PER/PELJ-Pioneer in peer-reviewed, open access online law publications
Author Juana Coetzee
Affiliation Stellenbosch University, South Africa
Email jcoet@sun.ac.za
Date Submitted 25 November 2022
Date Revised 31 May 2024
Date Accepted 31 May 2024
Date Published 7 November 2024
Editor Prof W Erlank
Journal Editor Prof C Rautenbach
How to cite this contribution
Coetzee J "Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part I: The Territorial Scope Provision" PER / PELJ 2024(27) - DOI http://dx.doi.org/10.17159/1727-3781/2024/v27i0a15233
Copyright
DOI http://dx.doi.org/10.17159/1727-3781/2024/v27i0a15233
Abstract
Keywords
POPI/POPIA; personal information; territorial scope; section 3 POPIA.
1 Introduction
Using the Internet for commercial exchange has led to an increase in international trade in goods and services. This stimulates the global economy and, in turn, creates an opportunity for economic growth, which can assist in alleviating poverty.
* Juana Coetzee. BA, LLB, LLM, LLD (Stellenbosch University). Associate Professor (Emeritus) and Research Fellow, Department of Mercantile Law, Stellenbosch University, South Africa. Email: jcoet@sun.ac.za. ORCiD: https://orcid.org/0000-0003-1388-4792.
1 This explains why the digital economy is listed as one of the United Nations 2030 Sustainable Development Goals. UN General Assembly Transforming our World: The 2030 Agenda for Sustainable Development UN Doc A/RES/70/1 (2015) Goal 9c.
2 OECD 2018 https://one.oecd.org/document/TAD/TC/WP(2018)19/FINAL/En/pdf.
3 Section 14 of the Constitution of the Republic of South Africa, 1996 (the Constitution). Even internationally, it is protected by the Universal Declaration of Human Rights (1948) and numerous other conventions.
The impact of Covid-19 has emphasised the value of the free flow of information on different levels. Data sharing, for example, assisted in researching the virus and ultimately in developing a vaccine. Furthermore, the free flow of data facilitates online shopping, which gave many businesses the opportunity to continue trading and gave consumers the possibility of obtaining household necessities without having to expose themselves to the virus. When lockdowns and other social distancing measures prevented contact in person, your house suddenly became your home, office, classroom and movie theatre. Many could continue working from home; education resumed online when face-to-face teaching was no longer possible; online platforms enabled social connection with family and friends; and digital service networks provided entertainment.
4 This contribution recognises the consequences of the digital divide between the rich and the poor, which affects access to digital information. However, it is not the purpose of this article to discuss these aspects in any detail.
However, the free flow of data often entails the collection and distribution of personal information. In some instances the processing of personal information is necessary to complete a transaction and its performance; for example, in connection with the payment and delivery aspects thereof. In this context the transfer of personal data to another country is often unavoidable for the completion of a cross-border transaction; for example, when a consumer purchases goods online via a non-domestic website or when registering with a digital service provider. Information that is processed in South Africa can also leave the country to be further processed in another country or stored on servers, or in the cloud, located in another legal jurisdiction. Data processing connected to social media or cross-border data sharing by public authorities are common examples of the export of personal information to other countries. Processing can even take place without the knowledge or consent of the data subject. Cookies, scanners, sensors, radio frequency identification tags on consumer goods and other technological interventions that support Big Data are a few examples that fall into the latter category. To make our lives easier the Internet of Things connects household appliances and other smart goods to the Internet, and to make us feel safer they watch our houses and our children. In the process they follow our daily movements and collect information on our likes and dislikes, record our voices, store images of our loved ones and ourselves, and much more. Once collected, do we know where our personal data is going and what is done with that information? Even if technology can help to keep us safe by monitoring who enters our properties and neighbourhoods, is our personal data safe?
The concept "personal information" is hard to define exhaustively.
5 See De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.1.1.
6 Para (c) of the definition of "personal information" in s 1 of the Protection of Personal Information Act 4 of 2013 (POPIA).
