South Africa’s Information Regulator has ruled that telemarketing falls under electronic communication and thus, is subject to regulation according to the Protection of Personal Information Act (POPIA). Any non-compliant parties face potential penalties including fines up to R10 million or imprisonment. Violators would first be processed through an investigation and the issuing of an enforcement notice. If the enforcement notice is ignored, an infringement notice and penalty is issued.
The Information Regulator can either initiate the section 89 assessment itself or upon request, which would then be followed by an assessment report. This report is comparable to an enforcement notice, and if instructions in it are not followed, the violator can be issued with an infringement notice entailing a hefty fine or imprisonment.
Nomzamo Zondi, Senior Manager for Communications at the Information Regulator, said the watchdog body would send out its first enforcement notice this week. The said notice is a result of investigations into complaints about direct marketing. The Information Regulator has found the concerned entities in breach of POPIA provisions and has identified 14 other potential offenders it intends to issue enforcement notices to.
Information Regulator Chair Pansy Tlaukula noted potential legal challenges from direct marketing companies to the changes, which includes a telemarketing clause within Section 69 of POPIA. The issue lies not in these companies making marketing phone calls, but in their persistent calling even when customers decline communication.
South Africa’s Information Regulator proved its regulatory power in July 2023 by issuing an infringement notice and a R5-million fine to the country’s Department of Justice and Constitutional Development (DoJ&CD). This penalty was the consequence of the department’s failure to comply with an enforcement notice following a ransomware attack suffered in September 2021.
The Information Regulator found the department negligent in protecting its systems, thus making them vulnerable to an attack. The department was required to submit evidence of renewed security software licenses, which the regulator believed could have prevented or mitigated the attack.
However, the DoJ&CD did not respond to or comply with the enforcement notice by the stipulated deadline of 9 June 2023. Consequently, the department was given 30 days from 3 July 2023 to settle the fine or negotiate installment payments. Alternatively, it could choose to challenge the alleged POPIA offense in court. In response, the Justice Department stated its intent to appeal the penalty in court.
