Information Regulator too lenient with POPIA transgressors
Today marks exactly one year since South Africa’s data privacy law came into force, but not a single entity has faced the wrath of this legislation.
While the Protection of Personal Information Act (POPIA) is touted as a world-class piece of legislation that is on par with similar laws, such as the European Union’s General Data Protection Regulation (GDPR), SA’s Information Regulator seems too lenient to fully bring to book transgressors of this law.
This is despite South African organisations facing countless data breaches since POPIA came into play on 1 July last year.
Headed by advocate Pansy Tlakula, the Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.
As of 30 June 2021, the Information Regulator took over the regulatory mandate functions relating to the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission.
Following a one-year grace period to comply with POPIA, organisations that do not meet the conditions prescribed by the legislation will be held liable.
Previously, the Information Regulator did not have the teeth to deal with violators of the data privacy law.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business – repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
However, it came as a surprise when the Information Regulator this week during a media briefing announced that none of the organisations that suffered a data breach have been fined.
According to the Information Regulator, since 1 July last year, it has been notified of 330 reports of security compromises. Nonetheless, not even a single entity has paid the price.
Said Lebogang Stroom-Nzama, advocate and full-time member at the Information Regulator: “We can levy fines up to the maximum of R10 million but we haven’t levied any fines at this stage.”
One would have thought that with the escalating number of breaches, the Information Regulator would have flexed some muscle to show it is in control.
How will the public trust that their information will be kept safe when the regulator is not showing any teeth amid all these breaches?
Organisations such as TransUnion and Experian have exposed millions of people’s personal information to cyber criminals, but the Information Regulator has not even flinched.
Personal identifiable data that was retrieved from retailer Shoprite is being sold on the dark web, but the watchdog is not still taking action.
Worse yet, Experian has been a repeat offender, with its compromised data being dumped on public platforms, getting nothing more than a reprimand from the Information Regulator.
In some instances, companies only report data breaches or leaks to the watchdog after the news had been widely reported in the media.
So how will the public trust that their information will be kept safe when the regulator is not showing any teeth amid all these breaches?
The companies were given a one-year grace period to comply with POPIA, but one wonders why they are still not keeping their customer data safe.
When the organisations see there are no consequences for violating POPIA, they will continue dishing out personal information to cyber criminals and still walk away scot-free.
Why take a patient approach on the violators when there is a law in place specifically for those transgressions? What would it take for the Information Regulator to eventually bring someone to book? Perhaps we are still in the grace period…
While South African organisations continue to be reckless with personal information, Tlakula, during the press briefing, said POPIA is on par with international data protection and privacy laws.
“It compares quite favourably with the General Data Protection Regulation, which people put out there as the ultimate data protection law, but ours is better.”
How is it better when local organisations seem to be behaving with such impunity?
Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million (R342 million), or 4% of worldwide turnover for the preceding financial year.
According to e-mail security firm Tessian, since the GDPR took effect in May 2018, there have been over 900 fines issued across the European Economic Area and the UK. It notes that GDPR fines have ramped up significantly.
Some of the biggest fines imposed under the GDPR include Amazon (€746 million), WhatsApp (€225 million), Google Ireland (€90 million), Facebook (€60 million) and Google LLC (€60 million).
It is through such hefty fines that organisations at home will start taking data privacy seriously. They should start understanding that personal information is something they need to safeguard at all cost.
Besides failing to punish organisations, the Information Regulator has also been accused of taking too long to resolve queries brought to it by data subjects.
However, the regulator defended itself by saying there is a rapid increase in the demand for its services. These include the processing of POPIA complaints, the investigation of data breaches, PAIA complaints, applications for prior authorisations, applications for codes of conduct, applications for exemptions and applications for registration of information officers.
Surely, if the Information Regulator is up to the task, the public needs to see some repercussions for those that are negligent with the handling of sensitive data. How can an organisation, for example, get away with using the word “password” as their password and get hacked in the process, as alleged by TransUnion’s hackers?