This week the Information Regulator issued its first fine. It fined the Department of Justice R5 million for failure to renew antivirus software as instructed. This comes after the deadline for submission by all public and private bodies of a section 32 report under the Promotion of Access to Information Act (‘PAIA’). These acts clearly indicate the approach of the Information Regulator in making sure that the requirements of the Protection of Personal Information Act (‘POPIA’) are followed in South Africa.
The Information Regulator is charged with the administration of both POPIA and PAIA. Its recent request for private bodies to submit a section 32 report under PAIA is a departure from the original mandate of this only being required to be done by public bodies. We feel that the Information Regulator did this to ensure that all private entities registered their Information Officer on the new portal. The submission of the section 32 report was not possible until the Information Officer was registered on the new portal. The Information Regulator was left with volumes of manual Information Officer registrations after their original portal crashed prior to the deadline for registering Information Officers last year. The move to force private bodies onto the new portal indicates the intention of the Information Regulator to enforce POPIA proactively.
Unlike other domestic legislation, POPIA is a piece of legislation driven by two imperatives, one, an internal imperative to align the right to privacy enshrined in our Constitution with the ability to enforce such rights as an ordinary citizen and two, an external imperative to align with the international data privacy framework. The second imperative requires the Information regulator to demonstrate a proactive and enforced approach to protecting data privacy. In order for barriers to trade to be removed, POPIA (and the enforcement thereof) need to have adequacy rulings under the EU and UK General Data Protection Regulation. Without a demonstrable record of enforcing compliance with POPIA, this will not be achieved. As such it is our view the recent actions of the Information regulator show evidence of their ability and intention to enforce compliance with POPIA.