Regulator pushes for stronger PAIA enforcement amid low compliance by public bodies

Posted on

The Information Regulator (IR) is preparing to submit proposed amendments to the Promotion of Access to Information Act (PAIA) to Parliament, aimed at strengthening its enforcement powers.

At a press briefing yesterday, Advocate Pansy Tlakula (pictured), the chairperson of the Regulator, expressed concern about the current provisions of PAIA, stating they are too lenient.

“We postulate that this may contribute to the laxness in the public bodies’ compliance with the law,” Tlakula said.

On 25 April, the Regulator issued a notice calling on public and private bodies to submit their PAIA reports for 2023/24. A total of 34 460 public bodies, including political parties, submitted reports. Of the 122 198 access requests received, 114 69 were granted in full.

Although there was a slight improvement in submissions compared to last year, Tlakula said compliance levels remain low. She emphasised the importance of these reports in monitoring the implementation of PAIA.

“The non-submission of these reports impedes the Regulator’s ability to monitor the effectiveness of PAIA and ensure that the right of access to information is fully exercised. Those who do not make submissions are infringing on this right and contravening the law.”

The Regulator highlighted the dismal submission rates among public bodies. Of the 853 public bodies – including national and provincial departments, local governments, public entities, universities, and TVET colleges – only 278 submitted reports, reflecting a compliance rate of 33%.

Non-compliance by local governments was of particular concern, with only 51 of 257 municipalities submitting their reports, marking a 20% compliance rate.

Public entities fared slightly better, with a 38% compliance rate.

Although some improvement was seen from public bodies, Tlakula expressed disappointment with political parties’ submission rates. Of 52 larger registered political parties, only 11 submitted reports.

The Regulator raised particular concern over political parties’ non-compliance, noting that these entities are not only lawmakers but also bear responsibility for transparency, particularly in the post-election period. This lack of compliance raises broader concerns about accountability, particularly when it involves the handling of voter information during elections.

The Regulator’s position is clear: political parties should be setting an example in adhering to the legislation they helped to create, rather than being among the non-compliant entities.

Enforcement powers under PAIA

The Regulator outlined several critical loopholes and gaps in its enforcement powers under PAIA, particularly compared to the more robust provisions of the Protection of Personal Information Act (POPIA). The Regulator identified a key disparity: under POPIA, an assessment report generated by the Regulator is treated as an enforcement notice, meaning it carries significant legal weight. In contrast, PAIA assessment reports lack this enforcement power, leaving the Regulator unable to act directly on non-compliance.

Tlakula said this gap in enforcement is compounded by the Regulator’s reliance on external security agencies, such as the police, to enforce PAIA violations. This dependency undermines the Regulator’s autonomy and weakens its ability to respond swiftly and decisively to breaches.

Unlike POPIA, PAIA also does not provide the Regulator with the authority to impose fines or penalties for non-compliance, further diluting its enforcement capabilities.

Tlakula said the issue is particuarly problematic given that many public bodies and political parties have consistently failed to submit their required annual reports to the Regulator, a clear violation of PAIA. Without the necessary enforcement powers, the Regulator has been unable to hold these entities accountable.

To close these gaps, the Regulator is proposing key amendments to PAIA. These include aligning its enforcement provisions with those of POPIA, such as granting assessment reports enforceable status and empowering the Regulator to impose penalties directly. Additionally, the proposed amendments would eliminate grace periods, allowing the Regulator to impose fines or sanctions immediately upon finding non-compliance. The Regulator also seeks stronger authority to act against public bodies and political parties that fail to meet their reporting obligations.

Making the call on direct marketing

Tlakula addressed concerns about direct marketing through unsolicited electronic communication, acknowledging the public’s frustration with the increase in spam calls.

Earlier this year, the Regulator announced it had drafted a guidance note on direct marketing to help public and private entities comply with POPIA when processing personal information for marketing purposes.

In June, the Regulator shared this draft with stakeholders in the direct marketing sector and major industry players.

“We are at the advanced final stage of considering their input, and on 25 September 2024 will hold a stakeholder engagement on the final version of the guidance note ahead of its publication,” Tlakula said.

The Regulator also highlighted that the direct marketing sector and other entities have interpreted POPIA’s electronic communication provisions in a way that excludes telephone calls from requiring consent.

