PER/PELJ - Pioneer in peer-reviewed, open access online law publications
Author Juana Coetzee
Affiliation Stellenbosch University, South Africa
Email jcoet@sun.ac.za
Date Submitted 25 November 2022
Date Revised 31 May 2024
Date Accepted 31 May 2024
Date Published 7 November 2024
Editor Prof W Erlank
Journal Editor Prof C Rautenbach
How to cite this contribution
Coetzee J "Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part II: The Data Transfer Provision" PER / PELJ 2024(27) - DOI http://dx.doi.org/10.17159/1727-3781/2024/v27i0a15234
Copyright
DOI http://dx.doi.org/10.17159/1727-3781/2024/v27i0a15234
Keywords
POPI/POPIA; personal information; cross-border data transfers; section 72 POPIA
1 Introduction
Data protection laws are aimed at protecting the processing of a data subject's personal information. However, this protection might be circumvented if the responsible party is located outside the borders of the country that regulates such processing, or by moving the data out of the country, such as when the processing of the data takes place outside the country. To protect a data subject's rights in these circumstances data protection laws include two types of provisions, namely territorial scope provisions and data transfer provisions.
Part I of this article[1]
* Juana Coetzee. BA, LLB, LLM, LLD (Stellenbosch University). Associate Professor (Emeritus) and Research Fellow, Department of Mercantile Law, Stellenbosch University, South Africa. Email: jcoet@sun.ac.za. ORCiD: https://orcid.org/0000-0003-1388-4792.
1 See Coetzee 2024 PELJ DOI: http://dx.doi.org/10.17159/1727-3781/2024/v27i0a15233.
2 Section 3(1)(b)(i) of the Protection of Personal Information Act 4 of 2013 (POPIA). Part 1 argued that this notion should not be interpreted formalistically or narrowly but that it should include cases where the responsible party conducts a stable activity in the Republic for an indefinite period of time that can be linked to the processing of the data subject's personal information.
3 Section 3(1)(b)(ii) of POPIA. A comparative analysis with the position in the European Union (EU) showed that automated means are equivalent to the use for the automatic processing of personal information of equipment which is located in the Republic, such as servers, computers, cellphones and other devices. Where a responsible party in another country intentionally makes use of equipment, for example, cookies, sensors, banners etc that it controls, or any other mechanism that automatically collects personal information from a data subject through a device located in the Republic of South Africa (RSA), such as when accessing a website, this will bring the responsible party under the ambit of POPIA.
4 Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (hereafter the DPD).
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1 (hereafter the GDPR).
find extra-territorial application and bring the processing activities of non-South African responsible parties taking place outside the borders of the country within its reach if a territorial link between the responsible party and the Republic can be established.
However, the cross-border movement of personal data can also take place where a responsible party in the Republic transfers personal information out of the country to be processed in a so-called third-party country. For example, a company incorporated in South Africa exports personal data of its customers and employees to be processed in another country. This aspect is explicitly regulated by the Act in section 72 of POPIA, the so-called data transfer provision. Data transfer provisions do not bring responsible parties or other data processors under the scope of a data protection law such as POPIA. The purpose of a data transfer rule is to make sure that when a data subject's personal information is moved to another country, it will enjoy a level of protection similar to what it would have under POPIA.
South African courts have not dealt with this issue yet; but the issue of international data flows has already landed before the European courts on a number of occasions, such as in the well-known judgments of Maximillian Schrems v Data Protection Commissioner[6]
6 Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650 (hereafter Schrems I).
7 Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C:2020:559 (hereafter Schrems II).
protection clauses (SCCs) contained in an EU SCC Decision, which fall under an exception to the GDPR's data transfer provision. The Commission furthermore replaced the Safe Harbor agreement with the Privacy Shield. However, Mr Schrems contended that the SCC Decision could not justify the infringement of his human rights by the US authorities which would take place by monitoring his personal information by means of their various monitoring programmes. Subsequently, the Commissioner published a draft decision in which she found that the US security agencies' processing activities were indeed infringing on an EU data subject's human rights and that the SCC Decision fails to provide adequate remedies to address such violations, since they confer contractual rights on the data subject against the data exporter and importer only and not any rights against the US authorities. The Commissioner then approached the High Court on the question of the SCC Decision's validity. The High Court in turn referred the matter to the ECJ to determine various questions relating to the SCCs and the Privacy Shield arrangement that replaced the Safe Harbor arrangement. In Schrems II the ECJ declared the Privacy Shield invalid but upheld the use of SCCs. However, it was held that data controllers must still ensure that the standards of data protection in the third country provide adequate protection similar to those in the EU even when SCCs are used.
