South Africa has recently suffered its largest data leak to date with, conservatively, an estimated 60 million South Africans' personal information becoming publicly available. The gravity of the leak (and the risks associated with the sensitive information that has been imparted from it) cannot be overestimated. It has exposed numerous people to threats of identity fraud and related crimes.
Reports indicate that the leak emanated from prominent realty agencies that operate throughout the country and used the database to derive information about prospective buyers and sellers. From the leak's exposé, two things are abundantly clear:
- South Africans are very vulnerable to the non-consensual processing of their personal information; and
- personal information is often not kept securely and, as a consequence, can be easily accessed.
When someone's personal information has been leaked, what legal redress is available to them? Under South Africa's current laws, people are often left without a practical way to enforce their rights. However, once the long-delayed Protection of Personal Information Act ("POPI") comes into force, people in South Africa (including companies) will finally have a practical tool at their disposal to protect their personal information.
The current position:
South Africa's Constitution and its common law recognise the right to privacy for all people (including corporations). As a result, people who violate another person's right of privacy can be held liable. Privacy (in these instances) typically refers to the right of person to choose, within reason, the information they wish to keep hidden from the public. A person's right to privacy is typically infringed in one of two ways:
- when a person deliberately intrudes upon another's personal affairs without permission or justification; and/or
- when a person deliberately shares another's personal information without permission or justification.
In the case of the recent data leak, people who have had their personal information exposed could potentially rely on one of these grounds. Typically, of the two possible claims, the stronger claim would be based on the unlawful publication of person’s personal information (a largescale data leak is a blatantly unlawful publication of personal information to the public without their consent). However, illustrating intention (i.e. that the sharing was deliberate) will always be a challenge as claims based on the negligent (i.e. careless) disclosure of personal information are rarely successful. Importantly, it falls to the person whose information was shared to demonstrate that the invasion of their privacy was intentional. One could argue that the person disclosing the personal information had foreseen the possibility that they were sharing someone's personal information and that they had reconciled themselves with that possibility (the now-famous dolus eventualis debate) however, this is also difficult.
Even if you are successful in proving your claim, the monetary relief obtained by a person to compensate them for the violation of their privacy rights varies. Nevertheless, the damages awarded by courts are typically low (especially when factoring in legal fees, which may exceed the damages awarded). This, along with the difficulty in establishing a claim (i.e. that the breach must be deliberate), are shortcomings of the common law.
As a consequence, there has historically been little incentive for most companies to adopt stringent safeguards in relation to the personal information in their possession.
The future - POPI
Under POPI, the collection, processing and publication of personal information will be stringently regulated, including the manner in which personal information must be safeguarded. This is because POPI prescribes specific requirements as to how personal information may be stored and transferred (among other things). When a person fails to adhere to these new rules, they could suffer significant penalties.
POPI does not require that personal information be made public in order for liability to arise. Similarly, a person does not have to intentionally breach another's right to privacy in order to be liable - POPI imposes liability in the event of either an intentional or negligent non-compliance.
The penalties for non-compliance with POPI are severe. In particular, a person that fail to safely secure and/or process personal information can be held liable for a fine of up to ZAR10 million or even face imprisonment.
However, the majority of POPI's provisions are not currently in force - its commencement having been delayed for a number of years. Until such time that POPI becomes fully effective, people who have suffered from the exposure of their person information in the recent data leak are left with limited recourse. South African's may take some solace in the fact that, once POPI is in effect, the consequences for people recklessly leaking our information will become very real.