Abstract
A person whose privacy has been infringed through the unlawful, culpable processing of his or her personal information can sue the infringer’s employer based on vicarious liability or institute action based on the Protection of Personal Information Act 4 of 2013 (POPI). Section 99(1) of POPI provides a person (“data subject”), whose privacy has been infringed, with the right to institute a civil action against the responsible party. POPI defines the responsible party as the person who determines the purpose of and means for processing of personal information of data subjects. Although POPI does not equate a responsible party to an employer, the term “responsible party” is undoubtedly a synonym for “employer” in this context. By holding an employer accountable for its employees’ unlawful processing of a data subject’s personal information, POPI creates a form of statutory vicarious liability.
Since the defences available to an employer at common law, and developed by case law, differ from the statutory defences available to an employer in terms of POPI, it is necessary to compare the impact this new statute has on employers. From a risk perspective, employers must be aware of the serious implications of POPI. The question that arises is whether the Act does not perhaps take matters too far.
This article takes a critical look at the statutory defences available to an employer in vindication of a vicarious liability action brought by a data subject in terms of section 99(1) of POPI. It compares the defences found in section 99(2) of POPI and the common-law defences available to an employer fending off a delictual claim founded on the doctrine of vicarious liability. To support the argument that the statutory vicarious liability created by POPI is too harsh, the defences contained in section 99(2) of POPI are further analogised with those available to an employer in terms of section 60(4) of the Employment Equity Act 55 of 1998 (EEA) and other comparable foreign data protection statutes.
 
Highlights
No good deed goes unpunished.[1] The common-law doctrine of vicarious liability, in terms of which an employer is held accountable for the wrongful acts or omissions committed by an employee, is controversial and much-discussed.[2]
For the purpose of argument the following fictional scenario will be used. The facts of this fictional case study will be applied to the common law, contrasted with the Employment Equity Act (EEA), and compared to foreign data-protection statutes to illustrate the glaring inadequacy of the statutory defences available to the employer when faced with a civil claim brought by a data subject in relation to an infringement caused by an employee in contravention of POPI.
The student whose right to privacy has been infringed may either base her claim against the university on her common-law right to privacy or on her statutory right as confirmed by POPI. This is evident from two cases which dealt with sexual harassment in the workplace. Although POPI is not concerned with the issue of sexual harassment, the principle that a complainant has "two roads" to an employer's vicarious liability is evident from the Grobler v Naspers and Ntsabo v Real Security CC cases.[89]
Summary
POPI provides data subjects with rights and remedies to protect their personal information from processing that is unlawful.[147] Any unlawful interference with a data subject's privacy will render the employer, as the responsible party, civilly liable for the acts of its employees.[154] The defences that the employer may raise are set out in section 99(2)(a) to (d) of POPI. The disclosure of the student's personal information by Mrs A could hardly be regarded as an act of God.[155] It is clear that the student never gave permission for her academic records to be disclosed to random third parties with whom she has no relations.[156] It could neither be said that compliance was not reasonably practicable nor that the Regulator granted an exemption.[157] Apart from the above defences, the employer will be unable to avert a claim for damages brought by a data subject whose privacy has been infringed by the said employer's employee. Recognise good deeds, intentions or aspirations as defences to a civil claim brought in terms of section 99