By Lize de la Harpe, legal adviser
In the last edition we discussed the office of the Information Regulator.
In this edition we will first take a closer look at the enforcement of POPIA and then move on to offences, penalties and administrative fines as set out in the act.
Enforcement – Chapter 10
Interference with the protection of personal information of a data subject – section 73
Chapter 10 starts off with defining what constitutes interference with the protection of personal information of a data subject, being:
- any breach of the Conditions for the lawful processing of personal information (*as discussed in previous editions); or
- non-compliance with certain sections of the act, including, but not limited to, the failure to notify a security compromise, direct marketing by means of unsolicited electronic communication in contravention of section 69, and transfers of personal information outside of the Republic in breach of section 72; or
- a breach of any code of conduct issued in terms of section 60 (*as discussed in Part 14).
Complaints – section 74
Any person may submit a complaint to the Information Regulator in the prescribed manner and form alleging interference with the protection of personal information (*see paragraph 7 of the Regulations for details of the prescribed form).
The remainder of Chapter 10 sets out the manner of submitting such a complaint, the actions of the Information Regulator on receipt of the complaint, and the Information Regulator’s decision as to what action will be appropriate.
Enforcement notice – section 95
You will recall we discussed the establishment of an Enforcement Committee (*as set out in section 50) in the last edition. The purpose of the Enforcement Committee is to consider all matters referred to it by the Information Regulator in terms of both POPIA and PAIA and to make recommendations to the Information Regulator relating to further action that should be taken against the responsible party or the Information Officer.
Section 95 states that if the Information Regulator is satisfied (after having considered the recommendations of the Enforcement Committee) that a responsible party has interfered or is interfering with the protection of personal information of a data subject, it may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
- to take specified steps within a specified period, or to refrain from taking such steps; or
- to stop processing personal information as specified in the notice, or to stop processing personal information for a purpose or in a manner as specified within the stated period.
Civil remedies – section 99
Section 99 provides that a data subject, or the Information Regulator at the request of the data subject, may institute a civil action for damages in a court against a responsible party for breach of any provision of the act as referred to in section 73 discussed above (i.e. arising from an interference with the protection of personal information), whether or not there is intent or negligence on the part of the responsible party.
Section 99(2) lists various defences that may be raised by a responsible party against an action for damages, being:
- vis major (*being “an act of God”); or
- consent of the plaintiff; or
- fault on the part of the plaintiff; or
- compliance was not reasonably practicable in the circumstances; or
- the Information Regulator has granted an exemption in terms of section 37 (*as discussed previously in Part 14 when we discussed the powers and functions of the Information Regulator).
*PS: responsible parties should take specific note of section 99(3), which empowers the court to award damages to the data subject as compensation for losses suffered as a result of the breach, including aggravated damages (*in a sum determined by the court in its discretion!), interest and legal costs.
More worryingly: any order issued under this section must be published in the Gazette and such other public media announcement as the court considers appropriate (*see section 99(7)).
Offences, penalties and administrative fines – Chapter 11
Offences – sections 100 to 106
Chapter 11 of the act creates several offences, including but not limited to:
- hindering, obstructing or unlawfully influencing the Information Regulator in the performance of its duties and functions (section 100);
- failure to comply with an information notice or enforcement notice (section 103);
- offences by witnesses (*for example, lying under oath or failing to attend hearings – section 104);
- unlawful acts by responsible parties in connection with account numbers (section 105); and
- unlawful acts by third parties in connection with account numbers (section 106).
Penalties – section 107
Section 107 sets out the penalties which apply to the offences listed above.
For the more serious offences (e.g. unlawfully influencing the Information Regulator or failure to comply with an enforcement notice) the maximum penalty is a R10 million fine or imprisonment for a period not exceeding 10 years, or both a fine and imprisonment.
For the less serious offences (e.g. offences by witnesses) the maximum penalty is a fine or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment.
Considering the above, it is quite clear that failure to comply with the requirements of POPIA can have severe consequences: not only financially, in the form of considerable fines and damages awards, but also reputationally, should a court order against the responsible party be published in terms of section 99(7), which can cause irreparable harm in the long run.
Responsible parties are therefore urged to ensure a clear understanding of the operation of the enforcement provisions in Chapters 10 and 11 (as well as the Conditions for lawful processing as set out in Chapter 3!) and to monitor the requirements of the Information Regulator relating to enforcement. In the next edition we will discuss POPIA in the workplace in more detail.