South African data protection authority fines Department of Justice around €250,000 for data breach

On 3 July 2023, South Africa's data protection authority, the Information Regulator (hereinafter the “Regulator”), issued an administrative fine against the Department of Justice and Constitutional Development for failure to comply with the Protection of Personal Information Act, 2013 (POPIA).

The fine follows an enforcement notice served on the Department on 9 May 2023, after the Regulator investigated a suspected IT security breach dating from September 2021. The investigation established that the interruption of the Department's public-facing services in September 2021, and the difficulties employees experienced in accessing its operational systems, were caused by a compromise of the IT environment by malicious software, which led to the leak of more than 1,200 files. The Regulator traced the breach to the non-renewal of the licences for three antivirus products, which had expired more than a year earlier.

Having found these serious breaches of the national data protection law, the Regulator set out a series of measures the Department had to implement. First, within 31 days, it had to renew the expired licences and provide the Regulator with proof of renewal; second, it had to institute disciplinary proceedings against the officials responsible for renewing those licences.

By the deadline, the Department had implemented none of these measures. On 3 July 2023 the Regulator therefore imposed an administrative fine of 5 million rand (more than €250,000). The Department could have contested the decision but did not, and the fine became final.

Were the regulator’s recommendations well-founded and feasible?

As a reminder, in its enforcement notice the Regulator asked the Department to provide proof that its antivirus licences had been renewed, that is, current evidence that the security controls protecting its systems were in working order, so that a similar breach would not recur. It also required disciplinary measures against the officials responsible for IT security, specifically those charged with renewing the expired antivirus licences, presumably for negligence.

First, as to the legality and feasibility of the technical security measures, these are an obligation under POPIA itself. Section 19 requires the responsible party (the data controller) to secure the integrity and confidentiality of the personal information in its possession by taking appropriate, reasonable technical and organisational measures, having due regard to generally accepted information security practices. The Regulator's investigation showed that the three antivirus products meant to detect and alert on malware, and to keep receiving the signature updates on which such detection depends, were all non-functional because their licences had lapsed more than a year earlier. An antivirus product whose licence has expired typically remains installed and visibly present while no longer receiving updates, so the systems appeared protected when they were not. The technical recommendations were therefore well-founded and feasible. By keeping the expired antivirus products despite the Regulator's instructions, the Department persisted in breaching its legal obligation and also contravened section 103(1) of POPIA, which makes failure to comply with an enforcement notice an offence.

As far as penalties are concerned, POPIA provides two tracks: criminal penalties (a fine or imprisonment, or both) for the offences the Act creates, and administrative fines. The two may be applied together or separately.

Under section 107 of POPIA, a person convicted of an offence under the Act is liable to a fine or imprisonment, or both; the maximum term is 12 months for some offences and 10 years for the more serious ones, which include failure to comply with an enforcement notice. In this case such criminal sanctions could in principle have been directed at the civil servants responsible for renewing the licences, but the Regulator chose instead to direct the Department to impose only a disciplinary sanction. Before a disciplinary penalty can be imposed, however, it must be established whether the civil servants concerned were personally at fault or whether the failure lay with their superiors, in accordance with section 14 of the Public Administration Management Act and section 16B of the Public Service Act, which govern disciplinary action against public servants in South Africa.

Administrative fines, by contrast, are imposed on the responsible party as an entity. Section 109 of the Act caps an administrative fine at 10 million rand, so the Regulator imposed on the Department half of the maximum amount for its failure to comply with POPIA.

The Regulator's approach is nonetheless unusual. Although it is common for African data protection laws to provide criminal penalties for breaches of their provisions, this appears to be one of the first occasions on the continent where a regulator has itself taken the initiative of directing disciplinary action against civil servants for misconduct in the performance of their duties, provided such misconduct is established. This opens the way to an individual penalty alongside the main penalty imposed on the entity responsible for the processing.

That said, this case concerns employees of a public authority. Would the Regulator's recommendations have been the same had the employees of a private entity been involved? In any event, this cyber-attack is not an isolated one: it comes against a backdrop of a series of cyber-attacks on state and regional institutions in Africa. It cannot be ruled out that other supervisory authorities will adopt a similar approach and reasoning when data protection laws are breached, particularly now that data protection authorities across Africa are becoming more active.

By Franck ADOPO, PhD Student in digital law and data protection.