CODE calls for Stronger Digital Protections in South Africa’s New Whistle-blowing Law

South Africa is finally on the road to replacing its 26-year-old whistleblower law. The Protected Disclosures Bill, 2026 is a genuine step forward: clearer procedures, proactive protections, liability for retaliation. CODE welcomes it.

But the Bill was written as if disclosure still happens in sealed envelopes.

It doesn't. It happens over email, web forms, and messaging apps – each carrying metadata trails, IP addresses, and digital fingerprints that can unmask a discloser before any protection kicks in. Additionally, retaliation no longer stops at the office door. It follows people across platforms, through deepfakes, doxxing, and coordinated harassment campaigns that no employment tribunal was designed to address.

CODE's submission to the Department of Justice focused on exactly this gap. Our recommendations include:

• Secure disclosure channels: end-to-end encrypted, metadata-stripped, with anonymous two-way communication so disclosers don't have to identify themselves just to receive feedback.

• A database built to be attacked: the central disclosure database will be a high-value target for the very people it documents. It needs encryption, audit logging, penetration testing, and independent oversight.

• Digital retaliation recognised as retaliation: doxxing, deepfakes, and coordinated harassment must be named in the Bill as detrimental action, with platform-directed remedies available to courts.

• Digital witness protection: physical relocation alone doesn't protect someone whose face is still on LinkedIn.

• AI guardrails: disclosure data must not flow into commercial AI systems without explicit constraint.

Read CODE's full submission.