The information regulator briefed the public and the media on 11 September 2024 on some enforcement activities over the last quarter (since 1 April 2024). The central theme was that the regulator has taken various enforcement actions but hasn’t succeeded in holding anyone accountable through fines or imprisonment. The regulator is working hard and is having a significant impact, but many organisations are still not complying and are not being punished for their failures.

The regulator said that the time had come to be firm. The regulator wants to be taken seriously and fine people. However, as of today, no organisation has paid a fine or been imprisoned for failing to comply with the two pieces of legislation the regulator regulates. Until there are consequences, non-compliance will continue. The regulator is, however, investigating and aims to increase its enforcement power by asking Parliament to increase its powers.

Whilst the regulator is working hard, they are not successfully taking action against infringers.

The regulator has conducted compliance assessments

Since April 2024, the regulator has done many compliance assessments for both PAIA and POPIA on its own initiative.

  • The regulator has conducted over 30 PAIA compliance assessments, including against:
    • three social media platforms (Google, Facebook & TikTok), and
    • 17 law firms, including the top five law firms in South Africa.
  • The regulator has assessed Schedule 2 public entities such as the Development Bank of Southern Africa, ESKOM, Telkom SA, and Transnet.
  • The regulator assessed Lancet Laboratories and issued them a POPIA enforcement notice regarding breach notification.
  • The regulator conducted a POPIA compliance assessment against WhatsApp.
  • The regulator looks into the security safeguard measures when conducting a compliance assessment. Organisations must be ready to demonstrate this to the regulator as the regulator assesses them.

A key question is – Who must comply with PAIA? Organisations based outside South Africa have argued that they do not need to comply with it.

The regulator has investigated PAIA complaints

The regulator has investigated a complaint against Sibanye Stillwater Ltd and the Department of Mineral Resources & Energy regarding its failure to provide access to its annual compliance reports on community projects, and the regulator has referred it to the enforcement committee.

The regulator is currently investigating complaints against X (formerly known as Twitter), Meta, and Google for their failure to provide information regarding the South African elections.

The regulator has issued notices

The regulator has issued a PAIA enforcement notice against the SSA, which has taken it on review.

The regulator has issued four POPIA enforcement notices since April 2024 against a variety of organisations.

  1. Blouberg Municipality (former employee).
  2. Lancet Laboratories (security compromises and poor breach notification).
  3. IEC (inadequate security and breach notifications).
  4. WhatsApp (lesser protection to South Africans).

If you want to avoid a fine, comply with the enforcement notice.

The regulator cannot enforce PAIA enforcement notices

The regulator cannot enforce PAIA compliance notices and is therefore asking Parliament to change the law. The regulator was only created after PAIA was enacted and therefore does not have the same powers under PAIA as it does under POPIA.

No infringing party has paid a fine or been imprisoned

The regulator has only fined one infringer (the DoJ), but the DoJ has not paid the fine. Instead, they have taken the DoJ infringement notice on review. So this means that still, not a single person or organisation has been fined for an infringement of POPIA. The regulator explained that one of the reasons is that there is a “grace period”. In other words, the regulator must first send an enforcement notice, and only if the infringer does not comply can the regulator fine the organisation.

The regulator wants to change the law so that it can fine an infringer immediately.

Regulator cannot take action against those who do not submit PAIA reports

The regulator stressed that PAIA reports are important and that all public and private bodies must submit PAIA reports annually. There are still low levels of compliance (by public bodies, political parties and private bodies) but there isn’t much the regulator can do to force compliance or punish people for non-compliance. The regulator will approach Parliament to get more power to enforce.

Stopping SPAM telephone calls

The regulator spoke in some detail (especially in answering questions) about the status of the Guidance Note on Direct Marketing. The regulator appears to be sticking to its guns and a fight is looming.