On 11 March 2021, the Information Regulator published an invitation to apply for prior authorisation, together with a Guidance Note on the application for prior authorisation and the form to be used by responsible parties when applying for such prior authorisation.
The invitation encourages responsible parties to submit their applications as soon as possible. The Information Regulator states that submitting the application for prior authorisation timeously will afford it sufficient time to process these applications ahead of 1 July 2021, the date on which the Protection of Personal Information Act, 2013 ("POPIA") takes effect.
When does a responsible party require prior authorisation?
Section 57 of POPIA obliges a responsible party to obtain prior authorisation from the Information Regulator (on a once-off basis), prior to any processing, if that responsible party plans to:
- process any unique identifiers of data subjects:
  - for a purpose other than the one for which the identifier was specifically intended at collection; and
  - with the aim of linking the information together with information processed by other responsible parties (which, in our view, necessarily includes other group entities);
- process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
- process information for the purposes of credit reporting (such as a credit bureau); or
- transfer special personal information, or the personal information of children under 18, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
It is important to note that:
- section 58(2) of POPIA prohibits a responsible party from carrying out processing that has been notified to the Information Regulator until the Information Regulator has completed its investigation, or until the responsible party has received notice from the Information Regulator that a more detailed investigation will not be conducted;
- if section 114(3) of POPIA is read together with sections 57 and 58(2), a responsible party would not currently have to stop processing personal information which has been notified to the Information Regulator until the Information Regulator determines otherwise by way of notice in the Government Gazette. The Information Regulator has not yet published the requisite notice in terms of section 114(3) of POPIA, which means that the prohibition in section 58(2) on carrying out the processing is currently not applicable;
- failure by a responsible party to obtain prior authorisation is an offence in terms of section 59 of POPIA which, upon conviction, may lead to the imposition of a fine or imprisonment (or both).
Practical issues for responsible parties arising from the Guidance Note
The Guidance Note published by the Information Regulator leads to some practical issues for responsible parties which the Information Regulator has not yet dealt with:
- the application form for prior authorisation must be signed by the Information Officer as registered with the Information Regulator. The Information Regulator has not yet finalised its guidelines for the registration of Information Officers, and there is currently still no clarity on whether or not the role of Information Officer can be delegated (in this regard see our article on the Role of Information Officer). It is therefore premature to require Information Officers (who cannot yet be registered or appointed) to complete these application forms; and
- the Guidance Note states that if a responsible party intends to transfer special personal information or the personal information of children to a third party outside of the Republic of South Africa (which necessarily includes storing data in the cloud on servers located outside of South Africa), the responsible party is required to assess whether this foreign-based third party is subject to: i) a law; ii) binding corporate rules; or iii) a binding agreement which provides an adequate level of protection, effectively upholding principles for the reasonable processing of personal information that are substantially similar to the eight conditions for the lawful processing of personal information relating to a data subject found in POPIA. In this regard:
  - it is currently impossible for a responsible party to determine which countries have data privacy laws that are substantially similar to POPIA. For example, POPIA extends to juristic persons, while most other data protection laws extend only to natural persons and accordingly will not adequately protect the personal information of juristic persons. Data privacy legislation such as the European Union ("EU") General Data Protection Regulation ("GDPR"), in respect of controllers (EU parlance for responsible parties) established outside the EU, protects only the personal data of data subjects in the EU and will therefore not automatically provide any protection to the personal information of South African citizens processed in the EU.
  - It stands to reason that until the Information Regulator issues guidance on which countries, territories or jurisdictions are considered to have adequate levels of protection, it may be impossible for responsible parties to determine whether or not they require prior authorisation from the Information Regulator. Currently, all transfers to any other country may require prior authorisation, which will have a significant impact on many entities in South Africa, large and small.
Further guidance from the Information Regulator on these aspects is urgently needed in order for responsible parties to comply with the provisions of POPIA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.