Is POPIA-compliance sufficient to meet the requirements of the GDPR?
- The General Data Protection Regulation of the European Union 2016/679 (GDPR) comes into force on 25 May 2018 and will apply extra-territorially to businesses located outside of the EU, for instance where such businesses offer goods or services to data subjects within the EU.
- For South African businesses that fall within the extra-territorial scope of the GDPR, this means that they will need to comply with both the GDPR and South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA).
- While there is significant overlap between the GDPR and POPIA, the GDPR contains certain additional requirements above that required by POPIA which will need to be implemented by such businesses to ensure full compliance.
- As discussed in more detail below, these additional requirements include, for instance, stricter conditions for valid consent; additional data subject rights pertaining to ‘the right to be forgotten’ and data portability; more stringent stipulations in the event of a data breach; the requirement that data protection impact assessments be conducted; and an obligation to implement appropriate technical and organisational measures that inculcate privacy by design and by default into the organisation.
Extra-territorial application of the General Data Protection of the European Union
In precisely a month from today, a new data protection law will take effect in the European Union (EU): the General Data Protection Regulation of the EU 2016/679 (GDPR). (An overview of the GDPR is accessible here.) The GDPR comes into force on 25 May 2018 and will replace the current EU Data Protection Directive 95/46/EC (EU Directive).
A particularly noteworthy feature of the GDPR is that it applies extra-territorially. This means that it is not limited in its scope to businesses that are based in the EU; rather, it may also apply to businesses located outside of the EU. In such instances, those businesses will be required to comply with the GDPR, despite not being located within the EU. This is aimed at protecting the rights of EU data subjects, regardless of where and by whom their personal information is being processed.
In terms of article 3 of the GDPR, there are three instances in which the GDPR will apply extraterritorially.
The first instance is where a business located outside of the EU offers goods or services to data subjects within the EU. In determining whether this provision applies, Recital 23 to the GDPR explains that the question to be determined is whether it is apparent that the data controller or processor intends or envisages offering goods or services to data subjects in one or more EU member states. Simply put, it is a question of intention.
In this regard, the mere accessibility of a website or contact details are insufficient to ascertain such intention. On the other hand, however, factors such as the use of a language or a currency generally used in a member state with the possibility of ordering goods and services in that language, or the mention of customers or users who are in the EU, may be sufficient to trigger the extra-territorial scope of the GDPR.
The second instance is where a business located outside of the EU monitors the behaviour of data subjects within the EU. As explained in Recital 24 to the GDPR, this refers to the tracking of natural persons on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning the data subject or to analyse or predict the data subject’s preferences, behaviours and attitudes.
The third instance is where the law of an EU member state applies to a controller located outside of the EU by virtue of public international law. As explained in Recital 25 to the GDPR, this applies for instance to a controller in a member state’s diplomatic mission or consular post.
While the intention behind the extra-territorial application of the GDPR is rooted in wanting to protect the rights of EU data subjects, this can have onerous consequences for implicated businesses located outside of the EU that may be required to comply both with their own domestic data protection law and with the GDPR.
What does this mean for South African businesses?
South Africa too has a comprehensive data protection law: the Protection of Personal Information Act 4 of 2013 (POPIA). (An overview of POPIA is accessible here.) However, only certain sections of POPIA are currently in force: section 1 relating to the definitions; part A of chapter 5 relating to the Information Regulator; section 112 relating to the power to make regulations; and section 113 relating to the procedure for making regulations. There is not yet a clear indication of when the remaining substantive provisions of POPIA regarding the conditions for the lawful processing of personal information will take effect.
Although compliance is not yet required in terms of POPIA, many businesses in South Africa have nevertheless proactively started taking steps to meet the requirements of POPIA in anticipation of the law coming into effect. This will need to be expedited for those businesses falling within the extra-territorial scope of the GDPR, as they will already need to comply with the GDPR from 25 May 2018 onwards, even though POPIA is not yet fully in force.
