Growing Data Protection Enforcement Trend from South Africa and Kenya
By: Tsebee Dorcas
In recent years, the data protection authorities in South Africa and Kenya have been notably proactive in implementing their data protection laws, both in raising awareness of the laws and in taking enforcement action.
The Information Regulator (the Regulator) is the data protection authority in South Africa. Section 39 of the Protection of Personal Information Act, 2013 (POPIA) establishes it as an independent body charged with ensuring compliance with POPIA and the Promotion of Access to Information Act (PAIA) by public and private bodies. Section 41(1) of POPIA governs the composition of the Regulator, and under that provision the President, on the recommendation of the National Assembly, appointed the chairperson and other members in 2016. Although the Regulator was thus in place from 2016, and POPIA had been published in November 2013, the law only became fully enforceable in July 2021, after the one-year grace period that followed its commencement in July 2020. Since then, the Regulator has been proactive in raising awareness of personal data protection. As part of implementing POPIA, the Regulator announced in 2020 that it was investigating the Experian data breach of that year, and in 2021 it commissioned an independent investigation into an alleged repeat of the breach. Numerous other investigations have followed.
In Kenya, the Office of the Data Protection Commissioner (ODPC) is established under the Data Protection Act, 2019 (the Act), which was enacted on November 8, 2019. The ODPC is responsible for, among other things, implementing and enforcing the Act and receiving and investigating complaints by any person about infringements of their rights under it. The enactment of the Act paved the way for the appointment of the first Data Commissioner, Ms. Immaculate Kassait, MBS, and the ODPC has been operational since March 2021. Since then, the ODPC has actively engaged stakeholders and has called for, and emphasised, compliance with obligations under the Act and its Regulations. As data controllers and processors take steps to ensure continued compliance, the ODPC continues to raise awareness of the rights of data subjects under the Act and the subsidiary data protection regulations it has issued.
The Information Regulator has used a variety of channels to raise awareness of data protection and to assess public understanding of the law, including social media, radio, hosting and participating in events, and community visits. As part of this commitment, last month the Regulator conducted public interviews in a campaign to raise awareness of personal data protection and POPIA, with the aim of gauging the public's understanding of POPIA and what it means for their personal data. The Regulator has also committed to increasing public participation in its regulatory work, including by calling for comments on its proposed rules and regulations on enforcement. In addition, it has published a number of guidelines clarifying how POPIA is to be operationalised and complied with.
The ODPC has likewise not relented in its efforts to raise awareness of the Data Protection Act (DPA) and to ensure compliance with it. To support effective implementation of the Act, the ODPC has published subsidiary regulations, namely the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The Data Commissioner has also been personally active on social media, educating the public on data protection issues such as international data transfers. On May 3, 2023, the ODPC launched a countrywide awareness campaign aimed at engaging data controllers and processors and encouraging compliance with the law, and it expressed a willingness to work with controllers and processors on their compliance.
Regulatory and Enforcement Actions of the South African and Kenyan Regulators
In my opinion, South Africa's Information Regulator has been one of the most proactive, accountable, transparent, and inclusive data protection regulators in Africa. In August 2022, the Chairperson of the Information Regulator, Pansy Tlakula, announced the establishment of the Enforcement Committee (the Committee), which is responsible for giving effect to the Regulator's enforcement powers and for providing an effective remedy to complainants whose rights to privacy and access to information have been violated, in accordance with POPIA. The Committee was established pursuant to Section 50(1) of POPIA, which requires the Regulator to establish an Enforcement Committee. Complaints received by the Regulator under both POPIA and PAIA are referred to the Committee, which reviews and investigates them and submits its findings to the Regulator for a determination. The Committee may also recommend to the Regulator the appropriate action to be taken against a responsible party. Its establishment has materially increased the Regulator's enforcement capacity.
In 2023, following the establishment of the Enforcement Committee, the Regulator published draft rules of procedure for the Committee, issued under Section 92(2) of the Protection of Personal Information Act, 2013. The draft rules set out the procedure the Committee is to follow when resolving complaints. The Regulator had received 544 POPIA complaints in the preceding financial year, and it has reported a 30% increase in complaints this year.
In April 2023, the Regulator held a press briefing at its headquarters to share the outcome of some of its investigations with the public, and it used the occasion to explain its investigative process. Under POPIA, the Regulator may investigate on the basis of a complaint from a requester or a third party, or on its own initiative. Complaints are generally resolved through a settlement process such as mediation or conciliation; those that cannot be settled are referred to the Enforcement Committee for a full investigation. Section 92 of POPIA provides that, where the Regulator has completed an investigation of a complaint or other matter under the Act, it may refer that complaint or matter to the Committee for consideration. For the 2022–2023 financial year, the POPIA division received 899 complaints, of which 616 were resolved, compared with 544 received in the previous year. The press briefing further demonstrates the proactiveness, transparency, and accountability of the Regulator.
In a similar development, Kenya's ODPC has been highly proactive in implementing the Data Protection Act, 2019 and the regulations published to support it, and it has actively received and investigated complaints from data subjects. To give effect to its complaints function, the ODPC published the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, which set out the complaint-handling procedure. The regulations took effect in February 2022, opening the way for data subjects to file complaints with the Data Commissioner. The ODPC favours alternative dispute resolution for complaints submitted to it and, to that end, released an Alternative Dispute Resolution Framework and Guidelines that build on the provisions of the 2021 enforcement regulations on conciliation, mediation, and negotiation as means of resolving data protection disputes under the Act outside the courts. In a 2022 press release, the ODPC indicated that, as of September 30, 2022, it had received 1,030 complaints and admitted 555 of them.
