It has been a few months since the grace period for the coming into full operation of the Protection of Personal Information Act, 4 of 2013 (“POPIA”) lapsed. The hype and frenzy around POPIA compliance is slowly dying down. This may be because most organisations have taken the steps to ensure they are POPIA compliant or they are ‘testing the waters’ to see if the Information Regulator will take affirmative action. The one question that is increasingly being asked is whether the Information Regulator will be able to enforce POPIA compliance and address any data subject complaints. My views are that while chapter 5 of POPIA sets out the powers, duties and functions of the Information Regulator, there are good chances that they do not have the capacity to deal with POPIA enforcement.
The major challenge that may affect the level of enforcement powers of the Information Regulator is the lack of financial resources to carry out its functions. The Annual Financial Statements for 2020/2021 reflect that the Information Regulator was allocated a budget of 105 Million Rands. This amount of money may not be enough in the long run considering the different functions of the Information Regulator. For instance, conducting investigations, hearings and litigation requires a good budget to be set aside. Under the General Data Protection Regulation (GDPR), investigations and litigation have stretched for as long as 3 years. If the Information Regulator is going to be involved in such lengthy processes, there is need to have sufficient funds available.
Understaffing can potentially be another setback on the ability of the Information Regulator to enforce its powers. With less than 100 employees in the whole country, the Information Regulator may not be able to deal with high volumes of complaints, queries, investigations and concerns raised by data subjects, while also meeting their other statutory mandates such as providing awareness on POPIA.
POPIA permits the Information Regulator to impose administrative fines as high as 10 million Rands.((Section 109 POPIA.)) While this may seem like a lot of money for local SMEs and local businesses, it is certainly an insignificant amount for multinational corporations. When one compares the recent fines imposed by the Irish Data Protection Commission (DPC) on WhatsApp((The DPC imposed a fine of €225 million on WhatsApp. This is equivalent to approximately 3,7 Billion Rands. https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry. )), one can note that the POPIA fines are not enough deterrent for big tech companies.
The office of the Information Regulator is very important in the protection of personal data and privacy. Having adequate human resources and financial resources can go a long way in avoiding the identified potential challenges. As the term of office of the current members of Information Regulator is coming to an end, new appointments are currently underway. We hope that following the appointment of new members, there will be additional appointments of more employees to assist with POPIA monitoring and compliance.
Contact PPM Attorneys for good, clear, precise advice.
