The Information Regulator has found that the Independent Electoral Commission of South Africa (IEC) does not have adequate access control measures to protect the confidentiality of personal information in its possession.
The regulator has issued enforcement notices against the IEC, WhatsApp LLC, Blouberg municipality and Lancet Laboratories after its probe into the possible breaches of the Protection of Personal Information Act (Popia).
Chair Pansy Tlakula said the regulator has issued four enforcement notices since April this year. The regulator started an investigation into the IEC after a security compromise occurred before the May national and provincial elections.
At the time, the candidate nomination lists of the ANC and MK party were leaked and shared on various social media platforms.
“We initiated an assessment of their security systems on the safeguarding of personal information that they processed, and we found they did not have adequate access control measures to protect the confidentiality of personal information in their possession,” she said.
She said IEC’s section 22 notification to notify the data subjects concerned was found to be inadequate.
The regulator initiated a compliance assessment on Lancet Laboratories, which was necessitated by several security compromises they experienced.
Tlakula said the company failed to comply with the notification requirements in terms of section 22 of Popia. The company had also failed to notify the data subjects affected by the security compromise within a reasonable time.
She said a preliminary assessment of WhatsApp revealed, among others, that WhatsApp adopts different terms of service and privacy policies for users in its European region compared with users outside Europe, including South Africans.
According to the information regulator, the privacy safeguards for European users appeared to be better than those in South Africa, even though the general data protection regulations (GDPR) and Popia have similar standards and protections.
The regulator has issued an enforcement notice in which it directed WhatsApp LLC to comply with all conditions for lawful processing by updating its privacy policy, conducting a personal information affect assessment, and complying with the provisions of the Promotion of Access to Information Act (PAIA).
“In this regard, the regulator dismissed WhatsApp’s argument that PAIA does not apply to it as a social network which is extraterritorial,” she said.
The regulator’s executive for Popia, Tshepo Boikanyo, said where there is noncompliance with the enforcement notice, the regulator can issue an infringement notice which carries a penalty of imprisonment or a fine of up to R10m.
“Where the information regulator has issued a notice, there will be certain directives in that enforcement notice, and the responsible party will then be afforded the particular time frame through which to compile with those directives from the information regulator.
“If the responsible party does not comply with those directives after the period has expired, we may issue an infringement notice and can impose a fine,” said Boikanyo.
The Information regulator is also investigating complaints made against social media companies X, Meta and Google over South Africa’s recent general elections.
The regulator accepted the complaints, and all three complaints are under investigation.
According to the regulator, the complainant has requested access to the records relating to the classification of elections, risk assessments concerning South Africa’s electoral integrity, and the application of global policies to local contexts within X, Meta and Google.
“The entities’ refusal of access to the records is based on the general presumption that PAIA does not apply extraterritorially to these private bodies despite them conducting business in South Africa,” said Tlakula.
She said the regulator has heard the plight of members of the public on the growing frustration over spam calls as a result of direct marketing.
She said they have drafted a guidance note on direct marketing, which seeks to guide public and private bodies on how to comply with Popia when processing personal information.
She said in July, they shared the draft guidance note with stakeholders in the direct marketing organised structures and the big industry players who largely use direct marketing as part of their business practices.
“The issue here is how the direct marketing sector and other private bodies have interpreted the words electronic communication in Popia.
“Their interpretation is that electronic communication does not apply to telephones; therefore, the stringent Popia requirements for direct marketing through unsolicited electronic communication do not apply to telephones so that people can just call to market goods to you — but we don’t agree,” she said.
TimesLIVE