It is quite common for data protection laws to make use of both territorial scope provisions and data transfer provisions when it comes to regulating the processing of personal information outside the country of the data subject. This is also the case in the GDPR. However, questions have arisen on the efficacy of having two sets of rules regulating the same case, for instance where a foreign data controller (the responsible party) or processor (the operator) is subject to the data protection law of a country by virtue of its territorial scope rule but at the same time the data transfer rule will apply to the transfer of information out of the country.[8]
8 Kuner 2021 https://ssrn.com/abstract=3827850 5.
9 New Zealand Privacy Act 31 of 2020.
10 The United Kingdom General Data Protection Regulation (UK-GDPR) took effect on 1 January 2021 and operates alongside the Data Protection Act of 2018, which gives effect to the UK-GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
are protected once the data leaves the borders of the Republic, responsible parties and processors (operators) have to be clear on their duties as they are the ones who have to implement the protective measures, and those who have to enforce the provisions of the Act dealing with the transfer of personal data and its processing in third countries need clarity not only on the content of the rules but also on when the Act applies.
Chapter 9 of POPIA regulates transborder information flows. This chapter comprises a single provision, section 72, which regulates the transfer of personal information by a responsible party in the Republic to a third party in a foreign country. Section 72 is aimed at balancing the free flow of information with the data subject's right to protection of its personal information. Furthermore, the aim is to keep personal data that is processed subject to POPIA safe by requiring that the responsible party ensures an adequate level of protection for the data when it leaves the country.
Chapter V of the GDPR, on the other hand, contains a number of provisions regulating the processing of EU data subjects' personal information outside the Union.[11]
11 Articles 44-50 of the GDPR; EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf para 1.
12 Article 44 of the GDPR includes transfers to international organisations. It also includes transfers by processors to third parties in other countries.
In this contribution the aim is to analyse the content and requirements of section 72 of POPIA and compare this provision to its European counterpart to establish its efficacy and whether there is room for improvement. In the final instance, the article investigates the need for having both a territorial scope provision as well as a data transfer rule.
2 The transfer of data provision
2.1 General requirements for the application of section 72
Section 72 of POPIA[13] provides:
13 This provision tracks that of Art 25 of the DPD. See Roos Law of Data (Privacy) Protection 226-235, Roos 2007 SALJ 411 et seq.
(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless-
(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that-
(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
(e) the transfer is for the benefit of the data subject, and-
(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Before section 72(1) can find application, certain requirements must be met, namely (i) the transfer must be done by a responsible party in the Republic; (ii) personal information must be transferred out of the Republic; and (iii) the information must be transferred to a third party in another country. However, where special personal information or the personal information of a child is to be transferred out of the Republic, section 57(1)(d) of POPIA determines that the transfer can take place only with the prior authorisation of the Information Regulator if the third-party country does not provide an adequate level of protection as envisaged in section 72.
2.1.1 Transfer by a responsible party in the Republic
According to the Act, a responsible party is "a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information".[14]
14 Section 1 of POPIA.
be distinguished from an operator or processor who acts on behalf of the responsible party in processing the data, i.e. physically collecting, analysing and storing data. An operator is an independent party who, unlike an employee, does not come under the direct authority of the responsible party and who processes data in terms of a contract with or mandate of the responsible party.[15]
15 Section 1 of POPIA.
16 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.1.3.
In sections 20 and 21 POPIA deals specifically with situations where an operator processes information on behalf of a responsible party in terms of a contract or mandate. According to section 20 the operator or anyone who processes information on behalf of the responsible party can process such information only with the knowledge or authority of the responsible party,[17]
17 Section 20(a) of POPIA.
18 Section 20(b) of POPIA.
19 Section 21(1) of POPIA.
20 Section 21(2) of POPIA.
21 Section 8 of POPIA.
If the operator transfers information to another processor, inside or outside the Republic, this is to take place with the knowledge or authority of the responsible party.[22]
22 Section 20(a) of POPIA.
party and the processor does not explicitly provide for the transfer of personal information by a processor to a sub-processor, it can take place only with the knowledge or authorisation of the responsible party. This means that the responsible party, at the very least, must be informed of the processing. It is not clear whether notice must be given prior to the processing taking place or whether mere reporting of the fact would suffice. However, it is submitted that notice must be given before the processing takes place so that the purpose of section 20, and especially that of section 21, is not defeated. Knowledge on the part of the responsible party would possibly be construed as some form of implied authorisation. Therefore, even if section 72 does not find application per se, or the processor is not automatically obliged to comply with its conditions, the responsible party remains bound by the provisions of POPIA and must make sure that its processors or operators comply with its requirements. The contract or mandate with the processor, therefore, should not only set out the duties of the operator insofar as security measures are concerned but should also impose duties similar to those in section 72 on an operator who transfers data out of the country. However, in the interest of clarity, and to protect the rights of a data subject, it is submitted that the legislature should explicitly extend the scope of section 72 to include operators, as is currently the case in the GDPR. That would spread the risk more evenly where the operator, without the knowledge of the responsible party, fails to comply, or where lack of knowledge on the part of the responsible party might otherwise be construed as a loophole that discharges the responsible party from any liability.
