Recent privacy updates in South Africa and abroad
At a glance
- South Africa is experiencing a sharp increase in reported data breaches. The Information Regulator noted 2,374 breaches in the 2024/25 financial year, an average of 198 per month. In 2023/24, it resolved hundreds of complaints, reviewed many organisations for compliance, and took action against major companies.
- Such events and privacy updates in South Africa and the European Union show a trend towards stricter privacy and transparency rules.
- For businesses, this reinforces the importance of explaining data use in plain language, getting proper consent for marketing, collecting only necessary data, improving security, and reporting incidents quickly. For consumers, the best protection is to be aware: treat personal data as valuable, be wary of unexpected calls or messages, and know your rights to opt out.
Under the Protection of Personal Information Act 4 of 2013 (POPIA), a responsible party that discovers a security compromise must notify both the Regulator and the affected data subjects as soon as reasonably possible (section 22). Failing to do so can lead to enforcement notices, administrative fines of up to R10 million, or criminal charges.
Recent cases show that enforcement increasingly takes the form of fines:
- Lancet Laboratories paid a R100,000 fine for ignoring an official warning and for not promptly informing the people affected by multiple data breaches. The Regulator ordered Lancet to improve its security measures, create a reliable system for reporting breaches, and update its policies to follow section 22 of POPIA.
- FT Rams Consulting was fined R100,000 for sending unwanted marketing messages and ignoring an official warning, and it is now being taken to court for not paying the fine.
- Blouberg Municipality received a R500,000 fine for exposing a former employee’s personal information online and failing to fix the issue, and it also faces court action for non-payment.
- The Regulator also reported in a media briefing on 13 November 2025 that enforcement notices had been issued to OUTA, SSA, Kudung CPA and Oceana Empowerment Trust, although these have not been uploaded to the Regulator’s website.
Even as cyber threats rise, most data breaches still go unreported. Research indicates that South African companies face thousands of cyber threats each week, but only a small number of resulting compromises are officially disclosed to the Regulator.
The Regulator acknowledges that limited resources are impacting investigations, forcing it to focus on major cases. Notwithstanding this, in 2023/24, it resolved hundreds of complaints, reviewed many organisations for compliance, and took action against major companies, including WhatsApp and the Department of Basic Education. The message is clear: companies must invest in better security, improve how they respond to incidents, and notify the Regulator and data subjects promptly to avoid unnecessary enforcement action and associated fines.
A recent data breach at Pepkor Lifestyle shows the importance of notifying authorities. The incident was linked to a third-party provider hired for SMS marketing, where customer phone numbers and message content were exposed. Pepkor informed the Regulator and advised customers to be cautious. Because POPIA holds the responsible party accountable for processing carried out by its operators, the case highlights the need for companies to manage the risks associated with their suppliers and to be transparent when incidents occur.
Direct marketing under POPIA: Who polices spam calls?
There is an ongoing debate about whether POPIA applies to telemarketing calls. The Regulator believes the term “electronic communication” is broad enough to include phone calls, making spam telemarketing its responsibility to regulate. The Regulator plans to start a test case by issuing an enforcement order against a company accused of calling people without their permission and will take the company to court if it fails to comply.
However, industry groups argue that the Consumer Protection Act 68 of 2008 (CPA) should be the law that governs unwanted calls, with the National Consumer Commission as the main regulator. The Direct Marketing Association of South Africa agrees that while telemarketers must follow POPIA’s data rules, telemarketing calls themselves fall under the CPA. This debate is happening as the Department of Trade, Industry and Competition restarts work on a national “opt-out” registry, 14 years after the CPA mandated it.
The Regulator’s approach is causing confusion because POPIA lets companies contact someone once to ask for permission (opt-in), while the CPA uses an opt-out system. Industry leaders warn that these conflicting approaches could disrupt business and cause job losses.
It is likely that the Regulator will have to reconsider its application of POPIA to telephone calls: the Department of Trade, Industry and Competition reports that the “opt-out” registry project is progressing, and once in place the registry should be the primary basis for dealing with telemarketing calls under the CPA.
WhatsApp resolves South African court case
WhatsApp has settled its court case with the Regulator regarding its 2021 privacy policy update, which required users to accept new terms to continue using the service. The dispute began in January 2021, when concerns about data sharing with other Facebook services were raised. While WhatsApp’s end-to-end encryption of message content was not in dispute, the broader data-sharing terms alarmed many users.