7 Paragraph (a) of the definition of "personal information" in s 1 of POPIA.
8 Paragraph (c) of the definition of "personal information" in s 1 of POPIA.
9 Paragraph (d) of the definition of "personal information" in s 1 of POPIA.
10 Paragraph (b) of the definition of "personal information" in s 1 of POPIA.
11 Paragraph (e) of the definition of "personal information" in s 1 of POPIA.
12 Paragraph (a) of the definition of "personal information" in s 1 of POPIA.
13 Paragraph (a) of the definition of "personal information" in s 1 of POPIA.
14 Paragraph (b) of the definition of "personal information" in s 1 of POPIA.
15 Paragraph (g) of the definition of "personal information" in s 1 of POPIA.
16 Paragraph (f) of the definition of "personal information" in s 1 of POPIA.
POPIA or the Act) therefore does not constitute a numerus clausus of types of information covered by the Act but takes account of all "information relating to an identifiable, living, natural person, and … an identifiable, existing juristic person".
17 Section 1 of POPIA.
18 Section 26 of POPIA.
19 Sections 26-35 of POPIA. The Information Regulator can also provide exemptions: ss 36-38 of POPIA.
The protection of personal information does not prohibit the processing of all personal information but ensures the lawful processing of personal data by imposing legal conditions on such processing. As the processing of personal information can infringe on a data subject's right to privacy, data protection laws must balance the right to the free flow of information with the rights to privacy and identity.
20 Section 14 of the Constitution.
21 One example of such international standards or guidelines is the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (adopted on Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data, Paris, 23 September 1980, revised 11 July 2013) (OECD 2013 https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm). The OECD Guidelines make provision for so-called data privacy principles. They are not legally binding but they can be adopted by states in the form of legislation or by companies in the form of codes of conduct. These guidelines have played an important role in the formulation of the major data protection. Also see the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981 (1981); Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31, which served as a model for the drafting of national data protection laws, specifically so in the case of POPIA.
22 Roos "Data Privacy Law" 395-396.
of processors situated in different countries, which might entail that the data subject's personal information is transferred to another country and later transferred onwards to yet another country for further processing. Whether the information would be protected adequately in third party countries is often not clear. This can leave data subjects vulnerable to further processing of their personal information for purposes other than those for which they were collected originally.
Personal data has become the commodity of our times,
23 Data has become a major commodity of the twenty-first century and has been called the "new oil". See Hayward 2021 UNSW Law Journal 888.
24 This article will not focus on these scenarios although they are covered by POPIA and more specifically by the Cybercrimes Act 19 of 2020.
25 Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650 (Schrems I); Data Protection Commissioner v Facebook Ireland, Maximillian Schrems Case C-311/18 [2020] ECLI:EU:C2020:559 (Schrems II).
26 Data transfers are discussed in more detail in part II of this article. In Schrems II, the ECJ invalidated the Privacy Shield agreement between the EU and the USA. The process of negotiating a new adequacy agreement is currently under way. See EDPB 2022 https://edpb_statement_202201_new-trans-atlantic_data-privacy_framework.pdf.
It is clear that there is a need for legal regulation that protects the data subject against unlawful processing but at the same time supports the free and lawful flow of data to facilitate commerce, innovation, and technological and economic development. In South Africa POPIA finally came into operation on 1 July 2020 after it had already been promulgated in 2013.
27 Most sections of the Act came into operation on 1 July 2020 but responsible parties were given a grace period of one year to make sure that they meet the requirements of the Act.
According to its Preamble and section 2,
28 Sections 2(a)(i) and (ii) of POPIA.
29 Preamble to POPIA.
30 Preamble to POPIA.
31 Sections 2(b), 5, 8-25, 69-71 of POPIA.
32 Sections 2(b)-(d), 73-109 of POPIA.
Where responsible parties collect personal information from data subjects in South Africa such information can be processed inside the country but it can also leave the country to be processed abroad.
