More POPIA fines on the horizon, warns InfoReg


The Information Regulator says the historic R5 million fine imposed on the Department of Justice and Constitutional Development (DoJ&CD) is just the beginning. This week, the information watchdog slapped the government department with the multimillion-rand mulct for breaching the country’s Protection of Personal Information Act (POPIA). This is the first time a South African organisation has been fined under the country’s POPIA data privacy law. Following the penalty, Nomzamo Zondi, spokesperson of the Information Regulator, told ITWeb that more such fines are coming for organisations that violate POPIA.

In the case of the DoJ&CD, it was fined after it failed to take measures to protect personal information following a ransomware attack in 2021.

The regulator had asked the department to update its anti-virus software, SIEM licence, as well as its intrusion detection system following the cyber attack.

The enforcement notice was issued on 9 May, and the DoJ&CD was given 31 days to put its house in order.

However, according to the information watchdog, after 31 days, the department had not done anything to patch up its IT systems.

This left the regulator with no choice but to issue the fine to the department.

ITWeb’s efforts to get a response from the DoJ&CD after the fine was issued on Monday have been unsuccessful.

POPIA sets down firm frameworks that organisations have to abide by to avoid fines, criminal prosecution and potential reputation loss.

Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.

Bracing for more

Shamaa Sheik, attorney and head of legal monitoring at law firm Michalsons, believes more fines are coming for organisations that fail to comply with POPIA enforcement notices.

As an example, she says the South African Police Service (SAPS) was also recently issued with an enforcement notice from the regulator.

Last year, the watchdog asked SAPS to provide it with details related to the police releasing the personal information of the Krugersdorp rape victims.

This followed the failure by the SAPS to provide sufficient details by the 15 August deadline, regarding the circumstances that led to the disclosure of the personal information of eight women who were allegedly raped by a mob in West Village, Krugersdorp.

According to Sheik, besides defying an enforcement notice, the other reasons why organisations find themselves being punished include obstructing the regulator’s investigations during a probe, or providing false information.

Ahmore Burger-Smidt, head of regulatory practice for data privacy and cyber at Werksmans Attorneys.

Commenting on the DoJ&CD fine, she says: “The consequences for non-compliance with the enforcement order were clear. If the DoJ did not comply, they would be guilty of an offence, and the regulator may impose an administrative fine of up to R10 million.

“The regulator found the DoJ did not comply with some of the conditions of the enforcement notice issued to them on 9 May 2023. For example, the regulator ordered the DoJ to submit proof that the DoJ renewed their anti-virus licence, the SIEM licence and the intrusion detection system licence.

“The regulator also required the DoJ to institute disciplinary proceedings against the officials who failed to renew the licences. The regulator gave the DoJ 31 days to comply with these orders, but the DoJ failed to do so. The DoJ could have appealed against the enforcement notice, but they did not do so.”

Absolutely justifiable

Asked if the fine is justified, Ahmore Burger-Smidt, head of regulatory practice for data privacy and cyber at Werksmans Attorneys, says: “Absolutely. The mere fact that the DoJ did not abide by the law itself points to the justifiability.”

She points out that the POPIA legislation is very clear on the way forward once a party does not comply with an enforcement notice.

On more POPIA fines being on the horizon, Burger-Smidt believes this would depend on what the parties do.

“Clearly, the fine signals to all parties that if you ignore an enforcement notice, there will be consequences and that the Information Regulator will use its powers to enforce the legislation.

“This outcome is positive. The Information Regulator has been questioned in society as to why people do not see action. We tend to forget there is a process to be followed and the current example is a clear demonstration of the process to get to the Information Regulator issuing a fine. It serves as a learning opportunity for all to understand the application of the POPI Act,” says Burger-Smidt.

Meanwhile, EWN reports the Democratic Alliance says it’s a disgrace that the justice department has been slapped with the R5 million fine for not protecting personal information.

According to the publication, the party’s justice spokesperson, Glynnis Breytenbach, says she is pleased the Information Regulator has issued its first fine in its two years of operation.

“We’ve been watching almost with bated breath for nearly two terms [for the InfoReg] to do something and now they’ve done something, so I’m very happy,” EWN quotes Breytenbach as saying.

What is INFO-CRYPT?

  1. INFO-CRYPT is a secure real-time identification service that offers organisations a complete identity management solution that is automatically PoPiA legislation compliant.
  2. INFO-CRYPT identification uses proprietary encryption and blockchain to secure identification and authority data.
  3. INFO-CRYPT also offers an Identity Event Audit Trail to manage authority and automatic governance.
  4. KiT offers easily implemented, cost-effective integration solutions to organisations that want to implement the INFO-CRYPT identity management solution, no matter what their legacy infrastructure is.
  5. NB! INFO-CRYPT does not sell "biometric solutions" ... INFO-CRYPT offers full Identity, Authority, Governance and Privacy Management Solutions!
  6. INFO-CRYPT is a Private Data Trust offering the individual a safe, non-invasive way to securely store their natural identity elements along with their personal information in an encrypted identity vault running on blockchain.
  7. This allows the enrolled individuals to identify themselves safely in real time and easily access secure services offered by subscribed organisations while protecting themselves from ID fraud and privacy invasion.
  8. With INFO-CRYPT the individual automatically has their identity with them at all times, without the need to carry objects like keys, cards, Identity Documents or even cash, as INFO-CRYPT does Natural Human Element Identification.
  9. INFO-CRYPT enables any enrolled individual to instantly interact with any subscribed organisation utilising the INFO-CRYPT identification platform.
  10. Entrust INFO-CRYPT with protecting your Privacy and your Identity!
