The information regulator may send you a POPIA enforcement notice after investigating you and finding that you have contravened POPIA by failing to lawfully process personal information. In comparison, the information regulator may send you an infringement notice if it believes you have breached a provision of POPIA. An enforcement notice will follow after you have received some of the other notices in the process of your dispute with the regulator. For example, you will have already received an information notice asking you to provide information as part of the regulator’s investigation into your processing activities. Unlike the enforcement notice, receiving an information notice will be one of the first opportunities you have to interact with the regulator and convince them not to pursue any action against you.
By the time you get to an enforcement notice, the regulator will have even consulted with the Enforcement Committee (Committee) and gotten their recommendation to proceed with action against you. For these reasons, getting an enforcement notice is worrying, because it means that the regulator has found evidence that you are not complying with POPIA.
The good news? It is not over. You can still convince the regulator to vary or cancel the enforcement notice.
What is the Enforcement Committee?
POPIA provides for the establishment of an Enforcement Committee (section 93). The Committee will consider all matters that the regulator presents to them. The Committee will then make a finding in respect of the matter. The findings will be presented to the regulator with proposed recommendations. The Committee is empowered to make recommendations to the regulator on proposed actions that the regulator can take against a responsible party or an information officer that infringes on someone’s rights to privacy.
What is a POPIA enforcement notice?
An enforcement notice (section 95) is a written recommendation of actions that the Enforcement Committee sends to the information regulator. It is similar to a ruling from an authority. The enforcement notice sets out requirements for the responsible party to do either or both of the following:
- to take specified steps within a period specified in the notice, or to refrain from taking such steps; or
- to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.
When do you get an enforcement notice?
An enforcement notice is like a train station you get to after having passed various other stops along the way. The information regulator will issue a POPIA enforcement notice to a responsible party on two grounds:
- once the regulator has considered the Committee’s recommendations, and
- the regulator is satisfied that the responsible party has interfered or is interfering with the protection of the personal information of a data subject.
It is highly unlikely that the regulator will issue an enforcement notice if they have not found some wrongdoing on your part.
Can you fight an enforcement notice?
Yes, you can. A responsible party can lodge an appeal against a POPIA enforcement notice by making an application to the High Court to set aside or vary the enforcement notice. It may not be wise to fight an enforcement notice because a High Court application is expensive. But if you are going to fight it, there are a few things to consider:
- The cost and effort involved in a High Court application.
- Reputational harm to your brand or business with a drawn-out court process.
- Approaching the regulator to request a cancellation or variation of an enforcement notice. This is a cost-effective way of resolving a dispute before it gets to litigation. (See section 96 for details.)
Very often, appeals succeed because of procedural issues. Therefore, you should check whether the notice complies with all procedural requirements for service. For example:
- Make sure that the notice contains a statement indicating the nature of the interference with the protection of the personal information of the data subject.
- Ensure that the notice sets out the regulator’s reasons for reaching its conclusion.
If you decide not to fight a POPIA enforcement notice, the regulator will stipulate the timelines to comply with the notice. You must ensure that you promptly comply with the terms set out in the enforcement notice.
Examples of enforcement notices from the Information Regulator
- Blouberg municipality. The municipality was issued an enforcement notice due to the unlawful processing of personal information of a former employee when the employee’s personal information was exposed on the internet.
- Lancet Laboratories. The Information Regulator conducted a POPIA compliance assessment as a result of the number of security compromises Lancet Laboratories experienced. The regulator found that the company failed to comply with the notification requirements in terms of section 22 of POPIA. Lancet Laboratories had also failed to notify the data subjects affected by the security compromise within a reasonable time.
- Electoral Commission. The Information Regulator issued a POPIA enforcement notice on the Electoral Commission following a security compromise that occurred just before the 2024 national and provincial elections.
Actions for you to take
- Respond appropriately to the regulator by asking for our advice.
- Resolve a potential dispute before it spirals out of control for you by asking us to assist you.
- Plan how you will resolve disputes by joining our programme and reading our Resolving data protection disputes module.
- Get more insight into the complaints process by reading the POPIA rules of procedure for complaints.