The Information Regulator (IR) is gearing up for “a test case” that it hopes will vindicate its position that telemarketing constitutes electronic communication under the Protection of Personal Information Act (POPIA).
In December last year, the IR issued a Guidance Note on Direct Marketing. The non-binding Guidance Note regards telephone calls, including live calls and automated voice messages, as “electronic communications” under section 69 of POPIA.
During a media briefing on 13 November, Advocate Pansy Tlakula, the chairperson of the IR, acknowledged that the direct marketing sector contests that phone calls qualify as electronic communications.
Section 69 regulates direct marketing via electronic communication. It prohibits sending unsolicited marketing communications unless the recipient has given consent or is an existing customer who has been given a reasonable opportunity to object.
POPIA defines “electronic communication” as any text, voice, sound, or image message sent over an electronic communications network that is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
Direct marketers contend that the definition does not apply to phone calls because the message is not stored in the network or in the recipient’s device until it is collected by the data subject.
Tlakula said the IR is firmly of the view that direct marketing by telephone constitutes electronic communication. “Now this is one of the matters that have to be tested in court.”
The Regulator has received numerous complaints about direct marketing via telephone. “We have investigated some of those complaints, but we only need one test case,” she said.
The investigation report into one of the complaints is due to come before the IR’s enforcement committee, which will consider the report and issue an enforcement notice.
If the private body concerned does not abide by the enforcement notice, the matter will go to court, “and that’s the battle that we will fight in court because this matter cannot go on forever. It has to be clarified and settled once and for all by our courts,” Tlakula said.
POPIA and PAIA litigation
Tlakula provided an update on a few POPIA and Promotion of Access to Information Act (PAIA) cases that are or were the subject of litigation. She described the matters relating to POPIA as “critical in shaping jurisprudence on POPIA and the right to data privacy in general”.
WhatsApp’s privacy policy
The IR and WhatsApp have settled their dispute over the messaging platform’s privacy policy.
In January 2021, WhatsApp issued an updated privacy policy that users had to accept or risk suspension. The Regulator concluded that the South Africa-facing policy lacked the lawful-processing detail, specific consent mechanisms, and purpose-limitation disclosures required by POPIA, and WhatsApp had different (more detailed) wording for users in the European Union than it did for those in South Africa.
The IR issued an enforcement notice requiring WhatsApp to fix the deficiencies and prove compliance. WhatsApp launched legal proceedings seeking a review of the Regulator’s decision.
In November, the two sides reached a settlement agreement, which will be made an order of court. Tlakula said WhatsApp has agreed to introduce enhancements to the transparency information it provides to South African users.
IR officials declined to answer questions about the details of what has been agreed, saying that doing so could jeopardise the agreement and the pending court order.
Publication of the matric results
The IR and the Department of Basic Education (DBE) are engaged in litigation over the publication of the matric results.
In November last year, the IR issued an enforcement notice against the DBE following its assessment of how the department processes the personal information of learners who sit for the matric exams. The assessment found that the DBE’s practices violated POPIA, particularly the manner of publication of the results, which the Regulator deemed likely to compromise the personal information of learners.
The notice ordered the DBE not to publish the results for the 2024 matriculants in the newspapers and to make these results available to the learners using methods that are compliant with POPIA.
In January this year, the Regulator approached the High Court in Pretoria seeking an urgent interdict against the publication of the matric results. The application was dismissed but was placed on the ordinary court roll.
The DBE released the 2024 results on 13 January 2025 in newspapers and online media (using exam numbers only, no names).
The Regulator issued an infringement notice in which it ordered the DBE to pay an administrative fine of R5 million (the maximum fine is R10m).
The merits of the IR’s decision were argued in the High Court on 27 and 28 October. Judgment was reserved.
Department of Justice security compromise
The Department of Justice and Constitutional Development experienced a ransomware attack in 2021. The IR’s May 2023 enforcement notice cited breaches of section 19 (security measures) and section 22 (notification) of POPIA, blaming lapsed antivirus licences.
In July 2023, the Regulator issued an infringement notice, imposing its first POPIA-related fine of R5m for non-compliance with the enforcement notice.
