In November, 2013, the Parliament of the Republic of South Africa enacted the Protection of Personal Information Act, 2013 (POPIA):
To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
Potential consequences of non-compliance
Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offence”. Specifically, Section 105 (Unlawful Acts by responsible party in connection with account number) states that “the responsible party must…have known or ought to have known that…[a violation of personal data privacy] would likely cause substantial damage or distress to the data subject.”
Additionally, Section 106 (Unlawful Acts by third parties in connection with account number) states that “a person who knowingly or recklessly, without the consent of the responsible party...obtains or discloses an account number of a data subject…or procures the disclosure of an account number of a data subject to another person is…guilty of an offence.”
Section 107 details which penalties apply to respective offenses. Specifically, “Any person convicted of an offence…is liable…to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or…to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.”
As detailed in Section 109 of the Act, the maximum fine “may not exceed R10 million.”