More POPIA fines on the horizon, warns InfoReg
The Information Regulator says the historic R5 million fine imposed on the Department of Justice and Constitutional Development (DoJ&CD) is just the beginning.
This week, the information watchdog slapped the government department with the multimillion-rand mulct for breaching the country’s Protection of Personal Information Act (POPIA).
This is the first time a South African organisation has been fined under the country’s POPIA data privacy law.
Following the penalty, Nomzamo Zondi, spokesperson of the Information Regulator, told ITWeb that more such fines are coming for organisations that violate POPIA.
In the case of the DoJ&CD, it was fined after it failed to take measures to protect personal information following a ransomware attack in 2021.
The regulator had asked the department to update its anti-virus software, SIEM licence, as well as its intrusion detection system following the cyber attack.
The enforcement notice was issued on 9 May, and the DoJ&CD was given 31 days to put its house in order.
However, according to the information watchdog, after 31 days, the department had not done anything to patch up its IT systems.
This left the regulator with no choice but to issue the fine to the department.
ITWeb’s efforts to get a response from the DoJ&CD after the fine was issued on Monday have been unsuccessful.
POPIA sets down firm frameworks that organisations have to abide by to avoid fines, criminal prosecution and potential reputational loss.
Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.
Bracing for more
Shamaa Sheik, attorney and head of legal monitoring at law firm Michalsons, believes more fines are coming for organisations that fail to comply with POPIA enforcement notices.
As an example, she says the South African Police Service (SAPS) was also recently issued with an enforcement notice from the regulator.
Last year, the watchdog asked SAPS to provide it with details related to the police releasing the personal information of the Krugersdorp rape victims.
This followed the failure by the SAPS to provide sufficient details by the 15 August deadline, regarding the circumstances that led to the disclosure of the personal information of eight women who were allegedly raped by a mob in West Village, Krugersdorp.
According to Sheik, besides defying an enforcement notice, the other reasons why organisations find themselves being punished include obstructing the regulator’s investigations during a probe, or providing false information.
Commenting on the DoJ&CD fine, she says: “The consequences for non-compliance with the enforcement order were clear. If the DoJ did not comply, they would be guilty of an offence, and the regulator may impose an administrative fine of up to R10 million.
“The regulator found the DoJ did not comply with some of the conditions of the enforcement notice issued to them on 9 May 2023. For example, the regulator ordered the DoJ to submit proof that the DoJ renewed their anti-virus licence, the SIEM licence and the intrusion detection system licence.
“The regulator also required the DoJ to institute disciplinary proceedings against the officials who failed to renew the licences. The regulator gave the DoJ 31 days to comply with these orders, but the DoJ failed to do so. The DoJ could have appealed against the enforcement notice, but they did not do so.”
Asked if the fine is justified, Ahmore Burger-Smidt, head of regulatory practice for data privacy and cyber at Werksmans Attorneys, says: “Absolutely. The mere fact that the DoJ did not abide by the law itself points to the justifiability.”
She points out that the POPIA legislation is very clear on the way forward once a party does not comply with an enforcement notice.
On more POPIA fines being on the horizon, Burger-Smidt believes this would depend on what the parties do.
“Clearly, the fine signals to all parties that if you ignore an enforcement notice, there will be consequences and that the Information Regulator will use its powers to enforce the legislation.
“This outcome is positive. The Information Regulator has been questioned in society as to why people do not see action. We tend to forget there is a process to be followed and the current example is a clear demonstration of the process to get to the Information Regulator issuing a fine. It serves as a learning opportunity for all to understand the application of the POPI Act,” says Burger-Smidt.
Meanwhile, EWN reports the Democratic Alliance says it’s a disgrace that the justice department has been slapped with the R5 million fine for not protecting personal information.
According to the publication, the party’s justice spokesperson, Glynnis Breytenbach, says she is pleased the Information Regulator has issued its first fine in its two years of operation.
“We’ve been watching almost with bated breath for nearly two terms [for the InfoReg] to do something and now they’ve done something, so I’m very happy,” EWN quotes Breytenbach as saying.