Data Without Borders: How to Manage Cross-Border Data Transfers in South Africa
Cross-border data transfers are necessary and unavoidable for most organisations. What does the Protection of Personal Information Act require, and how can this be implemented?
Summary: Data breaches, both domestically and abroad, are a stark reminder of the urgent need for the implementation of data protection laws to give effect to the right to privacy. For many organisations, the flow of data does not only take place within domestic borders but also sees vast amounts of data being transferred to third parties in foreign countries. Section 72 of South Africa’s Protection of Personal Information Act 4 of 2013 – once it comes into force – will place certain stipulations on how this can be effected, for instance by ensuring that the data will be subject to adequate legal protection. By considering the comparative experiences in other jurisdictions, we explore the meaning of adequate legal protection, and what practical implications this will have.
The recent data breach, in which it has been revealed that at least 30 million South African identity numbers have been disclosed, is a stark reminder of the urgent need for the remaining provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) to be brought into force in South Africa. To date, only certain sections of POPIA have come into force, and it remains unclear when the real crux of POPIA – those provisions providing for the rights and duties of data subjects and those responsible for processing information (known as the ‘responsible party’ under POPIA) – will begin to apply.
In terms of data breaches, South Africa is by no means alone in dealing with this: internationally, there have reportedly been a staggering 1,901,866,611 data records compromised in the first half of 2017 alone, with the highest number of incidents reported in the United States (US). This global landscape is particularly relevant because, once the remaining provisions of POPIA come into force, it is not only the South African law that will need to be considered.
One of the key provisions under POPIA relates to cross-border information flows, where a responsible party in South Africa transfers personal information about a data subject to a third party in a foreign country outside of South Africa. This occurs, for instance, where personal information is sent outside of South Africa to a customer or client, to a service provider or sub-contractor, or when making use of cloud storage hosted outside of South African borders. Think about the data you share on social media and chat platforms: do you know where the servers that contain your data are located?
In the global digital age, where significant amounts of trade and commerce take place online and across multiple jurisdictions, cross-border data transfers are necessary and unavoidable for most businesses.
Relevant in this regard is section 72 of POPIA. This section is not yet in force, but once it is, it will require that, in order for cross-border transfers of personal information to be permissible, one of the following must be present:
- Adequate legal protection: The recipient of the personal information must be subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that effectively upholds the principles for reasonable processing, and that include provisions that are substantially similar to the conditions for the lawful processing of personal information and for the further transfer of personal information.
- Consent: The data subject consents to the transfer.
- Necessary for the performance of a contract: The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request.
- Interests of the data subject: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
- The benefit of the data subject: The transfer is for the benefit of the data subject in circumstances where it is not reasonably practicable to obtain the consent of the data subject for the transfer, and the data subject would be likely to give consent had it been obtained.
These are not cumulative requirements, and only one of the above would need to be present in order for the cross-border data transfer to pass muster.
The experience in other jurisdictions has shown that one of the easiest and most convenient ways to effect cross-border data transfers is where the transfer takes place to a country with a law which provides “an adequate level of protection”, with principles for processing that are “substantially similar to the conditions for the lawful processing of personal information”, as contemplated under section 72(1)(a) of POPIA.
The question of the adequacy of legal protection in the foreign country is also specifically relevant if a responsible party intends to transfer data that falls into one of the following two categories: (i) special personal information (as set out in section 26 of POPIA, which includes, for instance, information relating to race, health, biometric information or criminal behaviour); or (ii) the personal information of children. In these circumstances, section 57(1) of POPIA provides that if such information is being transferred to a third party in a country that does not provide an adequate level of protection, the responsible party is required to obtain prior authorisation from the Regulator before any processing takes place.
Determining whether legal protection is adequate
While the crux of the assessment is whether the law in the foreign country is adequate, POPIA provides little guidance on what this entails. The United Kingdom (UK) Information Commissioner’s Office (ICO) has provided some guidance in this regard that may be useful when interpreting POPIA, given the similarities of the provisions in the UK and the South African laws. Notably, the UK ICO identifies six criteria to take into consideration:
- The nature of the personal data: This consideration recognises that some types of personal data will pose little risk to the rights and freedoms of data subjects, whilst the required level of protection may be higher if one is transferring special personal information, for instance.
- The purposes for which the data is intended to be processed: Some purposes will carry greater risks than others. For instance, according to the UK ICO, data processed for an internal company or group purposes only may involve less risk than if the data is distributed more widely.
- The period during which the data is intended to be processed: The UK ICO notes that if the data is only processed once or for a short period and then destroyed, the risks arising from any lack of protection for data subjects’ rights may be less than if they are processed on a long-term basis. While this does not mean that once-off transfers may be carried out without putting any protections in place, the requirements for such protections may nevertheless be less onerous.
- The country or territory of origin of the information contained in the data: Consideration must be given to circumstances where information may have been obtained in a third country, and the expectations that such data subjects may have for the level of protection that they will enjoy.
- The country or territory of the final destination of the information: Given that transfers may be made in several stages, the adequacy of protection of the final destination is also relevant in assessing the adequacy of protection associated with the transfer.
