On Friday, 6 October, I listened in on an interesting interview with Adv Pansy Tlakula. She shared some interesting insights about the regulator’s work, the status of certain enforcements and some projects they are working on. I decided to share some of the highlights from her interview with you.

POPIA and PAIA Judgments are coming

POPIA

In July this year, the information regulator issued an infringement notice on the Department of Justice (DoJ) where it fined them R5 million for non-compliance with an order in an enforcement notice against the DoJ. The DoJ will be challenging the fine in court. According to Adv Tlakula, the DoJ is taking the matter on review.

  • If a matter goes on appeal, the court will look at the case’s merits. For example, courts look at the law and how the regulatory body applied the law to the facts of a matter.
  • If it goes on review, the court looks at whether the process [in this case, deciding to fine the DoJ] was fair. The court will look to see if there were any irregularities, were there elements of one party being unreasonable?

The POPIA Regulations and the Rules of Procedure for Handling Complaints do not make provisions for “taking a matter on review”. An aggrieved party can take an enforcement or information notice on “appeal”. It will be interesting to see how the court interprets this provision because section 109 does not state whether a party can appeal or review an infringement notice. It only states that an infringer can take the matter to court.

PAIA

The record label company Risa Audio Visual Licensing NPC (RAV) will be challenging their enforcement notice in court. Earlier this year the regulator issued an enforcement notice against RAV ordering the company to disclose records relating to royalties to requesters.

All is well with Dis-Chem

You’ll recall that Dis-Chem was very disgruntled when the regulator issued the enforcement notice against them. However, Dis-Chem has provided proof of compliance with the enforcement notice orders to the regulator.

Data breaches are at a record high

The regulator has received more than 1000 reports of security compromises. They’ve since set up the Security Compromise Unit to focus on data breach reports. Adv Tlakula reminded listeners that even single instances of breaches must be reported. If your employees negligently share personal data, it is a data breach and you must report it.

Failure to report a data breach that impacts personal data is a criminal offence.

Global Privacy Assembly

The regulator will be traveling to Bermuda soon. South Africa is a member of the Global Privacy Assembly, and the regulator wants to put Africa on the map. Therefor they’ve put their names forward to be part of the executive. Adv Tlakula says that SA has tough competition but she’s optimistic.