Attention on complying with the Protection of Personal Information Act no 4 of 2013 (Popia) may have subsided – and most of us have received our fair share of consent notices.
But now that the initial fuss has died down, it's worth considering the consequences on responsible parties if they fail to comply with the Act.
What constitutes an offence?
Offences in terms of the Act include:
- hindering or obstructing or unlawfully influencing the Information Regulator;
- failing to comply with an enforcement notice;
- lying under oath or failing to attend hearings; and
- unlawful acts by responsible parties or third parties in connection with account numbers.
A possible loophole?
Popia takes a peremptory approach in obliging responsible parties to protect a data subject's right to privacy by – among other things – registering an Information Officer and processing personal information in terms of eight conditions set out in Popia.
But there is a potential gap here: a failure or omission to comply with the substantive provision of the Act - including the provisions of the legislation which require responsible parties to collect personal information directly from a data subject, or notify that subject when collecting personal information - are not included in the above listed offences in Section 100 of Popia.
Does this mean you can fail to collect information directly from the data subject? Or fail to notify them when you do?
Not necessarily. Section 109 of Popia empowers the Information Regulator an administrative fine in instances where a "responsible party is alleged to have committed an offence in terms of this Act".
Section 109 does not, as opposed to section 100, refer to specific sections in Popia to which it applies – and in our view, this means section 109 may be applicable to a contravention of any section of Popia.
Although Section 109 appears to provide an answer to the question of consequences of non-compliance, it is not without flaws.
- The penalties set out in Section 100 are criminal in nature and must, thus, be handed down by a court and are, in our view, more severe;
- The powers of the Information Regulator are limited only to Section 109. In terms of Section 109 the Information Regulator may only impose a fine;
- However, in order to impose the fine or act in any manner in terms of Section 109, the Information Regulator must first issue a responsible party an infringement notice; and
- The above infringement notice must "specify the particulars of the alleged offence".
How are offenders caught?
This means a responsible party must first have contravened Popia and a data subject must then bring the contravention to the attention of the Information Regulator. The Information Regulator may then deliver the infringement notice with the necessary details of the contravention and then investigate the alleged offence and determine an appropriate fine.
Arguably, the necessity for there first to be a contravention of Popia creates a legal lacuna for responsible parties. In this regard, in so far as a responsible party’s non-compliance with Popia is never reported by a data subject, the responsible party may, arguably, escape the obligations imposed by Popia and, in turn, the possibility of being levied with a fine.
However, Section 89 of Popia also empowers the Information Regulator, at his/her own initiative, to assess whether or not a person is processing personal information in accordance with Popia. Whether or not the Information Regulator is resourced to conduct such investigations, address reported alleged contraventions, as well initiate its own investigations without first receiving a request from, inter alia, a data subject to do so remains to be seen.
However, taking into account the recent media attention that Popia has received and the fact that consumers are more aware of legislation aimed at protecting their rights, a responsible party who intends on avoiding liability on the basis that "I will never get caught" may find themselves on the receiving end of an infringement notice, followed by an administrative fine but also a sentence of imprisonment.
Zamathiyane Mthiyane, Senior Associate and Neil Kirby, Direct and Head of Healthcare and Life Sciences at Werksmans Attorneys. Views are their own.