Section 72(1) refers to a responsible party in the Republic. Does this require a physical presence in South Africa? The legislature's choice of words differs from that used in section 3(1)(b), which requires either South African domicile[23]
23 Section 3(1)(b)(i) of POPIA.
24 Section 3(1)(b)(ii) of POPIA.
criteria of Article 3.[25]
25 See EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf paras 9 and 10.
26 See ss 2.3 and 2.4 of part I of this article dealing with the territorial scope provision.
However, where a data subject contracts online via a foreign website and provides their personal data on their own initiative by completing the necessary form and the information is transferred out of the Republic, the transfer will not be regulated by section 72. Here it is the data subject who transfers the information and not the responsible party, as required by this section.[27]
27 EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf 5-6 para 12. In Bodil Lindqvist (Case C-101/01) [2003] ECLI:EU:C:2003:596, the European Court of Justice (ECJ) held that there was no data transfer to a third country within the meaning of the DPD when an individual in a Member State of the EU loaded personal data onto an Internet page stored on a site hosted within the EU. This position is confirmed in the context of ch V of the GDPR.
28 Kuner 2021 https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr. He concedes, however, that on this interpretation if the data are transferred directly to the responsible party, a standard contract clause (SCC) concluded under Art 46(2)(c) would not find application as the processor (the responsible party) cannot sign the contract as both the exporter and the importer of the information. Still, the transfer would be protected by virtue of the territorial scope provision. Also see SALRC 2009 https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf 403 where, with reference to the Bodil Lindqvist case, it is pointed out that once that information is accessed in a third country there will be a transfer of information; moreover, where the information is uploaded with the intention that it is to be accessed in a third country, that will also constitute a transfer.
party. It would therefore apply only where data collected via the responsible party's website is transferred to an operator in a third country.[29]
29 Also see EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf paras 14 and 15.
If the device used by the data subject is located in the Republic and the responsible party makes use of an automated means of processing located in the Republic[30]
30 For example, by using cookies which are "equipment capable of operating automatically in response to instructions given for the purpose of processing information" (see the definition of "automated means" in s 1 of POPIA).
31 Kuner 2021 https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr.
Furthermore, where data is processed in South Africa by a processor or operator on behalf of a non-South African responsible party and the data is transferred back from the Republic to the responsible party, section 72 will not apply since the first condition is not met, namely that the responsible party in the Republic must be the one exporting the data out of the country.[32]
32 In line with what was said above, if a non-South African responsible party falls under the scope of POPIA by virtue of s 3(1)(b)(ii), the responsible party will have to comply with the provisions of the Act, and ss 20 and 21 will find specific application.
33 Article 3(1) of the GDPR.
34 Article 44 of the GDPR.
contract between the responsible party and the third-party operator that makes provision for security measures. It is submitted that this contract should also make provision that data which is processed outside the country is to be transferred safely back into the Republic. Moreover, section 72(1)(a) provides for a binding agreement between the responsible party and a third-party operator or processor located outside the Republic, which will regulate the export of data and can be used to stipulate conditions for the return of the information as well.[35]
35 See the discussion of SCCs in section 2.2.3 of this article.
2.1.2 Transfer of data out of the Republic
Transferring data normally entails the transmission of data from one place to another or from one person to another. However, transfers can also take place passively. For example, if personal information is available on a website, the information will not be "transferred" for the purposes of section 72 until a third party in another country has accessed the information.[36]
36 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.1.3.
37 Papadopoulos and Snail ka Mtuse Cyberlaw@SA IV para 10.3.6.3.11.
2.1.3 Transfer to a third party outside the Republic
The legislator chose to use the term "third party" to refer to the data importer. This includes a range of persons, natural or juristic. The EU regulation states it even more generally by requiring that data is to be transferred to a third country or an international organisation.[38]
38 Article 45 of the GDPR. Its predecessor, Art 25 of the DPD, refers only to a third country. Note that there is a discrepancy in POPIA in this regard: while s 72 mentions only "a third party who is in a foreign country", s 18(1)(g) refers to the responsible party's duty to inform the data subject if it intends transferring information to "a third party or international organisation" and also of the level of protection that will be afforded to the information so transferred. The latter section tracks the wording of the GDPR more closely than s 72 does even though it was modelled on the DPD. The discrepancy between ss 72 and 18(1)(g) is quite strange in the light of the fact that they deal with the same topic.
