TRANSBORDER INFORMATION FLOW
Personal information flows across South African borders on a daily basis. This includes offshore call centres of a local company, online newsletters, using cloud services, online shopping and marketing, e-commerce and a whole host of other instances.
You are not allowed to transfer personal information about a data subject to a third party who is in a foreign country unless certain protections are in place. At least one of the following must apply:
FOREIGN COUNTRY HAS A LAW THAT PROVIDES ADEQUATE PROTECTION
There are a number of jurisdictions to which data can be transferred, and where personal information is transferred to one of these it is important to ensure that laws are in place that are substantially similar to POPI and effectively uphold the processing principles.
In particular, the regulation of the country must include provisions relating to the further transfer of information, and those provisions must also require that this protection is in place.
The adequacy of legal protection in the foreign country is specifically relevant if you intend transferring special information or children’s information across borders. Where you rely on this provision, transferring this type of information to a third party in a country that does not provide adequate protection requires prior authorisation from the Regulator before any processing can take place.
BINDING CORPORATE RULES THAT PROVIDE ADEQUATE PROTECTION
“binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
“group of undertakings” means a controlling undertaking and its controlled undertakings.
This concept provides organizations and their subsidiaries with a means to transfer data over international borders without falling foul of POPI. Underpinning this concept is that of “a group of undertakings”, which is a broad definition for an organization that consists of multiple entities operating in different regions.
In order for this provision to apply, the corporate rules must provide an adequate level of protection that effectively upholds the principles for reasonable processing and includes provisions that are substantially similar to the conditions for the lawful processing and the further transfer of personal information.
AGREEMENT BETWEEN SENDER AND RECEIVER – ADEQUATE PROTECTION
Any agreement relied upon here must contain provisions which ensure the same protections as noted above.
CONSENT
Where you obtain informed consent from the data subject to transfer their personal information across borders, then this is permitted.
CONTRACT PERFORMANCE
Where the transfer is necessary for you to perform in terms of a contract with the person, cross-border data transfer is allowed. You will have to be able to prove that data transfer is necessary for the performance of a contract between you and the data subject or for the implementation of pre-contractual measures taken in response to the data subject’s request.
CONTRACT IN THE INTERESTS OF THE DATA SUBJECT
Cross-border flow of personal information is permitted where this is necessary for the performance of a contract between you and a third party which is in the interests of the data subject.
DATA SUBJECT’S INTERESTS
Where the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject, but the data subject would be likely to give consent if it were practicable, then the cross-border transfer of data is allowed.
CLOUD STORAGE
Cloud storage presents particular complexities in respect of where the data is transferred to. It is important to know where the information goes and what happens to it. There is often very little control over the terms and conditions of the service provider, what the service provider does with the information, or whether the data is stored in a jurisdiction with an adequate level of protection.
Any agreements which relate to cloud computing need to be carefully examined to ensure that the provisions governing trans-border information flows are not contravened.
This risk should be identified and quantified, and measures implemented to address it. It is advisable to notify data subjects of your practice in this regard, obtain the necessary consent and perform your due diligence to effectively identify and manage any risks.
WHAT MUST YOU DO?
You need to:
- Identify where personal information is transferred outside South Africa and list the countries to which personal information is
- Check that where you transfer information outside South African borders, it will be properly protected. Find out which of the countries have a law that provides adequate protection and, for those that don’t, work out which other protection set out in section 72 you are relying on.
- Where a foreign country does not provide an adequate level of protection, put adequate safeguards in place to protect the rights of the data subjects, for instance through the use of model contract clauses or binding corporate rules.