Johannesburg’s CCTV By-Law Repealed: Implications for Businesses, Homeowners, and POPIA Compliance


The City of Johannesburg (“CoJ” or “the City”) previously published a draft CCTV By-Law (“the By-Law”) which required individuals or companies who installed CCTV cameras on their private property with a view of public areas to apply for approval and register those cameras with the City.   The stated purpose of the By-Law was to promote lawful use of CCTV cameras, regulate their registration, and assist in deterring crime.

According to the draft, the By-Law applied to, “…all CCTV Camera and mobile camera, including drone camera, in Public Space; in a private property with a view or angle of coverage to a Public Space, installed or intended as provided for, in the area and jurisdiction of the City.”

The By-Law mandated that no CCTV camera that fell within the above purview could be installed or operated without written approval from the CoJ. Such approval required the submission of documentation on a prescribed form, supported by plans or diagrams. Even alterations to approved CCTV systems required the CoJ’s approval.

The By-Law sparked significant pushback from civil society and business associations. The Organisation Undoing Tax Abuse (“OUTA”) and the South African Property Owners Association (“SAPOA”) criticised the By-Law for being overreaching and unnecessary. In particular, they raised concerns around privacy (particularly for private property owners) and transparency (in terms of public consultation processes).

Following legal challenges by OUTA and SAPOA, the By-Law has been reported as repealed.  Notably, while OUTA released a public statement celebrating the repeal, the City of Johannesburg itself has not yet issued an official statement confirming the decision.

So, the question now becomes how businesses remain compliant with the law considering that there is no clear regulation on CCTV surveillance.  That is where the Protection of Personal Information Act 4 of 2013 (“POPIA”) comes in.  POPIA seeks to, “promote the protection of personal information processed by public and private bodies; [and] to introduce certain conditions so as to establish minimum requirements for the processing of personal information.”  This framework is highly relevant to businesses using CCTV cameras, as these systems are likely to process the personal information of data subjects.

POPIA establishes eight conditions for lawful processing and requires the responsible party to ensure compliance.  Examples of such compliance include:

  • transparency: signage or notices indicating recording is taking place;
  • retention: storing footage only for a reasonable period;
  • access control: limiting access to ensure data security;
  • data subject rights: providing copies of footage to individuals captured, upon lawful request; and
  • sharing restrictions: footage should not be shared without a legal basis.

In practice, filming and storing data constitutes “processing” under POPIA, and businesses must align their CCTV use with these obligations.

While the repeal of the By-Law has been welcomed as a win for privacy and business certainty, it raises important questions:

  1. To what extent should municipalities regulate private surveillance?
  2. How can local authorities balance public safety with constitutional privacy rights?
  3. Should future regulation focus on harmonising with POPIA rather than creating overlapping systems?

For now, businesses and residents remain bound primarily by POPIA when using CCTV, dashcams, or other surveillance tools. Compliance with POPIA’s conditions remains critical to ensure the lawful processing of personal information.
