Menu

Protection of Personal Information Act

Insights-Artwork-1

Information rights in the digital age: Why we need an effective Information Regulator

, , ,

  • Information rights play a crucial role in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.
  • The Information Regulator, established in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), has yet to be fully operationalised, despite POPIA having been signed into law in 2013.
  • This has led to a protection vacuum over information rights, and runs foul of section 237 of the Constitution, which requires that “[a]ll constitutional obligations must be performed diligently and without delay”.
  • The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated, and that appropriate recourse is available where conduct falls foul of the required standards.

***

Since 2016, the United Nations and the global community have marked 28 September as the International Day for Universal Access to Information (IDUAI).  This is in recognition of the importance of the triad of information rights – freedom of expression, access to information and privacy – particularly in democratic societies, both as important rights in themselves and as enablers of the full array of fundamental rights.

On IDAUI this year, the members of the Access to Information Network issued a call for the full operationalisation of the Information Regulator in South Africa, whose role is critical in the realisation of the triad of information rights.  The Information Regulator, with a key role at the helm of both the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA), is a crucial body in ensuring the protection of our personal data, facilitating PAIA requests, and striking the correct balance between the free flow of information and legitimate restrictions thereon.

The Information Regulator is established by statute in terms of POPIA.  However, despite POPIA having been signed into law in 2013, and the members of the Information Regulator having been appointed in 2016, neither the substantive provisions of POPIA nor the amendments to PAIA have yet been brought into force.  This has resulted in the powers of the Information Regulator being severely hamstrung, and the body being rendered effectively toothless.

This is a fundamental failing in the realisation of the rights to receive and impart information and to have one’s personal information protected.  These are constitutionally-protected rights, which obliges the state to take positive measures to realise them.  Further, section 237 of the Constitution requires that “[a]ll constitutional obligations must be performed diligently and without delay”.  In Khumalo v Member of the Executive Council for Education: KwaZulu-Natal [2013] ZACC 49, the Constitutional Court explained that this provision elevates expeditious and diligent compliance with constitutional duties to an obligation in itself, in recognition of the public interest in having certainty and finality.

However, the state’s approach to the implementation of POPIA and the functioning of the Information Regulator appears to fall foul of section 237 of the Constitution.  The significant delay has led, in turn, to significant uncertainty, and a protection vacuum over information rights that cannot be countenanced.

In a media statement published on June 2018, the Information Regulator itself expressed concern that:

“South Africa has experienced a disturbingly high number of material data breaches in the past few months … Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in POPIA.  These data breaches underscore the urgent establishment of the Regulator.  It is for this reason that the Information Regulator requests the powers that be to assist it in fast-tracking its operationalization.”

A year later, in June 2019, the Chairperson of the Information Regulator stated in an interview published in IT Web that although certain key appointments have recently been made, the process was “going very slowly”, which was attributed to slow processes within government, particularly the Department of Justice.

This, however, is not enough of an answer.  As technological advancements increase at a rapid pace – and are increasingly data-driven and data-dependent – it is unacceptable that South Africans have been left without effective information governance frameworks to vindicate our rights.  The list of commonplace activities that involve the processing of personal information is countless: the filing of tax returns; the collection of a social security benefit; the application for an identity document or driver’s licence; making a telephone call; accessing the internet.

This is all the more complex when dealing with personal information.  Every person has two distinct lives: a public life; and private life.  It is in the inner sanctum of the latter that we are free to fully realise our own autonomy and identity, and truly explore the elements of our personality, sexuality and self-development.  It is precisely for this reason that the right to privacy is a fundamental right: one that is both at the core of who we are as individuals and how we engage with those around us.

In practice, the vast majority of us readily share personal information in order to engage in society, but this gives rise to risk as well.  While this can be beneficial and necessary, there are also risks.  As explained by Access Now, “[y]our personal data reveals a lot about you, your thoughts, and your life.  These data can easily be exploited to harm you, and that’s especially dangerous for vulnerable individuals and communities”.

The answer is not to become afraid of sharing data, but to be conscious of it.  More urgently, however, is the need for the substantive provisions of POPIA and the amendments to PAIA to be brought into force, to ensure that there are appropriate safeguards over how personal information is used and shared; that information rights can be effectively vindicated; and that appropriate recourse is available through the Information Regulator where conduct falls foul of the required standards.

In the absence of this – particularly without an effective and fully operational Information Regulator – the generation and collection of personal information render persons in South Africa vulnerable to this information being improperly exploited and abused, with little to no recourse when this occurs.

The power of information cannot be gainsaid.  It is through the exercise of information rights that the media is able to function freely; that we are able to access relevant information to make informed political choices; that we are able to hold those in power to account; and that we are able to inform ourselves and express who we are as individuals.  It is important and essential that information rights are given meaningful effect.

