The Information Regulator has identified that the Electoral Commission of South Africa (IEC) lacks adequate access control measures to protect the confidentiality of personal data in its possession.
As a result, enforcement notices have been issued against the IEC, WhatsApp LLC, Blouberg Municipality, and Lancet Laboratories following an investigation into possible breaches of the Protection of Personal Information Act (Popia).
According to Chairperson Pansy Tlakula, the regulator began an investigation into the IEC after a security breach occurred before the May national and provincial elections. During this breach, the candidate nomination lists of political parties, including the ANC and MK Party, were leaked and circulated on social media.
“We initiated an assessment of their security systems on the safeguarding of personal information that they processed, and we found they did not have adequate access control measures to protect the confidentiality of personal information in their possession,” Tlakula explained. Additionally, the IEC’s notification under section 22 of Popia was found to be insufficient in informing affected individuals.
Lancet Laboratories also came under scrutiny for multiple security breaches. The regulator found that the company failed to meet Popia’s notification requirements, particularly regarding informing affected data subjects in a timely manner.
WhatsApp was similarly flagged after a preliminary assessment revealed that the platform implements different privacy policies and terms of service for European users compared to users outside Europe, including in South Africa. The regulator noted that European users enjoy better privacy safeguards despite Popia and the General Data Protection Regulation (GDPR) offering comparable protections.
As part of the enforcement notice, WhatsApp has been instructed to update its privacy policy, conduct a personal information impact assessment, and comply with the Promotion of Access to Information Act (PAIA). Tlakula emphasized that WhatsApp’s argument that PAIA does not apply to it due to its extraterritorial nature was rejected.
Tshepo Boikanyo, the regulator’s executive for Popia, highlighted that failure to comply with an enforcement notice could lead to an infringement notice. This could result in penalties of imprisonment or fines up to R10 million. “If the responsible party does not comply with those directives after the period has expired, we may issue an infringement notice and can impose a fine,” said Boikanyo.
Additionally, the Information Regulator is investigating complaints against social media giants X (formerly Twitter), Meta, and Google regarding their handling of South Africa’s recent elections. The complaints revolve around access to records related to the classification of elections and global policy applications to South Africa.
The regulator is also addressing public concerns over spam calls resulting from direct marketing practices, having issued a guidance note on how businesses should comply with Popia when processing personal information. Tlakula noted that some companies have misinterpreted Popia’s requirements for electronic communication, believing they do not apply to telephone marketing. She made it clear that the regulator does not agree with this interpretation.