Your legal rights when your personal data gets leaked in South Africa

South Africa recently suffered its largest data leak to date with, conservatively, an estimated 30 million South Africans’ personal information becoming publicly available.

The gravity of the leak (and the risks associated with the sensitive information it disclosed) cannot be overestimated. It has exposed most of the country’s population to threats of identity fraud and related crimes.

Reports indicate that the leak emanated from prominent realty agencies that operate throughout the country and used the database to derive information about prospective buyers and sellers. From the leak’s exposé, two things are abundantly clear:


Under South Africa’s current laws, people are often left without a practical way to enforce their rights, according to Karl Blom, associate, and Daniel Vale, candidate attorney, at law firm Webber Wentzel.


However, once the long-delayed Protection of Personal Information Act (POPI) comes into force, people in South Africa (including companies) will finally have a practical tool at their disposal to protect their personal information, the experts said.

“South Africa’s constitution and its common law recognise the right to privacy for all people (including corporations). As a result, people who violate another person’s right of privacy can be held liable,” the firm said.

“Privacy (in these instances) typically refers to the right of a person to choose, within reason, the information they wish to keep hidden from the public.”

In the case of the recent data leak, the legal team said that people who have had their personal information exposed could potentially rely on one of these grounds.

“Typically, of the two possible claims, the stronger claim would be based on the unlawful publication of a person’s personal information (a large-scale data leak is a blatantly unlawful publication of personal information to the public without their consent).”

However, illustrating intention (i.e. that the sharing was deliberate) would be a challenge, as claims based on the negligent (i.e. careless) disclosure of personal information are rarely successful, it said.

The Webber Wentzel team said that one could argue that the person disclosing the personal information had foreseen the possibility that they were sharing someone’s personal information and that they had reconciled themselves with that possibility (the now-famous dolus eventualis debate).

“Even if you are successful in proving your claim, the monetary relief obtained by a person to compensate them for the violation of their privacy rights varies. Nevertheless, the damages awarded by courts are typically low (especially when factoring in legal fees, which may exceed the damages awarded).”


“This, along with the difficulty in establishing a claim (i.e. that the breach must be deliberate), are shortcomings of the common law,” it said.

As a consequence, there has historically been little incentive for most companies to adopt stringent safeguards in relation to the personal information in their possession.

According to Webber Wentzel, under POPI, the collection, processing and publication of personal information will be stringently regulated, including the manner in which personal information must be safeguarded.

“This is because POPI prescribes specific requirements as to how personal information may be stored and transferred (among other things),” it said. “When a person fails to adhere to these new rules, they could suffer significant penalties.”

POPI does not require that personal information be made public in order for liability to arise. Similarly, a person does not have to intentionally breach another’s right to privacy in order to be liable – POPI imposes liability in the event of either an intentional or negligent non-compliance.

“The penalties for non-compliance with POPI are severe. In particular, a person that fails to safely secure and/or process personal information can be held liable for a fine of up to R10 million or even face imprisonment,” the legal experts said.

Until such time that POPI becomes fully effective, people who have suffered from the exposure of their personal information in the recent data leak are left with limited recourse.

“South Africans may take some solace in the fact that, once POPI is in effect, the consequences for people recklessly leaking our information will become very real.”
