Regulatory Warning for Companies Selling Personal Information in South Africa

South Africa’s Information Regulator has issued a stern warning to marketing companies and other groups that are abusing the Personal Information Protection Act (POPIA).

The regulator says it has received and completed preliminary investigations into more than 700 complaints from various data subjects since July 2021.

Most of the complaints received relate to direct marketing, indicating that many responsible parties are not complying with the sections of POPIA regarding unsolicited electronic communication and consent, justification and objection.

Speaking at a recent media breakfast, the regulator said it received a notice from the National Credit Regulator regarding a report on individuals involved in the sale of consumer personal information, such as:

  • Names and surnames;
  • identification numbers;
  • Contact phone numbers;
  • Credit scores;
  • Status of consideration of consumer debt.

“We caution responsible parties who continue to trade in personal information that this is a violation of POPIA and we will not tolerate it. We are sending a clear signal to players in the lending and direct marketing sectors of our economy: this must stop.”

The regulator said the country is experiencing an alarming level of security compromise, with more than 330 reports of data breaches since POPIA went into effect just over a year ago.

To address this issue, the regulator decided to create a dedicated unit to conduct extensive investigations and assessments of these security breaches and issue reports with findings and recommendations. These reports will be considered executive notices, the release said.

Commentary by Era Gunning and Rakhi Dullab of ENSAfrica law firm.

Read: WhatsApp will have new features, including “hidden mode”