In a recent interview with ITWeb, Advocate Pansy Tlakula, the chairperson of the Information Regulator (the Regulator), provided updates on enforcement activity and on whether telemarketing constitutes electronic communication in terms of the Protection of Personal Information Act (POPIA).

Rising cyber threats, swift(er) responses 

High-profile cyber-attacks continue to grab the Regulator’s attention. The Regulator notes that credit bureaus, government departments and banks remain attractive targets for cybercriminals. 

The Regulator has seen a marked increase in data breach notifications, receiving some 150 security compromise notifications per month. This compares to roughly 56 notifications per month received in 2023, following the issuing of its first administrative fine to the Department of Justice.

The Regulator emphasised the importance of prompt security compromise notification. POPIA does not specify a time period for security compromise notifications, but the Regulator referenced the GDPR’s 72-hour reporting period as a comparable benchmark. The Regulator stressed that notifications should be made without delay, save for instances where IT system integrity is being restored or law enforcement is being notified.

Telemarketing constitutes electronic communication

The Regulator has taken a firm stance against unsolicited direct marketing and confirmed that direct telemarketing constitutes electronic communication. The Regulator intends to clamp down on non-compliant direct marketing companies. 

Businesses using direct telephone marketing communications are regulated in terms of section 69 of POPIA, which prohibits the use of direct marketing in most circumstances. 

The Regulator published a media statement on 27 February 2024 explaining that an enforcement notice had recently been issued against a direct marketing company for section 69 non-compliance. A data subject had complained to the Regulator that it had opted out of receiving such communications and had requested to be removed from the company’s emailing list.

The Regulator ordered the company to:

  • ensure that its first communication to a data subject obtains consent to receive direct marketing messages;
  • immediately cease its unsolicited direct-marketing messages to any data subject that has previously withheld consent and/or not given the necessary consent; and
  • compile and maintain a database of all data subjects who had previously withheld or did not consent to receive unsolicited direct-marketing messages.

A guidance note is being developed by the Regulator that will delineate the processing of personal information for direct marketing using unsolicited electronic communication. 

Artificial Intelligence (AI) under consideration

The Regulator confirmed that various bodies are working together to consider how best to regulate the use of AI. The Regulator stated that any legal developments to this effect would have to be dealt with by the executive branch of government, but believes that POPIA is adequate to deal with AI and its impact on data privacy in South Africa.

PAIA success despite capacity issues

While POPIA has been the focus in terms of data protection, the Regulator noted that positive strides have been made in the regulation of the Promotion of Access to Information Act (PAIA). 

The Regulator has been assessing PAIA compliance, including for JSE-listed companies and universities. It recently compelled an organisation to release certain information relating to music royalties that had not previously been paid, a significant victory for musicians.

Comment

  • Since the start of 2024, our Cyber One team has seen a substantial increase in cybercrime and ransomware attacks against healthcare, manufacturing, retail, e-commerce and professional services businesses in South Africa.
  • The Regulator’s comments on security compromise reporting help clarify expectations for the reporting of data breaches and similar incidents. The uptick in security compromise notifications to the Regulator is not surprising and reflects the low threshold for notification of security compromises under section 22 of POPIA.
  • Encouragingly, this indicates that organisations recognise and are complying with their obligations under POPIA to notify the Regulator and affected data subjects.
  • Direct telephone marketing communications in terms of section 69(2) of POPIA will have to be accompanied by the prescribed Form 4 under the POPIA Regulations to obtain the necessary consent. We anticipate that the use of the prescribed form may be controversial and are hopeful that the Regulator’s guidance note will address this concern.

Clyde & Co’s Cyber team specialises in all aspects of cyber risk, data protection, insurance and legal advice on cyber incidents and claims. Our end-to-end One cyber solution is designed to boost cyber resilience and is built around pre-incident planning, effective incident response and post-incident recovery.

Please reach out to our team should you require further insights on these recent POPIA and PAIA developments.