At the end of last year, the Court of Justice of the European Union ruled that the EU Safe Harbour Decision (permitting the transfer of personal data to the US) was invalid as the US did not provide an adequate level of protection of personal data within the meaning of Article 25 of Directive 95/46.
The Protection of Personal Information Act 4 of 2013 (POPI) includes similar "safe harbour" language for the cross-border transfer of personal information. In this insight we provide a brief overview of the requirements to transfer personal information to a third party in a foreign country under POPI.
POPI is the first piece of legislation in South Africa that deals specifically and fully with the protection of personal information. The commencement of POPI (the date of which is yet to be proclaimed) will require a complete reform of the manner in which entities process personal information to ensure compliance with POPI, particularly the transfer of such information to another country.
Transfer of personal information outside South Africa
POPI prohibits the transfer of personal information to a third party who is in a foreign country unless such transfer falls within the ambit of certain exemptions.
These exemptions include the transfer of personal information to a third party who is subject to a law, binding corporate rules or binding agreement which provides an "adequate level of protection" that:
- effectively upholds the principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
- includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country.
POPI does not specify which countries have laws that provide an adequate level of protection or the manner in which such countries will be identified. Further clarity may be available when regulations are published pursuant to POPI. Accordingly, it would be prudent for entities to rely on agreements that provide for adequate levels of protection or binding corporate rules for the transfer of personal information out of South Africa (unless the transfer falls within one of the other categories).
"Binding corporate rules" is defined in POPI as personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country. Accordingly, it appears that the binding corporate rules exemption will only apply to entities that are transferring personal information to entities within the same group.
Other exemptions to cross-border transfers
In addition to the safe harbour type exemption referred to above, the cross-border transfer of personal information is permitted if:
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
- the transfer is for the benefit of the data subject, and:
- it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
- if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com