Perpetrators of SA’s largest data leak will go unpunished – because the Protection of Personal Information Act is not yet operational.

Toby Shapshak at the Financial Mail reported recently on the largest data leak in SA history: a property company put the personal details of 60m South Africans into an insecure database on an insecure website. It must have been quite a feat to put all this information together in the first place, but that is beside the point. It’s clear this data was gathered without permission and theoretically falls foul of the Protection of Personal Information (Popi) Act, but as Popi is not yet fully operational, any aggrieved member of the public would have to pursue the matter through common law. It Popi was fully operational, a R10m may have been imposed.

“Under existing common law, there are implications for companies that intentionally or negligently disseminate private information, but the process is arduous and the remedies are not significant,” Webber Wentzel media law expert Dario Milo is quoted as saying.

Popi, when implemented, will introduce certain conditions “so as to establish minimum requirements for the processing of personal information.”