Class action litigation in SA could spike with ‘non-attack’ data breach claims

As data breaches have become a major driver of class action litigation in the United States, two leading experts in competition and consumer law predict it is only a matter of time before South Africa sees a rise in “non-attack” data claims.

The Allianz Commercial Cyber Security Resilience 2024 report highlights a 14% increase in large cyber claims exceeding €1 million, with data and privacy breaches contributing to two-thirds of these losses.

One key trend is the global surge in “non-attack” data breaches, such as wrongful data collection, which rose from 7% of claims in 2022 to 21% in early 2024. These privacy breach claims now often rival or surpass ransomware incidents in cost.

“Non-attack” data claims involve data privacy breaches not caused by direct cyberattacks such as hacking or ransomware. Instead, they result from issues such as the improper handling, collection, or sharing of personal information, often because of negligence or non-compliance with data privacy laws.

Read: The rise of ‘non-attack’ data claims in a changing cyber landscape

To explore the South African context and how companies can safeguard themselves and their clients against such claims, Moonstone spoke to Rosalind Lake, director and global head of Consumer Markets at Norton Rose Fulbright, and Lisa Swaine, a partner at Webber Wentzel.

The letter of the law

South Africa’s main data protection law, the Protection of Personal Information Act (POPIA), came into effect in July 2021. It is heavily modelled on the predecessor to the General Data Protection Regulation (GDPR), the European data privacy law widely regarded as the highest standard for data protection globally.

Lake explains that, as such, POPIA follows best practice in terms of the key principles of data privacy and in many instances is aligned with the GDPR.

“South Africa goes even further than GDPR and some state data privacy laws by protecting the personal information of corporate entities. This is because the South African Constitution grants the right of privacy to all persons in South Africa, which includes corporate persons – making POPIA’s coverage broader than most other jurisdictions,” says Lake.

POPIA is compliance-driven, with responsible parties typically given the opportunity to remediate their conduct before being penalised. According to Lake, the Information Regulator has recently indicated its intention to amend POPIA to align it more with global standards, allowing for penalties on first-time contraventions.

“This is a positive development for data privacy, as global developments since POPIA was drafted in 2013 mean that some of its provisions are out of step with best practice. Stronger enforcement would certainly drive enhanced compliance,” she says.

POPIA protects both natural persons and juristic persons, whereas the GDPR protects only natural persons. Swaine highlights another key difference: POPIA focuses on where personal information is processed.

“It must be processed in South Africa for POPIA to apply, whilst the GDPR applies extra-territorially. Under the GDPR, even if a data controller or processor is based outside the European Union, the GDPR will apply if they handle the personal information of a data subject within the EU. It is for this reason that many South African businesses should be POPIA and GDPR compliant,” says Swaine.

Lake also notes that the GDPR’s broader application beyond borders explains why its penalties are more severe, “as these are based on global turnover”.

While GDPR fines are higher, Swaine points out that no criminal offences were created by the GDPR.

Enforcement of privacy laws

The Information Regulator has addressed complaints about breaches of the conditions for lawful processing of personal information and about non-compliance with direct marketing obligations, such as sending unsolicited electronic communications.

During a press briefing in September, the Regulator’s chairperson, Advocate Pansy Tlakula, provided updates on investigations into complaints related to the Promotion of Access to Information Act and POPIA from organised groups and individuals since the start of the financial year in April 2024.

One notable case involves an ongoing investigation into allegations of interference with personal information protection by the South African Police Service (SAPS) concerning their handling of victim data. This matter has been referred to the Regulator’s Enforcement Committee for further action.

Read: Regulator battles for data privacy: major cases against SARS, SAPS and IEC

Lake notes that a situation like this could lead to claims.

“However, most claimants tend to wait until an investigation is complete. There is a real opportunity here for corporates, which are also protected under POPIA, to lead the way in bringing these claims, as they often have the resources to challenge non-compliance.”

POPIA allows follow-on civil claims for a breach of any section of the Act, such as over-processing personal information or other non-compliance.

However, Lake says South Africa is far less litigious than the US or Europe, and even when cyber-attacks occur, the response in terms of credit monitoring or claims is limited.

“There are likely several reasons for this, including the sheer volume of attacks and a level of indifference among potential claimants who may not trust institutions or perceive the costs or inefficiencies in the legal process to be prohibitive.”

Damages – what claimants can expect

The Allianz report found that more than 1 300 data breach cases were filed in the US in 2023, more than double the number from 2022. Industries such as healthcare and social media faced lawsuits for using tracking tools, with the top 10 data breach class action settlements amounting to $516 million (about R9.64 billion), up significantly from $350 million (about R6.54 billion) in 2022.

Lake says there is certainly potential for data privacy-related claims under POPIA, particularly given the law’s broad scope.

“One significant aspect of POPIA is that claimants do not have to prove fault by the responsible party, and they can seek aggravated damages, which is an uncommon concept in South African law. This gives the courts ample discretion in awarding damages.”

Lake foresees that it is just a question of when South Africa will experience a surge in non-attack data claims.

“As awareness of POPIA and its provisions grows, and as the Information Regulator continues its enforcement efforts, I expect to see more claimants stepping forward.”

She adds that the courts will then have an opportunity to set important precedents that could shape the future of data privacy law in South Africa.

“Although individual claimants may be under-resourced, we have seen a marked increase in foreign class action litigation funding which may also drive increased likelihood of claims.”

Regarding the damages that future successful claimants might receive in court, Swaine explains that the amount awarded in civil lawsuits depends on the specific circumstances of each case.

“Civil awards for damages in South Africa are unlikely to be as high as those in the US. The cost of potential reputational damage to companies is, however, unquantifiable,” she says.

Lake adds that South African law does not allow for punitive damages, unlike in the US, where such awards can be substantial. She says in South Africa, damages are typically compensatory, aimed at restoring the claimant to the position they were in before the harm.

“In data privacy cases, this can be particularly difficult because much of the harm – such as emotional distress, reputational damage, or identity theft – is intangible.”

Like Swaine, she expects that any damages will be far lower than what is seen in the US.

“However, I believe the courts may need to adapt their approach when it comes to data privacy. Given the growing importance of privacy rights, I wouldn’t be surprised if South African courts begin to push the boundaries of compensatory damages in such cases, although without the possibility of punitive damages, we won’t see US-level awards anytime soon,” says Lake.

Mitigating legal risks

To mitigate legal risks effectively, Swaine advises that companies prioritise a thorough understanding of the relevant legislation and ensure their compliance. She underscores that organisations need to establish robust information security policies and systems.

“The policies and systems must deal with and regulate internal and external information security and management, as well as the management of, access to, and use of systems, infrastructure, networks, devices, resources, and information,” says Swaine.

She adds that these policies must be not only implemented but also regularly maintained, reviewed, and upgraded as necessary.

And it’s not enough to have policies on paper. Lake says companies must ensure they are living these policies every day.

“Regular audits, employee training, and continuous monitoring are key. Employees remain the weakest link, so companies should invest heavily in building a culture of compliance. Without continuous vigilance, companies will always be exposed to these risks,” says Lake.

Both Lake and Swaine agree that, given the increase in global litigation, South African companies should ensure they are adequately insured to address cyber and privacy risks.