Last review date: 31 December 2024
Yes – there is one data privacy regulator in South Africa, namely the Information Regulator.
The Information Regulator was established on 9 September 2016 to exercise certain powers and to perform certain duties and functions pursuant to POPIA and PAIA.
During 2024, the Information Regulator issued three POPIA enforcement notices against various public and private entities relating to security compromises and inadequate security and breach notifications. The Information Regulator also issued one enforcement notice against a social media platform for having terms and conditions in place for South African users that afforded lesser data privacy protections for South Africans when compared to the terms applicable to users in other jurisdictions. The Information Regulator imposed its first administrative fine on the Department of Justice due to its failure to comply with an enforcement notice issued by the Information Regulator. During 2024, the Information Regulator also conducted over 30 PAIA compliance assessments, including against 3 social media platforms, 17 law firms and various government and public institutions.
It is anticipated that the Information Regulator will continue to issue enforcement decisions against non-compliant responsible parties within the next 12 months and will continue with its program of conducting PAIA assessments. As the Information Regulator has been faced with certain legal difficulties pertaining to its ability to take effective enforcement action, it has indicated that it intends to approach Parliament to amend POPIA and PAIA in order to increase its enforcement powers. It is expected that other industry representative organizations are likely to engage with the Information Regulator in respect of industry-specific codes of conduct for their stakeholders. The Information Regulator has also begun to focus on direct marketing activities that are not in compliance with POPIA, and we expect to see increased enforcement action in respect of non-compliant direct marketing activities. We also expect the Information Regulator to continue to issue regulations and guidance notices in order to give effect to POPIA's operational provisions.
The Information Regulator increased its enforcement action against non-compliant responsible parties in 2024. This increased enforcement action is an indication that the Information Regulator will continue to take action against non-compliant responsible parties in the coming 12-month period.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
☒ criminal penalties from regulators and law enforcement
☒ private remedies