- Any security measures taken in respect of the data in the country or territory of destination: Responsible parties exporting data may be able to ensure that personal data is protected by technical measures, such as encryption, to assist in safeguarding the personal information.
What happens if the level of protection in a foreign country is not adequate?
The question of adequacy was at the heart of the 2015 decision of the Court of Justice of the European Union (CJEU) in the matter of Maximillian Schrems v Data Protection Commissioner. Mr Schrems, a European citizen, lodged a complaint with the Irish Data Protection Commissioner that some or all of the data that he had provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the US, where it was processed. The US does not have a comprehensive data protection law, and Mr Schrems argued that the law and practice in the US did not offer sufficient protection against surveillance by the US public authorities, and did not meet the test for adequacy as contemplated in the Data Protection Directive of the European Parliament.
In a landmark ruling, the CJEU agreed. The CJEU noted that the protective rules laid out in the data-sharing arrangement between the European Union (EU) and the US (known as the ‘Safe Harbour Decision’) could be disregarded by the US where they conflicted with national security, public interest and law enforcement requirements of the US. The CJEU held that any legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the right to privacy. Furthermore, the CJEU was of the view that legislation that does not provide for an individual to pursue legal remedies to access one’s personal information or to have such information rectified or erased, compromises the essence of the right to effective judicial protection.
Accordingly, the CJEU declared the Safe Harbour Decision invalid, with immediate effect. The EU and the US have since entered into the EU-US Privacy Shield in an effort to remedy the concerns raised by the CJEU. According to the guidance published by the European Commission, US companies wanting to make use of the Privacy Shield must sign up to the framework with the US Department of Commerce, which is responsible for managing and administering it and ensuring that companies meet their commitments. In order to be able to certify, companies are required to have a privacy policy in line with eight privacy principles set out in the Privacy Shield:
- a right to be informed;
- limitations on the use of data for different purposes;
- data minimisation and the obligation to keep data only for the time needed;
- the obligation to secure data;
- the obligation to protect data if it is transferred to another country;
- a right to access and correct one’s data;
- a right to lodge a complaint and obtain a remedy; and
- redress in the case of access by public authorities.
These principles can be seen as offering some guidance on what key features should be present to establish the adequacy of a comparable data protection regime. Although the CJEU’s decision is not binding for South Africa, it is likely that South Africans seeking to transfer personal information to the United States may similarly find that the US does not provide an adequate standard of protection comparable to POPIA. A similar challenge arises when contemplating transferring personal information around the continent, given that the majority of African countries do not presently have data protection laws in place. In such circumstances, the UK ICO proposes the following approach:
- Risk assessment: The responsible party should conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects.
- Adequate safeguards: Where it is found that the foreign country does not provide an adequate level of protection, the responsible party should put in place adequate safeguards to protect the rights of the data subjects, for instance through the use of model contract clauses or binding corporate rules.
- Statutory exceptions: A responsible party may also make use of one of the other statutory exceptions provided for, which in terms of POPIA include the consent of the data subject to the transfer.
The use of cloud storage presents particular complexities with respect to data transfers. The challenge with cloud storage, where the information is hosted outside of South Africa, is that one often has little control of the terms and conditions of the service provider, what the service provider does with that information, or whether the data is stored in a jurisdiction with an adequate level of protection. While it appears that many cloud storage service providers are becoming increasingly cognizant of the need to ensure appropriate standards and protections, it is still advisable for responsible parties to endeavour to notify data subjects of their practices in this regard, and seek to exercise due diligence in respect of the cloud storage service provider being used.
The role of the Regulator
Fortunately, responsible parties are not alone. Section 40(1)(g) of POPIA provides that the Regulator has a duty “to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation”. It will, therefore, be an important part of the role of the Regulator to assist to facilitate the cross-border transfers of personal information in a manner that is both effective and compliant with POPIA.
In Europe, for instance, the European Commission is empowered to determine whether a third country ensures an adequate level of protection by reason of its domestic law or the international commitments that it has entered into. The effect of this adequacy determination is that data can flow from the member states of the EU and the European Economic Area to that third country, without any further safeguarding being necessary. To date, the European Commission has recognised 11 countries as providing adequate protection. Similarly, the approach taken by the Privacy Commissioner for Personal Data in Hong Kong, for instance, was to conduct a survey of 50 jurisdictions and prepare a “white list” of places with a data protection law in force offering substantially similar protections or serving the same purpose as the law in Hong Kong.
The flipside of this is that South Africa too wants to ensure that it can meet the threshold of having an adequate standard of protection in place, to facilitate data transfers from outside South Africa into the country. As interest in South Africa’s ICT sector continues to grow – for instance, with Microsoft having announced the introduction of two new data centres in Johannesburg and Cape Town to be available from 2018 – this has become more necessary than ever. This will require both the relevant legal framework and the effective implementation of that framework.
Until this is done, other measures will need to be put in place to facilitate such data transfers from countries that require an adequate level of protection, which may be more complex and costly. Given the scale, inevitability and importance of cross-border transfers for the purposes of commerce and trade, this is a further reminder of the importance for POPIA to be fully brought into force as a matter of urgency, both in the best interests of data subjects in South Africa and those who engage in business abroad.
Avani Singh is a Director and Co-founder of ALT Advisory.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].