However, the Regulator’s position is that telephone calls do qualify as electronic communication under POPIA. As such, direct marketing via phone calls must meet the following requirements:

  • The marketer must have lawfully obtained the recipient’s phone number.
  • The first call must seek consent for receiving marketing messages and clarify the preferred communication method (for example, SMS or email).
  • The marketer must specify the goods or services being marketed.

The Regulator emphasised that although direct marketing through phone calls is permitted, it must comply with POPIA’s consent rules.

Security compromise incidents

The Regulator expressed serious concern over the sharp rise in security compromise incidents reported since its enforcement powers came into effect in July 2021. This growing trend signals potential weaknesses in how organisations handle personal information, the IR stated.

“Since the beginning of April 2024, we have received 980 security compromise notifications. This indicates that public and private bodies may not have sufficient organisational and technical measures to protect the integrity and confidentiality of personal information in their possession or control. We have since focused our complaints assessments on evaluating the security and safety measures that public and private bodies have implemented,” Tlakula said.

A recent example of this ongoing issue occurred in May, when the Department of Justice (DOJ) suffered its second data breach, a cyber incident that impacted child maintenance payments.

In response, the Regulator wrote to the DOJ to determine whether any personal information was compromised during the breach. The DOJ assured the Regulator that no personal data had been affected by the security lapse, but the Regulator remains engaged with the department and continues its investigation.

The Regulator said that based on the findings from this ongoing dialogue, it will decide whether to launch a formal investigation or assessment of the DOJ’s data-handling practices.

This isn’t the first time the DOJ has faced cybersecurity challenges. In September 2021, a cyber-attack encrypted the department’s IT systems, blocking access to more than 1 200 files critical for service delivery and disrupting the operations of the lower courts. In May, the Regulator fined the DOJ R5 million for failing to comply with an enforcement notice following the earlier attack.

Notably, this marked the first time the Regulator had imposed a fine for non-compliance with POPIA. The R5m fine represents 50% of the maximum penalty the Regulator is authorised to issue under POPIA.

The DOJ has since decided to review this decision in the High Court.

Social media

Another matter the Regulator is investigating complaints made against social media companies X, Meta, and Google. The complainant has requested access to records relating to the classification of South Africa’s electoral integrity and the application of global policies to the local context.

“The entities’refusal of access to the records is based on the general presumption that PAIA does not apply extraterritorially to these private bodies despite them conducting business in South Africa. The Regulator accepted the complaints, and all three complaints are currently under investigation,” Tlakula said.

In addition, the Regulator has taken significant action regarding WhatsApp LLC’s compliance with POPIA. Enforcement notices issued on POPIA-related matters included one directed at the messaging giant, a case that Tlakula described as “a very long-outstanding matter with numerous complexities”.

The Regulator’s preliminary assessment revealed, among others, that WhatsApp adopts different terms of service and privacy policies for users in the European region compared to users outside Europe, including South African users.

“The privacy safeguard for users in the European region appeared to be better than those for users in South Africa, even though the General Data Protection Regulation (GDPR) and POPIA have similar standards and protections,” Tlakula said.

Concerned by these disparities, the Regulator conducted a compliance assessment under section 89 of POPIA. This decision was based on WhatsApp’s privacy policy, which was found to be insufficient in demonstrating full compliance with POPIA’s provisions.

As a result, the Regulator issued an enforcement notice to WhatsApp LLC, directing the company to comply with all conditions for the lawful processing of personal information. These directives included updating its privacy policy, conducting a personal information impact assessment, and complying with PAIA, specifically its obligation to maintain documentation of all processing operations under its control.

“In this regard, the Regulator dismissed WhatsApp’s argument that PAIA does not apply to it as a social network which is extraterritorial,” Tlakula added.

WhatsApp LLC was given 60 days to comply with the Regulator’s enforcement notice. The Regulator mentioned that WhatsApp has raised the issue of its jurisdiction, challenging its authority to enforce compliance. However, the Regulator maintains that if a company is providing services in South Africa, it must comply with South African legislation.

The Regulator is awaiting WhatsApp’s response to the enforcement notice and said it is prepared to take further action if WhatsApp does not comply.