BY Rakhee Dullabh AND Nicole Gabryk
Beware the enforcer: Enforcement and liability under POPIA
In its Operational Readiness Plan, published following the commencement of the Protection of Personal Information Act, 2013 (“POPIA”) on 1 July 2020, the Information Regulator indicated that it would (by March 2021, and so ahead of the expiry of the one-year grace period for compliance with POPIA) have:
- developed its rules of procedure on the handling of complaints;
- developed an “Electronic Complaints Management System”;
- established its Complaints and Investigating Unit; and
- developed its pro forma warrants, subpoenas and processes (together with the relevant stakeholders such as the SAPS and the NPA) in order to carry out its search and seizure powers.
These are all necessary steps that indicate that the Regulator will be in a position to take enforcement action against responsible parties alleged to have interfered with the protection of the personal information of data subjects after 1 July 2021. Below, we set out some aspects of the enforcement process and their possible implications for responsible parties:
- POPIA allows any person to submit a complaint to the Regulator in the prescribed form. What impact could this have on your business?
- A complaint could come from almost anywhere: aggrieved data subjects, competitors or even the Regulator itself.
- High volumes of complaints to the Regulator are likely to result in delays in the resolution of complaints. After the General Data Protection Regulation (“GDPR”) came into effect in the EU in May 2018, there were reportedly over 144 000 complaints and inquiries to the various data protection authorities in the first year. POPIA requires the Regulator to advise both the complainant and the responsible party (to whom the complaint relates), as soon as reasonably practicable, of the course of action it intends taking on any complaint. If the Regulator is inundated with complaints in the first year, it may therefore take some time before organisations know:
  - whether any complaint has been made against them;
  - what steps the Regulator intends taking; and/or
  - what liability (if any) they may face in terms of POPIA.
This could have serious reputational effects and cost implications for organisations, who may be faced with protracted public scrutiny and mounting defence costs arising from any complaint to the Regulator.
- If the Regulator decides to investigate a complaint (either by way of a pre-investigation or a full investigation), it is afforded sweeping and far-reaching powers, subject to compliance with the provisions of POPIA, and may:
  - summon and enforce the appearance of witnesses “before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint, in the same manner and to the same extent as the High Court”;
  - receive and accept any evidence or information that the Regulator sees fit, “whether or not it would be admissible in a court of law”; and/or even
  - enter and search any premises occupied by a responsible party, carry out any inquiries at those premises that the Regulator sees fit, and issue any required warrants.
It is important to note that the Regulator cannot seize or use in evidence any communications/documents subject to legal professional privilege.
- The Regulator is empowered to secure settlements between complainants and responsible parties (with or without conducting an investigation). A responsible party that can procure an early settlement with the complainant is therefore likely to be able to avoid enforcement action. However, the Regulator may decline to accept a settlement reached without its involvement, particularly where there are allegations of gross violations of POPIA. It is accordingly important to take proper legal advice during any settlement process.
- The Regulator can issue enforcement notices, and non-compliance with such a notice is an offence. If the Regulator (after considering any recommendation of the Enforcement Committee) is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject, it may, by way of an enforcement notice, require the responsible party to:
  - take specified steps within a period specified in the notice, or refrain from taking such steps; or
  - stop processing the personal information specified in the notice, or stop processing personal information for a purpose or in a manner specified in the notice, within a period specified in the notice.
Failure to comply with an enforcement notice is an offence and can lead to personal liability for the Information Officer, imprisonment for up to 10 years and/or the imposition of an administrative fine not exceeding ZAR10-million.
- The enforcement process does not preclude a civil action being brought against a responsible party in terms of section 99(1) of POPIA. This means that, in addition to any fine or penalty imposed under the enforcement process, a responsible party may also be held civilly liable for damages by a court. Early settlement and resolution of complaints could therefore be of paramount importance in avoiding costly litigation.
While complaints against responsible parties for breaches of POPIA cannot be entirely prevented, being able to demonstrate compliance with POPIA in the face of a complaint is essential to avoiding liability.
ENSafrica is able to assist your organisation with becoming POPIA compliant through our POPIA Toolkit. ENSafrica also provides comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, incident response plans and coaching, contracts and procedures for businesses, information officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.
Executive | Dispute Resolution
+27 82 787 9792
Senior Associate | Corporate Commercial
+27 82 509 6565