Regulator battles for data privacy: major cases against SARS, SAPS and IEC

From the State Security Agency (SSA) to the South African Revenue Service (SARS) and the Independent Electoral Commission (IEC), the Information Regulator (IR) had its hands full this past year, monitoring and enforcing compliance by public and private bodies with the provisions of the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA).

The IR operates as an independent body, accountable to the National Assembly and governed by the law and the Constitution. Its primary mandate is to ensure that public and private entities comply with PAIA and POPIA.

PAIA grants individuals the legal right to access information held by public and private bodies. PAIA aims to balance the right of access to information with the need to protect sensitive information, including personal privacy and national security.

POPIA, designed to protect personal information processed by organisations, sets out specific conditions for lawful data-handling. The aim is to establish minimum standards for processing personal information, ensuring that individuals’ privacy rights are respected and safeguarded.

The IR plays a critical role in enforcing these standards, overseeing public and private sector compliance with these laws.

At a media briefing last week, Advocate Pansy Tlakula, the chairperson of the IR, provided updates on investigations into PAIA- and POPIA-related complaints from organised groups and individuals since the beginning of this financial year (April 2024).

State Security Agency

One prominent case involves the SSA. On 2 August, the IR issued an enforcement notice directing the SSA to release certain records, following a complaint lodged by an investigative journalist from Daily Maverick.

The journalist had requested information in June 2022 about SSA’s expenditure from 2015 to 2019, specifically relating to services procured from the African News Agency. The request sought detailed descriptions of the goods and services rendered, along with proof of deliverables.

However, the SSA failed to respond to the request within the legally required timeframe. As a result, the lack of response was deemed a refusal under PAIA.

“SSA attended to the matter after the prescribed time frame when it issued a refusal to grant access to the records, a response that was also deemed too late,” Tlakula explained.

Following an investigation and review by the IR’s Enforcement Committee, the Regulator concluded that the SSA had not provided sufficient grounds for withholding the records.

Tlakula said the agency failed to prove that releasing the information would impede justice, expose a confidential source, or compromise national security. Consequently, the IR issued an enforcement notice instructing the SSA to disclose the requested records.

The SSA has decided to challenge the Regulator’s decision in court.

Social media giants – X, Meta and Google

Still focused on PAIA infringements, Tlakula highlighted an ongoing investigation involving social media giants X, Meta, and Google. The case stems from a complaint requesting access to records on the classification of elections, risk assessments concerning South Africa’s electoral integrity, and how global policies are applied locally within these companies.

“The entities’ refusal of access to the records is based on the general presumption that PAIA does not apply extraterritorially to these private bodies, despite them conducting business in South Africa,” Tlakula explained.

The Regulator has accepted the complaints, and all three cases are under investigation.

SARS

Another high-profile case under review involves SARS. A complaint was lodged following the SARS Commissioner’s refusal to grant access to former president Jacob Zuma’s tax returns for the years 2010 to 2018.

Tlakula confirmed that “the investigation into this matter is at an advanced stage”.

Sibanye-Stillwater

The primary purpose of the IR’s Enforcement Committee is to investigate complaints, assess breaches of the law, and recommend appropriate actions, such as issuing enforcement notices or fines.

Among the cases referred to the Enforcement Committee is one involving Sibanye-Stillwater, a global precious metals mining company, and the Department of Mineral Resources and Energy.

The IR received a complaint from a human rights organisation against the mining company.

The complaint concerned a request for access to the annual compliance reports submitted by Sibanye-Stillwater to the department in respect of social labour plans for the Eastern and Western platinum mines.

“The annual compliance report to which the complainant requested access related to progress on community projects as part of their licensing requirements. The investigation report has been finalised and is being considered by the Enforcement Committee,” Tlakula said.

Gauteng Department of Health

Among the matters settled through mediation is a complaint the IR received from an investigative journalist who had written several articles about allegations of fraud and corruption at Gauteng hospitals.

Tlakula said it is alleged that this had resulted in the assassination of the whistleblower Babita Deokaran. The complaint lodged with the regulator was against the decision of the head of the Gauteng Department of Health to refuse access to records relating to scheduled payments to suppliers.

After receiving the complaint, the regulator set up a meeting with the head of the Gauteng Department of Health. During the meeting, they agreed to release the requested records.

Blouberg Municipality

With regard to POPIA matters, the IR said it had issued four enforcement notices since April this year: to Blouberg Municipality, Lancet Laboratory, the IEC, and WhatsApp LLC.

In the case of Blouberg Municipality, Tlakula explained that this related to the unlawful processing of the personal information of a former employee, whose personal information was exposed on the internet following her submission of a declaration of interest containing that information.

Lancet Laboratory

The enforcement notice against Lancet Laboratory, a diagnostic service provider, was issued as a result of a compliance assessment, “which was necessitated by the number of security compromises that they had experienced”, Tlakula said.

According to Tlakula, the company failed to comply with the notification requirements in terms of POPIA.

“The company had also failed to notify the data subject affected by the security compromise within a reasonable time,” she said.

IEC

An enforcement notice was issued to the IEC as a result of a security compromise that occurred just before the 2024 national and provincial elections.

Tlakula said this resulted in the candidate nomination lists of the African National Congress (ANC) and the Umkhonto we Sizwe (MK) party being shared on various social media platforms.

“We initiated an assessment of their security systems on the safeguarding of personal information that they processed, and we found that they did not have adequate access control measures to protect the confidentiality of personal information in their possession,” she said.

In addition, Tlakula said, the IEC’s section 22 notification to data subjects was found to be inadequate.

WhatsApp LLC

The IR’s preliminary assessment in terms of POPIA has revealed notable discrepancies in WhatsApp’s terms of service and privacy policies, with distinct differences between those applied to users in the European region and those for users outside Europe, including South Africans.

“The privacy safeguards for users in the European region appeared to be better than those for users in South Africa, even though the General Data Protection Regulation (GDPR) and POPIA have similar standards and protections,” remarked Tlakula.

In response, the IR has issued an enforcement notice directing WhatsApp LLC to adhere to all conditions for the lawful processing of personal information. This includes updating its privacy policy, conducting a personal information impact assessment, and complying with the provisions of PAIA, particularly regarding the maintenance of documentation for all processing operations under its responsibility.

“In this regard, the regulator dismissed WhatsApp’s argument that PAIA does not apply to it as a social network which is extraterritorial,” Tlakula added.

South African Police Service

The IR is currently investigating a complaint regarding alleged interference with the protection of personal information by the South African Police Service (SAPS).

Tlakula explained that the personal information in question was processed by SAPS during a criminal investigation and was subsequently disseminated through WhatsApp messages.

“Due to the sensitivity of the case and considering that this is a similar matter where personal information was leaked, the Regulator has embarked on an own-initiative investigation into the alleged interference with personal information of data subject,” Tlakula stated.

This issue has now been referred to the Enforcement Committee for further action.