Beware of the wide investigative powers and enforcement powers of the information regulator in terms of POPI

The Protection of Personal Information Act 4 of 2013 (POPI) came into force on 1 July 2020. Although corporations are provided with a one-year grace period in which to ensure compliance with POPI, it is crucial to understand the wide and far-reaching investigation and enforcement powers afforded to the Information Regulator by POPI.

11 Aug 2020, Dispute Resolution Alert

Section 39 of POPI makes provision for the establishment of the Information Regulator (Regulator). The purpose of the Regulator is to ensure that the rights as provided in POPI are respected, promoted, enforced and fulfilled.

The Regulator is an independent body and is subject only to the Constitution and to the law. It is required to be impartial and to perform its functions and exercise its powers without fear, favour or prejudice, and it is accountable to the National Assembly. It is, however, essential that the Regulator exercises its powers and performs its functions in accordance with POPI and the Promotion of Access to Information Act 2 of 2000.

The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that:

  • the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or
  • the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

One of the important duties and functions of the Regulator, as set out in section 40 of POPI, is the receipt and handling of complaints relating to non-compliance with the provisions of POPI.

The Regulator is tasked with receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints. The Regulator needs to gather information which, in its opinion, will assist the Regulator in discharging the duties and functions assigned to it under POPI. A further duty of the Regulator is attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation and serving any notices in terms of POPI and promoting the resolution of disputes in accordance with the principles of POPI.

In terms of section 74 of POPI, any person may submit a complaint to the Regulator alleging, inter alia, non-compliance by a responsible person with any of the provisions of POPI, or with any code of conduct published by the Regulator in terms of POPI. POPI requires that such complaints be made in writing and, should an aggrieved party experience any difficulties complying with this condition, the Regulator is responsible for assisting such party to put the complaint in writing.

Upon receipt of a complaint, the Regulator may conduct a pre-investigation, act as conciliator, decide to take no action on the complaint or require no further action in respect of the complaint, conduct a full investigation of the complaint or refer the complaint to the Enforcement Committee.

The Regulator is obliged, as soon as is reasonably practicable, to advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt. Importantly, the Regulator must inform the responsible person to whom the complaint relates of its right to make a written submission to the Regulator responding to the complaint. It must also be noted that there is nothing preventing the Regulator from launching an investigation on its own initiative if it suspects that the aim of the Act is not being complied with.

If the Regulator decides not to take action, the complainant needs to be notified of such decision and furnished with reasons. The Regulator may further refer a complaint to another, more suitable regulatory body, such as bodies dealing with the National Credit Act or the Consumer Protection Act, if the circumstances make such a referral better suited to the nature of the complaint.

The Regulator has wide investigative powers for the purposes of investigating a complaint. The Regulator may:  

1)    summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint;

2)    administer oaths;

3)    receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law;

4)    at any reasonable time enter and search any premises occupied by a responsible party;

5)    conduct a private interview with any person in any premises, subject to certain provisions; and

6)    otherwise carry out in those premises any inquiries that the Regulator sees fit.

The Regulator may only enter premises with a warrant, which a judge or a magistrate may issue if satisfied by information on oath supplied by the Regulator that certain reasonable grounds exist. It is, however, crucial to note that a judge or magistrate must not issue a warrant unless satisfied that:

1)    the Regulator has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises; and

2)    such access was demanded at a reasonable hour and was unreasonably refused; or

3)    although entry to the premises was granted, the occupier unreasonably refused to comply with a request by any of the Regulator’s members or staff to permit the members or the members of staff to do any of the things permitted in terms of the Act; and

4)    that the occupier has, after the refusal, been notified by the Regulator of the application for the warrant and has had an opportunity of being heard on the question whether the warrant should be issued.

However, if the judge or magistrate is satisfied that the case is one of urgency or that compliance with the aforesaid requirements would defeat the object of the entry, there may be deviation from certain requirements.

After the investigation has been completed, the Regulator may decide not to take any action or refer the complaint to the Enforcement Committee to consider, make a finding and a recommendation in respect of the proposed action to be taken by the Regulator.

After receipt of the Enforcement Committee’s recommendations, the Regulator must issue the responsible party with an Enforcement Notice setting out specific steps to be taken or to stop processing personal information.

Both a responsible party and complainant are afforded a right to appeal against any decision of the Regulator.

A responsible party on whom an Enforcement Notice has been served may, within 30 days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.

A complainant, who has been informed of the result of the investigation conducted, may also, within 180 days of receiving the result, appeal to the High Court having jurisdiction against the result, if no action was taken or an Enforcement Notice was cancelled.

A data subject or, at the request of the data subject, the Regulator, may furthermore institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act.

Non-compliance with certain provisions of POPI constitutes a criminal offence, for instance obstructing the functions of the Regulator or failing to comply with any Enforcement Notice received. These criminal offences carry a fine, imprisonment of between 1 and 10 years, or both a fine and imprisonment.

POPI also makes provision for the Regulator to impose an administrative penalty of up to R10 million, in lieu of criminal charges being preferred.

It is clear from the brief overview of the scope of functions, duties and powers discussed that the Regulator and its accompanying Enforcement Committee will play a pivotal role in data protection, compliance with the Act, investigating complaints and ensuring enforcement of the legislation in data processing in South Africa. It is therefore essential not only that data subjects are aware of their rights and remedies but that responsible parties are informed regarding what the legislation requires for lawful processing of personal information.

This Act is still new to our law, and it is important that responsible parties, like companies, are aware of their duties and comply with their legislative obligations in order to protect the rights of data subjects and remain compliant, and that they seek legal advice and assistance as soon as the Regulator comes knocking on their doors.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.