After 10 years of building its capabilities, this week the Information Regulator issued its first infringement notice against the Department of Justice and Constitutional Development after it failed to comply with an enforcement notice requiring it to beef up its cyber security software following a 2021 data breach.

This landmark moment for data privacy enforcement in South Africa could be a sign of things to come.

The Information Regulator is the body in charge of enforcing the provisions of the Protection of Personal Information Act (Popia), which was signed into law in 2013.

The regulator was officially created three years later in 2016, but was only given the power to issue enforcement and infringement notices to organisations two years ago.

An enforcement notice is a legal document that states when action needs to be taken to fix a breach, in this case a data breach.

An infringement notice is issued by a regulatory body setting out the particulars of an alleged contravention, in this case the enforcement notice, and setting out a penalty.

On Monday, the Information Regulator issued its first infringement notice when it slapped the department with a R5-million fine.

The department was issued an enforcement notice on 9 May, requiring it to renew antivirus licenses that expired in 2020 and to implement disciplinary procedures against those members of staff responsible for renewing the software, among other things.

"Those licenses then didn't protect their systems, which is why they were hacked," said Nomzamo Zondi, senior manager for communications and media at the Information Regulator.

The regulator says this resulted in the loss of 1 204 files from the department's system.

The department had the opportunity to appeal the infringement order, but it did not.

It also had to fulfil the requirements of the order within 31 days, and on 3 July the regulator still had not received a response. It then fined the department.

The department told News24 that it was considering its options and would not be commenting at this time.

Of the regulator's first infringement order and what it means for the future of South Africa's information regulatory landscape, Zondi said: "A lot is being tested."

More to come

Nadine Mather, a partner at Bowmans SA and data privacy law expert, said she expects more enforcement notices to come from the Information Regulator.

She said: "It has taken some time for the Information Regulator to get off the ground," but there was a similar wait with the enforcement of General Data Protection Regulation rules, the European data protection laws, but now there are cases nearly every week.

This expectation was echoed by Mercia Fynn, the head of the commercial department at KISCH IP, an intellectual property law firm.

Fynn said more enforcement from the Information Regulator would send the message that implementing adequate data protection systems "can't be ignored" by organisations.

When to act

Mather said the Information Regulator can only issue an enforcement notice when it can be shown that an organisation, whether public or private, hasn't put in place adequate protection measures for personal information.

"Under Popia, you have an obligation to put in place adequate and reasonable technical and organisational measures to secure your personal information and to prevent it from loss or damage or destruction or unauthorised access."

So, regardless of whether personal data is lost and can never be found again or is leaked publicly, Popia is applicable, according to Mather.

The Information Regulator is interested in whether "appropriate safeguards" were put in place by an organisation when processing personal information and it can bring an enforcement order if these were not in place, Zondi says.

"As the regulator, if there is a security breach and we do an investigation and find that there was negligence in terms of identifying risks, mitigating risks and putting measures in place to ensure there were reasonable safeguards for personal information, we can institute that enforcement notice."

The Information Regulator makes no distinction between the adequate safeguards required of private and public organisations, according to Zondi.

Infringing parties have the right to appeal an enforcement notice, says Fynn.

Ad hoc or principles-based regulation?

Zondi says what constitutes a reasonable safeguard depends on the organisation and the nature of the data that is being processed.

"We can't really prescribe what it would be because each organisation processes personal information differently. Even the different types of personal information and the size matters," she said.

Fynn said the department case doesn't necessarily provide a template for how the Information Regulator will act in the future.

"I think it has to be on a case-by-case basis. I don't think this means the Information Regulator can now just stipulate what measures have to be in place," she said.

She added that the measures which the Information Regulator orders an organisation to put in place must factor in what the organisation can reasonably afford.

Craig Pederson, a forensic investigator and cybercrime expert who is a director at TCG Forensics, said there must be principles and rules by which the Information Regulator abides.

"At the end of the day, we do need to see teeth to the regulator," said Pederson, "but it has to set principles, establish set practices and [its notices] reflect the severity [of infringements]."

He said a cautious approach was required from the Information Regulator.

In the case of the department, the regulator required that it renew particular licenses for antivirus software to comply with its enforcement notice, which Pederson said could set a dangerous precedent. 

The software that an organisation does and doesn't run is "really none of the regulator's business", as it is an operational and business decision, he said.

He said the threat of action by the Information Regulator could be used by antivirus software providers to pressure organisations into renewing their licences.

Running strong antivirus software is best practice for an organisation said Pederson, but it was not clear in the Department of Justice case whether the Information Regulator had the right to enforce the standard of antivirus software the department should have used.

"The implication here is broader ... What's next? Will the regulator be wanting to visit all the businesses around the country and dictate what software they need to purchase and when?" he asked.