1,400 complaints and not a single fine — why Popia’s promise appears to fall flat

This topic is empty.

Viewing 1 post (of 1 total)

Author

Posts
2023-04-16 at 15:44 #400281
Nat Quinn
Keymaster
While the Protection of Personal Information Act (Popia) has been in effect for nearly two years, it has seemingly done little to curb the scourge of telemarketing or SMS spam.

After coming into effect on 1 June 2021, Popia imposed numerous strict requirements on businesses regarding acquiring, storing, securing, and sharing the personal information of customers or potential customers.

Legal and consumer rights experts believed the Act could help curb unsolicited direct marketing through phone calls and SMSs, as companies found to be violating it faced fines of up to R10 million or imprisonment for up to 10 years.

It was also viewed as a measure to help minimise consumers’ exposure to phishing attacks and identity theft.

The inability to sufficiently guard customer details against exposure could not only lead to malicious parties getting the information, but also rogue telemarketers who have little regard for Popia and never gave you the option to opt-in to communication.

There have been numerous high-profile examples in which Popia was possibly breached and led to the exposure of South Africans’ personal information to unintended parties.

These included:
- Real Promotions data breach confirmed in August 2022 — ID numbers, ID copies, postal and physical addresses of certain Vodacom Fibre customers compromised in data breach. Other companies potentially affected include Cell C, Mweb, and Telkom.
- Shoprite data breach confirmed in June 2022 — Data of customers that performed money transfers to and within Eswatini, and within Namibia and Zambia.
- Dis-Chem data breach confirmed in May 2022 — Unauthorised party gaining access to 3.7 million customers’ first and surnames, email addresses, and cellphone numbers through a third-party provider’s system.
- TransUnion data breach confirmed in March 2022 — 3 million customers impacted by breach exposing names, ID numbers, birth dates, gender, contact details, marital status, employee identities and duration of employment, and vehicle details.
- Debt-In data breach confirmed in September 2021 — Personal information of customers with accounts in arrears with African Bank and Telkom exposed.
These are but a few pubicly-known examples, many of which are confirmed to have been reported to the Information Regulator.

The entity, headed by Pansy Tlakula (pictured above), was established by Popia and is tasked with ensuring that companies comply with its stipulations.

But despite receiving about 1,400 complaints over the past two years, the entity is yet to issue a single fine.

This appears to suggest that there have been few consequences for those who may be guilty of failing to protect their customer data.

However, lawyers from two major legal firms — Webber Wentzel and Werksmans — told Rapport that the regulator was not being complacent.

Ahmore Burger-Smidt, Werksmans’ director for data protection and privacy

Werksmans’ data protection and privacy director, Ahmore Burger-Smidt, pointed out that the regulator had to follow a process after a complaint was laid.

“We can’t just say it doesn’t do anything. It’s already caught a few big offenders, and there are ongoing investigations, notices and enforcement orders being issued,” Burger-Smidt said.

Burger-Smidt said the regulator first mediated with a party before imposing fines, which was a sensible approach considering all the resources required for bringing matters to court.

Even in cases where the regulator might find a company was negligent, the appropriate punishment might not be a fine, Burger-Smidt said.

Fines would only come into play if a party did not abide by an initial enforcement order and recommendations.

Webber Wentzel partner Karl Blom also said the regulator had been involved in mediating consumer complaints and expects the trend to gain momentum the longer Popia is in effect.

The experts also recommended two ways to minimise the spam calls and unsolicited SMS messages South Africans receive.

The first is to tell a marketer to remove your name from their contact list and not to contact you again.

If the same company contacts you again despite your request, lodge a complaint with the Information Regulator using the steps on its website.

Secondly, you can register on the Association of Direct Marketers’ National Opt-out list to stop receiving marketing calls from its members

SOURCE:1,400 complaints and not a single fine — why Popia’s promise appears to fall flat (mybroadband.co.za)
Author

Posts

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

1,400 complaints and not a single fine — why Popia’s promise appears to fall flat

While the Protection of Personal Information Act (Popia) has been in effect for nearly two years, it has seemingly done little to curb the scourge of telemarketing or SMS spam.

After coming into effect on 1 June 2021, Popia imposed numerous strict requirements on businesses regarding acquiring, storing, securing, and sharing the personal information of customers or potential customers.

Legal and consumer rights experts believed the Act could help curb unsolicited direct marketing through phone calls and SMSs, as companies found to be violating it faced fines of up to R10 million or imprisonment for up to 10 years.

It was also viewed as a measure to help minimise consumers’ exposure to phishing attacks and identity theft.

The inability to sufficiently guard customer details against exposure could not only lead to malicious parties getting the information, but also rogue telemarketers who have little regard for Popia and never gave you the option to opt-in to communication.

There have been numerous high-profile examples in which Popia was possibly breached and led to the exposure of South Africans’ personal information to unintended parties.

These included:

Real Promotions data breach confirmed in August 2022 — ID numbers, ID copies, postal and physical addresses of certain Vodacom Fibre customers compromised in data breach. Other companies potentially affected include Cell C, Mweb, and Telkom.

Shoprite data breach confirmed in June 2022 — Data of customers that performed money transfers to and within Eswatini, and within Namibia and Zambia.

Dis-Chem data breach confirmed in May 2022 — Unauthorised party gaining access to 3.7 million customers’ first and surnames, email addresses, and cellphone numbers through a third-party provider’s system.

TransUnion data breach confirmed in March 2022 — 3 million customers impacted by breach exposing names, ID numbers, birth dates, gender, contact details, marital status, employee identities and duration of employment, and vehicle details.

Debt-In data breach confirmed in September 2021 — Personal information of customers with accounts in arrears with African Bank and Telkom exposed.

These are but a few pubicly-known examples, many of which are confirmed to have been reported to the Information Regulator.

The entity, headed by Pansy Tlakula (pictured above), was established by Popia and is tasked with ensuring that companies comply with its stipulations.

But despite receiving about 1,400 complaints over the past two years, the entity is yet to issue a single fine.

This appears to suggest that there have been few consequences for those who may be guilty of failing to protect their customer data.

However, lawyers from two major legal firms — Webber Wentzel and Werksmans — told Rapport that the regulator was not being complacent.

Ahmore Burger-Smidt, Werksmans’ director for data protection and privacy

Werksmans’ data protection and privacy director, Ahmore Burger-Smidt, pointed out that the regulator had to follow a process after a complaint was laid.

“We can’t just say it doesn’t do anything. It’s already caught a few big offenders, and there are ongoing investigations, notices and enforcement orders being issued,” Burger-Smidt said.

Burger-Smidt said the regulator first mediated with a party before imposing fines, which was a sensible approach considering all the resources required for bringing matters to court.

Even in cases where the regulator might find a company was negligent, the appropriate punishment might not be a fine, Burger-Smidt said.

Fines would only come into play if a party did not abide by an initial enforcement order and recommendations.

Webber Wentzel partner Karl Blom also said the regulator had been involved in mediating consumer complaints and expects the trend to gain momentum the longer Popia is in effect.

The experts also recommended two ways to minimise the spam calls and unsolicited SMS messages South Africans receive.

The first is to tell a marketer to remove your name from their contact list and not to contact you again.

If the same company contacts you again despite your request, lodge a complaint with the Information Regulator using the steps on its website.

Secondly, you can register on the Association of Direct Marketers’ National Opt-out list to stop receiving marketing calls from its members

Quick Links

Points of Interest

Legal Info