Following the recent Experian data breach, the South African Information Regulator took the opportunity to stress the importance of organisations' compliance with the Protection of Personal Information Act, 2013 ("POPIA"), stating: "South Africa is currently experiencing a high number of data breaches. In the last four months the Regulator has recorded twenty five (25) data breaches, nineteen (19) of which were self-reported."
As data subjects become more educated on their personal information rights in terms of POPIA, organisations can expect to see an uptick in litigation and class actions against errant controllers and responsible parties, particularly after the grace period has ended on 30 June 2021.
What does POPIA say about civil actions?
The Regulator is empowered to proceed with litigation on behalf of any data subject. Given the costly nature of litigation, this is an enticing option for data subjects. However, it is yet to be seen whether the Regulator will have sufficient financial resources to institute and efficiently prosecute any actions requested by data subjects. Also, any action taken by the Regulator is administrative action and is subject to review in terms of the Promotion of Access to Information Act, 2000.
In actions where the Regulator is litigating on the data subject's behalf, if a responsible party is found liable and a court makes an award in terms of POPIA, the damages that the responsible party is ordered to pay must be paid into a designated trust account established by the Regulator. After the Regulator has applied any such award against its reasonable expenses incurred (as a result of bringing proceedings at the request of the data subject), and any costs associated with the distribution to the data subject, the remaining balance must be distributed to the data subject at whose request the proceedings were brought.
To avoid the Regulator having to drive the litigation and deducting its costs from any award, data subjects may instead turn to litigation funders and class actions to claim damages in cyber-incidents that affect large numbers of data subjects.
- POPIA creates an onerous form of strict liability on the responsible party. Civil action can be instituted whether or not there is intent or negligence on the part of the responsible party.
- There are only limited defences available to defendants in civil actions in terms of POPIA. Unlike other international data protection legislation, POPIA does not provide protection for responsible parties even if they can demonstrate that they have done everything reasonably practicable in their power to comply with POPIA. It would, however, be in a defendant's best interests to demonstrate that it has taken reasonable steps to comply with POPIA, in mitigating any quantum of damages (and preventing any punitive damages) that may be awarded by a court – this is because POPIA provides that a court must "award an amount that is just and equitable".
Damages in South African law and its implications for POPIA
The concepts of patrimonial and non-patrimonial loss are well-known in South African law. Simply put, patrimonial loss relates to the monetary loss suffered by a data subject as a result of the breach. Non-patrimonial loss is the infringement of personality rights or loss suffered as a result of inconvenience, pain and suffering caused by the breach.
POPIA provides a remedy for an aggrieved data subject to claim "aggravated damages" – this is not a concept recognised by South African common law. This is further complicated by the fact that POPIA does not define or set out whether "aggravated damages" are punitive or compensatory in nature. The concept of punitive and compensatory damages was dealt with in the Constitutional Court's judgment in Fose v Minister of Safety and Security. It was held that punitive damages, such as constitutional damages, would be appropriate in circumstances where such an award would deter the types of abuses that were alleged to have occurred.
This was reaffirmed by the Supreme Court of Appeal ("SCA") in the judgment of Komape v Minister of Basic Education and others. Here, the SCA went further and stated that the facts and circumstances of a particular case may warrant an award of constitutional damages to mark displeasure.
In making such an award, a court must take practical considerations into account. Applying this principle, a court would have to consider whether it would be appropriate to award further damages in circumstances where the data subjects have already been compensated for the loss which they have suffered. To date, awards relating to the infringement of a constitutional right have been linked to the monetary loss suffered as a result of that infringement. In light of this, it is unlikely that an award for "aggravated damages" will relate to damages that have not actually been suffered by a data subject.
How have other jurisdictions quantified damages in data privacy claims?
Until litigation comes before South African courts, it is necessary to consider how damages have been quantified in other jurisdictions, for guidance on any award that may be made in due course in South Africa:
- In the Netherlands, the courts have adopted the attitude that compensation must be granted for a data breach, even if it was difficult to quantify any specific non-material harm.
- An Austrian court awarded damages to an individual whose data was processed without any legal basis. However, that award of damages was overturned on the basis that the breach was not sufficient to award damages without some specific distress being suffered by the individual.
- In the United Kingdom, in the class action of Lloyd v Google, the court held that where there is an alleged breach of data protection law, an individual's loss of control of their data as a result of the breach is damage for which compensation may be claimed, without having to prove patrimonial or non-patrimonial loss.
The Information Commissioner's Office ("ICO") in the United Kingdom recorded that it received 38 514 data protection complaints in the 2019/2020 year. The ICO found that, in around half of these cases, there was more that data controllers and processors could have done to improve their practices or explain in a more comprehensive way to data subjects how they are complying with their legal obligations. The ICO urged data controllers and processors to revisit concerns and "do more to assure themselves and complainants that they are complying with their obligations under the law".
Undoubtedly, there are many unknowns in respect of POPIA litigation. However, one thing is certain: litigation in terms of POPIA is inevitable. Together with the trends identified in other jurisdictions, this emphasises the importance of ensuring strict compliance with POPIA. Responsible parties are encouraged to obtain legal advice, as early as possible, in order to mitigate and manage possible claims emanating from POPIA breaches and complaints.
ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, incident response plans and coaching, contracts and procedures for businesses, information officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.