There are two potential areas of litigation for a data breach under the Protection of Personal Information Act 4 of 2013 (POPIA). The first is that the party liable for the data breach may have to argue its case before the Information Regulator. The second is that the responsible party may face civil action.
Section 99(1) of POPIA states that: “A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act, whether or not there is intent or negligence by the responsible party.” This means strict liability applies, and the potential defences are limited.
Under Section 99(3), the courts can award any “just and equitable” amount, including damages as compensation for patrimonial and non-patrimonial loss, aggravated damages, interest and costs of suit. This is significant because it means that the Information Regulator can extract damages from the responsible party even if the responsible party is not negligent (for example, where a data breach occurs).
One should also note that class actions are gathering pace globally in the wake of data privacy law breaches. South Africa is likely to follow suit, especially since the groundwork for class actions has already been laid in the retail and mining sectors. Therefore, if an award in terms of Section 99(3) were to be made in a case involving a few million plaintiffs brought together in a class action for a data breach (for example, where bank account details are unlawfully accessed), it could be very costly for the responsible party.

