3. | 3Hogan Lovells
• Expected implementation date
• Sanctions for non-compliance
Agenda
4. Hogan Lovells | 4
• On 11 April 2014, the President proclaimed the commencement of the
following sections in the POPI Act, 2013:
– Section 1 (Definitions)
– Part A of Chapter 5 (Information Regulator) - provides for the establishment of the
Information Regulator
– Section 112 (Regulations) - The Minister may issue regulations in terms of the POPI Act,
2013
– Section 113 (Procedure for making regulations) - Process of engagement in respect of
regulations
Transitional period
5. Hogan Lovells | 5
• On 29 May 2017, Hogan Lovells hosted the Information Regulator who
indicated that POPIA is likely to come into effect in 2018
• The Information Regulator is also in the process of drafting regulations,
which should be tabled in Parliament before the end of the year
• The Information Regulator is benchmarking the data protection practices
of European countries as well as the United Kingdom
Expected implementation date
6. Hogan Lovells | 6
• Currently, the POPI Act provides that the "processing of personal
information, must within one year after the commencement date ... be
made to conform to this Act"
Time for compliance
7. Hogan Lovells | 7
• Interference with protection of personal information of a data subject
– Section 73 – "For the purposes of this Chapter, interference with the protection of
personal information of a data subject consists, in relation to that data subject, of -
– (a) any breach of the conditions for the lawful processing of personal information as
referred to in Chapter 3; …"
• Civil remedies
– Section 99(1) – "A data subject or, at the request of the data subject, the Regulator, may
institute a civil action for damages in a court having jurisdiction against a responsible
party for breach of any provision of the POPI Act as referred to in section 73, whether
or not there is intent or negligence on the part of the responsible party."
Sanctions for non-compliance
8. Hogan Lovells | 8
• In the event of a breach the responsible party may only raise any of the
following defences against an action for damages:
– Vis major
– Consent of the plaintiff
– Fault on the part of the plaintiff
– Compliance was not reasonably practical in the circumstances of the particular case
– The Regulator has granted an exemption
Legal defences
9. Hogan Lovells | 9
• Section 107 – A person convicted of an offence in terms of POPIA, 2013,
is liable if he/she …
– obstructed the Information Regulator, disclosed the account number of a customer or
failed to comply with a compliance notice, such person may be subject to a fine and/or
imprisonment not exceeding 10 years, or
– if a person committed certain other offences in terms of the POPI Act, such person may
be subject to a fine and/or imprisonment not exceeding 12 months
An administrative fine not exceeding R 10 million may also be imposed on such a person
Sanctions of non-compliance continued