
SA firms ‘blatantly’ not adhering to POPIA, says InfoReg

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 31 Jan 2023

South Africans continue to be inundated with unsolicited calls and direct marketing by means of electronic communication.

This is despite the country’s data privacy legislation − the Protection of Personal Information Act (POPIA) − being in effect, according to the Information Regulator.

Responding to ITWeb’s request for comment on the occasion of International Data Privacy Day, the regulator reveals there is a high volume of complaints received relating to unsolicited calls and direct marketing.

Unsolicited direct marketing messages do not comply with the provision of section 69 of POPIA, which prohibits direct marketing by means of unsolicited electronic communications. This includes automatic calling machines, fax machines, SMSes or e-mail, unless the data subject has given their consent to the processing, or is a customer of the responsible party.

The sale of personal information is another data privacy contravention the regulator is witnessing. This, it says, has led to it working closely with the National Credit Regulator on reported cases.

In addition, the regulator is concerned by the increased rate in security compromises (data breaches) and over-processing of personal information.

Says the regulator: “Responsible parties are blatantly not adhering to this condition for lawful processing of personal information, which speaks to processing limitations. This is with reference specifically to minimality, which states that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”

Initiated in 2007, Data Privacy Day is an international effort commemorated annually on 28 January, to create awareness of the importance of respecting privacy, safeguarding data and enabling trust.

The day is dedicated to reminding nations, businesses and individuals of the importance of good data protection practices. This year was the second year that SA marked International Data Privacy Day since POPIA came into law.

Challenges abound

The Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.

The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious financial implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Even though POPIA came into force on 1 July 2021, the regulator admits to challenges in enforcing the data privacy law.

Among these is the non-responsiveness of responsible parties to information notices (section 90 of POPIA), it reveals. “An information notice is issued by the regulator to the responsible party who has interfered or is interfering with a data subject’s personal information, and the regulator issues the notice to obtain more information from the responsible party in regard to the incident.

“The delay or non-responsiveness by responsible parties within the stipulated timeframe (21 days) delays investigation, and therefore the processing of complaints and subsequently enforcement.

“It is an offence to not respond to an information notice and is an obstruction to the regulator being able to conduct investigations, and as such, those responsible parties are being handed over to the enforcement committee and possible fines will be imposed.”

Amid the spate of data compromises in SA, the regulator last June revealed none of the perpetrators had been brought to book, indicating no fines had been issued.

Not much has changed since last year, with the regulator saying: “There are cases that are currently being processed by the Enforcement Committee. No fines have been issued yet.”

Raising awareness

To ensure data subjects are aware of the data privacy laws, the regulator says it’s conducting a public opinion survey on the right to privacy as it relates to the protection of personal information.

“The opinion survey will assist the regulator with evidence-based levels of understanding by the public on POPIA, the regulator’s powers and functions. This will enable us to have an accurate basis for understanding the range of different needs among communities and thereof implement improvements to our public education and outreach programmes.”

In addition, the regulator says it is concentrating on creating awareness in the community and has prioritised heightened awareness to disadvantaged groups and communities.

“We recently held community awareness [sessions] in Soweto and uMshwathi in KwaZulu-Natal. As part of International Data Privacy Day, we hosted an engagement with children on their right to privacy and online safety.”

The regulator concludes: “We are conducting various assessments on our own initiative…on public and private bodies. Some of the assessments on these bodies are a direct response to the consistent complaints made by data subjects.”