Liability under the trifecta – POPIA, ECT and Cybercrimes Act

Previously, we discussed the role of the Information Officer under Protection of Personal Information Act 4, 2013 ("POPIA") and the subsequent liability. Given the consequences for information officers in issues of non-compliance with POPIA, it is imperative that organizations appoint the correct individuals to fulfil this role. In this short article, we will unpack the liability under the POPIA, the Electronic Communications and Transactions Act 35, 2005 ("ECTA"), and the Cybercrimes Act 19, 2020 ("Cybercrimes Act").


 With the implementation of POPIA, obligations are created and placed on organizations to secure personal information in their possession or under the organization's control. Organizations are thus obligated to take the necessary measures to prevent loss of, damage to, or unlawful access and processing of personal information. Within the organization, this obligation ultimately rests with the information officer. As a rule of law, the organization (through its information officer) must notify the Information Regulator. In terms of Section 93 of POPIA, liability may fall on the information officer as well as the head of the organization itself. Penalties herein may range from a fine being imposed or alternatively imprisonment.


 ECTA is applicable to transactions that are concluded electronically or by way of data messages, essentially concluded via technological means. ECTA has also made provision for instances of data breaches and, specifically, the unauthorized access, interception or interference of data. The Act also goes further in creating cybercrime offences, inclusive of a data breach. It thus provides and regulates the access and interception of data. Should an individual or an organization be convicted of an offence under the Act, or non-compliance herein relating to a data breach, the relevant person or organization could be liable for a fine or alternatively imprisonment, depending on the offence.

 Cybercrimes Act 19, 2020 ("Cybercrimes Act")

 With ECTA creating a number of cybercrime offences, the Cybercrimes Act was promulgated in May 2021, although it must still come into effect at a later date. This will replace the provisions of ECTA dealing with the creation of cybercrime offences. The Cybercrimes Act goes further in that a duty is imposed on responsible institutions (service providers and financial institutions) to report an offence within a 72-hour time period. Non-compliance herein could result in a fine being imposed.



It is therefore evident that POPIA, ECTA and the Cybercrimes Act are all interlinked in dealing with data breaches and the protection of personal information of data subjects. A cybercrime offence will thus result in all three pieces of legislation affording rights and obligations herein. For example, hacking information is listed as a cybercrime under ECTA and the Cybercrimes Act whilst also being a breach under POPIA. Therefore, it is imperative as an organization to ensure that the necessary mechanisms are in place and are constantly tested for compliance with the Acts. In seeking professional legal advice herein, your organization will be comfortable in the knowledge that it is complying with its obligations and the necessary mechanisms are in place to ensure liabilities are mitigated in the event of a data breach or cybercrime.