Where an employee of a responsible party accesses personal data remotely while outside the Republic, section 72 will not find application because the employee is not a "third party" but a representative of the responsible party.[39]
39 EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf para 14. The responsible party must ensure that security measures are applied to the information when it is in the possession of the employee as per s 19 of POPIA.
responsible party or a jointly responsible party; however, it will depend on the facts whether the exporter and importer are two separate parties.[40]
40 EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf paras 11-16. Where data are disclosed between entities in the same corporate group, this could constitute the transfer of information from one responsible party to another responsible party.
41 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.1.3.
42 Section 18(1)(g) of POPIA.
43 Section 14 of POPIA.
Where personal data is exported to a data processor (operator) outside the Republic, the conditions of sections 20 and 21 must still be met, namely that a contract is to be concluded setting out the duties of the operator. If a responsible party concludes a binding agreement (SCC) with the third party, as envisaged by section 72(1)(a), the conditions of sections 20 and 21 should be included in the agreement if they do not otherwise form part of the standard clauses. Section 72(1)(a)(ii), furthermore, states that if a data importer in a foreign country transfers the data onwards to another country, the processor or operator must be subject to the same conditions as would apply to responsible parties transferring data out of the country. It therefore follows that the law in the third-party country must at a minimum comply with the same principles as those on which POPIA is based. Alternatively, such further transfers must be regulated by binding corporate rules (BCRs) or standard contract clauses (SCCs).
2.2 Conditions for data transfers
Section 72 determines that personal data can be transferred to a third party in another country only if that party is subject to a law, BCRs or a binding agreement with the responsible party that provides an "adequate level of protection". Article 46 of the GDPR requires similar "appropriate safeguards" but the list includes additional measures such as codes of conduct, certification mechanisms, ad hoc contractual clauses and international agreements or administrative arrangements.[44]
44 Woods 2020 https://eulawanalysis.blogspot.com/2029/07/you-were-only-supposed-to-blow-the-bloody.html?m=1.
45 Chapter VII of POPIA.
46 See EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf para 23.
47 See the facts in Schrems I and Schrems II.
2.2.1 Law that provides an adequate level of protection
Section 72 does not extend the application of POPIA per se so that it will apply automatically to the third party. It merely requires that the third party (the data importer) must be bound to a data protection law providing an adequate level of protection. What does this entail?
A comparative investigation reveals that, whereas section 72(1)(a) requires "an adequate level of protection", Article 46 of the GDPR requires "appropriate safeguards" to ensure "enforceable data subject rights and effective legal remedies for data subjects".[48]
48 POPIA makes mention of "safeguards" only in Condition 7, security safeguards in ch 3 dealing with the conditions for the lawful processing of personal information, and also in s 19 in connection with operators and processors who process on behalf of a responsible party.
adequate level of protection" as measures that afford protection "essentially equivalent" to those of the GDPR. In Schrems II the ECJ read Articles 45 and 46 together and even though Article 46 requires "appropriate safeguards", the Court used the essentially equivalent test here as well.
Therefore, an adequate level of protection would be met when the law of the third party's country upholds principles or conditions for reasonable processing that are substantially similar to those subscribed to in POPIA. These conditions are accountability;[49]
49 Section 8 of POPIA.
50 Sections 9-12 of POPIA.
51 Sections 13-14 of POPIA.
52 Section 15 of POPIA.
53 Section 16 of POPIA.
54 Sections 17-18 of POPIA.
55 Sections 19-22 of POPIA.
56 Sections 23-25 of POPIA.
The Act does not vest in the Information Regulator or any other body, institution or official a duty or authority to determine whether the law of the third-party country provides such an adequate level of protection. It would seem that it is the duty of the responsible party to make that determination. In practice this would mean that the responsible party must obtain legal advice every time it makes use of a processor in another country to ensure that the requirements of section 72 are met. South African commentators have expressed doubt as to whether legal practitioners would feel comfortable doing so as it requires remarkable expertise, which most do not have. They furthermore fear that this will give rise to data localisation as responsible parties might avoid transferring data to other destinations, which will have cost implications and will affect the free flow of information negatively and deter investment.[57]
57 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.1.
58 De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.1.
If compared to the position in the EU, Article 45 of the GDPR provides for an adequacy decision which could perhaps simplify matters. This entails that the EU Commission may decide that a third country or an international organisation offers an adequate level of data protection, which will then apply to all Member States.[59]
59 Recital 103 of the GDPR.
60 Recital 104 of the GDPR indicates the following factors to be considered when coming to such a decision: how the third country respects the rule of law, its access to justice and its conformity with international human rights norms and standards, its general and sectoral law, including its legislation concerning public security, defence and national security, as well as its public order and criminal law, together with other criteria such as its specific processing activities and the scope of its applicable legal standards and legislation; the third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the EU; it should ensure independent data protection supervision and provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress. Recital 105, furthermore, mentions the third country's international commitments and its participation in multilateral or regional systems.
