Joanne Bailey, Ancillary Financial Services
Data protection laws (such as the GDPR in the EU, DPA in the UK or PoPIA in South Africa) generally agree that anyone processing personal data may only transfer it to someone outside of the country under certain circumstances. Bearing in mind that PoPIA is largely based on the European Data Protection Directive (EU Directive), which was replaced by the General Data Protection Regulation in May 2018 (GDPR), and that PoPIA prescribes that processing conditions should be established ‘in harmony with international standards’, some reliance can be placed on those countries which the European Commission has declared as having such adequate safeguards.
The European Commission had previously adopted the EU-US Privacy Shield Framework (which replaced the earlier Safe Harbor agreement), permitting the free transfer of personal information under the GDPR from the EU to the US. On 16 July 2020, in one of the most important data-protection cases in history, the European Court of Justice invalidated the EU-US Privacy Shield Framework (Schrems II) on the basis that it failed to protect EU citizens’ rights in accordance with EU law.
This decision has left personal data transfers between the EU and the US in turmoil. This case did not invalidate the use of EU approved contractual clauses that set safeguard standards for the transfer of personal information known as Standard Contractual Clauses (SCCs).
PoPIA recognises the need to transfer personal information from South Africa and states that its purpose is to protect ‘important interests, including the free flow of information within the Republic and across international borders’.
Section 72 of PoPIA deals with transfers of personal information outside South Africa or transborder information flows. It essentially says that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless certain protections are in place, such as:
- Adequate legal protection: The recipient of the personal information must be subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that effectively upholds the principles for reasonable processing, and that include provisions that are substantially similar to the conditions for the lawful processing of personal information and for the further transfer of personal information.
- Consent: The data subject consents to the transfer.
- Necessary for the performance of a contract: The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request.
- Interests of the data subject: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
- Benefit of the data subject: The transfer is for the benefit of the data subject in circumstances where it is not reasonably practicable to obtain the consent of the data subject for the transfer, and the data subject would be likely to give consent had it been obtained.
Importantly, these are not cumulative requirements, and only one of the above would need to be present in order for the cross-border data transfer to be acceptable.
The experience in other jurisdictions has shown that one of the easiest and most convenient ways to effect cross-border data transfers is where the transfer takes place to a country with a law which provides ‘an adequate level of protection’, with principles for processing that are ‘substantially similar to the conditions for the lawful processing of personal information’, as contemplated under section 72(1)(a) of PoPIA.
Although the European Court of Justice’s decision in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems is not binding in South Africa, it is likely that South Africans seeking to transfer personal information to the United States will similarly find that the US does not provide a standard of protection comparable to PoPIA. This means that if you want to transfer personal information from South Africa to the US, you need to rely on one of the other protections.
The substantive provisions of PoPIA (and in particular, section 72) have only recently come into force, and its content has not yet been tested by the South African courts. In the absence of binding case law in South Africa for the time being that deals with the provisions of PoPIA, the considerations taken into account by the ECJ in the Facebook Case serve as a good indication of how South African courts may choose to consider ‘adequate protection’ when applying section 72 of PoPIA.
Fortunately, responsible parties are not alone. Section 40(1)(g) of PoPIA provides that the Information Regulator has a duty ‘to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation’. It will therefore be an important part of the Regulator’s role to assist in facilitating cross-border transfers of personal information in a manner that is both effective and compliant with PoPIA.
Whilst the Information Regulator has not yet established a procedure for the approval of ‘Binding Corporate Rules’, nor has it provided any guidelines on what should be housed under a ‘Cross Border Transfer Agreement’, it is imperative that in future, all organisations in South Africa have:
- a policy setting out the organisation’s rules and procedures for the sharing of Personal Information amongst the various entities which form part of the organisation, both locally and cross-border; and
- an agreement, concluded with any Recipient of Personal Information which the organisation sends outside South Africa, which contractually compels the recipient to handle and use the personal information in accordance with South African law, namely PoPIA.
A binding agreement often takes the form of a data processing agreement (DPA) between the parties and is one of the most common ways of achieving cross-border data transfers in compliance with the law. Other solutions, such as binding corporate rules (BCRs) are often deemed too unwieldy and demanding.
PoPIA vs GDPR
In Section 72 of Chapter 9, PoPIA states the following:
‘A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country …’ and then proceeds to list a number of exceptions which are discussed below.
Chapter 5 of the GDPR deals with cross-border data transfers. Article 49 provides that:
‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’
Where PoPIA sets out exceptions, GDPR sets out requirements. We can compare the PoPIA exceptions to the GDPR requirements as follows:

| | PoPI Act | GDPR |
|---|---|---|
| General rule | Data is not allowed to be transferred across international borders to a third party. | Data can be transferred (a) on the basis of an adequacy decision by the Commission, (b) subject to appropriate safeguards, (c) on the basis of binding corporate rules, or (d) by force of mutual international agreements. |
| Exceptions | Cross-border data transfers are acceptable: with the consent of the data subject; for the performance of a contract, or for pre-contractual measures in response to the data subject’s request; for the conclusion of a contract between the controller and a third party for the benefit of the data subject; for the benefit of the data subject where (a) consent cannot reasonably be obtained or (b) consent can be obtained and it is likely that it would be granted; or where adequate protection is provided because the third party is bound by law, agreements or corporate rules. | With the consent of the data subject; when necessary for the performance of a contract (between the controller and the data subject); when necessary for the performance of a contract (between the controller and a third party for the benefit of the data subject); when in the public interest; when necessary for the exercise or defence of legal claims; for the protection of vital interests where the data subject is unable to give consent; or when transferred from publicly accessible registers. |
How the laws differ
At face value, PoPIA prohibits cross-border data transfers, whereas GDPR sets strict requirements for such a transfer to take place. This makes sense, as the EU consists of many cooperating countries, so organisations inevitably span national borders.
However, the emphasis in section 72 of PoPIA is not on prohibiting data from flowing out of the country, but rather on the exceptions themselves. The exceptions are designed to safeguard data when it flows outside of the country. With this understanding, the differences between the two laws regarding cross-border transfers are mostly superficial.
When it comes to the exceptions, GDPR provides additional possibilities that relate to the public interest or publicly accessible data. GDPR also provides an exclusion related to legal applications, which PoPIA lacks. Finally, in Article 20, the GDPR provides the data subject with the right to transfer data from one controller to another, called data portability, which is absent from PoPIA.
In order to ensure compliance under PoPIA, it is imperative that a business transferring personal information outside of South Africa (and particularly to countries where there is no EU declaration of adequate safeguards and/or where juristic personal information is processed):
- carries out due diligence checks of the data protection laws (if any) in place in the foreign country to which it wishes to export the personal information, and obtains advice on the laws in that foreign country that permit access to personal information by government agencies; and
- puts in place the appropriate safeguards in comprehensive data-transfer agreements or binding corporate rules (the latter applying only to transfers of personal information within a group of companies).