Justice dept takes on InfoReg over R5m POPIA fine

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 10 Oct 2023
The Information Regulator issued the justice department with a R5 million fine.
The Information Regulator issued the justice department with a R5 million fine.

The Department of Justice and Constitutional Development (DoJ&CD) and the Information Regulator are at loggerheads over a multimillion-rand fine.

The DoJ&CD has decided to challenge a R5 million fine imposed on it earlier this year for allegedly contravening South Africa’s data privacy law − the Protection of Personal Information Act (POPIA).

In July, the information watchdog slapped the DoJ&CD with the historic multimillion-rand fine following its alleged failure to comply with an enforcement notice issued by the regulator on 9 May.

At the time, the regulator said it issued the enforcement notice following the finding of the contravention of various sections of POPIA by the DoJ&CD.

The enforcement notice had required the DoJ&CD to submit proof to the regulator within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence and the intrusion detection system licence have been renewed.

It also required the department to institute disciplinary proceedings against the official/s who failed to renew the licences, which are necessary to safeguard the department against security compromises.

Broad attack consequences

The enforcement notice came after the department suffered a ransomware attack on its IT systems in 2021, leading to all its information systems being encrypted and unavailable to internal employees, as well as members of the public.

As a result of the attack, all electronic services provided by the department were affected, including the issuing of letters of authority, bail services, e-mail and the departmental website.

At least 1 200 files containing the names, banking details and contact details of those who had submitted personal information to the DoJ&CD were compromised during the ransomware attack.

Shamaa Sheik, attorney and head of legal monitoring at Michalsons.
Shamaa Sheik, attorney and head of legal monitoring at Michalsons.

The attack also spilled over to the office of the Information Regulator, disrupting the watchdog’s IT systems. This resulted in the regulator’s website being unavailable for three days, while the e-mail system went offline.

In a statement, the DoJ&CD says it considered its options after receipt of the infringement notice.

“It was decided to challenge the fine and a review application was launched to set aside both the decisions to issue the enforcement notice and the infringement notice in terms of section six of the Promotion of Administrative Justice Act, 2000 (Act No 3 of 2000),” the department says.

“It is submitted that the enforcement notice prima facie does not comply with POPIA and it is, therefore, irregular. There is no provision in POPIA in terms of which the Information Regulator may issue a section 89(1) deemed enforcement notice and thereafter issue another, presumably independent, enforcement notice based on the same incident.”

The department further submitted that the Information Regulator did not apply its mind to the application of reasonable time periods in which the orders were to be implemented.

Factors to consider

There is also no proof that personal information was lost, damaged, unlawfully accessed or processed, and subsequently misused to the prejudice of anyone, the department argues.

“It is also submitted that the infringement notice fell short of information required in terms of section 109 of POPIA; for example, specification of offences and the dates of the offences, and there is no indication as to what factors were taken into consideration when the Information Regulator decided on the amount of the fine.

“The decision to proceed with a review application was not taken lightly. It is premised on the precedent this case sets and the interpretation of POPIA and the flawed process followed by the Information Regulator.

“If it is not challenged, the implications for the work of the Information Regulator itself and all entities will be negatively impacted.”

The application was issued on 29 September, and was delivered to the sheriff on 2 October for purposes of serving it on the Information Regulator.

Responding to ITWeb on the latest development, Nomzamo Zondi, spokesperson of the Information Regulator, confirmed the department has taken the watchdog’s decision to fine it on review.

“The regulator is an independent statutory body that is accountable to the National Assembly and is not an entity of the department,” she says.

“The department and the regulator have an administrative arrangement in terms of management of its funds received from National Treasury, and this is due to the regulator not being listed in terms of the Public Finance Management Act as yet.”

Pay up or fight in court

Shamaa Sheik, attorney and head of legal monitoring at Michalsons, comments that under POPIA, the infringement notice will contain full particulars of the responsible party, details about the offence, and the amount of an administrative fine the party must pay.

She notes that anyone who receives an infringement notice has options available to them – they can pay the fine, or make a payment arrangement with the regulator to pay the fine in instalments.

“Clearly, the DoJ has opted to take the matter to court, as is their rights in terms of section 109(d) of POPIA,” Sheik says.

“The court may agree with the fine, it may reduce the fine, or it may overturn the regulator’s decision.”

Sheik adds the DoJ&CD has said it is taking the matter to court to review the fine. She points out there is a difference between an appeal and a review process.

“If a matter goes on appeal, the court will look at the case’s merits. Courts look at the law and how it was applied to the facts of a matter.

“If it goes on review, the court looks at whether the process [in this case, deciding to fine the DoJ&CD] was fair. The court will look to see if there were any irregularities; was there elements of one party being unreasonable?

“I will say though that POPIA Rules of Procedure for Handling Complaints does not refer to ‘taking a matter on review’ but a person can take an enforcement or information notice on ‘appeal’.

“It will be interesting to see how the court interprets this provision, because section 109 does not state whether a party can appeal or review an infringement notice. It only states that an infringer can take the matter to court,” she concludes.