The Protection of Personal Information Act, 2013 ("POPIA") prohibits organisations from transferring any personal information about a data subject to a foreign country. Given the way many businesses engage globally, this is this poses some highly problematic issues and can hinder all sorts of standard business practices, such as engaging with customers in foreign countries, procuring services from foreign service providers and storing personal information in a cloud whose servers are not located in South Africa.
POPIA, however, provides that personal information can be transferred to a foreign country, where:
- the third party recipient is subject to laws, binding corporate rules or binding agreements that provide adequate protection to the personal information and are substantially similar to POPIA and provide for the restriction of any further transfer of personal information by that recipient to other third parties in a foreign country;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract or pre-contractual measures; or
- the transfer is for the benefit of the data subject and it's not reasonably practicable to obtain consent and if it were reasonably practicable the data subject would likely give it.
A carefully drafted transborder transfer agreement between a responsible party and a third party who needs to have access to personal information but is not based in South Africa, is a foolproof way of ensuring a transborder transfer of personal information is lawful. It allows a responsible party to contractually impose processing restrictions on a third party, such as restricting the further transfer of personal information outside of that foreign country and ensures that sufficient security measures are implemented to safeguard the personal information. It should also provide for remedies available to the responsible party, such as a warranty from the third party regarding its compliance with data privacy laws, including POPIA and an indemnity to cover any losses arising from their non-compliance with data privacy laws. Where apposite, the agreement should also include the mandatory operator or data processor clauses.
A transborder agreement should, at a minimum, be in place for as long as the third party is in possession of or in control of personal information provided by the responsible party. However, in order to ensure that there are no gaps, a transborder agreement could be concluded for an indefinite period.
Of importance, POPIA requires responsible parties to obtain prior authorisation of the Information Regulator when it seeks to transfer special personal information or personal information of children to a party in a foreign country that does not provide levels of protection comparable to those in POPIA. The Information Regulator has not as yet issued any directive or guidance regarding which countries' laws are adequate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.