POPIA was largely modelled on the EU Directive that will be replaced by the GDPR. As such, whilst there is substantial overlap, the GDPR imposes certain additional requirements that were not contained in the EU Directive, and that are not required under POPIA. Accordingly, for those South African businesses that do fall within the extra-territorial scope of the GDPR, complying with POPIA alone will not be sufficient to meet the requirements of the GDPR.
Set out below are some of the key requirements contained in the GDPR that are not expressly required in terms of POPIA:
- Consent (article 7 of the GDPR): Consent is often relied on to facilitate the processing of personal information. Under POPIA, consent means “any voluntary, specific and informed the expression of will in terms of which permission is given for the processing of personal information”. Under the GDPR, the conditions for valid consent are stricter. The GDPR requires that a request for written consent “must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language”.
- Right to be forgotten (article 17 of the GDPR): While both POPIA and the GDPR contain a right to erasure, the GDPR goes further in defining what is commonly referred to as ‘the right to be forgotten’. The GDPR expressly requires that where a data controller has made personal information public and is obliged to erase that data, the data controller has a duty to take reasonable steps to inform other controllers processing that information that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, the information in question. This right is, however, circumscribed by considerations of available technology and the cost of implementation, as well as the need to balance it with competing rights and interests, such as the right to freedom of expression.
- Right to data portability (article 20 of the GDPR): The GDPR introduces a new right in respect of data portability, which relates to the right for a data subject to receive the personal information that they have provided in a structured, commonly used and machine-readable format, and the data subject’s right to transmit that information to another data controller. In short, this means that a data subject can require that their personal information is transferred from one data controller to another, where technically feasible. This is aimed at ensuring that data subjects have more control over their data where processing is carried out by automated means. POPIA does not include an express right to data portability.
- Breach notification (article 33 of the GDPR): POPIA requires that in the event of a data breach, the party responsible must notify the Information Regulator and the affected data subjects “as soon as reasonably possible”. In comparison, the GDPR sets out more specific requirements, most notably that data breaches must be reported to a supervisory authority within 72 hours of becoming aware of the data breach unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR also stipulates the specific information that must be provided in the notification to the supervisory authority.
- Data protection impact assessments (Article 35 of the GDPR): The GDPR creates an obligation for data protection impact assessments to be conducted, and requires that the evidence or documentation of such assessments be maintained. This obligation arises where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Recital 90 explains that impact assessments should include, in particular, the measures, safeguards and mechanisms in place to mitigate risk and demonstrate compliance with the GDPR. Where appropriate, the GDPR requires that the data controller must seek the views of the data subjects or their representatives on the intended processing. POPIA, on the other hand, does not expressly require that data protection impact assessments be conducted in the same vein.
- Data protection by design and by default (article 25 of the GDPR): The GDPR further includes an express requirement that appropriate technical and organisational measures be implemented, both when determining the means for processing and at the time of the processing itself, that are designed to implement data protection principles in an effective manner. This includes integrating necessary safeguards and protecting the rights of data subjects. The GDPR provides further that data controllers must ensure that, by default, only personal information that is necessary for the specific purpose is processed. Data protection by design and by default is not expressly provided for under POPIA.
Concluding remarks
South African businesses that fall within the extraterritorial scope of the GDPR – that is, by offering goods or services to data subjects in the EU, or by monitoring the behaviour of data subjects in the EU – will carefully need to scrutinise both POPIA and the GDPR to be in full data protection compliance. While complying with POPIA will mean that businesses are mostly compliant with the GDPR, there are certain additional requirements that will need to be met in order to fully comply with the GDPR. This will need to be implemented from 25 May 2018 when the GDPR takes effect.
Although the additional requirements set out above may not expressly be required under POPIA, they are nevertheless a reflection of good practice. Data protection by design and by default, for instance, contemplate measures specifically geared towards ensuring that the protection of data subject rights and the implementation of necessary safeguards features throughout the data processing lifespan. This is similarly true of data protection impact assessments. Although businesses may not be required by POPIA to implement these features in respect of their South African operations, it may, in any event, be worthwhile to voluntarily do so to ensure good practices and responsible data management throughout the organisation.
Avani Singh is a Director and Co-founder of ALT Advisory.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].