Because of the immense burden placed on responsible parties, they might instead want to make use of agreements (SCCs) with the data importer to protect the rights of the data subject. However, as the discussion of that measure will show, this might place a similar burden on a responsible party.
2.2.2 Binding corporate rules
Section 72(1) allows the export of data across borders within a group of undertakings if BCRs provide an adequate level of protection. BCRs are defined in section 72(2)(a) as "personal information processing policies within a group of undertakings" which the responsible party is part of. A "group of undertakings", in turn, is defined in section 72(2)(b) as "a controlling undertaking and its controlled undertakings". This would cover situations where transnational companies deal with the processing of data in different locations but in the same corporate structure. Normally section 72 will not find application if data is transferred from a responsible party to a co- or jointly responsible party in the same corporate structure but in another country where the importer is not acting as a different responsible party, as data is not exported to a third party as required by the section. However, this must be determined on a case-by-case basis.[61]
61 EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf para 16.
The meaning and content of the term "adequate level of protection" is the same as is required in the context of a law that provides adequate protection. It is submitted that BCRs should not only provide levels of protection similar to those provided in POPIA but also mechanisms that can ensure effective enforcement of these obligations. Article 47(1) of the GDPR requires that a corporate group's BCRs must expressly make provision for the acceptance of liability or audit and verification processes, as well as confer enforceable rights on data subjects.[62]
62 See Kuner 2021 https://ssrn.com/abstract=3827850 27.
2.2.3 Binding agreement
The third way personal data can be transferred out of the country is via a binding agreement between the responsible party and the third party, which provides an adequate level of protection in that it upholds substantially the same principles or conditions for data processing as those subscribed to by POPIA. The agreement must also contain a provision or provisions similar to that of section 72 regulating further transborder data flows. No definition is provided for a "binding agreement between the responsible party and the third party". However, in practice such agreements usually take the form of standard data protection clauses or standard contract clauses (SCCs).
The GDPR requires that, for SCCs to function as an appropriate safeguard, they must be "adopted by the Commission in accordance with the examination procedure referred to in Article 93(2)"[63]
63 Article 46(2)(c) of the GDPR.
64 Article 46(2)(d) of the GDPR.
65 Recital 3 of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contract clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31.
66 Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 [2010] OJ L 39/5.
67 Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 [2016] OJ L 344/100.
68 Schrems II para 6.
69 Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contract clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31.
Neither POPIA nor its regulations make provision for pre-approved standard clauses or for the Regulator to approve any other standard agreements (apart from codes of conduct). It would seem that the burden is on the responsible party to enter into the appropriate agreement with the third party to ensure that an adequate level of protection is in place when the third party processes the information received. This is quite a heavy burden, especially in that the responsible party remains responsible for the lawful processing of a data subject's personal data throughout the lifespan of such data. Again, guidance by the Information Regulator is needed in this regard. The way the GDPR provides direction in these matters is commended and could serve as a useful example.
Furthermore, even if the appropriate SCC is in place section 72 does not make the provisions of POPIA applicable to the third party per se but it merely ensures that the data subject's personal information enjoys protection equal to that provided by POPIA. That immediately raises the question as to the rights of a South African data subject if its personal data is processed unlawfully in a foreign country by a third party after the data was transferred there by a responsible party in the Republic. It seems that POPIA places the liability squarely on responsible parties. They must make sure that the transfer takes place subject to the processing conditions of POPIA. Furthermore, it is the responsible party's duty to inform the data subject of the transfer of its personal data.
70
70 Section 18(1)(g) of POPIA.
In the context of the EU's pre-approved SCCs, recital 12 of the 2021 Commission Implementing Decision on standard contractual clauses for the transfer of data to third countries[71]
[71] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contract clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31.
someone who is not a party to the original contract. Moreover, if such a right is to be enforced in a third-party country, that could complicate matters even further, as that would depend on the law of that country and whether third-party rights are enforceable there.
In Schrems II the ECJ stated that SCCs as a tool for cross-border data transfers will suffice only if the third-party country in addition also has data protection provisions in place that are equivalent to those in the GDPR. This is quite a strict interpretation aimed at the protection of privacy rights. A literal reading of section 72(1)(a) does not seem to require this. However, only time will tell how South African courts or the Information Regulator will approach this matter.
2.3 Exceptions
Section 72(1)(b)-(e) furthermore contains certain derogations or exceptions where a third party does not have to comply with the conditions for data processing, such as where the data subject consented to the transfer, where the transfer is necessary in the interest of the data subject, or where the risks are relatively small. These derogations are allowed based on public policy, as it is in the interest of the public or the data subject that the transfer takes place. As a result, these exceptions must be interpreted restrictively.[72]
[72] Kuner 2021 https://ssrn.com/abstract=3827850 5.
