Heinous: hateful, odious, abominable, totally reprehensible.
We are all a little tired of hearing about the Protection of Personal Information Act (POPIA). But for the wrong reasons, this is the right topic for the week of Women’s Day.
Uniquely South African
The POPI Act is similar to the European Union General Data Protection Regulation (GDPR). We don’t know how some of POPIA will be interpreted. The GDPR has been in effect for longer, so it’s natural to look at GDPR cases for some ideas.
But this is South Africa. It will be different.
GDPR case history
I wondered what the first GDPR cases were. It’s not easy to find out, because each country has its own GDPR regulator. So I checked the Data Protection Commission site for news. The oldest news lists these two court cases:
- Prosecution for the sale of personal data.
- Prosecution for unsolicited marketing without an unsubscribe option, after previous warnings.
Since then, the GDPR regulators have gone after the big guns. They’ve fined Amazon, Google, WhatsApp and Facebook. They’ve also fined British Airways, Vodafone Italy, H&M Clothing and many others.
Where will we start?
In the IT industry, we think about POPIA in terms of encryption, system security and data breaches. And there have been serious data breaches in South Africa.
Since July 2021, the Regulator has investigated over 700 complaints. None of these have made the news. None of the organisations that had data breaches have been fined.
At a media briefing in June 2022, the Information Regulator explained their approach:
“We have been patient enough in trying to take our stakeholders along and assist them, but we’ve now come to a point where we have to exercise our powers.”
I have wondered which POPIA investigation would be the first to make the news. Now I know.
We start here
We know that POPIA is not just about electronic data security. But the ITWeb article this week about the POPIA investigation into SAPS shocked me.
The Information Regulator is investigating the SAPS for leaking details of the Krugersdorp gang-rape victims. A list with the personal details of the victims was leaked across social media, allegedly by SAPS officials.
This is heinous. It’s evil. And, sadly, it seems very South African. I doubt that the GDPR regulators ever faced this kind of data breach. I certainly never imagined such a case.
Next time I am irritated by the effort that POPIA compliance needs, I will remember this. And I hope the perpetrators spend 10 years in prison.