The Protection of Personal Information Bill 2009 (POPI) aims to
bring South Africa in line with international data protection laws.
Currently in its seventh working draft, it has been forwarded to
the Portfolio Committee for final consideration and is widely
anticipated to become law within the next six months.
The impact of this legislation will be far-reaching and will
significantly affect the way companies collect, store and
disseminate personal information.
In this bi-weekly series, members of our Information Law Group
provide some insight into the implications of POPI to assist you in
your preparations for the new legislative regime*.
This edition focuses on penalties that may be imposed under POPI.
A responsible party may be imprisoned for a maximum of 10 years
and/or fined a maximum of ZAR10 million.
The UK insurance arm of Zurich Financial Services was fined a
record £2,275 million for losing the personal details of
46,000 customers, including bank account and credit card
information. The fine, the highest ever paid by a single UK company
for a data protection failing, stems from an August 2008 incident
in which an outsourcing company in South Africa lost an unencrypted
back-up data tape.
Similar to the UK jurisdiction, the current draft of POPI also
imposes harsh penalties where a person's personal financial
information is processed in an unlawful manner. POPI states that a
responsible party who processes a person's account number, in a
way that contravenes the conditions for lawful processing of
personal information, will be guilty of an offence if:
the contravention is of a serious and persistent nature and
likely to cause substantial damage or distress (in other words, it
need not have actually caused damage or distress); and
the responsible party knew or ought to have known that there
was a risk that the contravention would occur and failed to take
reasonable steps to prevent the contravention; or
the responsible party knew or ought to have known that such
contravention would likely cause substantial damage or distress to
the person and failed to take reasonable steps to prevent the
A responsible party convicted of such an offence is liable to
pay a fine or to be imprisoned for a period not exceeding 10 years,
or to both a fine and such imprisonment.
In addition, where a responsible party is suspected of committing
any offence in terms of POPI (and before any conviction is
achieved), an administrative fine can also be imposed by the
Regulator, which fine may not exceed ZAR10 million. When
determining an appropriate fine, the Regulator must consider the
the nature of the personal information involved;
the duration and extent of the contravention;
the number of data subjects affected or potentially affected by
whether or not the contravention raises an issue of public
the likelihood of substantial damage or distress, including
injury to feelings or anxiety suffered by data subjects;
whether the responsible party or a third party could have
prevented the contravention from occurring;
any failure to carry out a risk assessment or a failure to
operate good policies, procedures and practices to protect personal
whether the responsible party has previously contravened the
provisions of POPI in this manner.
To avoid such a fine, the responsible party must defend the
imposition of the fine in court.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.