Class actions caused by breaches of the Protection of Personal Information Act are likely to emerge in South Africa in the next few years, and they could be quite costly for companies
Globally, class actions are starting to gather pace in the wake of breaches of data privacy laws. Following the introduction of the Protection of Personal Information Act (POPIA) in July this year, South Africa is likely to follow suit, especially since the groundwork on class actions has been laid in the mining and retail sectors in the past few years.
In the USA, Google has recently faced a USD 5 billion class action lawsuit for tracking the browsing history of users who chose the “Incognito” mode. In the UK, a class action is under way relating to the hacking of the Marriott Hotel chain’s global database in September 2018. This action is being brought on behalf of hotel residents from England and Wales.
In South Africa, there are two potential areas of litigation for a data breach under POPIA. The first is that the party liable for the data breach may have to argue its case before the Information Regulator. The second is that the responsible party may face a civil action.
Section 99 (1) of POPIA states that: “A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act … whether or not there is intent or negligence on the part of the responsible party.”
This means strict liability applies, and the potential defences are limited. These are: extraneous events beyond the control of the responsible party; consent of the plaintiff; fault on the part of the plaintiff; if compliance was not reasonably practicable in this context; or if the Regulator granted an exemption under Section 37 (for example, where the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing).
Under Section 99 (3), the courts can award any amount that is “just and equitable”, including damages as compensation for patrimonial and non-patrimonial loss; aggravated damages; interest; and costs of suit.
This is a big deal. It means that the Information Regulator can extract damages from the responsible party even if it is not negligent (e.g. where a data breach occurs).
We think it is only a matter of time before we see the first class action brought under POPIA for a data breach. In South Africa, there have already been some high-profile cases involving the release of personal information of millions of data subjects. Class actions have also been gathering pace, after the successful silicosis action brought against a group of gold mining companies on behalf of workers who contracted the occupational disease, and the listeriosis action brought against Tiger Brands.
In the leading class action case, involving Pioneer Foods (Pty) Ltd, the Supreme Court of Appeal set out the factors that should be weighed in deciding whether to certify a class action. Certification essentially involves bringing an application before a court for a decision on whether a class action is a suitable avenue for addressing the issues at hand. In the absence of certification, a class action will not be able to proceed to the trial stage. Some of the factors that the court will consider include the existence of a class identifiable by reference to objective criteria; whether the proposed class representative is suitable to conduct the action and represent the class; a cause of action raising a triable issue; issues of fact or law common to all members of the class; and that a class action is the most appropriate means by which the claims of the class may be determined.
The Constitutional Court has, however, left open the question whether prior certification for a class action is even necessary in a case involving a fundamental right, such as the right to privacy.
Any potential class action within the context of POPIA could be expected to follow a procedure requiring potential plaintiffs to contact legal representatives to “opt in”. This would be in response to the inevitable challenges that would arise in the gathering of evidence. The vast spectrum of affected data subjects would make an “opt-in” process the most practical choice. The alternative would be an “opt-out” process, whereby potential plaintiffs are automatically bound by the outcome of the judgment if they fail to indicate their objection by a set date.
Class actions scare companies, as the US experience shows. In the Google breach, app developers had obtained access to the profile information of users through what was described as a series of “software glitches”. This information included names, birth dates, home towns, addresses, locations, email addresses, photos, and videos. After notice was given to the data subjects, the class action lawsuit elicited a tender of settlement from Google. Following approval from the California district court, a settlement of approximately USD 7.5 million was paid over to the plaintiffs.
In the Marriott class action, the personal information of almost half a billion guests was compromised between 2014 and 2018. This information included passport and credit card numbers which had been hacked from the reservation systems of a number of hotels. The result was the launch of 11 different class action lawsuits against Marriott, which were eventually consolidated into a single claim. This matter is still ongoing, but the sheer size of the affected class signals the possibility of a large eventual settlement.
One issue that could inhibit class actions for data breaches in South Africa is the history of modest claims being awarded by courts for non-patrimonial loss. For example, in the case of the naming of three HIV-positive women in a biography of politician Patricia de Lille by Charlene Smith, published by New Africa Books, the Constitutional Court awarded ZAR 35 000 in damages to each of the plaintiffs in 2007. Fifteen years later, that award would be about ZAR 75 000 – still a paltry sum when someone has had their HIV status revealed without their consent.
But if a similar award – and on top of it aggravated damages – were to be made in a case involving a few million plaintiffs brought together in a class action for a data breach (e.g. where bank account details are unlawfully accessed), it could be very costly for the responsible party.
One way or the other, this is certainly an area of the law which will see rapid development in the near future. Fasten your seatbelts.