Sep 10,2021 / News / E-Bulletin
With the attention on complying with the Protection of Personal of Personal Information Act No. 4 of 2013 (“POPIA”) by 1 July 2021 having subsided and most of us having received and approved our fair share of consent notices, we consider the consequences, if any, on responsible parties, as defined in POPIA, who have not, as yet, heeded the advice to comply with POPIA.
As a first point of call one considers the offences and penalties section of any legislation to ascertain the consequences of non-compliance. This holds true also for POPIA. In this regard, Section 100 of POPIA lists specific acts which are considered offences in terms of the Act, namely:
POPIA, in our view, takes a peremptory approach in obliging responsible parties to protect a data subject’s right to privacy by, inter alia, registering an Information Officer and processing personal information in terms of the eight conditions of lawful processing set out in POPIA.
However, on a review of the offences listed in Section 100 of POPIA, a failure or omission to comply with the substantive provision of POPIA, including, the provisions of POPIA which require responsible parties to collect personal information directly from a data subject or notify a data subject when collecting personal information, are not included in the listed offences in Section 100 of POPIA.
The legislature may have identified the above gap in POPIA and attempted to rectify it through the inclusion of section 109. Section 109 of POPIA empowers the Information Regulator to impose an administrative fine in instances where a “responsible party is alleged to have committed an offence in terms of this Act”. As section 109 does not, as opposed to section 100, refer to specific sections in POPIA to which it applies. In our view, section 109 may be applicable to a contravention of any section of POPIA.
Although Section 109 appears to provide us with an appropriate answer in response to the query regarding the consequences of non-compliance with POPIA, Section 109 is not without flaws. In this regard:
Thus, a responsible party must first have contravened POPIA and a data subject must then bring the contravention to the attention of the Information Regulator. The Information Regulator may then deliver the infringement notice with the necessary details of the contravention and then investigate the alleged offence and determine an appropriate fine.
Arguably, the necessity for there first to be a contravention of POPIA creates a legal lacuna for responsible parties. In this regard, in so far as a responsible party’s non-compliance with POPIA is never reported by a data subject, the responsible party may, arguably, escape the obligations imposed by POPIA and, in turn, the possibility of being levied with a fine.
However, Section 89 of POPIA empowers the Information Regulator, at his/her own initiative, to assess whether or not a person is processing personal information in accordance with POPIA. Whether or not the Information Regulator is resourced to conduct such investigations, address reported alleged contraventions, as well initiate its own investigations without first receiving a request from, inter alia, a data subject to do so remains to be seen.
However, taking into account the recent media attention that POPIA has received and the fact that consumers are more aware of legislation aimed at protecting their rights, a responsible party who intends on avoiding liability on the basis that “I will never get caught” may find themselves on the receiving end of an infringement notice, followed by an administrative fine but also a sentence of imprisonment.
Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.
Compliance with POPIA should never anchor your business down. Business must protect the data of all South Africans.
by Zamathiyane Mthiyane, Senior associate and Janice Geel, Candidate Attorney
reviewed by: Neil Kirby, Direct and Head of Healthcare and Life Sciences
© 2020 Werksmans Attorneys, All rights reserved.