The department is challenging the notices in the High Court, and the matter is still awaiting a hearing.
Swartkops Sea Salt
The IR issued an enforcement notice under PAIA compelling Swartkops Sea Salt (Pty) Ltd in the Eastern Cape to disclose certain records. These records relate to proof of whether the inhabitants living in the area where the company operates a salt mine benefited from these operations.
Swartkops is challenging the enforcement notice in the High Court, arguing that commercial confidentiality overrides disclosure. The matter is awaiting a hearing.
Infringement notices
The IR issued three infringement notices to bodies that failed to comply with enforcement notices that were served in terms of section 95 of POPIA.
“Responsible parties must note that non-compliance with an enforcement notice is an offence, and we do not take this lightly as the Regulator. The infringement notices now issued compel the institutions to pay administrative fines as determined by the Regulator,” Tlakula said.
Blouberg Municipality
An enforcement notice was issued against the Blouberg Municipality in Limpopo after it was found to have grossly violated a former employee’s right to privacy. According to the IR, the municipality published her personal information online without consent.
Tlakula said the municipality failed to adhere to the corrective instructions in the enforcement notice and was therefore fined R500 000. The municipality has not paid the fine, and the Regulator has initiated court proceedings to recover the amount owed.
Lancet Laboratories
Lancet Laboratories, a major pathology provider, was issued with an enforcement notice following a compliance assessment. The assessment was conducted following numerous security compromises or data breaches.
The company failed to notify the Regulator about the security compromises as required by section 22 of POPIA. “What was also of grave concern was that the body did not notify the data subjects affected by the security compromise,” Tlakula said.
The IR issued an infringement notice requiring Lancet Laboratories to pay a fine of R100 000 because it did not comply with the enforcement notice. Tlakula said Lancet has paid the fine.
FT Rams Consulting
In February last year, the IR issued FT Rams Consulting, a training firm, with an enforcement notice after investigating a complaint about persistent unsolicited emails despite opt-out requests. This was the Regulator’s first enforcement notice in respect of direct marketing.
FT Rams did not comply with the enforcement notice, and the IR issued an infringement notice with an administrative fine of R100 000.
Tlakula said FT Rams has not paid the fine, and the Regulator has initiated court proceedings to recover the amount owed.
Increase in security compromises
In the 2024/25 financial year, 2 374 security compromise incidents or data breaches were reported, with an average of 198 notifications a month, Tlakula said.
From the beginning of the current financial year (in April) to date, 1 947 compromises were reported, with an average of 284 notifications received a month, an increase of 40% in reported security compromises.
Tlakula said the Regulator is deeply concerned about the increased number of security compromises and called on public and private bodies to invest in developing and maintaining appropriate technical and organisational measures to secure the integrity and confidentiality of the personal information in their possession.
New services to deal with complaints
The number of complaints and queries received by the Regulator continues to rise as consumers become aware of their right to privacy, Tlakula said.
The IR received 1 355 POPIA-related complaints in the 2024/25 financial year, compared with complaints in 2024/24. Since April this year, the IR has received 988 complaints – an increase of about 34% compared with the same period last year.
Tlakula said the Regulator has “embarked on a robust digital transformation journey to enhance efficiency, accessibility, and responsiveness”.
The new services are:
iSupport
This is a query-management system designed to improve turnaround times.
Historically, the IR received queries through multiple fragmented channels, which resulted in significant inefficiencies, delays, and challenges in tracking, categorisation, follow-ups, and reporting. The new system consolidates all enquiries into a single platform that generates tickets and handles their tracking and allocation for timely resolution.
Security compromise reporting system
This system digitises the reporting and management of security compromises by responsible parties. Previously, responsible parties had to download a form from the IR’s website, complete it manually, and email it to the Regulator. The new service enables secure, structured submissions.
POPIA complaints submission system
This system enables members of the public to submit complaints directly on the eServices platform against any individual or responsible party that allegedly violated their right to privacy as it relates to the protection of personal information. The platform has two complaint categories: general POPIA complaints and direct marketing complaints, each managed through a structured workflow.
The IR plans to introduce the same mechanism for PAIA complaints.