33 See s 72 of POPIA.
Worldwide the main measures used to protect data flows to destinations outside the borders of a country are territorial scope provisions and data transfer provisions. Both aim to prevent the circumvention of the data protection laws of a country by exporting the data to another country. Territorial scope rules determine when the provisions of a data protection law will apply to parties located outside the borders of the country where the law would normally apply. This therefore extends the scope of the data protection law beyond the borders of a particular country. Data transfer rules, on the other hand, restrict the transfer of personal data to a third country by placing restrictions on and adding conditions to the processing of such information. Although both find application to parties located in other countries, the purpose and function of these rules are different. POPIA, like many other data protection laws, uses both measures. Section 3(1) states that the Act will apply in instances where the responsible party is domiciled in the RSA or where it makes use of equipment located in the Republic for its processing purposes. Section 72, on the other hand, explicitly regulates the cross-border transfer of data by a responsible party from the RSA to another country by setting certain conditions for such transfer.
This article restricts itself to a critical interpretation of the territorial scope provision. This is not the first time that section 3 of POPIA has been discussed and analysed in the context of academic scholarship;
34 See, for example, Baumann and Ismail 2021 CILSA 30 et seq.
35 Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (DPD).
36 Baumann and Ismail 2021 TSAR 720-721, 723; Baumann and Ismail 2021 CILSA 30; Roos 2020 CILSA 4.
To follow the discussion it is essential to note that the terminology in the EU regulations differs from that used in POPIA. Both the DPD and the GDPR use "controller" for what we call a responsible party and "processor" where we refer to an operator.
2 Territorial scope provisions
2.1 Rationale for extra-territorial application
The main reason for extending the scope of data protection rules beyond the borders of a country is to protect the rights of its data subjects. There is not much sense in protecting the personal information of data subjects if these protective measures can be circumvented by transferring the data to a third party that is not subject to that law, or if personal information is collected and processed by a responsible party that falls outside the scope of the data protection law, in a country where the protection of personal information is either weak or non-existent. Where service providers in other countries process the personal information of South African data subjects, those data subjects deserve protection of their human rights to privacy and identity similar to that which they enjoy in their own country.
2.2 Section 3: General
Section 3(1) states:
(1) This Act applies to the processing of personal information-
(a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and
(b) where the responsible party is-
(i) domiciled in the Republic; or
(ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
It must be noted that POPIA applies only where personal data are entered into a record. It is also necessary to point out that "processing";
37 "Processing", as used in the context of the Act, is a broad concept that is defined in s 1 as: "any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including- (a) the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information".
information"
38 Section 1 of POPIA lists eight different types of information which are to be included in the definition but does not purport to serve as a numerus clausus. De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.1.1 categorises personal information as identifiers, biometric information, demographic information, contact details and location, financial information, background information, behavioural information, correspondence, opinions about data subjects, and "what is in a name".
39 Section 1 of POPIA states that "record" includes writing on any material; information produced, recorded or stored by means of a tape-recorder, computer equipment or other devices; labels, marking or writing that identify or describe anything that it is a part of; books, maps, plans, graphs or drawings; or devices that can embody or reproduce images such as photographs, films, negatives or tapes.
Paragraph (b) of section 3(1) deserves closer analysis as this paragraph requires a territorial connection for the Act to apply.
2.3 Section 3(1)(b)(i)
POPIA's point of departure is that the responsible party (or data controller) must be domiciled in the Republic. A responsible party is "a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information".
40 Section 1 of POPIA.
41 De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.4.1.
By contrast, the EU data protection instruments, the DPD and the current GDPR, do not require domicilium or residency per se, but rather that "the activities of an establishment of the controller" must take place in the territory of an EU Member State.
42 Article 4(1)(a) of the DPD; Art 3(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1 (GDPR). Art 3(1) of the GDPR also extends this requirement to processors.
43 R v Secretary of State for Transport (Ex parte Factortame) (Case C-221/89) [1991] ECR I-3905 para 20. The GDPR does not define "establishment" but Recital 22 refers to the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. This is identical to Recital 19 of the DPD.
not the place where the technology used to support the website of a company is situated or the place at which the website is accessible, but the place where the controller pursues its activity.
44 Recital 19 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspects of information society services, in particular electronic commerce, in the internal market (Directive on Electronic Commerce) [2000] OJ L 178/1; Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 8; Baumann and Ismail 2021 CILSA 11.
In Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González
45 Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317 (Google Spain).
46 Google LLC v Commission nationale de l'informatique et des libertés (CNIL) Case C-507/17 [2019] ECLI:EU:C:2019:722 para 51.
47 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) (Case C-230/14) [2015] ECLI:EU:C:2015:639 (Weltimmo) para 28 et seq. The ability to access a website from a particular place will not suffice, see Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15) [2016] ECLI:EU:C:2016:612 para 75 et seq. Recital 19 of the DPD also excludes the place where a server that supports the website is located. Also see Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 8.
48 EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 6-8. See also Baumann and Ismail 2021 CILSA 12.
therefore, note that the case law departs from a more formalistic approach that would otherwise restrict the interpretation of the term establishment to a place of registration or incorporation.
49 For example, Google Spain para 53; Weltimmo para 25.
This raises the question whether the scope of the EU territorial rule is broader than that of section 3(1)(b)(i) of POPIA. Is the South African rule restricted to the principles of incorporation, management or control, or can it include a place of business? Can businesses or companies that conduct business operations in the Republic by having a physical presence in the RSA or in the online environment by making use of an address in the RSA on their website fall under the territorial scope of section 3(1)(b)(i) if they are not incorporated or controlled from the Republic? There is no real clarity on this aspect. Although most sources do not deal with this question at all, some scholars seem to suggest that this would be possible,
50 De Stadler and Esselaar Guide to the Protection of Personal Information Act 6.
51 Baumann and Ismail 2021 CILSA 31-32 argue that the express wording of the Act suggests otherwise. Their argument is that the Constitutional Court does not support the use of ECJ case law when such an interpretation would deviate from the express meaning of the words used in the statute. They derive authority for their opinion from the judgment in Competition Commission of South Africa v Media 24 (Pty) Ltd 2019 5 SA 598 (CC) 655 para 185. However, it is not a foreign concept to use international law to interpret uncertainties and gaps in our law. The Constitution provides for international law to be used to interpret South African law (s 233 of the Constitution). Moreover, the Preamble to POPIA states that the Act seeks to regulate the processing of personal information "in harmony with international standards". It is therefore submitted that an extended interpretation would not deviate from the express meaning of s 3(1)(b)(i) and would therefore not fall into the category of cases against which Theron J warned in the Media 24 judgment.
3(1)(b)(i). A local address on a website or the ability to access a website from the Republic, on the other hand, might not be enough unless it is the address of a local branch, or if another stable arrangement and effective activity in the Republic can be established, even if that is in relation to a mere online activity. In the latter case, that will be determined in the light of the nature of the economic activities and the services offered in the Republic, especially if that is an exclusively online service. For example, a local office of a non-South African company operating an e-commerce website processes personal information for marketing purposes in South Africa. The processing of personal information can serve to make the e-commerce website profitable and could therefore be considered as a processing activity that will be subject to POPIA by virtue of section 3(1)(b)(i).
52 Example derived from EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 8-9.
53 EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 7. An inextricable link between the data processing activities of the responsible party outside the EU and the activities of a local establishment in the EU, as well as revenue raising in the EU by a local establishment that is inextricably linked to the processing activity, are factors that can be considered to determine whether the processing is carried out in the context of a responsible party's establishment in the Union.
This highlights a further shortcoming in POPIA, namely that it does not provide for instances where non-South African parties market or sell products in South Africa. Article 3(2) was introduced into the GDPR because of concerns that the DPD failed to provide sufficient protection where data is processed or stored outside the EU. This section applies to processing activities by data controllers or processors who do not have an establishment in the EU but where goods or services are offered to data subjects in the EU (Article 3(2)(a)),
54 According to Recital 23 of the GDPR, in order to determine whether a controller is offering goods or services to data subjects in the Union, it must be established whether "it is apparent that the controller envisages offering services to data subjects in one or more Member States in the Union". Obviously, that is not easy to determine and it would depend on the circumstances; factors such as language and currency can play a role here.