2.3.1 The data subject consented to the transfer
POPIA defines consent as "any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information".[73]
[73] Section 1 of POPIA.
[74] Section 18 of POPIA.
data subject's failure to uncheck or deselect a pre-ticked consent box cannot be interpreted as implied consent. The data subject must also be informed of its right to withdraw consent at any time, as well as the possible risks and safeguards that will be in place.[75]
[75] See recitals 32 and 43 of the GDPR.
2.3.2 The transfer is necessary for the conclusion or performance of a contract between the data subject and the responsible party
Section 72(1)(c) authorises the transfer of personal data that is necessary to perform a contract between the data subject and the responsible party. This paragraph will apply primarily in connection with the conclusion, payment, delivery and other performance aspects of transactions. These transfers all take place in the context of a contract already concluded between a data subject and the responsible party. Typical examples are transfers of personal information to reserve an airline ticket for a passenger; a travel agent transferring a traveller's information to a hotel in a foreign country to book his stay there; the transfer of personal data to effect an international credit card payment; or the transfer of personal information by a bank in South Africa to a foreign bank to execute a client's payment.[76]
[76] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.3; SALRC 2009 https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf 408.
[77] De Stadler et al Over-thinking the Protection of Personal Information Act para 6.3.1.
Data transferred under this paragraph is restricted to necessary information, necessity being determined with reference to the purpose of the contract between the responsible party and the data subject.[78]
[78] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.3.
[79] De Stadler et al Over-thinking the Protection of Personal Information Act para 6.3.1.
[80] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.3.
2.3.3 The transfer is necessary for the conclusion of a contract between the responsible party and a third party in the interest of the data subject
The exception in section 72(1)(d) differs from that in section 72(1)(c) in that the contract concluded is between the responsible party and a third party (and not between the responsible party and the data subject) and it is concluded in the interest of the data subject. Examples are where a data subject is the beneficiary of a payment to be made by another person to the responsible party, or where a contract is concluded on behalf of a juristic person still to be formed. As in the previous exception, the transfer of the personal data must be necessary and occasional.[81]
[81] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.4.
2.3.4 The transfer is to the benefit of the data subject in circumstances where consent could not reasonably be obtained
Section 72(1)(e) applies to transfers of personal data to the benefit of the data subject where it is reasonably impracticable to obtain the data subject's consent to the transfer, but if it were reasonably practicable to do so, the data subject would most likely have given consent. This exception would apply to situations where the data subject is physically or legally incapable of giving consent, such as where an unconscious South African needs medical assistance in a foreign country and his medical aid in South Africa is asked to disclose personal medical information.[82]
[82] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.5.
Section 72(1)(e) furthermore states that transfers to the benefit of a third party will also be exempted. Where paragraph (d) dealt with contracts between the responsible party and a third party only, paragraph (e) has a broader scope. It covers transfers made to third parties in general and not only in connection with a contract between a responsible party and a third party. Again, transfers will be restricted to necessary transfers.[83]
[83] De Stadler et al Over-thinking the Protection of Personal Information Act para 14.2.3.4.
2.4 Conclusion
Data transfer rules aim to protect personal data that would have been protected by a country's data protection laws if the data were not moved out of the country. POPIA does not protect all transfers of personal data to another country but merely those that meet the criteria set out in section 72, namely that there must be a transfer of a data subject's personal information by a responsible party in the Republic to a third party in another country. Section 72 does not extend the application of POPIA to the third party, but makes the transfer dependent on certain conditions, unless it falls under one of the exceptions. Personal data can be transferred to a third party in another country only if an adequate level of protection has been set in place, either in the form of the third country's laws, a BCR between the responsible party and the third party, or a binding agreement between the responsible party and the third party. An adequate level of protection would exist if the instrument used displays a level of protection substantially similar to the principles and conditions on which POPIA is based. Section 18(1)(g) also places an obligation on a responsible party who intends transferring information to a third country or an international organisation to inform the data subject of the level of protection afforded to the information by that country or organisation.
The discussion has shown that this places an extremely high burden on the responsible party to decide on the adequacy of these measures, a decision that most responsible parties and legal practitioners would not be qualified to make. When it comes to the data protection laws of a third country, it cannot be expected that a responsible party will be acquainted with the laws of another country to the extent that it can make this call.[84]
[84] A similar concern has been raised in the context of the GDPR, where data controllers are required to verify whether the same level of protection that is enjoyed by data subjects in the EU exists in the third country. See Schrems II para 142; Kuner 2020 https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation.
