Due to ever-increasing globalisation in business, personal information is rarely processed only within the borders of South Africa. With the commencement of the Protection of Personal Information Act, 2013 ("POPIA") on 1 July 2020, followed by a one-year "grace period" within which to comply with its provisions, it is imperative for organisations to comply with POPIA when transferring personal information outside of South Africa. POPIA recognises the need to transfer personal information out of South Africa and states, inter alia, that its purpose is to protect "important interests, including the free flow of information within the Republic and across international borders".

Section 72 of POPIA prescribes the conditions for the transfer of personal information outside of South Africa and, in essence, prohibits such a transfer unless at least one of the prescribed safeguards is met. These safeguards include the consent of the data subject to the transfer, and that the third party who receives the information is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection that effectively upholds principles for the reasonable processing of the information substantially similar to those in POPIA. In addition, such law, rules or agreement must include adequate provisions relating to the further transfer of the personal information from the recipient to third parties in a foreign country.

Bearing in mind that POPIA is largely based on the European Data Protection Directive (the "EU Directive"), which was replaced by the General Data Protection Regulation ("GDPR") on 25 May 2018, and that POPIA prescribes that its processing conditions be established "in harmony with international standards", some reliance can be placed on the adequacy decisions by which the European Commission has declared that particular countries provide an adequate level of protection.

The European Commission had previously adopted the EU-US Privacy Shield Framework (which replaced the earlier Safe Harbor arrangement), permitting the free transfer of personal information under the GDPR from the EU to the US. On 16 July 2020, however, in one of the most important data-protection cases to date, the Court of Justice of the European Union invalidated the Privacy Shield (the Schrems II judgment) on the basis that, given the scope of US government surveillance laws and the absence of actionable remedies for EU data subjects, it did not afford a level of protection essentially equivalent to that guaranteed under EU law.

This decision has left personal data transfers between the EU and the US in turmoil. The judgment did not invalidate the EU-approved contractual clauses that set safeguard standards for the transfer of personal information, known as Standard Contractual Clauses ("SCCs"), but it did require exporters relying on SCCs to assess, case by case, whether the laws of the destination country allow the importer to honour them and to adopt supplementary measures where they do not. In order to ensure compliance under POPIA, it is therefore imperative for organisations that transfer personal information outside of South Africa (and particularly to countries for which there is no EU adequacy decision, and/or where the personal information of juristic persons is processed, which POPIA protects but the GDPR does not) to ensure that they:

  • carry out due-diligence checks of the data-protection laws (if any) in place in the foreign country to which they wish to export the personal information;
  • obtain advice on the laws of that foreign country that permit access to personal information by government agencies; and
  • put in place appropriate safeguards in comprehensive data-transfer agreements, through the use of properly worded SCCs or binding corporate rules (the latter applying only to transfers of personal information within a group of companies).

Falling foul of the provisions of POPIA can lead to the imposition of a fine of up to ZAR10 million and/or imprisonment for a period of up to 10 years.

ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:

  • pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, information-officer training and advice on all aspects of POPIA, including trans-border transfers of personal information; and
  • post-breach services to assist with breach response and the mitigation of liability, breach notifications and regulatory investigations, and complex litigation involving data breaches.

We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.