55 Kuner 2021 https://ssrn.com/abstract=3827850 13.
instances one would be able to fill this gap. However, from a South African perspective, it is important to take note of Article 3(2) of the GDPR as it brings all South Africans who offer goods or services in the EU under the scope of the GDPR when they process or monitor the personal data of EU data subjects. For the most part, compliance with POPIA will suffice as the provisions of the Act and the GDPR largely overlap, but it is important to note that the GDPR contains provisions where the duties of a responsible party exceed those required by POPIA.
56 See, in general, Roos 2020 CILSA 1-37.
57 POPIA regulates the position of operators in ss 20 and 21. This is largely based on the contract between the responsible party and the operator.
POPIA does not require that the processor or operator must be physically present in South Africa at the time of processing but only that there must be a territorial connection established with the Republic, based on the concept of the domicilium of the responsible party. Therefore, if the personal information of a South African data subject is processed outside the borders of the Republic, the question would be whether that person is acting on behalf of a responsible party who is domiciled in the Republic. An employee of a business or company is not a responsible party as the business or company for whom it works determines the purpose and means of processing.
58 The employee does not act as an operator either. See s 1 of POPIA for the definition of "operator", which clarifies that an operator also acts on behalf of the responsible party but, unlike an employee, does not act under the direct authority of the responsible party but in terms of a contract or mandate.
Moreover, once the territorial condition is met, the location of the means of processing is not important. For example, if personal information is stored on a server or other storage medium outside the Republic but the responsible party who determined the means for the processing is domiciled in the Republic, the processing of such information still must take place in accordance with the conditions set out in POPIA. This is due to the territorial link between the responsible party and the Republic. The same would apply if a responsible party domiciled in South Africa were to make use of an operator or processor situated outside South Africa.
59 In these circumstances the responsible party must comply with s 72 of POPIA regulating data transfers out of the country. This section will be discussed in part II of this article. As storage is also a form of processing, the server could also be a third-party operator for the purposes of s 72.
Furthermore, the Act does not require that the data subject must be a South African citizen or be physically present or resident in the Republic as the Act focusses on bringing the party who is responsible for determining the purpose and means of the processing under its scope of application. Similar to the South African act, its European counterparts do not require that the data subjects must be EU citizens or physically present or resident in the EU.
60 EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 10.
2.4 Section 3(1)(b)(ii)
Section 3(1)(b)(ii) provides for cases where the responsible party is not domiciled in the Republic but there is still a connection with the Republic in that the responsible party makes use of a means of processing that is located in South Africa. Therefore, unless the processing falls within one of the exceptions set out in sections 6 or 7, POPIA will apply to a non-South African responsible party if it makes use of an automated or non-automated means of processing in South Africa.
It is necessary first to define the notion "automated or non-automated means of processing". Section 3(4) defines automated means of processing as "any equipment capable of operating automatically in response to instructions given for the purpose of processing information". This indicates that a "means of processing" refers to equipment used to process personal information, which can operate automatically. The Act does not define the term more closely, probably because no definition would be able to keep up with technological development and it would become unnecessarily restrictive. It does not define non-automated means either, but the Act requires that information so collected must be recorded in a filing system,
61 Section 3(1)(a) of POPIA.
62 Baumann and Ismail 2021 CILSA 33; Papadopoulos and Snail ka Mtuse Cyberlaw@SA IV para 10.3.6.3.2.
63 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9.
from one country to another country are excluded as well.
64 SALRC 2009 https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf 403; De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.1.2.
65 Roos "Data Privacy Law" 478.
The online environment creates specific challenges. Where a data subject concludes an online transaction via a website that they access in the RSA, it is not always possible to ascertain where the website is located. Domain names do not always contain geographical elements, and even if they do, that does not automatically mean that the website is hosted on a server in that country. When one considers this example from the viewpoint of POPIA, it is clear that if the responsible party is domiciled outside the Republic, such as where the vendor is registered in another country, and there are insufficient activities of an establishment in the Republic, section 3(1)(b)(i) will not apply. However, jurisdiction could perhaps be found based on section 3(1)(b)(ii). Again, guidance can be sought in the EU privacy regulations which have informed the POPIA, more specifically Article 4(1)(c) of the DPD.