The time is ripe for the Minister of Justice to bring the substantive provisions of POPIA into force.  Even once brought into force, POPIA still provides for a further one-year grace period before compliance is required.  A further challenge is that POPIA is already at risk of being outdated, as it is based on the 1995 law of the European Union that has since been replaced by the modernised 2018 General Data Protection Regulation.  That said, POPIA is certainly better than nothing, and as a starting point puts in place an important and much-needed framework for the protection of personal information.

If the state is to meet its constitutional obligations regarding information rights – and to do so diligently and without delay, as section 237 of the Constitution requires – this demands the expeditious and effective enforcement of POPIA and PAIA.  At a very minimum, there should at least be a timeline that provides clarity on when the provisions are to be brought into force, and what protections are available to the public pending that enforcement.  Until then, as South Africans, we are left in the invidious position of a hollow legal framework with inadequate protections to prevent our information from being exploited and used for nefarious purposes.  In this data-driven digital age, this simply cannot be allowed to persist.

Insights-Artwork-min

Data protection for civil society: A guide to the Protection of Personal Information Act

, , , ,

  • The Protection of Personal Information Act (POPIA) will have implications for all sectors across South Africa, including civil society organisations.
  • There are certain provisions of POPIA that are likely to be of particular interest or relevance to organisations working on public interest issues and fundamental rights.
  • Civil society organisations are also well-placed to raise awareness about the role and importance of data protection and to support individuals to realise their privacy rights and hold wrongdoers to account.

Introduction

The Protection of Personal Information Act 4 of 2013 (POPIA) will have implications for all sectors across South Africa once the remaining provisions come into force.  Enacted to give effect to the constitutional right to privacy, it also provides a framework for striking a balance between privacy and the protection of other important interests, including the free flow of information within South Africa and across international borders.

POPIA applies to personal information entered into a record – through either automated or non-automated means – where the responsible party is either domiciled in South Africa or makes use of means in the country.  Subject to the exclusions set out in sections 6 and 7 of POPIA, the law applies to all processing of personal information by both the state and private sector.

This includes civil society organisations (CSOs), which will also be required to comply with the provisions of POPIA.  Among these requirements are eight conditions for lawful processing of personal information; limitations on cross-border data transfers and processing for direct marketing; and the realisation of data subject rights.  (An overview of POPIA is accessible here.)

CSOs should take care to ensure reasonable and responsible data processing, particularly by limiting the amount of personal information that is collected.  At this stage, there is no special dispensation for CSOs, which means that CSOs will need to prepare for compliance with the legislation as a whole.  However, our experience having worked in and on behalf of civil society has given us insight into certain aspects of POPIA that are likely to be of particular interest or relevance to CSOs.  These aspects are highlighted below.

Exemptions in the public interest

As a point of departure, and of direct applicability to CSOs, section 37 of POPIA provides that the Information Regulator may grant an exemption from complying with POPIA, provided that one or both of the following requirements are met: (i) the Regulator is satisfied that the public interest in processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from the processing; or (ii) that the processing involves a clear benefit to the data subject or third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from the processing.

The public interest includes, in this context, the interests of national security; the prevention, detection and prosecution of offences; important economic and financial interests of a public body; historical, statistical or research activity; or the special importance of freedom of expression.

Given that the requirements under POPIA are certainly onerous, and compliance may be a resource-intensive exercise, CSOs may consider applying to the Information Regulator for an exemption in respect of certain processing activities.  For instance, CSOs with a focus on historical, statistical or research activities will likely have a strong basis to argue that such an exemption should be granted in the public interest.  Furthermore, although the provision only expressly refers to the right to freedom of expression, it may be argued that the pursuance of any constitutional rights – such as health, education or housing – would similarly be in the public interest, and therefore subject to a possible exemption being granted.

Even if the Information Regulator were to impose conditions on such an exemption, it can be expected that this would still assist in reducing the compliance burden.  Similarly-placed CSOs may consider approaching the Information Regulator jointly to secure an exemption that has broad application to the public interest sector.

Grounds for lawful processing

Section 11(1) of POPIA sets out the grounds on which personal information may be processed.  Consent is one such ground, where the data subject has consented to their personal information being processed.  In order for consent to be valid, it must be voluntary, specific and informed.

CSOs should take care to ensure that the consent obtained is meaningful, and that the data subject has retained agency in determining how their personal information is to be used.  As explained in recital 32 to the General Data Protection Regulation (GDPR) of the European Union, consent should be given by a clear affirmative act:

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.  Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

If a CSO chooses to rely on consent as the ground for the processing of personal information, that CSO should ensure that it is able to prove that the data subject has provided the appropriate consent.  Further, it is also necessary to ensure that the data subject to able to withdraw consent and to have the processing consequently stopped.  According to the Information Commissioner’s Office in the United Kingdom, consent is not valid if any of the following apply:

  • you have any doubts over whether someone has consented;
  • the individual doesn’t realise they have consented;
  • you don’t have clear records to demonstrate they consented;
  • there was no genuine free choice over whether to opt-in;
  • the individual would be penalised for refusing consent;
  • there is a clear imbalance of power between you and the individual;
  • consent was a precondition of a service, but the processing is not necessary for that service;
  • the consent was bundled up with other terms and conditions;
  • the consent request was vague or unclear;
  • you use pre-ticked opt-in boxes or other methods of default consent;
  • your organisation was not specifically named;
  • you did not tell people about their right to withdraw consent;
  • people cannot easily withdraw consent; or
  • your purposes or activities have evolved beyond the original consent.

