EXPLAINER | Can Popia land you in jail? Here's how you may – or may not – get caught

play article
Subscribers can listen to this article
Most of us have received our fair share of consent notices.
Most of us have received our fair share of consent notices.
The Protection of Personal Information Act provides for offenders to be fined or imprisoned. But this also means their offences must be either reported by a data subject, or their conduct must be assessed by the Information Regulator. So just how risky is a contravention? The authors explain.

Attention on complying with the Protection of Personal Information Act no 4 of 2013 (Popia) may have subsided – and most of us have received our fair share of consent notices.

But now that the initial fuss has died down, it's worth considering the consequences on responsible parties if they fail to comply with the Act.

What constitutes an offence?

Offences in terms of the Act include:

  • hindering or obstructing or unlawfully influencing the Information Regulator;
  • failing to comply with an enforcement notice;
  • lying under oath or failing to attend hearings; and
  • unlawful acts by responsible parties or third parties in connection with account numbers.

A possible loophole?

Popia takes a peremptory approach in obliging responsible parties to protect a data subject's right to privacy by – among other things – registering an Information Officer and processing personal information in terms of eight conditions set out in Popia.

But there is a potential gap here: a failure or omission to comply with the substantive provision of the Act - including the provisions of the legislation which require responsible parties to collect personal information directly from a data subject, or notify that subject when collecting personal information - are not included in the above listed offences in Section 100 of Popia.

Does this mean you can fail to collect information directly from the data subject? Or fail to notify them when you do?

Not necessarily. Section 109 of Popia empowers the Information Regulator an administrative fine in instances where a "responsible party is alleged to have committed an offence in terms of this Act".

Section 109 does not, as opposed to section 100, refer to specific sections in Popia to which it applies – and in our view, this means section 109 may be applicable to a contravention of any section of Popia.


Although Section 109 appears to provide an answer to the question of consequences of non-compliance, it is not without flaws.

  • The penalties set out in Section 100 are criminal in nature and must, thus, be handed down by a court and are, in our view, more severe;
  • The powers of the Information Regulator are limited only to Section 109. In terms of Section 109 the Information Regulator may only impose a fine;
  • However, in order to impose the fine or act in any manner in terms of Section 109, the Information Regulator must first issue a responsible party an infringement notice; and
  • The above infringement notice must "specify the particulars of the alleged offence".

How are offenders caught?

This means a responsible party must first have contravened Popia and a data subject must then bring the contravention to the attention of the Information Regulator. The Information Regulator may then deliver the infringement notice with the necessary details of the contravention and then investigate the alleged offence and determine an appropriate fine.

Arguably, the necessity for there first to be a contravention of Popia creates a legal lacuna for responsible parties. In this regard, in so far as a responsible party’s non-compliance with Popia is never reported by a data subject, the responsible party may, arguably, escape the obligations imposed by Popia and, in turn, the possibility of being levied with a fine.

However, Section 89 of Popia also empowers the Information Regulator, at his/her own initiative, to assess whether or not a person is processing personal information in accordance with Popia. Whether or not the Information Regulator is resourced to conduct such investigations, address reported alleged contraventions, as well initiate its own investigations without first receiving a request from, inter alia, a data subject to do so remains to be seen.

However, taking into account the recent media attention that Popia has received and the fact that consumers are more aware of legislation aimed at protecting their rights, a responsible party who intends on avoiding liability on the basis that "I will never get caught" may find themselves on the receiving end of an infringement notice, followed by an administrative fine but also a sentence of imprisonment.

Zamathiyane Mthiyane, Senior Associate and Neil Kirby, Direct and Head of Healthcare and Life Sciences at Werksmans Attorneys. Views are their own. 

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For only R75 per month, you have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today.
Subscribe to News24
Rand - Dollar
Rand - Pound
Rand - Euro
Rand - Aus dollar
Rand - Yen
Brent Crude
Top 40
All Share
Resource 10
Industrial 25
Financial 15
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Voting Booth
Facebook is facing a fresh crisis after a former employee turned whistle-blower leaked internal company research . Do you still use Facebook?
Please select an option Oops! Something went wrong, please try again later.
Yes, the benefits outweigh the risk for me
23% - 159 votes
No, I have deleted it
47% - 329 votes
Yes, but I am considering deleting it
30% - 206 votes