The Information Regulator held a media briefing on 13 November 2025 to outline the latest developments in POPIA and PAIA enforcement, ongoing litigation, regulatory priorities. The briefing, led by Chairperson Adv Pansy Tlakula, came at a fitting moment as South Africa marks 25 years of PAIA – a reminder of the country’s long-standing commitment to transparency and accountability.
1. Major Litigation Matters
DBE Matric Results Case
The Regulator previously instructed the Department of Basic Education not to publish matric results in newspapers. After the department failed to comply, the Regulator issued an Infringement Notice and a R5 million fine. The matter is now before the courts, and judgment is reserved.
Department of Justice Data Breach
A 2021 security compromise and subsequent non-compliance with an Enforcement Notice led to another R5 million fine. The DOJ&CD is contesting the penalty.
WhatsApp Privacy Policy Settlement
A noteworthy development is the Regulator’s settlement with WhatsApp LLC concerning the platform’s 2021 Privacy Policy update. WhatsApp has agreed to implement improved transparency measures for South African users, and the agreement will be made an order of court.
2. POPIA Enforcement
The Regulator reported a sharp rise in data breaches and highlighted several enforcement actions taken during the past year.
Infringement Notices
• Blouberg Municipality: R500 000 for exposing personal information of a former employee.
• Lancet Laboratories: R100 000 for failing to notify both the Regulator and affected individuals of data breaches.
• FT Rams Consulting: R100 000 for ignoring an Enforcement Notice relating to direct marketing; legal proceedings have begun to recover the fine.
Data Breach Figures
• 2024/25: 2 374 reported breaches
• 2025 (to date): 1 947 breaches
This represents a 40% increase, with an average of 284 breach notifications per month. The Regulator urged organisations to significantly improve their security controls.
3. New POPIA Regulations
The amended POPIA Regulations, effective April 2025, introduced stricter requirements for:
• Direct marketing
• Telemarketing call recordings
• Managing objections
• Overall compliance frameworks
4. Ongoing PAIA compliance concerns
PAIA compliance remains a challenge across both public and private bodies. The Regulator noted:
• Many organisations still fail to publish PAIA manuals.
• Annual PAIA reporting remains poor.
• Municipalities, TVET colleges, and certain provincial entities recorded especially low submission rates.
Enforcement Notices were also issued to OUTA, SSA, Kudung CPA, and Oceana Empowerment Trust. One of the most prominent matters involved SARS, which has been directed to release former President Jacob Zuma’s tax records from 2010–2018 after failing to justify withholding them.
Conclusion
The Regulator’s briefing makes it clear that protecting personal data and ensuring access to information is a top priority in South Africa. With stricter enforcement, updated regulations, and a stronger focus on digital efficiency, organisations should be ready for a more hands-on regulatory approach and make sure their compliance framework are up to the task