17 years later, POPI Act delays continue

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 16 Jan 2020
South Africans’ personal data has repeatedly been exposed to third-parties.
South Africans’ personal data has repeatedly been exposed to third-parties.

Seventeen years after the process of formulating the Protection of Personal Information Act (POPIA) started, there is still no commencement date for the much-anticipated data protection law in SA.

The country is still waiting for the law to become fully operational, while the information regulator remains incapacitated to deal with the increasing number of data breaches besetting the country.

Although there are still no clear indicators as to when the long-awaited law will come into force, there have been some recent POPI Act-related developments.

The POPI Act will only commence on a date to be determined by the regulator by proclamation in the Government Gazette.

The Information Regulator in December published, for comment, draft guidelines to develop codes of conduct under the POPI Act. The submission of comments closes tomorrow at 4pm.

The guidelines set out the form and contents to which the codes of conduct must adhere.

Peter Grealy, partner at law firm Webber Wentzel, says for example, according to the guidelines, a code of conduct could provide clarity to an industry or body as to how the conditions for the lawful processing of personal information are to be applied and complied with, given the particular features of an industry or body in which the responsible parties are operating.

Toothless regulator

Nonetheless, while the wait for the law continues, South Africans’ personal data – which the POPI Act seeks to protect – has repeatedly been exposed to third-parties.

For example, only last month, Conor, a subsidiary of JSE-listed IT company Adapt IT, suffered a data breach that exposed users’ data.

GPS and fitness accessory maker Garmin SA last year exposed personal data of about 6 700 South Africans.

In 2018, insurer Liberty also fell victim to unauthorised access to its IT infrastructure by an external party.

In 2017, the personal information of about 30 million South Africans was compromised.

In most of the incidents, the chairperson of the Information Regulator, advocate Pansy Tlakula, lamented the office was not yet fully functional to deal with the issues.

John Giles, managing attorney at Michalsons.
John Giles, managing attorney at Michalsons.

When the POPI Act is in force, businesses that don't comply, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and even a jail sentence of up to 10 years, depending on the seriousness of the breach.

The purpose of the POPI Act is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way.

More harm than good

John Giles, managing attorney at law firm Michalsons, says the POPI Act process started in about 2003 and the law was enacted in 2013.

“The information regulator was appointed on 1 December 2016. So it has now been 17 years since the process started and POPIA is still not in effect.”

Giles notes there are many reasons for the delays in the POPI Act but it is imperative to look to the future.

“At the moment, more harm than good is being done due to POPIA not being in effect. The harm being done is to data subjects, companies and the country as a whole. We can't afford to delay it any more. Ready or not, we need to make POPIA effective. Everyone needs to start reading it and applying it.”

Priyanka Naidoo, associate designate at Norton Rose Fulbright, comments that 2013 was the year the POPI Act was officially passed.

However, she notes that only some aspects of the POPI Act came into force. The sections of POPI that are in force are only those that established the regulator and her office, she notes, pointing out the substantive sections that relate to the requirements of how organisations should process information are not in force yet.

“We have just been waiting for the regulator to get her ducks in a row. Over the past years, the regulator has been slowly setting up her office. We think now that the organisational structure of the regulator’s office has been finalised, it shouldn’t be too long before the president signs the law.”

Penalty provisions

According to Naidoo, globally, the world is moving towards data protection, privacy and security. POPI remains mostly consistent with the instruments that are already out there; for example, Europe’s General Data Protection Regulation.

“The only harm these delays are causing is that POPI doesn’t have the teeth in regards to penalty provisions. Elsewhere in the world, if you don’t comply with data privacy laws, you face very severe penalties.

Priyanka Naidoo, associate designate at Norton Rose Fulbright.
Priyanka Naidoo, associate designate at Norton Rose Fulbright.

“Now that the law isn’t in force, a number of companies that are responsible for processing people’s personal information see no need to comply with the law as there are no penalties yet.”

However, she says an increasing number of organisations have started complying even if it’s not yet in force. “This is mainly because it makes a lot of sense for any company to comply with this law because it shows transparency, which is good for investments.”