Section 71 of POPIA establishes the data subject right not to be subject to a decision which results in legal consequences for or substantially affects them, based solely on the automated processing of personal information intended to provide a profile of certain personal aspects.
The right is not absolute. Exemptions apply. The operational picture is more nuanced than either 'POPIA prohibits AI decisions' or 'POPIA permits AI decisions' suggests. This article walks through what section 71 actually requires for AI in regulated activities, when exemptions apply, and what safeguards need to be operational.
What section 71 covers
The right applies to decisions that meet four cumulative criteria. The decision is based solely on automated processing, with no meaningful human involvement. The processing produces a profile of personal aspects of the data subject: performance at work, creditworthiness, reliability, location, behaviour, or similar. The decision has legal consequences for the data subject or substantially affects them. And the data subject would otherwise be entitled to the right.
All four criteria must be met for the right to apply. Decisions that involve meaningful human review fall outside scope. Decisions that do not produce a profile of personal aspects fall outside scope. Decisions that do not have legal or substantial effect fall outside scope.
What 'solely automated' means in practice
Meaningful human involvement removes a decision from 'solely automated' status. The bar is meaningful involvement: not rubber-stamping of automated outputs, not human review without authority to overturn, and not occasional human spot-checking of an otherwise automated process.
Operationally, meaningful human involvement requires the human reviewer to have the authority, capability, and information to genuinely evaluate the automated output and reach an independent decision. A human reviewer presented with the automated decision and a button to approve or reject, with no time, no context, and no incentive to deviate from the automated recommendation, does not meet the standard.
What 'legal consequences or substantial effect' means
Legal consequences cover decisions that affect legal status or contractual position: credit applications approved or declined, insurance underwriting decisions, employment hiring or termination decisions, eligibility for regulated services.
Substantial effect extends to decisions that affect the data subject in materially significant ways even without strictly legal consequences: material pricing differentials, exclusion from services, behavioural shaping in ways that affect material life decisions.
The threshold is contextual. Trivial differentials are not substantial effects. Material differentials are. Operationally, responsible parties should consider the data subject's perspective: what would a reasonable affected person consider materially affecting them?
The three exemptions in section 71
Section 71(2) establishes three exemptions where the right does not apply.
Contractual necessity
The decision is necessary for the conclusion or performance of a contract between the data subject and the responsible party. This exemption covers many financial services use cases: credit decisions necessary to enter a credit contract, insurance underwriting necessary to issue a policy, account opening decisions necessary to provide banking services.
The exemption is not unlimited. It applies only where the decision is genuinely necessary for the contract, not merely convenient for the responsible party. And the exemption is paired with safeguards: section 71(3) requires the responsible party to provide appropriate measures to protect the data subject's legitimate interests, including measures the data subject can use to express their view and contest the decision.
Authorised by law
The decision is governed by law that provides appropriate measures to safeguard the data subject's legitimate interests. This exemption applies where specific legislation authorises the automated decision-making, for example certain regulatory reporting decisions, or certain anti-money laundering decisions where specific provisions authorise automated processing.
Express consent
The data subject has expressly consented to the automated decision-making. Consent must be specific, informed, and freely given; generic terms-of-service consent typically does not meet the standard for section 71 purposes.
Operational safeguards under section 71(3)
Where an exemption applies, section 71(3) requires the responsible party to provide appropriate measures to safeguard the data subject's legitimate interests: at minimum, measures the data subject can use to express their view about the automated decision-making and contest the decision.
Operationally:
● Disclosure to the data subject that automated decision-making is being used, with sufficient information about the logic for the data subject to evaluate it
● Mechanism for the data subject to express their view, including submitting additional information they believe relevant
● Mechanism for the data subject to contest the decision, including a substantive review pathway with authority to overturn the automated decision
● Documentation supporting the safeguards: how the responsible party operationalises them, how decisions are documented, what evidence is retained
Where section 71 most commonly applies in financial services
Common section 71-relevant use cases in SA financial services:
● Credit decisions, both initial applications and ongoing credit management
● Insurance underwriting and pricing, both initial decisions and renewal decisions
● AML/CFT-driven account decisions where AI flags or alerts drive operational outcomes affecting customers
● Customer onboarding and KYC outcomes where AI is materially involved
● Retention and product offering decisions that materially differentiate treatment between customers
● Fraud-related account actions where AI involvement is significant
For each, the analysis follows the same pattern. Is the decision solely automated? Does it produce a profile? Does it have legal consequences or substantial effect? If yes to all three, is an exemption available? If an exemption applies, what safeguards are operational?
Common implementation pitfalls
● Treating human review as a tick-box such that 'solely automated' becomes effectively true even when nominally false
● Relying on the contractual necessity exemption where the decision is not genuinely necessary for the contract, but merely commercially convenient
● Express consent flows that do not meet the standard for specific, informed, freely given consent
● Safeguards under section 71(3) that exist on paper but are operationally inaccessible to data subjects
● Review pathways where the human reviewer lacks authority, information, or time to genuinely overturn automated decisions
● Documentation of section 71 analysis missing or inadequate, leading to a weak position under Information Regulator scrutiny
The shift to make
Stop treating section 71 as either a prohibition on AI decisions or a formality satisfied by adding 'human review' as a label.
Start treating it as an operational standard for AI decisions that affect data subjects substantially, with documented analysis of when it applies, deliberate selection of exemptions where they fit, and substantive safeguards that actually protect data subject interests rather than just satisfying a documentation requirement.
Responsible parties that operate section 71 well navigate Information Regulator engagement constructively and build customer trust through demonstrable contestability. Responsible parties that treat section 71 as paperwork eventually discover, through complaints or enforcement, that the operational gaps are exactly what the regulator examines.