These days, most websites contain a link to their owners' data privacy policies. Usually these policies are incorporated impliedly into the agreement between the data subject and the service provider. As a matter of course, these agreements would require data subjects' consent to the processing of their personal information, which would function as a general exception to the conditions posed by section 72. Consideration of whether the data privacy policy was adequately brought to the knowledge of the party and consequently incorporated into the agreement is beyond the scope of this article, but it is an important factor that must be kept in mind to ensure that consent was informed and specific.[85]
[85] See Van Deventer 2021 SALJ 219.
Furthermore, as the consent must be express or at least in the form of an affirmative act, it cannot simply be assumed or implied. Moreover, even though this article has not attempted to discuss the criteria or standards to determine whether data subjects can trust the technology or the surveillance measures in place in third countries to which data is transferred, this aspect is one that must be taken into consideration as well.[86]
[86] See Schrems I and Schrems II; Hoffman 2021 North Carolina Journal of Law and Technology 573.
3 Interaction between territorial scope and transfer of data provisions
The effect of the provisions relating to territorial scope is to afford a data protection law extra-territorial force. If it brings a foreign responsible party or an operator under its scope of application, the question is whether there is still a need for data transfer rules, as they might result in unnecessary duplication. This question is especially pertinent as data transfer rules do not result in the extra-territorial application of the data protection law but merely make the transfer dependent on certain conditions that require a form of protection substantially similar to that of the data protection law. The UK and New Zealand have recently amended their data protection laws so that the data transfer rule will not apply if the data importer otherwise falls under the scope of their respective data protection laws by virtue of the territorial scope provision.
The final version of the European Data Protection Board (EDPB) guidelines on the territorial scope of Article 3 of the GDPR was published in November 2019.[87]
[87] EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
[88] EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 3.
The question of their interaction and the need for having both territorial scope rules and data transfer rules applying to the same situation might perhaps be best answered by starting with the rationale for these rules. The discussion in parts I and II of this article has shown that the rationale for having territorial scope and data transfer rules is the same, namely to prevent the circumvention of data protection laws by moving the data outside the jurisdiction of that law.[89]
[89] Kuner 2021 https://ssrn.com/abstract=3827850 23.
[90] Kuner 2021 https://ssrn.com/abstract=3827850 24-25.
[91] Kuner 2021 https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr.
In the EU context it has been suggested that the two types of rules are to be merged into one provision that specifically provides for situations where they might potentially overlap, but this would require a revision of the GDPR.[92]
[92] See Kuner 2021 https://ssrn.com/abstract=3827850 33-35 for suggested formulations.
[93] Kuner 2021 https://ssrn.com/abstract=3827850 21.
[94] Kuner 2021 https://ssrn.com/abstract=3827850 22.
[95] Kuner 2021 https://ssrn.com/abstract=3827850 31.
If compared to the South African legal position, the potential for overlap is greater in the context of the GDPR, as its data transfer rule also covers the export of data from a processor (an operator) in the Union to a third party in another country.[96]
[96] Moreover, Art 3(2) of the GDPR extended the territorial scope provision to include processing activities by controllers or processors outside the Union when goods or services are offered to data subjects in the EU or where they monitor the behaviour of data subjects in the EU.
rule when the data are transferred back to the responsible party. In this example both rules will have the same effect. However, in the South African context the data transfer rule will not apply as, firstly, the operator transferring the data out of the country is not a responsible party as required by section 72 POPIA, and secondly, the importer is a responsible party and not a third party as required. In this example the data subject's personal information can be protected based on POPIA only by virtue of an extensive interpretation of the territorial scope provision of section 3(1)(b) bringing the non-South African responsible party under the scope of the Act and not under the data transfer rule. It is difficult to imagine a situation where a potential conflict could arise between the two rules in the light of the requirements set by POPIA.
Therefore, from a South African point of view it would seem that there is a need for both rules, as they will supplement and complement each other rather than overlap. From an enforcement point of view, the data transfer rule might be more beneficial, as it is often difficult to enforce the data protection law outside the borders of a country. A data transfer rule acts proactively by restricting the transfer of data to cases that meet stringent conditions. On the other hand, territorial scope provisions find application only where a foreign responsible party is brought under the ambit of the Act to address an already committed transgression of the data protection law. In that sense they act retroactively.[97]
[97] Kuner 2021 https://ssrn.com/abstract=3827850 24-25.
