In South Africa, personal information may be transferred to a third party or organisation outside of South Africa, provided that one of the permitted circumstances outlined in section 72 of the Protection of Personal Information Act No 4 of 2013 (“POPIA”) applies.
Permitted Grounds for Transfer
In short, where a responsible party (being the party that processes personal information as contemplated in POPIA) wishes to transfer personal information to a third party or organisation outside of South Africa, that responsible party must ensure that one of the following grounds, for permitted transfers, applies:
Adequate legal protection:The recipient of the personal information must be subject to laws, binding corporate rules (BCRs) or binding agreement (i.e. data transfer agreements) which provide an adequate level of protection that effectively upholds the principles for reasonable processing, and that include provisions that are substantially similar to the conditions for the lawful processing of personal information and for the further transfer of personal information.
Equivalent laws – this would be equivalent privacy and data protection laws which apply in another jurisdiction, for example the EU and UK’s General Data Protection Regulation (“GDPR”), to the extent that the personal information to be transferred relates only to natural persons;
BCR - this is substantially the same form as an agreement, but is accepted data protection principles that are binding on a company or group of companies. For purposes of POPIA, BCRs do not need to be registered with a data protection authority;
Data transfer agreements - this can be achieved through (i) an intra-group data transfer agreement for transfers between multinational group companies; or (ii) a data transfer agreement/provisions in a contract between the transferor and the recipient.
Consent:the data subject consents to the transfer of its personal information. It is important to note that notwithstanding the fact that consent has been obtained where applicable, if special personal information or personal information relating children is transferred to a jurisdiction that does not provide the same or similar adequate protection as provided for under POPIA, then prior authorisation may be required from the information regulator, if such country does not provide adequate legal protection.
Necessary for the performance of a contract: The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request. For example, this could include performance of a courier contract, where an item is being sent to another country by the courier for the data subject.
Interests of the data subject: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party. This could, for example, become relevant in relation to an employment contract. In order to give effect to an employment contract where an employee is being seconded to an office in another country, the cross-border transfer of that employee’s personal information will be necessary and in the interest of the employee.
Benefit of the data subject: The transfer is for the benefit of the data subject in circumstances where it is not reasonably practicable to obtain the consent of the data subject for the transfer, and the data subject would be likely to give consent had it been obtained. This situation could arise, for example, where a patient is in a medical state which renders them unable to speak or give any kind of consent to a transfer of their medical information to a doctor in another jurisdiction, like the United States (which does not have adequate legal protection in place), for purposes of their treatment.
In respect of the grounds of ‘adequate legal protection’ as it relates to equivalent laws of the recipient, the Information Regulator of South Africa (“Information Regulator”) has not given any clarification of a criteria or any guidance on how to determine adequacy, nor has the Information Regulator, published a list of jurisdictions and/or organisations which are deemed to provide adequate protection.
How then should organisations approach data transfers?
Due to lack of guidance from the Information Regulator, it is important and useful to develop a consistent approach to data transfers which aids in eliminating uncertainty for an organisation. We recommend taking a practical approach and putting in place a data transfer agreement, both with intra-group parties and with external parties, which governs data transfers of personal information of data subjects. To determine the content of these data transfer agreements, it is useful to rely on leading data protection standards such as the GDPR. Under the auspices of the GDPR, European regulators have pre-approved model standard contractual clauses (“SCCs”) which organisations may use when transferring data to demonstrate compliance with EU and UK data protection laws. These SCCs can be used and amended as necessary for compliance with South African law.
We discuss below two examples which illustrate unique considerations of data transfers under South African law and the need to beware passive data transfers.
Unique aspect of South African law
POPIA contains a peculiarity in that it applies not only to natural persons, but also to companies and trusts. This requirement is an outlier in comparison with leading data protection standards such as the GDPR and UK GDPR, which only protect the personal information of natural persons. This anomaly in POPIA means that any transfer of information of a company to Europe or the UK, for example, would not be permitted in terms of section 72 of POPIA as the GDPR does not provide for any protection of a company’s personal data. In this instance, to comply with section 72, one would usually conclude a data transfer agreement which provides for implementation of the standards stipulated in POPIA. This, however, becomes complicated due to the GDPR and UK GDPR’s SCCs, which European organisations would likely not be willing to amend. This creates a conundrum: POPIA requires that similar protection be granted to juristic persons when transferring data, but European entities will likely be unwilling to amend the SCCs to include juristic persons. One manner in which South African organisations can deal with this conflict, is to attach jurisdiction-specific schedules to the relevant data transfer agreement, making provision for the special requirements of POPIA. This solution ensures that South African-specific requirements are included, but that the body of the SCCs themselves are left untouched.
Considerations regarding ‘passive’ data transfers
The use of cloud storage also presents particular complexities in respect of cross-border data transfers. More and more organisations are opting for cloud-based data storage solutions instead of physical storage solutions, such as hard-drives. A cloud service provider is generally considered as an operator in terms of POPIA, and it is therefore the obligation of the organisation which is making use of the cloud service (the “responsible party” in terms of POPIA) to ensure that the cloud service provider establishes and maintains adequate security measures and does not unlawfully transfer data cross-border. This presents a challenge because responsible parties often have little control over the terms and conditions of the cloud storage service provider, how the service provider uses that information or whether the server where the data is stored is located in a jurisdiction with adequate data protection in terms of section 72. If responsible parties are not vigilant and well-informed, they may find themselves liable for an unlawful data transfer, despite such transfer being passive on their part. It is, therefore, important for responsible parties to either get the consent of customers for any potential transfer of data or to do due diligence on the adequacy of the practices of the cloud storage service provider being used and laws of the jurisdiction where the information may be hosted.
Managing cross-border data transfers is an ongoing process. In order to manage the uncertainty of navigating data transfers in absence of guidance from the Regulator, it is recommended that organisations and companies obtain legal assistance to craft the necessary agreements and develop risk management solutions for assessing the legal risk of data transfers to relevant jurisdictions.
There is no clarity regarding adequate data protection jurisdictions and organisations
Our recommended approach to mitigate this uncertainty and comply with section 72 of POPIA is to conclude a data protection agreement where it is not onerous to do so, unless other grounds in section 72 apply to the specific data transfer situation.
South Africa is an outlier regarding the protection which POPIA affords juristic persons (companies and trusts, for example) and this will always be a consideration as other jurisdictions will not all likely have adequate data protection standards applicable to juristic persons
Use of cloud-based storage solutions pose a risk of non-compliance with section 72 as access and storage activities may be considered as data transfers.
Contact us if your organisation requires assistance with a data transfer agreement, internal data transfer framework or similar risk management solution.