“I will never get caught”: The consequences of non-compliance with POPIA

Non-compliance with POPIA

With the attention on complying with the Protection of Personal of Personal Information Act No. 4 of 2013 (“POPIA”) by 1 July 2021 having subsided and most of us having received and approved our fair share of consent notices, we consider the consequences, if any, on responsible parties, as defined in POPIA, who have not, as yet, heeded the advice to comply with POPIA.

As a first point of call one considers the offences and penalties section of any legislation to ascertain the consequences of non-compliance. This holds true also for POPIA. In this regard, Section 100 of POPIA lists specific acts which are considered offences in terms of the Act, namely:

• hindering or obstructing or unlawfully influencing the Information Regulator;
• failing to comply with an enforcement notice;
• lying under oath or failing to attend hearings; and
• unlawful acts by responsible parties or third parties in connection with account numbers.

POPIA, in our view, takes a peremptory approach in obliging responsible parties to protect a data subject’s right to privacy by, inter alia, registering an Information Officer and processing personal information in terms of the eight conditions of lawful processing set out in POPIA.

Offences listed in Section 100 of POPIA

However, on a review of the offences listed in Section 100 of POPIA, a failure or omission to comply with the substantive provision of POPIA, including, the provisions of POPIA which require responsible parties to collect personal information directly from a data subject or notify a data subject when collecting personal information, are not included in the listed offences in Section 100 of POPIA.

The legislature may have identified the above gap in POPIA and attempted to rectify it through the inclusion of section 109. Section 109 of POPIA empowers the Information Regulator to impose an administrative fine in instances where a “responsible party is alleged to have committed an offence in terms of this Act”. As section 109 does not, as opposed to section 100, refer to specific sections in POPIA to which it applies. In our view, section 109 may be applicable to a contravention of any section of POPIA.

Although Section 109 appears to provide us with an appropriate answer in response to the query regarding the consequences of non-compliance with POPIA, Section 109 is not without flaws. In this regard:

• the penalties set out in Section 100 are criminal in nature and must, thus, be handed down by a court and are, in our view, more severe;
• the powers of the Information Regulator are limited only to Section 109. In terms of Section 109 the Information Regulator may only impose a fine;
• however, in order to impose the fine or act in any manner in terms of Section 109, the Information Regulator must first issue a responsible party an infringement notice; and
• the above infringement notice must “specify the particulars of the alleged offence”.

Thus, a responsible party must first have contravened POPIA and a data subject must then bring the contravention to the attention of the Information Regulator. The Information Regulator may then deliver the infringement notice with the necessary details of the contravention and then investigate the alleged offence and determine an appropriate fine.

Arguably, the necessity for there first to be a contravention of POPIA creates a legal lacuna for responsible parties. In this regard, in so far as a responsible party’s non-compliance with POPIA is never reported by a data subject, the responsible party may, arguably, escape the obligations imposed by POPIA and, in turn, the possibility of being levied with a fine.

Section 89 of POPIA

However, Section 89 of POPIA empowers the Information Regulator, at his/her own initiative, to assess whether or not a person is processing personal information in accordance with POPIA. Whether or not the Information Regulator is resourced to conduct such investigations, address reported alleged contraventions, as well initiate its own investigations without first receiving a request from, inter alia, a data subject to do so remains to be seen.

However, taking into account the recent media attention that POPIA has received and the fact that consumers are more aware of legislation aimed at protecting their rights, a responsible party who intends on avoiding liability on the basis that “I will never get caught” may find themselves on the receiving end of an infringement notice, followed by an administrative fine but also a sentence of imprisonment.

Read more about POPIA: A Guide to the Protection of Personal Information Act of South Africa.

Compliance with POPIA should never anchor your business down. Business must protect the data of all South Africans.

by Zamathiyane Mthiyane, Senior associate and Janice Geel, Candidate Attorney
reviewed by: Neil Kirby, Direct and Head of Healthcare and Life Sciences