
South Africa's Information Regulator Brings POPIA Enforcement Into Mining With Sibanye Stillwater Action

A June 2 Section 95 enforcement notice against the platinum-and-gold giant — following a 2024 cyberattack — signals the Regulator's pivot toward heavy industry.

[Infographic: South Africa POPIA Enforcement: 2026 Escalation (People of Internet Research, peopleofinternet.com). Key figures shown: 2,374 breach reports in 2024/25; +40% year-on-year rise in monthly breach notifications; R10M maximum POPIA fine (statutory ceiling for serious breaches); 10 enforcement notices issued 2023–2026.]


A Mining Giant Meets the Enforcement Register

On 2 June 2026, South Africa's Information Regulator issued an enforcement notice against Sibanye Stillwater Limited — one of the world's largest platinum-group metals miners — under Section 95 of the Protection of Personal Information Act 4 of 2013 (POPIA), read with Regulation 12(2)(c) of the 2018 Regulations. The notice appears on the Regulator's official enforcement register and marks the first time POPIA's primary enforcement mechanism has been directed at a major South African mining company.

The specific findings remain partially redacted in the publicly available version. But the timeline points clearly to what prompted the action: in August 2024, Sibanye Stillwater filed a Section 22 POPIA breach notification disclosing a cyberattack first discovered in early July 2024. That notification confirmed the exposure of employee personal information across multiple sensitive categories — names, identity and passport numbers, contact details, employment history, trade union membership, financial data, and health information. Under POPIA, trade union membership and health data qualify as "special personal information" under Section 26, attracting the highest tier of processing obligations and consent requirements.

What Section 95 Actually Does

Section 95 of POPIA gives the Information Regulator authority — after its Enforcement Committee considers a matter — to compel a responsible party to take specific steps within a defined period, refrain from specified processing activities, or cease processing personal information for a particular purpose or in a particular manner. Non-compliance is a criminal offense under Section 103. In urgent cases, the Regulator can require compliance within three days of service.

The mechanism is the Regulator's sharpest operational tool short of a criminal referral or administrative fine. Its use against Sibanye suggests the Enforcement Committee identified compliance failures serious enough to warrant mandatory corrective action — not merely a recommendation or advisory letter. That distinction matters: an enforcement notice creates binding legal obligations with criminal consequences for continued non-compliance.

The Parliament Signal: Proactive Monitoring Announced in May

The Sibanye notice did not arrive without warning. On 5 May 2026, the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament's Portfolio Committee on Justice and Constitutional Development, announcing a deliberate shift from reactive complaint-handling toward proactive sector-by-sector compliance assessment. The priority sectors named included financial services, insurance, health, retail, telecommunications, public sector entities, and higher education.

Mining was not listed explicitly — but the notices that followed tell their own story. Three enforcement notices were issued under POPIA within a 21-day window: Central Johannesburg TVET College on 20 May, Sibanye Stillwater on 2 June, and the Gauteng Department of Health on 10 June. The Regulator's enforcement register now lists ten total notices since 2023, with six issued across 2024–2026. The pace is accelerating.

The macro picture reinforces this: the Regulator reported 2,374 security compromise notifications in the 2024/25 financial year, with a 40% year-on-year increase in monthly breach notifications recorded in early 2025/26. Five entities have been assessed administrative fines ranging from R100,000 to R5 million, against a statutory ceiling of R10 million for serious breaches.

The Case for Vigorous Enforcement — and Its Limits

There is a genuine public interest argument for targeting the mining sector. South African mines hold some of the most sensitive employee datasets in any industry: biometric access records, ongoing health surveillance data under the Mine Health and Safety Act, trade union affiliation records, and salary and provident fund information across workforces that are often large, lower-income, and poorly positioned to manage the downstream consequences of a breach. When those records are compromised — as they were at Sibanye in 2024 — the harms are concrete: identity fraud, labour-relations exposure, and potential targeting based on union membership.

The Regulator's enforcement gap is also real. POPIA only entered full operational effect in 2021, and the private sector's compliance record has been weak. Parliament heard in May 2026 that only 33% of public bodies filed required PAIA annual reports in 2023/24; private-sector compliance is lower still. An enforcement body that issues no notices is not a regulator — it is an administrative placeholder.

But enforcement credibility requires more than volume of notices. The Regulator's current toolset — proactive monitoring, mandatory compliance frameworks, tiered timelines — is proportionate in design. The risk lies in execution. If enforcement notices arrive without clear, actionable compliance specifications, or if the remediation obligations imposed on industrial respondents are administratively burdensome without producing measurable data protection outcomes, the result is compliance theater. Sibanye, like any responsible party, deserves to know exactly what the Regulator expects corrected, by when, and what adequate compliance looks like — not just that it has been found wanting.

What Heavy Industry Must Do Now

For South Africa's mining sector, the Sibanye notice functions as a sector-wide signal. Mining companies systematically process the categories of special personal information that POPIA treats most seriously: health surveillance records, biometric identifiers, and union membership data. Section 26 prohibits processing these categories unless one of the authorisations in Section 27 applies (for example, the data subject's consent, or processing that is necessary to establish or exercise a right or obligation in law), the processing operations must be documented under Section 17, and incident response procedures must be tested against the Section 22 duty to notify the Regulator and affected data subjects of a security compromise as soon as reasonably possible.

The 2024 cyberattack at Sibanye demonstrated that even large, well-resourced mining companies can suffer breaches that expose these categories at scale. The June 2026 enforcement notice suggests that the Regulator's follow-up to breach notifications now extends to examining whether the responsible party had adequate preventive controls in place — not just whether it notified correctly after the fact.

For compliance teams in the sector, the immediate priorities are clear: map which categories of special personal information are processed and under which lawful basis; verify that Information Officers are registered with the Regulator; test incident response procedures against POPIA's notification timelines; and treat the Sibanye notice as the opening move in a sustained enforcement campaign, not an isolated event.

Sources & Citations

  1. Information Regulator — Enforcement Notices Register
  2. Sibanye Stillwater — POPIA Section 22 Breach Notification (Aug 2024)
  3. POPIA Section 95 — Enforcement Notice Powers
  4. Werksmans — Information Regulator 2025/26 Annual Performance Plan (Parliament, 5 May 2026)
  5. Mondaq — Information Regulator's First 2026 Enforcement Notice (TVET College)
  6. ITWeb — POPIA Fine and Enforcement Statistics