Legal & Risk: What Businesses Need to Watch
2026-05-27
South African and UK businesses must navigate a volatile regulatory landscape, with two developments from this week demanding close attention: the delayed release of South Africa’s AI policy and the cross-border data integration in Vodacom’s partnership with PayPal. These stories underscore often-overlooked compliance risks tied to innovation and global collaboration.
---
The Department of Communications and Digital Technologies has pushed back the final draft of South Africa’s national AI policy to January 2027, citing a need for expert review (as reported by TechCentral and MyBroadband). This delay leaves a gap in regulatory clarity for businesses relying on AI systems, particularly those in sectors like cybersecurity (e.g., Datatec, which reported strong earnings from AI investments).
Missed Legal Angle: While the policy’s delay provides temporary flexibility, it also increases compliance risk. Businesses using AI must self-regulate in areas likely to be targeted by the policy, such as hallucination mitigation (ensuring AI-generated outputs are fact-checked) and data accountability (traceability of AI decisions under POPIA). Under POPIA Section 44, businesses must ensure AI tools don’t process personal data in a way that violates transparency or fairness principles.
Compliance Action: Review AI systems for alignment with current ethical standards and prepare for imminent regulatory requirements (e.g., audit trails for AI-driven decisions).
---
Vodacom’s integration of M-Pesa with PayPal enables seamless global money transfers, but this partnership raises cross-border data sharing compliance concerns under POPIA Chapter 8. The agreement requires Vodacom to ensure that PayPal adheres to South Africa’s data minimization, encryption, and consent protocols when processing user data.
Missed Legal Angle: Businesses often overlook the legal obligation to audit third-party data processors (like PayPal) under POPIA. If Vodacom fails to verify that PayPal’s systems meet POPIA requirements, it could face penalties for non-compliance. Similarly, under UK GDPR Article 26, international data transfers must ensure “adequacy decisions” from the EU, which may not apply to Tanzania-based operations.
Compliance Action: Conduct due diligence on third-party vendors handling South African users’ data and ensure contractual clauses mandate POPIA alignment.
---
---
**
**
The above analysis assumes that hallucination risks and cross-border data transfers are currently outside formal regulatory focus. However, as the AI policy evolves, interpretations of accountability and liability for AI errors may require qualified legal opinion. Similarly, the Vodacom-PayPal model may necessitate review by an experienced compliance officer to ensure alignment with both domestic and international data laws.