Data Protection Law Smackdown: Compliance Efforts and What We Are Learning
Among the cases reviewed by the Information Regulator at the press briefing was one it had chosen to investigate on its own initiative, because it involved the disclosure of personal information about a vulnerable group: victims of sexual assault. The Regulator discussed the outcome of its investigation into the South African Police Service (SAPS), opened on its own initiative after personal information about these data subjects was leaked on social media platforms such as Facebook and WhatsApp. The investigation focused on whether the SAPS's handling of the personal information complied with POPIA.
Following its investigation, the Regulator found that the SAPS had breached the conditions for the lawful processing of personal information, had failed in its duty to notify the Regulator and the affected data subjects of the security compromise, and had violated the POPIA provisions on lawful processing, purpose limitation, and the duty to take appropriate, reasonable technical and organisational measures to prevent unlawful processing of personal information.
The SAPS was ordered to notify the affected data subjects of the breach within 31 days of receipt of the enforcement notice. It must also publish an apology in all national weekly newspapers and on social media platforms such as Facebook and Twitter for processing personal information unlawfully, investigate the conduct of the SAPS members involved in the leak, and conduct POPIA training for all SAPS members. The SAPS has since published a public apology to the victims of the breach together with a statement of its compliance with the Regulator's orders.
On May 9, 2023, the Information Regulator issued an enforcement notice against the Department of Justice and Constitutional Development for failing to comply with POPIA in a way that led to unauthorised access to personal information. The Department had failed to renew its Security Incident and Event Monitoring (SIEM) licences, which had expired in 2020; with no functioning monitoring in place, its networks were breached without the Department noticing. In practical terms, an expired SIEM licence means that security logs are no longer collected, correlated, or alerted on, so an intrusion can persist undetected. The Regulator ordered the Department, within 31 days, to renew the expired SIEM licences and to institute disciplinary proceedings against the officials responsible for renewing them, failing which it faces a fine of up to R10 million or criminal prosecution.
The Regulator's decisions in the SAPS and Department of Justice cases are noteworthy for the data protection principles the Regulator relied on to reach its findings in each case, principles that many regulators seldom apply in practice. The decisions also underline the Regulator's commitment to carrying out its mandate to enforce the law against both public and private bodies: the SAPS and the Department of Justice, as public bodies, are not exempt from its enforcement action. In the SAPS case, the Regulator rejected the claim by SAPS members that releasing the personal information of the sexual assault victims was necessary to further their investigation. In the Regulator's view, the information released was excessive and not relevant to the stated purpose, and the processing was unlawful.
The ODPC, for its part, has taken several enforcement actions between 2022 and 2023. In 2022, it issued its first penalty notice, against Oppo Kenya, imposing a fine of KES 5 million (approximately USD 41,000), the maximum penalty the DPA allows. The penalty notice followed an enforcement notice issued on November 3, 2022, in which the ODPC directed Oppo Kenya to review some of its data handling practices after a complaint by a data subject whose photograph had been used on Oppo Kenya's Instagram account without consent. Before this, the ODPC had announced a preliminary documentary assessment and audit of 40 digital credit providers for allegedly unlawful processing of customers' personal data; however, neither the details of those complaints nor their outcome has been made public.
In April 2023, the ODPC issued instructive decisions involving three well-known companies domiciled in Kenya. It issued penalty notices against Whitepath Company Limited, for failing to comply with an enforcement notice, and against Regus Kenya, for failing to respond to notifications of a complaint and to an enforcement notice. Each company was ordered to pay a penalty of five million Kenyan shillings (KES 5,000,000).
Failure to comply with obligations under the DPA and the Regulations attracts an enforcement notice, which sets out the steps required to remedy the non-compliance and the period within which they must be taken. If a company fails, without reasonable excuse, to take the steps required by an enforcement notice, the ODPC issues a penalty notice imposing a financial penalty.
The third company, Ecological Industries Limited, received an enforcement notice for failing to cooperate with several notifications of complaints against it over the unlawful use of a data subject's personal photographs. If it fails to comply with the enforcement notice, it will likewise face a penalty notice.
While the Information Regulator and the ODPC are sometimes criticised for not imposing sanctions, the issuance of sanctions cannot be the only measure of a data protection authority's effectiveness. Judged by their actions, the two authorities are carrying out their mandates while adhering to their stated values. The ODPC in particular has implemented the Data Protection Act through awareness creation and enforcement action while maintaining accountability and transparency, qualities lacking in the activities of some other African regulators. Although the South African and Kenyan regulators are not without their limitations, their enforcement record should serve as a wake-up call to other African regulators to become more proactive and to build effective enforcement mechanisms of their own.
Author Bio: Tsebee Dorcas is a lawyer who is licensed to practice in Nigeria. She is an aspiring legal researcher and writer who is passionate about Data Protection and Privacy in Africa, Technology Policy, Intellectual Property Law, and Startup Advisory. She can be reached via firstname.lastname@example.org or +2348093933875.
LinkedIn: Dorcas Tsebee