The question should rather be whether the data transfer rule achieves its goal of protecting the data subject's rights. The discussion of section 72 and the comparative analysis with the counterpart provisions in the GDPR have identified very specific shortcomings. Restricting the operation of this rule to exports by responsible parties leaves a gap when data is exported by an operator. Although the responsible party remains liable for the processing of personal data during the lifespan of the data, the only provisions dealing directly with operators are those of sections 20 and 21, which means that any conditions imposed on exports of data by operators must be stipulated in the contract between the responsible party and the operator. The discussion has shown that responsible parties must include very specific conditions on such exports in their agreements with operators. Furthermore, the data transfer rule can function effectively only when the phrase "responsible party in the Republic" is interpreted extensively to cover those who reach into the Republic to collect, monitor and otherwise process data subjects' personal data. Even if there were a potential for both the data transfer rule and the territorial scope rule to apply to the same scenario, the advantages of the data transfer rule justify that they operate in tandem. However, the absence of a measure similar to the adequacy decision used in the EU, or that of regulated pro-forma SCCs and BCRs, might leave the data transfer rule without teeth. Section 72(1) will operate to its full potential only if clear guidance is provided on the content of these measures. Until then, the practical reality might be that South African data subjects will primarily have to rely on POPIA's territorial scope provision, which in turn needs to be interpreted expansively for the Act to protect South African data subjects adequately.
Bibliography
Literature
De Stadler et al Over-thinking the Protection of Personal Information Act
De Stadler E et al Over-thinking the Protection of Personal Information Act (Juta Cape Town 2021)
Hoffman 2021 North Carolina Journal of Law and Technology
Hoffman DA "Schrems II and Tik Tok: Two Sides of the Same Coin" 2021 North Carolina Journal of Law and Technology 573-616
Papadopoulos and Snail ka Mtuse Cyberlaw@SA IV
Papadopoulos S and Snail ka Mtuse S (eds) Cyberlaw@SA IV: The Law of Internet in South Africa (Van Schaik Pretoria 2022)
Roos 2007 SALJ
Roos A "Data Protection: Explaining the International Backdrop and Evaluating the Current South African Position" 2007 SALJ 400-436
Roos Law of Data (Privacy) Protection
Roos A The Law of Data (Privacy) Protection: A Comparative and Theoretical Study (LLD-thesis Unisa 2003)
Van Deventer 2021 SALJ
Van Deventer S "Problems Relating to the Formation of Online Contracts: A South African Perspective" 2021 SALJ 219-257
Case law
Bodil Lindqvist (Case C-101/01) [2003] ECLI:EU:C:2003:596
Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C:2020:559
Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650
Legislation
New Zealand
Privacy Act 31 of 2020
South Africa
Protection of Personal Information Act 4 of 2013
United Kingdom
Data Protection Act of 2018 (implementing the United Kingdom General Data Protection Regulation)
International and regional instruments
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contract clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31
Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 [2010] OJ L 39/5
Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 [2016] OJ L 344/100
Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31
Privacy and Electronic Communications (EC Directive) Regulations, 2003
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1
Internet sources
EDPB 2019 https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
European Data Protection Board 2019 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2.1 (Adopted 12 November 2019) https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf accessed 28 April 2022
EDPB 2021 https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf
European Data Protection Board 2021 Guidelines 05/2021 on the Interplay between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR (Adopted 18 November 2021) https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf accessed 30 March 2022
Kuner 2020 https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation
Kuner C 2020 The Schrems II Judgment of the Court of Justice and the Future of Data Transfer Regulation https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation accessed 30 March 2022
Kuner 2021 https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr
Kuner C 2021 Exploring the Awkward Secret of Data Transfer Regulation: the EDPB Guidelines on Article 3 and Chapter V GDPR https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr accessed 31 December 2021
Kuner 2021 https://ssrn.com/abstract=3827850
Kuner C 2021 Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU's Ambition of Borderless Data Protection. University of Cambridge Faculty of Law Legal Studies Research Paper Series Paper No 20/2021, April 2021 https://ssrn.com/abstract=3827850 accessed 30 March 2022
SALRC 2009 https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf
South African Law Reform Commission 2009 Project 124 Privacy and Data Protection Report https://www.justice.gov.za/salrc/reports/r_prj124_privacy%20and%20data%20protection2009.pdf accessed 28 April 2022
Woods 2020 https://eulawanalysis.blogspot.com/2029/07/you-were-only-supposed-to-blow-the-bloody.html?m=1
Woods L 2020 "You Were Only Supposed to Blow the Bloody Doors Off!" Schrems II and External Transfers of Personal Data
https://eulawanalysis.blogspot.com/2029/07/you-were-only-supposed-to-blow-the-bloody.html?m=1 accessed 17 March 2022
List of Abbreviations
| Abbreviation | Meaning |
|---|---|
| BCRs | binding corporate rules |
| DPD | Data Protection Directive (EU) |
| ECJ | European Court of Justice |
| EDPB | European Data Protection Board |
| EU | European Union |
| GDPR | General Data Protection Regulation (EU) |
| POPIA | Protection of Personal Information Act 4 of 2013 |
| RSA | Republic of South Africa |
| SALJ | South African Law Journal |
| SCC | standard contract clause |
| UK | United Kingdom |
| UK-GDPR | United Kingdom General Data Protection Regulation |
| USA | United States of America |