Artificial intelligence (AI) is advancing at an unprecedented pace globally. The exceptional growth of data and the rapid adoption of AI technologies are reshaping industries. However, these technological developments also bring significant governance challenges, particularly in the field of environmental, social and governance (ESG) obligations.
As organisations integrate AI into their operations, there is a pressing need for strong and effective governance frameworks to ensure that innovation aligns with ethical standards, regulatory requirements, and the protection of stakeholder interests.
Internationally, the European Union (EU) AI Act establishes a risk-based framework for AI regulation. The EU AI Act prohibits harmful AI practices, imposes strict compliance obligations on high-risk systems, and requires robust cybersecurity measures to protect AI systems and related data. Similarly, the Organisation for Economic Cooperation Development (OECD) AI Principles have emerged as a global benchmark for responsible AI use.
The role of PoPIA
Although there is currently no dedicated AI legislation in South Africa, the intersection of AI, data, and ESG is becoming increasingly relevant. The Protection of Personal Information Act, 2013 (PoPIA) is central to how South African organisations use AI in ESG reporting and governance.
PoPIA, which is South Africa’s primary data privacy and protection law, reinforces the principles of lawfulness, fairness, purpose limitation, data minimisation, and transparency. It acts both as a constraint on irresponsible AI use and as a baseline governance framework that strengthens trust in ESG reporting.
Andrew Harding 5 Aug 2024 PoPIA prohibits the processing of personal information for purposes of fully automated decision-making unless such processing is subject to human oversight, protects the legitimate interests of the data subject, or is required or authorised by law or codes of conduct that safeguard data subject rights.
Importantly, individuals who are subject to a fully automated decision-making process must be given an opportunity to make representations after being provided with sufficient information to understand the methodology behind the automated decision. Interestingly, PoPIA provides that this prohibition does not apply where the automated decision-making relates to the conclusion or execution of a contract and the outcome is favourable to the data subject.
PoPIA limits cross-border transfers of personal information by permitting such transfers only in specified circumstances, for instance, where the data subject has provided express consent, or the recipient is subject to laws, binding corporate rules, or agreements that ensure protections equivalent to those under PoPIA.
This limitation has practical implications for organisations that rely on cloud-based platforms, an integral part of ESG data collection and reporting. The Information Regulator has confirmed that a Guidance Note on cross-border transfers is forthcoming, which will provide greater clarity on compliance expectations for companies using global data platforms.
While PoPIA provides the foundational legal framework for the responsible use of data through AI, there is growing recognition that AI governance will require specific regulatory direction. Stakeholders are increasingly calling for AI-specific legislation to ensure ethical, transparent, and accountable implementation.
AI, data, and ESG in South Africa
AI tools are now widely used for the collection and reporting of ESG data. As AI begins to play a greater role in gathering, analysing, and reporting ESG metrics, boards and management must ensure that these tools are governed responsibly. This includes incorporating appropriate human oversight and aligning with recognised ESG reporting frameworks and best practices.
King V Code
The King Code of Corporate Governance, while not binding legislation, remains the cornerstone of ethical leadership, transparency, and sustainable value creation in South Africa. The latest iteration, the draft King V Code of Corporate Governance, was released for public comment in 2025.
King V represents an evolution from King IV, with a strong emphasis on the integration of ESG and technology into governance practices. It explicitly anticipates oversight of AI and emerging technologies, requiring governing bodies to consider ethical use, data protection, cybersecurity, and stakeholder impact.
For South African boards, King V reinforces the principle that AI, data, and ESG are not peripheral concerns but integral components of responsible corporate governance.
Dr Eric Levenstein 30 May 2025 National AI Policy
In October 2024, South Africa reached a significant milestone with the release of the National AI Policy Framework by the Department of Communications and Digital Technologies. This framework sets out a national vision for AI that is ethical, inclusive, and aligned with constitutional values. It identifies strategic pillars such as fairness and bias mitigation, transparency and explainability, human oversight, privacy protection, and environmental sustainability. The framework signals the direction of future AI regulation in South Africa by aligning AI governance with ethical environmental and social objectives. It underscores that AI systems must serve not only economic growth but also social equity and environmental stewardship.
The policy marks the first formal step toward developing comprehensive AI regulation in South Africa, potentially culminating in the codification of these guiding principles.
AI represents the next horizon for ESG. As technology evolves, so too must governance frameworks. There is a clear need for regulation that addresses not only AI itself but also privacy, accountability, and data protection in AI-driven decision-making. In South Africa, the absence of a dedicated AI legal and regulatory framework presents both a challenge and an opportunity.
As AI and data continue to redefine the ESG landscape, governance must evolve in tandem with technological progress. South Africa, while currently relying on instruments like PoPIA and the King Code, stands at a pivotal moment. The National AI Policy Framework sets a promising foundation, but dedicated regulation is essential to ensure that AI serves as a tool for ethical, transparent, and socially responsible governance.
The challenge now is to move from principle to practice whilst establishing laws and standards that safeguard rights, foster innovation and align AI use with the broader goals of sustainable development.