66 Article 4 of the DPD delineated its territorial scope under the heading "national law applicable". This provision was to prevent data processors and data controllers evading their responsibilities by relocating their establishments outside the EU.
67 The EDPB is a group of European data protection authorities (DPAs).
68 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf.
69 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9. Note that the servers referred to here are those used for hosting or storage (processing) purposes and should be distinguished from servers merely functioning as conduits for the passing of information.
of South African scholars,
70 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.1.2.
71 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9.
72 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9.
73 De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.4.2.
74 The definition of "processing" includes the storage of information.
75 Where data so collected are transferred out of the country, it is questionable whether the data transfer rule of s 72 of POPIA will apply. The application of this section would depend on interpreting both s 3(1)(b)(ii) and s 72's requirement of "a responsible party in the Republic" extensively. See part II of this article for a discussion of this matter.
76 A text file installed on the hard drive of a computer which will receive, store and send back information to a server situated in another country.
77 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 10-11.
78 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 11-12.
79 De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.4.2 is uncertain on whether an operator in the Republic will fall under s 3(1)(b)(ii).
Although the ECJ was asked to opine on the applicability of Article 4(1)(c) of the DPD to instances where a search engine uses crawlers or robots to locate and index information contained in web pages located on servers in a Member State, and where a website, using a domain name pertaining to a Member State, arranges for searches and the results thereof to be based on the language of the Member State, the Court did not address these matters.
80
80 See Google Spain para 20.
Ownership is not a prerequisite for the operation of this provision; neither the responsible party nor the data subject need be the owner of the equipment used to process the personal data. The guiding principle is the ability to exercise control over the equipment. Full control is not required, but the equipment must be at the disposal of the responsible party.
81
81 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9; De Stadler et al Over-thinking the Protection of Personal Information Act para 3.2.4.2.
82 Also see s 12(2)(a) of POPIA, which treats information contained in or derived from a public record, or deliberately made public by the data subject, as an exception to the rule in s 12(1) that personal information must be collected directly from the data subject.
Therefore, if a data subject in South Africa accesses a non-South African website on a smart phone, and a cookie is installed on the device,
83
83 Section 18 of POPIA requires that the data subject be informed of the collection of information by means of the cookie.
to process data when the data subject is outside the country? Furthermore, non-South African data subjects may access the website of a non-South African data controller during their stay in South Africa, and in this way, their personal data may be processed by an automatic means of processing located in the Republic.
The EU Working Party's working document notes that one has to be cautious when interpreting territorial provisions and only apply them if necessary and where there is a reasonable degree of enforceability.
84
84 Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf 9.
85 Section 47 of the Electronic Communications and Transactions Act 25 of 2002.
86 Section 5 of the Consumer Protection Act 68 of 2008.
87 Forum selection and choice of law clauses can complicate these matters even further.
88 Article 27(1) of the GDPR. The closest to this in POPIA is an information officer who is to maintain documentation of all processing activities under the responsibility of the responsible party as envisaged by s 17 of POPIA, in line with ss 14 or 52 of the Promotion of Access to Information Act 2 of 2000 (PAIA). In regard to the accessibility of multinational entities based outside the Republic, see specifically Information Regulator 2021 https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf para 5.2.
89 Kuner 2021 https://ssrn.com/abstract=3827850 12-13.
3 Conclusion
If read in conjunction with the purposes of POPIA set out in section 2, it is clear that the Act aims to protect the rights of the data subject as far as possible in a balanced approach; therefore, the territorial scope of the Act must be interpreted in a manner that facilitates and fulfils this purpose. However, the discussion has shown that the wording of section 3(1)(b) is open to different interpretations. It is suggested that the interpretation of section 3(1)(b)(i) must not follow a merely formalistic approach that restricts its scope of application to responsible parties who are incorporated or controlled in the Republic, but that it must be extended to responsible parties who conduct a stable and constant activity in the Republic. This interpretation would be supported by the interpretation afforded to the comparable territorial scope provision in the DPD, and currently in the GDPR. Guidelines on how to set boundaries for such an extensive interpretation are found in the ECJ case law as well as in the official guidelines of the EDPB. Adopting a comparative approach could also assist in interpreting the notion of automated means of processing in section 3(1)(b)(ii) of POPIA. An extensive interpretation is necessitated here to achieve one of the goals of a territorial scope provision, namely to extend the ambit of a data protection law to non-resident responsible parties. In the absence of an extensive interpretation, the effectiveness of POPIA and the complete protection of data subjects' rights that the Act seeks to ensure will not be achieved.