Meaningful consent is perhaps not the silver bullet that some would like to believe.  In practical terms for CSOs, who may be based a distance away from the clients or partners with whom they are working – and which may further be exacerbated by barriers such as language and access to technology – it is not always simple or practicable to obtain meaningful consent.  It is therefore important to note that consent is not the only ground for lawful processing.

Another ground that may be relied on is where the processing is in the legitimate interests of the data subject.  While section 26 of POPIA makes clear that this ground does not apply to the processing of special personal information, it does nevertheless apply to the other types of personal information, such as names and contact details.  POPIA does not set out what factors should be taken into account when determining the legitimate interests, but it is certainly arguable that seeking to vindicate the fundamental rights of the data subject would meet these criteria.

While any of the grounds set out in section 11(1) of POPIA may be relied on in the appropriate circumstances, it bears mention that, to the extent possible, CSOs may want to consider both obtaining consent and establishing another ground of lawful processing, to ensure that the processing of the personal information is fully compliant with the will and interests of the data subject.

Special personal information

POPIA creates a sub-category of personal information – referred to as “special personal information” – which is afforded additional protections in terms of the legislation, given the sensitive nature of this information.  As set out in section 26 of POPIA, this includes religious or philosophical beliefs, race or ethnic origin, political persuasion, and information regarding one’s health or sex life.

As a general principle, the processing of special personal information is not permitted unless one or more of the exceptions apply.  The exceptions provided in respect of special personal information are much narrower than ordinarily applies, and for instance, does not include the legitimate interests of the data subject as one of the grounds on which processing is permissible.  Grounds that can, however, be relied on include consent from the data subject, or where the information has deliberately been made public by the data subject.

This provision is relevant given that various CSOs deal directly with matters pertaining to special personal information, such as the right to health, freedom of religion or racial discrimination.  For these organisations, the processing of special personal information is both necessary and unavoidable, which will, therefore, require appropriate measures to be put in place to ensure compliance with POPIA.  On the other hand, for those CSOs that do not deal directly with these issues, it may be advisable to endeavour to process as little special personal information as possible, given the more stringent requirements that apply.

Children

Sections 34-35 of POPIA put in place special protections for the processing of personal information of children.  As with special personal information, it would be advisable to limit such processing to the extent possible given the heightened protections that apply.

As a general principle, POPIA contemplates that the processing of personal information of children is not permissible unless one or more of the exceptions apply.  These exceptions include the prior consent of a competent person, or where the personal information has deliberately been made public by the child with the consent of a competent person.

For any CSO that processes personal information of children as a key part of its work, section 35(2) of POPIA may be helpful.  This provides for an application to be made to the Information Regulator for authorisation to process personal information of children, as long as this is in the public interest and appropriate safeguards are in place to protect the information.  CSOs working on children’s rights, for example, certainly have a strong basis to apply for this authorisation.  The Information Regulator is empowered to impose reasonable conditions if this authorisation is granted.

Cross-border data transfers

Many CSOs work with partners, donors and other stakeholders based outside of South Africa.  In such instances, where personal information will be transferred to third parties in another country, it is necessary to comply with the cross-border transfer provisions contained in section 72 of POPIA.  In sum, section 72(1) provides a general principle that personal information about a data subject may not be transferred to a third party in a foreign country unless one of the exceptions apply.

Two of the grounds of exception that may be expected to be commonly relied on are where the data subject consents to the transfer of personal information; or where the third party is subject to a law or binding agreement that provides an adequate level of protection substantially similar to POPIA.  Provision is also made for a cross-border transfer that is for the benefit of the data subject, where it is not reasonably practicable to obtain the consent of the data subject and the data subject would be likely to consent.

In the event of either special personal information, or any personal information about children, being transferred to a third party in a country that does not provide an adequate level of protection, section 57(1) of POPIA requires prior authorisation to be obtained from the Information Regulator before the transfer takes place.

Fundraising

Section 69 of POPIA deals with direct marketing through unsolicited electronic means.  Direct marketing includes any approach to a data subject – whether in person, by mail or electronic communication – to request the data subject “to make a donation of any kind for any reason”.  This has the potential to impact the fundraising efforts of CSOs that seek donations to support the work being done.  POPIA makes clear that data subjects have an express a right to object to the processing of personal information for direct marketing at any time.

