The Protection of Personal Information Act (POPIA) legislation has to be amended, so that a fine is imposed immediately once a violation has been determined.
This is according to advocatePansy Tlakula, chairperson of the Information Regulator (InfoReg), addressing a media briefing yesterday, at its head office in Braamfontein.
Tlakula was responding to a question as to what SA’s data privacy enforcer can learn from the European Union’s General Data Protection Regulation (GDPR), in an effort to improve privacy safeguards through POPIA.
The chairperson explained POPIA is closely fashioned to the GDPR legislation; however, the South African law offers a grace period, which is where she thinks the problem lies.
“In terms of the GDPR, a fine is levied immediately once there is non-compliance. When we issue our enforcement notice as the regulator, we give the responsible party a time period within which they must comply. If they don’t comply within that time period, we then issue a fine.
“What we’re seeing is that in all these security compromises that we are investigating and the compliance assessments, we provide the timeframe for compliance and 99.9% of the time those people will comply, so we can’t fine them. However, they then suffer another data breach.
“I think the law [POPIA] has to be amended and it has to be like the GDPR. We were still learning; it was a new piece of legislation and we were still trying to see how it works, but we have done that in the past seven/eight years. The time has come for us to be firm.”
As a result, the InfoReg willmake a proposal to Parliament to issue a fine immediately once an investigationor assessment has shown a violation of the law.
“I think once we start doing that, or once the law provides that, I tell you most private and public bodies will sit up and they will ensure they comply.”
The InfoReg, headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans under POPIA.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business – repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
In June 2023, the InfoReg imposed its first historic R5 million fine on the Department of Justice and Constitutional Development for breaching POPIA.
Since then, there have been no further fines against POPIA transgressors, although enforcement notices have been issued against TransUnion, Dis-Chem, Lancent Laboratories and WhatsApp.
InfoReg executive for POPIA Tshepo Boikanyo explained: “An enforcement notice issued by the Information Regulator contains certain directives; the responsible party is then afforded a particular timeframe within which to comply with the directives.
“If the responsible party doesn’t comply with those directives after the period has expired, the Information Regulator may issue an infringement notice.”
Tlakula said the timeframe in the enforcement notice is determined by the regulator, as it is not stipulated in the law. “When we issue an enforcement notice, we look at the facts of that particular case and determine whether they should comply within 60 or 90 days.”
She noted there is no specific timeframe as to when the InfoReg will approach Parliament, adding there is no surety on what the attitude of the lawmakers will be once the proposal is made.
“All we can do is to say to them: these are the loopholes that we’ve found and we propose that the law be amended. The loopholes have already been identified.” she stated.
InfoReg CEO Mosalanyane Mosala highlighted it’s a planning issue, and the planning season started in September. “We will go into the new financial year to determine that…we haven’t as yet determined the period [to go to Parliament].”