The Regulator subsequently issued an enforcement notice after finding that the update violated POPIA, especially concerning transparency and data sharing with other Meta products. Although WhatsApp challenged the Regulator’s decision in court, both parties have now reached a settlement that will be made a formal court order.
The details of the settlement have not been made public, but WhatsApp has indicated that it agreed to provide clearer privacy information to its South African users. While a judgment in the matter would have provided much-needed legal clarity on the application of POPIA, it is clear that the Regulator will continue to insist on more clarity and fairness in privacy notices for consumers in South Africa.
Litigation over publishing matric results
The Gauteng High Court in Pretoria has reserved judgment in a case between the Regulator and the Department of Basic Education, which has once again returned to court. The case is about whether publishing matric results complies with POPIA. The Regulator argues that making results public online or in newspapers could violate data protection laws and tried to enforce these rules after the 2023 results were released. This is the first time a court is closely reviewing how data privacy principles affect this long-standing tradition.
For many years, matric results were published publicly. In 2022, this was stopped due to privacy concerns, leading to a court challenge. The court then permitted results to be published using only exam numbers, to balance privacy with access. The upcoming court decision will be a key indicator of how South Africa balances public access, general interest and learners’ privacy under POPIA. For now, there is uncertainty about the release of results scheduled for 13 January 2026, with the national pass rate due to be announced on 12 January 2026.
Release of Zuma’s tax records ordered
In a major decision on access to information, the Regulator has ordered the South African Revenue Service to release former President Jacob Zuma’s tax records. This order was made under the Promotion of Access to Information Act 2 of 2000 (PAIA). The decision is a significant step for accountability and shows the Regulator is willing to enforce transparency. It also underscores the Regulator’s growing importance in handling complex public interest cases.
International privacy updates
The Digital Omnibus is the European Union’s (EU) proposed digital rule book to simplify and harmonise EU data legislation. The official version was released on 19 November 2025. In relation to the General Data Protection Regulation (GDPR), the Digital Omnibus proposes several interesting changes to the law.
Below is a summary of the key GDPR and privacy-related proposals in the EU’s Digital Omnibus:
- The definition of personal data would be narrowed so that information is not personal data for everyone in all situations. If an organisation has no reasonable way to identify a person, the information is not personal data. This is similar to POPIA, which treats data as personal only when an organisation has, or can reasonably get, information to link it to a person.
- Privacy notices could be skipped in limited cases where the processing is low risk and people can reasonably be expected to know who the controller is, how to contact them and why their data is used. This should help smaller organisations, while larger ones will still need full notices.
- A new rule would allow organisations to rely on legitimate interests to use personal data to develop and run AI systems, if the use is necessary, no other law requires consent, and people’s rights are not overridden (with extra care for children).
- A new lawful basis would allow the use of special category data for AI development and operation, but only with strong safeguards. Sensitive data should not be deliberately collected or further used; if it appears in training data, test data or models, it should be removed, or if removal is disproportionate, other measures must ensure it cannot produce outputs or be disclosed. POPIA has no AI-specific lawful basis: for ordinary personal information organisations typically rely on legitimate interests in practice, while special personal information may only be processed on the specific grounds in sections 27 to 33 of POPIA.
- Data breach reporting would move to a 96‑hour deadline and only be required where the breach is likely to pose a high risk to people’s rights and freedoms. There would also be a single EU reporting portal and template, reducing administrative effort.
- The cookie rules in the ePrivacy Directive would be moved into the GDPR. If someone refuses cookie consent, the organisation may not ask again for six months. For non-essential cookies, organisations could rely on other lawful bases such as legitimate interests. Browsers and operating systems would need to send machine-readable preference signals that controllers must honour, with an exemption for media service providers, although how this will work in practice is still unclear.
The proposals must still be approved by the European Parliament and the Council of the EU before becoming law.
What this means for organisations and consumers
These events show a trend towards stricter privacy and transparency rules. For businesses, the message is to explain data use in plain language, get proper consent for marketing, collect only necessary data, improve security, and report incidents quickly. For consumers, the best protection is to be aware: treat personal data as valuable, be wary of unexpected calls or messages, and know your rights to opt out. As rules become clearer and enforcement stronger, building trust and following the law will be essential for any organisation that handles personal information.
Copyright © 2025 Cliffe Dekker Hofmeyr. All rights reserved.