As a general principle, such processing is prohibited unless the data subject has given consent to the processing or is a “customer” of the organisation.  In respect of the former, the Regulations in terms of POPIA (the Regulations), published in December 2018, provide that consent for the processing of personal information for direct marketing by electronic communications must be obtained in writing and in accordance with Form 4 contained in the Regulations.

Furthermore, in respect of the latter, for instance, when engaging with a former donor, the CSO must ensure that the data subject has a reasonable opportunity to object to the marketing, free of charge and without unnecessary formality.  In order to facilitate this, any communication for the purpose of direct marketing must contain the relevant contact details for the recipient to be able to request the CSO to stop sending such communications.

When engaging with existing or potential donors, it would be advisable for CSOs to maintain a written record of the persons who may be approached and the basis on which it appropriate to make such an approach (for instance, if consent has been obtained).  It would also be advisable for CSOs to keep a record of those persons who have objected to receiving marketing communications, to ensure that the organisation does not inadvertently continue to send them communications in breach of these provisions.

Exclusions in terms of POPIA

Sections 6 and 7 of POPIA provide for certain exclusions to which POPIA will not apply.  This includes information that has been de-identified to the extent that it cannot be re-identified or the processing of personal information relating to the judicial functions of a court.

Further, section 7 of POPIA contains a specific exclusion for journalistic, literary or artistic expression.  In this regard, POPIA does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression, to the extent that it is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.  As such, in order to rely on this exclusion, the following requirements must be met: (i) the processing is solely for the purpose of journalistic, literary or artistic expression; (ii) it pertains to a matter of public interest; and (iii) it is necessary to reconcile the right to privacy with the right to freedom of expression.

Should an exclusion apply to any processing of personal information, CSOs will not be required to comply with POPIA for the purposes of that exclusion.  However, until such time as further guidance is given, it would not be advisable to adopt too broad an interpretation of these exclusions, to avoid the risk of falling foul of POPIA.

Exceptions for historical, research or statistical purposes

POPIA contemplates that where personal information is processed for historical, research or statistical purposes, it is possible to be exempted from having to comply with certain conditions in the legislation.  For instance, POPIA provides that the personal information may be retained for a longer period than would ordinarily be permitted, and that notification to the data subject is not required as it would be in the ordinary course.  In respect of personal information of children, this exception only applies if it is in the public interest or would constitute a disproportionate effort to obtain consent, and appropriate safeguards are established over the personal information.

This exception is useful for CSOs undertaking research or that maintain archives of information.  It should, however, be noted that this exception is not a complete exclusion under POPIA; rather, there are still certain conditions that would need to be complied with, such as the requirement to maintain appropriate security safeguards over the personal information.  To the extent practicable, CSOs may consider de-identifying the personal information being used for historical, research or statistical purposes, to offer more complete protection to the data subjects to whom the information pertains.

Use of third party operators

Many CSOs are likely to outsource certain functions to third party operators to provide support and capacity to the organisation.  This may include, for instance, external service providers that perform the accounting and auditing functions, facilitate payroll, manage the pension fund, or provide monitoring and evaluation services.  Many of these functions will require the organisation to share personal information about its staff, clients and others with the third party operator in order for this function to be effectively completed.

Section 20 of POPIA provides that where an operator processes personal information on behalf of the organisation, the operator must treat the personal information as confidential and not disclose it unless required by law or in the course of their duties.  In the event of there being a data breach, the operator is required to notify the organisation immediately where there are grounds to believe that personal information has been accessed or acquired by an unauthorised person.

Of particular importance, CSOs engaging the services of third party operators must ensure that they have a written contract in place with the operator, requiring the operator to take appropriate, reasonable technical and organisational measures to prevent a data breach.  This contract should also require that the operator, among other things, ensures that its safeguards are continually updated and that it has due regard to generally accepted information security practices and procedures.

In addition to the written contract, it would also be good practice for the CSO to exercise a reasonable measure of due diligence over whether the operator is appropriately implementing this contract, and taking the necessary steps to protect the personal information that it has under its control.  Ultimately, in the event of a data breach, it will remain the responsibility of the CSO to notify the Information Regulator and the affected data subjects; it is also the CSO that faces the risk of reputational harm if appropriate measures have not been taken.

Concluding remarks

Data protection should not be seen simply as a compliance issue, but also as a public interest issue that is provided for in a framework that seeks to give effect to a range of constitutional rights, including privacy, freedom of expression and access to information.  Given that personal information is inherent to who are as people, this is certainly an aspect worth protecting.

There is, therefore, an urgent need for the remaining provisions of POPIA to be brought into force to ensure that the substantive protections of the legislation are implemented. Once in force, CSOs would be well-placed to use their voices to raise awareness about the role and importance of data protection, as well as to support data subjects in realising their rights and holding wrongdoers to account.