90
90 This was the reason given by the court in para 58 of the Google Spain case for why the meaning had to be extended.
91 EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 5.
92 Article 3(1) of the GDPR expressly states that the processing does not have to take place in the EU.
93 See part II of this article for a discussion of s 72 of POPIA.
94 See ss 20 and 21 of POPIA.
The comparative analysis has furthermore shown that POPIA has shortcomings which also existed in the DPD, on which our law is based. In the EU these shortcomings were subsequently addressed by way of the GDPR, which specifically extends its territorial scope provisions to processors (operators) in addition to controllers (responsible parties). It also addresses the situation where data controllers outside the Union offer goods and services targeted at data subjects in the EU or monitor their behaviour. This provision is especially important in the context of online websites. The GDPR furthermore tries to address the responsibility of controllers and processors without an EU establishment who fall under the GDPR because of Article 3(2) by requiring that they appoint a representative in the Union. This is to facilitate enforcement against them.
95
95 Kuner 2021 https://ssrn.com/abstract=3827850 12.
96 See Baumann and Ismail 2021 CILSA 34-39 regarding potential amendments.
97 Information Regulator 2021 https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf para 5.2. The duties and responsibilities of Information Officers are performed in terms of POPIA and PAIA.
However, the transfer of the personal information of a South African data subject out of the Republic is not restricted to the collection and further processing thereof by responsible parties outside the country; it can also occur when responsible parties in the Republic transfer such personal information to a third country for processing there. Part II of this article will analyse the applicable provision, section 72. The main purpose of the data transfer rule is to make sure that a data subject's personal information remains protected when transferred out of the country. In many instances the responsible party would already be subject to the scope of POPIA by virtue of section 3, which means that it would have to uphold the data protection principles of the Act in any event. However, where personal information is transferred out of the country and processed by a third party who is not automatically subject to POPIA, section 72 makes the transfer conditional on compliance with requirements that ensure that the same minimum protection afforded by the Act applies to the extra-territorial processing of a South African data subject's personal information.
Bibliography
Literature
Baumann and Ismail 2021 CILSA
Baumann J and Ismail N "The (Extra-)territorial Scope Rules of the New European Data Protection Law from a Private International Law Perspective: A Model for South Africa?" 2021 CILSA 1-49
Baumann and Ismail 2021 TSAR
Baumann J and Ismail N "The Concept of 'Personal Information' in the Protection of Personal Information Act 4 of 2013: A Comparative Analysis from a European Perspective" 2021 TSAR 718-739
De Stadler and Esselaar Guide to the Protection of Personal Information Act
De Stadler E and Esselaar P A Guide to the Protection of Personal Information Act (Juta Cape Town 2015)
De Stadler et al Over-thinking the Protection of Personal Information Act
De Stadler E et al Over-thinking the Protection of Personal Information Act (Juta Cape Town 2021)
Hayward 2021 UNSW Law Journal
Hayward B "To Boldly Go, Part I: Developing a Specific Legal Framework for Assessing the Regulation of International Data Trade under the CISG" 2021 UNSW Law Journal 878-918
Papadopoulos and Snail ka Mtuse Cyberlaw@SA IV
Papadopoulos S and Snail ka Mtuse S (eds) Cyberlaw@SA IV: The Law of Internet in South Africa (Van Schaik Pretoria 2022)
Roos 2020 CILSA
Roos A "The European Union's General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37
Roos "Data Privacy Law"
Roos A "Data Privacy Law" in Van der Merwe DP (ed) Information and Communications Technology Law 3rd ed (Lexis Nexis Johannesburg 2021) 387-530
Case law
Competition Commission of South Africa v Media 24 (Pty) Ltd 2019 5 SA 598 (CC)
Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C:2020:559
Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317
Google LLC v Commission nationale de l'informatique et des libertés (CNIL) (Case C-507/17) [2019] ECLI:EU:C:2019:722
Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650
R v Secretary of State for Transport (Ex parte Factortame) (Case C-221/89) [1991] ECR I-3905
Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15) [2016] ECLI:EU:C:2016:612
Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) (Case C-230/14) [2015] ECLI:EU:C:2015:639
Legislation
South Africa
Constitution of the Republic of South Africa, 1996
Consumer Protection Act 68 of 2008
Cybercrimes Act 19 of 2020
Electronic Communications and Transactions Act 25 of 2002
Promotion of Access to Information Act 2 of 2000
Protection of Personal Information Act 4 of 2013
International and regional instruments
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981 (1981)
Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspects of information society services, in particular electronic commerce, in the internal market (Directive on Electronic Commerce) [2000] OJ L 178/1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1
UN General Assembly Transforming our World: The 2030 Agenda for Sustainable Development UN Doc A/RES/70/1 (2015)
Universal Declaration of Human Rights (1948)
Internet sources
Article 29 - Data Protection Working Party 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf
Article 29 - Data Protection Working Party Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Web Sites, 5035/01/EN/Final WP 56, Adopted 30 May 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf accessed 30 March 2022
EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
European Data Protection Board 2019 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2.1 (Adopted 12 November 2019) https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf accessed 28 April 2022
EDPB 2022 https://edpb_statement_202201_new-trans-atlantic_data-privacy_framework.pdf
European Data Protection Board 2022 Statement 01/2022 on the Announcement of an Agreement in Principle on a New Trans-Atlantic Data Privacy Framework (Adopted 6 April 2022) https://edpb_statement_202201_new-trans-atlantic_data-privacy_framework.pdf accessed 28 April 2022
Information Regulator 2021 https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf
Information Regulator (South Africa) 2021 Guidance Note on Information Officers and Deputy Information Officers (1 April 2021) https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf accessed 13 May 2022
Kuner 2021 https://ssrn.com/abstract=3827850
Kuner C 2021 Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU's Ambition of Borderless Data Protection. University of Cambridge Faculty of Law Legal Studies Research Paper Series Paper No 20/2021, April 2021 https://ssrn.com/abstract=3827850 accessed 30 March 2022
OECD 2013 https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Organisation for Economic Cooperation and Development 2013 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Revised Version 11 July 2013) https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm accessed 20 March 2022
OECD 2018 https://one.oecd.org/document/TAD/TC/WP(2018)19/FINAL/En/pdf
Organisation for Economic Cooperation and Development 2018 Trade and Cross-Border Data Flows: Report by the Working Party of the Trade Committee (21 December 2018) TAD/TC/WP(2018)19/FINAL https://one.oecd.org/document/TAD/TC/WP(2018)19/FINAL/En/pdf accessed 13 May 2022
SALRC 2009 https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf
South African Law Reform Commission 2009 Project 124 Privacy and Data Protection Report https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf accessed 28 April 2022
List of Abbreviations

| Abbreviation | Meaning |
|---|---|
| CILSA | Comparative and International Law Journal of Southern Africa |
| DPA | Data Protection Authority |
| DPD | Data Protection Directive (EU) |
| EDPB | European Data Protection Board |
| ECJ | European Court of Justice |
| EU | European Union |
| GDPR | General Data Protection Regulation (EU) |
| OECD | Organisation for Economic Cooperation and Development |
| PAIA | Promotion of Access to Information Act 2 of 2000 |
| POPIA | Protection of Personal Information Act 4 of 2013 |
| RSA | Republic of South Africa |
| SALRC | South African Law Reform Commission |
| SDGs | Sustainable Development Goals |
| TSAR | Tydskrif vir Suid-Afrikaanse Reg |
| UN | United Nations |
| UNSW Law Journal | University of New South Wales Law Journal |
| USA | United States of America |