application, including AI systems embedded in regulated products.

On 19 November 2025 the Commission proposed, as part of the Digital Omnibus, to link the application of high-risk rules to the availability of supporting measures such as harmonised standards. That proposal is still under consideration by the European Parliament and Council. As of writing, the prudent planning assumption remains 2 August 2026.

For South African teams selling into Europe, the key clarifications:

  • The Act applies extra-territorially, in the same way GDPR does, where AI systems produce outputs used in the EU.
  • The Act does not replace GDPR; both apply concurrently to AI systems processing personal data. A high-risk AI system making decisions about individuals will need to satisfy GDPR Article 22 and the AI Act's high-risk obligations.
  • The fine ceiling exceeds GDPR's — up to €35 million or 7% of global turnover for the most serious AI Act violations, against GDPR's €20m / 4%.
  • GPAI (general-purpose AI) obligations have applied since August 2025. If you build on top of foundation models, you are not the regulated GPAI provider — but the providers you rely on are, and contractual flow-down of obligations is already standard in vendor agreements.

The six practical steps Orrick and others have been advising sit at about the right level for a mid-market team: map the AI systems you use, develop, import or distribute in Europe; clarify your role for each (provider, deployer, importer, distributor); determine whether the Act applies to each system; classify systems by risk level; document the mapping repeatably because it is an ongoing obligation; and conduct AI mapping exercises as an ongoing rather than a one-off compliance task.

A practical compliance baseline for a SA product team in 2026

If you are a South African product team with European customers and at least one AI-driven feature that touches personal information, the baseline we recommend looks like this. It is not legal advice. It is engineering hygiene that lines up with the rules you can already see.

1. Document where AI sits in your product. Maintain an inventory of every AI-driven feature, what data it uses, what decisions it influences, who is in the loop, and what the user-facing explanation looks like. This is the artefact a regulator will ask for first, and it is the artefact you will need internally regardless.

2. Default to human-in-the-loop for material decisions. Loan approvals, account suspensions, pricing changes, content moderation actions, hiring decisions — any of these going out without a human signal is the highest-risk shape under both POPIA Section 71 and GDPR Article 22. If a human is in the loop, make sure they have the authority and information to actually overturn the model.

3. Build the user-side rights into the product. A path for users to request human review of an automated decision. A path for users to receive a meaningful explanation. A path for users to correct the personal information that fed the decision. These are not optional under POPIA or GDPR; they are also good product design.

4. Pick a Data Protection Impact Assessment template and use it. For any AI feature processing personal information that materially affects users, a DPIA is mandatory under GDPR Article 35 and good practice under POPIA. The output is a written record of the risks identified and the mitigations chosen. Without it, you have no defence; with it, you have a reviewable trail.

5. Watch what your model providers are doing. GPAI obligations under the EU AI Act mean your foundation-model vendors are publishing more disclosure than they used to — training data summaries, copyright compliance posture, evaluation reports. Pull these into your own documentation. You will be asked for them.

6. Treat the draft SA AI Policy as your roadmap, not your obligation. Mandatory impact assessments are "best practice" recommendations rather than statutory obligations at present, but the direction of travel is clear. Building the muscle now — DPIAs, model documentation, change logs, evaluation reports — costs little when added during development and a lot when retrofitted under regulatory pressure.

What is likely to change next

A few items worth watching over the next twelve months. None of them affect what you should do today, but all of them are likely to be settled by mid-2027:

  • The South African National AI Policy. Currently in draft consultation. The published policy will likely propose statutory teeth that the current draft only suggests. Realistic timeline to enforceable law: 2027 at the earliest.
  • The Digital Omnibus proposal, which could shift the application date for high-risk EU AI Act obligations linked to the availability of standards. Worth tracking; do not bet your roadmap on a delay.
  • Sector-specific guidance from the South African Information Regulator on AI, particularly in financial services and HR — the two sectors where automated decision-making is most prevalent and most contested.
  • Court interpretation of Article 22's "solely automated" threshold in further CJEU cases. The SCHUFA ruling raised the bar; subsequent cases are likely to clarify it further.

The summary, if you read nothing else: the rules that bind a South African product team in 2026 are POPIA Section 71 at home, GDPR Article 22 when you serve European customers, and the EU AI Act's high-risk obligations when those apply. None of these prevent you from shipping AI features; all of them shape how you ship them. The teams that quietly get this right are the teams who will not be re-platforming under deadline pressure in 2027.


References

  1. South African Government / popia.co.za — Section 71: Automated decision-making. https://popia.co.za/section-71-automated-decision-making/
  2. ITWeb — Artificial intelligence has POPIA implications. https://www.itweb.co.za/content/KA3Ww7dDjK67rydZ
  3. OECD.AI — Protection of Personal Information Act (POPIA). https://oecd.ai/en/dashboards/policy-initiatives/protection-of-personal-information-act-popia
  4. SAPeople — South Africa's AI Regulation: Why a 2027 policy may be too little too late. https://www.sapeople.com/tech/south-africa-ai-regulation-2027/
  5. Cliffe Dekker Hofmeyr — Commentary on South Africa's National Draft Artificial Intelligence Policy. https://www.cliffedekkerhofmeyr.com/en/news/publications/2026/South-Africa/Technology-Communications/corporate-communication-and-technology-communications-alert-commentary-on-south-sfricas-national-draft-artificial-intelligence-policy
  6. Polity / Michalsons — The draft AI policy has been published and parties have 60 days to comment. https://www.polity.org.za/article/speak-now-or-forever-hold-your-peace-the-draft-ai-policy-has-been-published-and-parties-have-60-days-to-comment-2026-04-13
  7. ITLawCo — AI regulation in South Africa. https://itlawco.com/focus-areas/artificial-intelligence-law/ai-regulation-in-south-africa/
  8. European Commission — Navigating the AI Act. https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act
  9. EU AI Act Service Desk — Timeline for the Implementation of the EU AI Act. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
  10. Orrick — The EU AI Act: 6 Steps to Take Before 2 August 2026. https://www.orrick.com/en/Insights/2025/11/The-EU-AI-Act-6-Steps-to-Take-Before-2-August-2026
  11. Kennedys Law — The EU AI Act implementation timeline. https://www.kennedyslaw.com/en/thought-leadership/article/2026/the-eu-ai-act-implementation-timeline-understanding-the-next-deadline-for-compliance/
  12. Legiscope — GDPR Article 22: Automated Decision-Making and Profiling. https://www.legiscope.com/blog/gdpr-article-22-automated-decision-making.html
  13. LegalClarity — Automated Decision-Making and Profiling Under the GDPR. https://legalclarity.org/automated-decision-making-and-profiling-under-the-gdpr/
  14. GDPRInfo — GDPR Article 22 Explained. https://gdprinfo.eu/gdpr-article-22-explained-automated-decision-making-profiling-and-your-rights
  15. Legiscope — EU AI Act Deadlines 2026-2027. https://www.legiscope.com/blog/eu-ai-act-timeline-deadlines.html

Written by JP, Sixees Labs. Last reviewed May 2026. This post is general information, not legal advice. Get a privacy lawyer for specific situations.

JP

Co-founder, Sixees Labs

Co-founder of Sixees Labs. Engineer and systems thinker focused on shipping AI that actually works in production.

We use cookies to understand how you use our site so we can improve it. Choose Necessary only to decline analytics. See our cookies policy for details.