Avani Singh is a Director and Co-founder of ALT Advisory. Avani writes in her personal capacity and her views do not necessarily constitute the views of ALT Advisory.  This Insight is based on a workshop hosted by ALT Advisory on 20 August 2019, in which Avani presented to civil society organisations on data protection compliance in South Africa.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].

5-min

Is POPIA-compliance sufficient to meet the requirements of the GDPR?

, , , ,

  • The General Data Protection Regulation of the European Union 2016/679 (GDPR) comes into force on 25 May 2018 and will apply extra-territorially to businesses located outside of the EU, for instance where such businesses offer goods or services to data subjects within the EU.
  • For South African businesses that fall within the extra-territorial scope of the GDPR, this means that they will need to comply with both the GDPR and South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA).
  • While there is significant overlap between the GDPR and POPIA, the GDPR contains certain additional requirements above that required by POPIA which will need to be implemented by such businesses to ensure full compliance.
  • As discussed in more detail below, these additional requirements include, for instance, stricter conditions for valid consent; additional data subject rights pertaining to ‘the right to be forgotten’ and data portability; more stringent stipulations in the event of a data breach; the requirement that data protection impact assessments be conducted; and an obligation to implement appropriate technical and organisational measures that inculcate privacy by design and by default into the organisation.

Extra-territorial application of the General Data Protection of the European Union

In precisely a month from today, a new data protection law will take effect in the European Union (EU): the General Data Protection Regulation of the EU 2016/679 (GDPR).  (An overview of the GDPR is accessible here.)  The GDPR comes into force on 25 May 2018 and will replace the current EU Data Protection Directive 95/46/EC (EU Directive).

A particularly noteworthy feature of the GDPR is that it applies extra-territorially.  This means that it is not limited in its scope to businesses that are based in the EU; rather, it may also apply to businesses located outside of the EU.  In such instances, those businesses will be required to comply with the GDPR, despite not being located within the EU.  This is aimed at protecting the rights of EU data subjects, regardless of where and by whom their personal information is being processed.

In terms of article 3 of the GDPR, there are three instances in which the GDPR will apply extraterritorially.

The first instance is where a business located outside of the EU offers goods or services to data subjects within the EU.  In determining whether this provision applies, Recital 23 to the GDPR explains that the question to be determined is whether it is apparent that the data controller or processor intends or envisages offering goods or services to data subjects in one or more EU member states.  Simply put, it is a question of intention.

In this regard, the mere accessibility of a website or contact details are insufficient to ascertain such intention.  On the other hand, however, factors such as the use of a language or a currency generally used in a member state with the possibility of ordering goods and services in that language, or the mention of customers or users who are in the EU, may be sufficient to trigger the extra-territorial scope of the GDPR.

The second instance is where a business located outside of the EU monitors the behaviour of data subjects within the EU.  As explained in Recital 24 to the GDPR, this refers to the tracking of natural persons on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning the data subject or to analyse or predict the data subject’s preferences, behaviours and attitudes.

The third instance is where the law of an EU member state applies to a controller located outside of the EU by virtue of public international law.  As explained in Recital 25 to the GDPR, this applies for instance to a controller in a member state’s diplomatic mission or consular post.

While the intention behind the extra-territorial application of the GDPR is rooted in wanting to protect the rights of EU data subjects, this can have onerous consequences for implicated businesses located outside of the EU that may be required to comply both with their own domestic data protection law and with the GDPR.

What does this mean for South African businesses?

South Africa too has a comprehensive data protection law: the Protection of Personal Information Act 4 of 2013 (POPIA).  (An overview of POPIA is accessible here.)  However, only certain sections of POPIA are currently in force: section 1 relating to the definitions; part A of chapter 5 relating to the Information Regulator; section 112 relating to the power to make regulations; and section 113 relating to the procedure for making regulations.  There is not yet a clear indication of when the remaining substantive provisions of POPIA regarding the conditions for the lawful processing of personal information will take effect.

Although compliance is not yet required in terms of POPIA, many businesses in South Africa have nevertheless proactively started taking steps to meet the requirements of POPIA in anticipation of the law coming into effect.  This will need to be expedited for those businesses falling within the extra-territorial scope of the GDPR, as they will already need to comply with the GDPR from 25 May 2018 onwards, even though POPIA is not yet fully in force.

POPIA was largely modelled on the EU Directive that will be replaced by the GDPR.  As such, whilst there is substantial overlap, the GDPR imposes certain additional requirements that were not contained in the EU Directive, and that are not required under POPIA.  Accordingly, for those South African businesses that do fall within the extra-territorial scope of the GDPR, complying with POPIA alone will not be sufficient to meet the requirements of the GDPR.

