The Information Regulator published a notice calling for comments on the draft POPIA Rules for the Enforcement Committee (Committee). The draft Rules outline the Procedure that the Enforcement Committee must follow when the regulator refers a POPIA complaint to them for a finding and recommendation.

The deadline for submitting comments is 24 March 2023.

We will update this post when the regulator publishes the final version of the Rules.

Purpose of the draft Rules

The purpose of the Rules is to ensure that the Committee operates in a fair and transparent manner, and that it has the necessary powers to investigate and enforce compliance with POPIA.

What do the draft Rules cover?

Role of the Committee

  • The primary role of the Enforcement Committee is to investigate and decide on POPIA complaints that the regulator may refer to them.
  • The Committee is also responsible for conducting inquiries, making a finding, and then making recommendations to the regulator in respect of complaints. Once the regulator refers a complaint to the Committee, the Committe must make a finding and submit its recommendation to the regulator withing 90 calendar days.
  • The Committee will make all their hearings public unless the Chairperson decides otherwise.

We finally have a first glimpse of what an Enforcement Notice may look like!

Structure of Enforcement Notice

Yes! After months of wondering what an Enforcement Notice may look like, we finally have a detailed draft to look at. The Enforcement Notice has six components:

  1. Part A will state how a data subject’s personal information has been interfered with. For example, the Committee can conclude that someone has infringed a data subject’s rights by breaching the conditions for the lawful processing of personal information, not complying with certain provisions under POPIA, or breaching a provision of a Code of Conduct.
  2. Under Part B, the Committee provides reasons for its conclusion.
  3. Part C will state the Committee’s order. For example, the Committee can order the responsible party to:
    • Stop processing the data subject’s personal information.
    • Destroy or delete the data subject’s personal information.
    • Correct or update the data subject’s personal information.
    • Take steps to prevent future breaches.
  4. If the matter is urgent, the Committee can order the responsible party to comply with the Notice urgently by providing reasons. (Part D)
  5. Part E has time frames for the responsible party to comply with the Notice. It’s either 30 days or four days (probably for urgent matters but it does not say).
  6. The Committee informs the responsible party of their right to appeal the Notice under Part F.

The Enforcement Notice does not have provisions for administrative fines. This is what Infringement Notices are for.

The rules are 45 pages long. It also provides guidance on several other matters. For example:

  • the format and submission of complaints,
  • the investigation process, and
  • the rights of parties involved.

The regulator’s secretariat will provide secretarial services to the Committee. The secretariat will also be responsible for managing the Committee’s records and for issuing and serving summons.

Actions you can take

  • Dive into the details of the Rules by downloading it.
  • Submit your comments on the draft Rules by 23 March 2023 to Mr Jaco Jansen by email.