LIABILITY & POPIA
The Preamble of the Protection of Personal Information Act No 4 of 2013 (“POPIA”) includes that “…the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information” and in order to “regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations…aimed at protecting other rights and important interests,”
We are often asked what the liability for the various parties may be for noncompliance with POPIA and we have provided an overview below however importantly asides from liability compliance with POPIA is good for business in that for example third parties such as customers & clients will feel more comfortable in doing business with organisations which respect privacy.
Types of liability
| Civil Action based on breach of POPIA provisions | Payment of damages, aggravated damages, interest and legal costs (no criminal record arising from this legal action itself) |
| Offences | Governed by principles of Criminal Law – can involve criminal record being received by convicted party. Penalty on conviction involving imprisonment and or a fine |
| Administrative Fine | Addressed by the Regulator, no prosecution provided that the responsible party pays the fine. |
Civil Action
Responsible Party i.e., the Accountable Party for the Processing of Personal Information and which party alone or in conjunction with others, determines the purpose of and means for processing of personal information.
A Civil Action in a court with jurisdiction can be launched for breach of any of the following provisions of POPI whether or not there was negligence or intent on the part of the responsible party:
| Chapter 3 – breach of one or more of the eight conditions for lawful processing of personal information as referred to in chapter 3 of POPI |
| Section 22 -breach of section 22 of POPI addressing notification of security compromises |
| Section 54 – Breach of duty of confidentiality |
| Section 69 – Direct marketing by means of unsolicited electronic communication |
| Section 70 – Directories |
| Section 71 – Automated decision making |
| Section 72 – Transfers of personal information outside of the republic |
| Section 60 – Breach of a code of conduct issued in terms of this section |
Penalties Under Section 107 of POPIA
Two categories of penalties:
- Fine or imprisonment for a period not exceeding 12 months or both;
- Fine or imprisonment for a period not exceeding 10 years or both
| PENALTY – FINE OR IMPRISONMENT FOR A PERIOD NOT EXCEEDING 12 MONTHS OR BOTH |
| Information processing subject to prior authorisation contemplated in section 57(1) must be notified as such by the responsible party to the regulator. (section 58(1)) Responsible parties may not carry out information processing that has been notified to the regulator to be subject to prior authorisation until the regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted (section 58(2)) (Section 59) |
| Duty of Confidentiality – any person who contravenes section 54 (Section 101) |
| Obstruction of the execution of a Warrant issued in terms of section 87 any person (Section 102) |
| Responsible party failing to comply with an enforcement notice issued in terms of POPIA; Responsible party in purported compliance with an information notice served in terms of section 90 makes a statement knowing it to be false or recklessly makes a statement which is false, in a material respect is guilty of an offence (section 103) |
| Offences by witnesses – any person. For example, a person summoned to be at court fails without sufficient cause to attend at the time and place specified. (Section 104(1)) |
| PENALTY – FINE OR TO IMPRISONMENT FOR A PERIOD NOT EXCEEDING 10 YEARS OR TO BOTH |
| Obstruction of the regulator or person acting on behalf of the regulator in the performance of the regulator’s duties (Section 100) Person liable to receive penalty – Any person |
| Failure to comply with an enforcement or information notice A responsible party (Section 103(1)) |
| Any person who after having been sworn or having made an affirmation, gives false evidence before the regulator on any matter, knowing such evidence to be false or not knowing or believing it to be true, is guilty of an offence (Section 104(2)) |
| Unlawful acts by responsible party in connection with account number (Section 105 (1)) |
| Unlawful acts by third parties in connection with account number (Section 106(1),(3) or (4)) |
Administrative Fines
The Information Regulator can impose administrative fines which are recoverable from the responsible party for offences in terms of POPIA. If paid by the responsible party there will be no prosecution for the offence. (Section 109)
Liability of the Information Officer
An Enforcement Committee may in terms of section 93(b)(ii) of POPIA may make a recommendation to the Regulator necessary or incidental to any action that should be taken against … (i) a responsible party in terms of POPI or (ii) an information officer or head of a private body, as the case may be, in terms of the Promotion to Access to Information Act”. (“PAIA”)
In terms of PAIA an Information Officer may be held criminally liable for the following offences:
| Fine or imprisonment for a period not exceeding two yearsA person who, with intent to deny a right of access in terms of this Act,- (a) destroys, damages or alters a record; (b) conceals a record; or (c) falsifies a record or makes a false record (section 90(1) of PAIA)The Information Officer who wilfully or in a grossly negligent manner fails to comply with the provisions of section 14 of PAIA (section 90(2) of PAIA)The head of a private body who, wilfully or in a grossly negligent manner, fails to comply with the provisions of section 51 of PAIA (section 90(3) of PAIA)A fine or imprisonment for a period not exceeding three years or to both such a fine and such imprisonmentAn Information Officer of a public body or head of a private body who refuses to comply with an enforcement notice (section 77K) |
Article by Lisa Boogaard
Boogaard Attorneys
Date 19 Sep 2021