Set out below are some of the key requirements contained in the GDPR that are not expressly required in terms of POPIA:

  • Consent (article 7 of the GDPR): Consent is often relied on to facilitate the processing of personal information. Under POPIA, consent means “any voluntary, specific and informed the expression of will in terms of which permission is given for the processing of personal information”.  Under the GDPR, the conditions for valid consent are stricter.  The GDPR requires that a request for written consent “must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language”.
  • Right to be forgotten (article 17 of the GDPR): While both POPIA and the GDPR contain a right to erasure, the GDPR goes further in defining what is commonly referred to as ‘the right to be forgotten’. The GDPR expressly requires that where a data controller has made personal information public and is obliged to erase that data, the data controller has a duty to take reasonable steps to inform other controllers processing that information that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, the information in question.  This right is, however, circumscribed by considerations of available technology and the cost of implementation, as well as the need to balance it with competing rights and interests, such as the right to freedom of expression.
  • Right to data portability (article 20 of the GDPR): The GDPR introduces a new right in respect of data portability, which relates to the right for a data subject to receive the personal information that they have provided in a structured, commonly used and machine-readable format, and the data subject’s right to transmit that information to another data controller. In short, this means that a data subject can require that their personal information is transferred from one data controller to another, where technically feasible.  This is aimed at ensuring that data subjects have more control over their data where processing is carried out by automated means.  POPIA does not include an express right to data portability.
  • Breach notification (article 33 of the GDPR): POPIA requires that in the event of a data breach, the party responsible must notify the Information Regulator and the affected data subjects “as soon as reasonably possible”. In comparison, the GDPR sets out more specific requirements, most notably that data breaches must be reported to a supervisory authority within 72 hours of becoming aware of the data breach unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.  The GDPR also stipulates the specific information that must be provided in the notification to the supervisory authority.
  • Data protection impact assessments (Article 35 of the GDPR): The GDPR creates an obligation for data protection impact assessments to be conducted, and requires that the evidence or documentation of such assessments be maintained. This obligation arises where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.  Recital 90 explains that impact assessments should include, in particular, the measures, safeguards and mechanisms in place to mitigate risk and demonstrate compliance with the GDPR.  Where appropriate, the GDPR requires that the data controller must seek the views of the data subjects or their representatives on the intended processing.  POPIA, on the other hand, does not expressly require that data protection impact assessments be conducted in the same vein.
  • Data protection by design and by default (article 25 of the GDPR): The GDPR further includes an express requirement that appropriate technical and organisational measures be implemented, both when determining the means for processing and at the time of the processing itself, that are designed to implement data protection principles in an effective manner. This includes integrating necessary safeguards and protecting the rights of data subjects.  The GDPR provides further that data controllers must ensure that, by default, only personal information that is necessary for the specific purpose is processed.  Data protection by design and by default is not expressly provided for under POPIA.

Concluding remarks

South African businesses that fall within the extraterritorial scope of the GDPR – that is, by offering goods or services to data subjects in the EU, or by monitoring the behaviour of data subjects in the EU – will carefully need to scrutinise both POPIA and the GDPR to be in full data protection compliance.  While complying with POPIA will mean that businesses are mostly compliant with the GDPR, there are certain additional requirements that will need to be met in order to fully comply with the GDPR.  This will need to be implemented from 25 May 2018 when the GDPR takes effect.

Although the additional requirements set out above may not expressly be required under POPIA, they are nevertheless a reflection of good practice.  Data protection by design and by default, for instance, contemplate measures specifically geared towards ensuring that the protection of data subject rights and the implementation of necessary safeguards features throughout the data processing lifespan.  This is similarly true of data protection impact assessments.  Although businesses may not be required by POPIA to implement these features in respect of their South African operations, it may, in any event, be worthwhile to voluntarily do so to ensure good practices and responsible data management throughout the organisation.

Avani Singh is a Director and Co-founder of ALT Advisory.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.  For any enquiries, please contact us at [email protected].

2-min

Data Without Borders: How to Manage Cross-Border Data Transfers in South Africa

, , , ,

Cross-border data transfers are necessary and unavoidable for most organisations.  What does the Protection of Personal Information Act require, and how can this be implemented?

Summary: Data breaches, both domestically and abroad, are a stark reminder of the urgent need for the implementation of data protection laws to give effect to the right to privacy.  For many organisations, the flow of data does not only take place within domestic borders but also sees vast amounts of data being transferred to third parties in foreign countries.  Section 72 of South Africa’s Protection of Personal Information Act 4 of 2013 – once it comes into force – will place certain stipulations on how this can be effected, for instance by ensuring that the data will be subject to adequate legal protection.  By considering the comparative experiences in other jurisdictions, we explore the meaning of adequate legal protection, and what practical implications this will have.

