Can any foreign data privacy legislation ever be "adequate"?

By Dérick Swart and Maryke Sher-Lun on 16 December 2021

Section 72 of the Protection of Personal Information Act, 2013 ("POPIA"), deals with the transfer of personal information outside South Africa and states that it may not happen, unless one of the exceptions contained in a closed list applies.  

Like many other countries' data privacy legislation, POPIA has such an exception in the case where the country to which the personal information is to be transferred provides an "adequate" level of protection.  

This blog post explores whether this can be relied on in all cases.

When is it "adequate"?

The requirement for adequacy is unpacked in greater detail in section 72(1)(a) to state that the foreign law must: 
 
  1. effectively uphold principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
  2. include provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country.

Information regulators in countries with this sort of provision may sometimes issue a so-called "adequacy ruling", where they officially acknowledge specific foreign legislation to be adequate.

Juristic data subjects and the Constitution

As we have it, POPIA is at the time of writing the only piece of dedicated data privacy legislation in the world to extend data subject rights to juristic persons.  

The reasoning for this unusual construction relates to the history of POPIA, as well as to the wording of the Bill of Rights.  

In 2009, when the Law Reform Commission proposed the Protection of Personal Information Bill, it noted two things.  Firstly, South African courts have in numerous decisions applied the common law right to privacy to juristic persons (see for instance Financial Mail (Pty) Ltd v Sage Holdings Ltd and more recently, Investigating Directorate: SEO v Hyundai Motors). Secondly, section 8(4) of the Constitution entitles juristic persons to the rights in the Bill of Rights “to the extent required by the nature of the rights and the nature of the juristic person”.

Comments received at the time also noted that international practice varied, but that the Law Reform Commission had received widespread support for its proposal to include juristic persons in the scope of this bill, primarily as a way to prevent communications by juristic persons from being intercepted.

The dilemma

If South Africa is the only country in the world to offer data subject status to juristic persons, the effect is that all other countries have effectively disenfranchised an entire category of data subject, as compared to POPIA.  

Can any foreign data privacy legislation then truly be "adequate" as compared to POPIA for purposes of section 72? 

And the question that follows:

If no foreign data privacy legislation can be "adequate" given the aforegoing, does this apply only in relation to juristic data subjects, or the foreign legislation in full?

One would almost be tempted to follow a common-sense approach and argue that something like the European Union's General Data Protection Regulation ("GDPR"), generally held as the gold standard, must surely be adequate.  The legislator could not have intended an absurd result?

Perhaps there is some relief in section 72(1)(a) where it states "...and, where applicable, a juristic person...".  On a literal reading, this could mean that:
 
  • when transferring the personal information of a natural data subject, GDPR could for instance be adequate; but
  • when transferring the personal information of a juristic data subject, no other data privacy legislation (in the world) can be adequate because it does not protect such information and therefore section 72(1)(a) can never be relied on for expedient cross border data flows.

Even if this view holds water, it will be of limited practical relief, given that the information processed may contain both personal information of natural and juristic data subjects, in which case most data privacy professionals may for the sake of expediency not seek to rely on section 72(1)(a) at all.

In conclusion

While adequacy is of course not the only potential ground for an international data transfer, and entities may still transfer personal information across borders provided that they include the contractual provisions referred to in s72 in their DPAs, this still produces an absurdity: the 'adequacy' category in the closed list in section 72 can never be used. The need to negotiate custom clauses in a DPA every time there is a cross-border transfer is a heavy burden, particularly for smaller entities with limited negotiating power.

Unlike POPIA, GDPR provides an official mechanism (in article 45) for the European Commission to determine the adequacy of foreign data protection laws.  POPIA provides no such mechanism.  Even the ability of the Minister of Justice to make regulations is stated in section 112 to relate to a closed list of sections which does not include section 72. 

While it may provide some relief if POPIA's information regulator expresses a ruling that it deems a legislative framework like POPIA "adequate", such a ruling would have no legislative standing and be merely an opinion, which could be overturned in any subsequent proceedings, with the concomitant risk of rendering cross border transfers unlawful and likely triggering indemnity obligations.

It is crucially important that South Africa does not pursue a course of action that puts it at odds with international best practices for data privacy legislation and frustrates ease of doing business in the information age.

Given that the Constitution supports the existence of a right to privacy for juristic persons, it is doubtful that South Africa could go back to purely common law protection of privacy for juristic persons.  Instead, South Africa may be better advised to promulgate dedicated legislation for the protection of juristic data subjects, and thereafter to remove juristic persons from the ambit of POPIA.




Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.