The recent data breach, in which it has been revealed that at least 30 million South African identity numbers have been disclosed, is a stark reminder of the urgent need for the remaining provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) to be brought into force in South Africa.  To date, only certain sections of POPIA have come into force, and it remains unclear when the real crux of POPIA – those provisions providing for the rights and duties of data subjects and those responsible for processing information (known as the ‘responsible party’ under POPIA) – will begin to apply.

In terms of data breaches, South Africa is by no means alone in dealing with this: internationally, there have reportedly been a staggering 1,901,866,611 data records compromised in the first half of 2017 alone, with the highest number of incidents reported in the United States (US).  This global landscape is particularly relevant because, once the remaining provisions of POPIA come into force, it is not only the South African law that will need to be considered.

One of the key provisions under POPIA relates to cross-border information flows, where a responsible party in South Africa transfers personal information about a data subject to a third party in a foreign country outside of South Africa.  This occurs, for instance, where personal information is sent outside of South Africa to a customer or client, to a service provider or sub-contractor, or when making use of cloud storage hosted outside of South African borders.  Think about the data you share on social media and chat platforms: do you know where the servers that contain your data are located?

In the global digital age, where significant amounts of trade and commerce take place online and across multiple jurisdictions, cross-border data transfers are necessary and unavoidable for most businesses.

Relevant in this regard in section 72 of POPIA.  This section of POPIA is not yet in force, but will require once it is that in order for cross-border transfers of personal information to be permissible, one of the following must be present:

  • Adequate legal protection: The recipient of the personal information must be subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that effectively upholds the principles for reasonable processing, and that include provisions that are substantially similar to the conditions for the lawful processing of personal information and for the further transfer of personal information.
  • Consent: The data subject consents to the transfer.
  • Necessary for the performance of a contract: The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request.
  • Interests of the data subject: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
  • The benefit of the data subject: The transfer is for the benefit of the data subject in circumstances where it is not reasonably practicable to obtain the consent of the data subject for the transfer, and the data subject would be likely to give consent had it been obtained.

These are not cumulative requirements, and only one of the above would need to be present in order for the cross-border data transfer to pass muster.

The experience in other jurisdictions has shown that one of the easiest and most convenient ways to effect cross-border data transfers is where the transfer takes place to a country with a law which provides “an adequate level of protection”, with principles for processing that are “substantially similar to the conditions for the lawful processing of personal information”, as contemplated under section 72(1)(a) of POPIA.

The question of the adequacy of legal protection in the foreign country is also specifically relevant if a responsible party intends to transfer data that falls into one of the following two categories: (i) special personal information (as set out in section 26 of POPIA, and includes, for instance, information relating to race, health, biometric information or criminal behaviour); or (ii) the personal information of children.  In these circumstances, section 57(1) of POPIA provides that if such information is being transferred to a third party in a country that does not provide an adequate level of protection, the responsible party is required to obtain prior authorisation from the Regulator, prior to any processing taking place.

Determining whether legal protection is adequate

While the crux of the assessment is whether the law in the foreign country is adequate, POPIA provides little guidance on what this entails.  The United Kingdom (UK) Information Commissioner’s Office (ICO) has provided some guidance in this regard that may be useful when interpreting POPIA, given the similarities of the provisions in the UK and the South African laws.  Notably, the UK ICO identifies six criteria to take into consideration:

  • The nature of the personal data: This consideration recognises that some types of personal data will pose little risk to the rights and freedoms of data subjects, whilst the required level of protection may be higher if one is transferring special personal information, for instance.
  • The purposes for which the data is intended to be processed: Some purposes will carry greater risks than others. For instance, according to the UK ICO, data processed for an internal company or group purposes only may involve less risk than if the data is distributed more widely.
  • The period during which the data is intended to be processed: The UK ICO notes that if the data is only processed once or for a short period and then destroyed, the risks arising from any lack of protection for data subjects’ rights may be less than if they are processed on a long-term basis. While this does not mean that once-off transfers may be carried out without putting any protections in place, the requirements for such protections may nevertheless be less onerous.
  • The country or territory of origin of the information contained in the data: Consideration must be given to circumstances where information may have been obtained in a third country, and the expectations that such data subjects may have for the level of protection that they will enjoy.
  • The country or territory of the final destination of the information: Given that transfers may be made in several stages, the adequacy of protection of the final destination is also relevant in assessing the adequacy of protection associated with the transfer.
  • Any security measures are taken in respect of the data in the country or territory of destination: Responsible parties exporting data may be able to ensure that personal data is protected by technical measures, such as encryption, to assist in safeguarding the personal information.

What happens if the level of protection in a foreign country is not adequate?

The question of adequacy was at the heart of the 2015 decision of the Court of Justice of the European Union (CJEU) in the matter of Maximillian Schrems v Data Protection Commissioner.  Mr Schrems, a European citizen, lodged a complaint with Irish Data Protection Commissioner that some or all of the data that he had provided to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the US, where it was processed.  The US does not have a comprehensive data protection law, and Mr Schrems argued that the law and practice in the US did not offer sufficient protection against surveillance by the US public authorities, and did not meet the test for adequacy as contemplated in the Data Protection Directive of the European Parliament.

In a landmark ruling, the CJEU agreed.  The CJEU noted that the protective rules laid out in the data-sharing arrangement between the European Union (EU) and the US (known as the ‘Safe Harbour Decision’) could be disregarded by the US where they conflicted with national security, public interest and law enforcement requirements of the US.  The CJEU held that any legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the right to privacy.  Furthermore, the CJEU was of the view that legislation that does not provide for an individual to pursue legal remedies to access one’s personal information or to have such information rectified or erased, compromises the essence of the right to effective judicial protection.

Accordingly, the CJEU declared the Safe Harbour Decision invalid, with immediate effect.  The EU and the US have since entered into the EU-US Privacy Shield in an effort to remedy the concerns raised by the CJEU.  According to the guidance published by the European Commission, US companies wanting to make use of the Privacy Shield must sign up to the framework with the US Department of Commerce, which is responsible for managing and administering it and ensuring that companies meet their commitments.  In order to be able to certify, companies are required to have a privacy policy in line with eight privacy principles set out in the Privacy Shield:

  • a right to be informed;
  • limitations on the use of data for different purposes;
  • data minimisation and the obligation to keep data only for the time needed;
  • the obligation to secure data;
  • the obligation to protect data if it is transferred to another country;
  • a right to access and correct one’s data;
  • a right to lodge a complaint and obtain a remedy; and
  • redress in the case of access by public authorities.

These principles can be seen as offering some guidance on what key features should be present to establish the adequacy of a comparable data protection regime.  Although the CJEU’s decision is not binding for South Africa, it is likely that South Africans seeking to transfer personal information to the United States may similarly find that the US does not provide an adequate standard of protection comparable to POPIA.  A similar challenge arises when contemplating transferring personal information around the continent, given that the majority of African countries do not presently have data protection laws in place.  In such circumstances, the UK ICO proposes the following approach:

  • Risk assessment: The responsible party should conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects.
  • Adequate safeguards: Where it is found that the foreign country does not provide an adequate level of protection, the responsible party should put in place adequate safeguards to protect the rights of the data subjects, for instance through the use of model contract clauses or binding corporate rules.
  • Statutory exceptions: A responsible party may also make use of one of the other statutory exceptions provided for, which in terms of POPI includes the consent of the data subject to the transfer.

The use of cloud storage presents particular complexities with respect to data transfers.  The challenge with cloud storage, where the information is hosted outside of South Africa, is that one often has little control of the terms and conditions of the service provider, what the service provider does with that information, or whether the data is stored in a jurisdiction with an adequate level of protection.  While it appears that many cloud storage service providers are becoming increasingly cognizant of the need to ensure appropriate standards and protections, it is still advisable for responsible parties to endeavour to notify data subjects of their practices in this regard, and seek to exercise due diligence in respect of the cloud storage service provider being used.

The role of the Regulator

Fortunately, responsible parties are not alone.  Section 40(1)(g) of POPIA provides that the Regulator has a duty “to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation”.  It will, therefore, be an important part of the role of the Regulator to assist to facilitate the cross-border transfers of personal information in a manner that is both effective and compliant with POPIA.

In Europe, for instance, the European Commission is empowered to determine whether a third country ensures an adequate level of protection by reason of its domestic law or the international commitments that it has entered into.  The effect of this adequacy determination is that data can flow from the member states of the EU and the European Economic Area to that third country, without any further safeguarding being necessary.  To date, the European Commission has recognised 11 countries as providing adequate protection.  Similarly, the approach taken by the Privacy Commissioner for Personal Data in Hong Kong, for instance, was to conduct a survey of 50 jurisdictions and prepare a “white list” of places with a data protection law in force offering substantially similar protections or serving the same purpose as the law in Hong Kong.

The flipside of this is that South Africa too wants to ensure that it can meet the threshold of having an adequate standard of protection in place, to facilitate data transfers from outside South Africa into the country.  As interest in South Africa’s ICT sector continues to grow – for instance, with Microsoft has announced the introduction of two new data centres in Johannesburg and Cape Town to be available from 2018 – this has become more necessary than ever.  This will require both the relevant legal framework, as well as the effective implementation of that framework.

Until this is done, other measures will need to be put in place to facilitate such data transfers from countries that require an adequate level of protection, which may be more complex and costly.  Given the scale, inevitability and importance of cross-border transfers for the purposes of commerce and trade, this is a further reminder of the importance for POPIA to be fully brought into force as a matter of urgency, both in the best interests of data subjects in South Africa and those who engage in business abroad.

Avani Singh is a Director and Co-founder of ALT Advisory.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.  For any enquiries, please contact us at [email protected].

Skip to content