The Problem of Trans-Border Information Flows in the Protection of Personal Information
DOI:
https://doi.org/10.17159/1727-3781/2024/v27i0a14296Keywords:
Cross-border data transfers, personal information, data protection, privacy, cloud computing, Protection of Personal Information Act, General Data Protection RegulationAbstract
Cross-border transfers of personal information have become an important integrant of international trade, global economic activities enabler and a component of digital services driver, however, they are faced with the limitations of cross-border personal information transfers and data localisation laws. Various methodologies are used to process and transfer personal information across the borders such as cloud computing. Cloud computing has grown to include more users across different countries through its transnational characteristics on cross-border personal information transfers and triggers the Protection of Personal Information Act 4 of 2013 (POPIA) application. POPIA seeks to promote and protect personal information when processed by public or private bodies. Personal information also forms part of privacy which is a fundamental right enshrined under section 14 of the Constitution of the Republic of South Africa, 1996. Therefore, the processing of personal information unlawfully across South Africa is a violation of the fundamental right to privacy and the POPIA. A comparative analysis of the provisions of the European Union (EU) General Data Protection Regulation (GDPR) on cross-border data transfers will be used to illustrate the shortcomings of section 72 of the POPIA in the cloud computing context. The GDPR has set a benchmark for international data protection standards and POPIA must comply with those standards if South Africa wants to maintain its status as part of the international information technology market.
Downloads
References
Bibliography
Literature
Allan K and Currie ID "Enforcing Access to Information and Privacy Rights: Evaluating Proposals for an Information Protection Regulator for South Africa" 2007 SAJHR 570-586
Blume P "EU Adequacy Decisions: The Proposed New Possibilities" 2015 IDPL 34-39
Bradford A "The Brussels Effect" 2012 NWULR 19-35
Carpenter RH Jr "Walking from Cloud to Cloud: The Portability Issue in Cloud Computing" 2010 Washington Journal of Law, Technology and Arts 1-14
Cohn BL "Data Governance: A Quality Imperative in the Era of Big Data, Open Data, and Beyond" 2015 ISJLP 811-826
Engels B "Data Governance as the Enabler of the Data Economy" 2019 Intereconomics 216-222
Esayas SY "A Walk in the Cloud and Cloudy It Remains: The Challenges and Prospects of 'Processing' and 'Transferring' Personal Data" 2012 Computer Law and Security Review 662-678
Kuner C "Reality and Illusion in EU Data Transfer Regulation Post Schrems" 2017 German Law Journal 881-918
Kuner C Transborder Data Flows and Data Privacy Law (Oxford University Press Oxford 2013)
Mattoo A and Meltzer JP "International Data Flows and Privacy: The Conflict and Its Resolution" 2018 J Int'l Econ L 769-789
Millard D and Bascerano EG "Employers' Statutory Vicarious Liability in Terms of the Protection of Personal Information Act" 2016 PELJ 1-38
Mokowadi-Tladi SE The Regulation of Unsolicited Electronic Communication (Spam) in South Africa: A Comparative Study (LLD-thesis University of South Africa 2017)
Mouzakiti F "Transborder Data Flows 2.0: Mending the Holes of the Data Protection Directive" 2015 EDPL 39-51
Narayanan V "Harnessing the Cloud: International Law Implications of Cloud-Computing" 2012 Chicago Journal of International Law 783-809
Neethling J "Features of the Protection of Personal Information Bill, 2009 and the Law of Delict" 2012 THRHR 241-255
Neethling J, Potgieter J and Knobel JC Neethling-Potgieter-Visser Law of Delict 7th ed (LexisNexis Durban 2014)
Neethling J, Potgieter J and Roos A Neethling on Personality Rights 2nd ed (LexisNexis Durban 2019)
Peterson T "Cloudy with a Chance of Waiver: How Cloud Computing Complicates the Attorney-Client Privilege" 2012 J Marshall L Rev 383-408
Power EM and Trope RL "Lessons in Data Governance: A Survey of Legal Developments in Data Management, Privacy and Security" 2005 Business Law 471-516
Power EM and Trope RL "The 2006 Survey of Legal Developments in Data Management, Privacy, and Information Security: The Continuing Evolution of Data Governance" 2006 Business Law 251-294
Quan X "The Governance of Cross-Border Data Flows in Trade Agreements: Is the CPTPP Framework an Ideal Way Out?" 2020 Frontiers Law China 253-279
Roos A "The European Union's General Data Protection Regulations (GDPR) and Its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37
Roos A The Law of Data (Privacy) Protection: A Comparative and Theoretical Study (LLD-thesis University of South Africa 2003)
SALRC Privacy and Data Protection
South African Law Reform Commission Discussion Paper 109, Project 124: Privacy and Data Protection (SALRC Pretoria 2005)
Schwartz PM "European Data Protection Law and Restrictions on International Data Flows" 1995 Iowa L Rev 471-496
Van der Merwe DP et al Information and Communications Technology Law 2nd ed (LexisNexis Durban 2016)
Voss WG "Internet, New Technologies, and Value: Taking Share of Economic Surveillance" 2017 University of Illinois Journal of Law, Technology and Policy 469-485
Voss WG "Obstacles to Transatlantic Harmonization of Data Privacy Law in Context" 2019 University of Illinois Journal of Law, Technology and Policy 405-463
Voss WG "Cross-Border Data Flows, the GDPR, and Data Governance" 2020 Washington International Law Journal 485-532
Voss WG and Woodcock K Navigating EU Privacy and Data Protection Laws (American Bar Association Cleveland 2016)
Yakovleva S and Irion K "Toward Compatibility of EU Trade Policy with the General Data Protection Regulation" 2020 AJIL Unbound 10-14
Yav C "Perspectives on the GDPR from South Africa" 2018 International Journal Data Protection Officer, Privacy Officer, and Privacy Counsel 19-20
Yoo CS and Blanchette JF Regulating the Cloud: Policy for Computing Infrastructure (MIT Press Cambridge, Mass 2015)
Case law
South Africa
Dlomo v Natal Newspapers (Pty) Ltd 1989 1 SA 945 (A)
Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd; In re Hyundai Motor Distributors (Pty) Ltd v Smit 2001 1 SA 545 (CC)
Janit v Motor Industry Fund Administrators (Pty) Ltd 1995 4 SA 293 (A)
Universiteit van Pretoria v Tommie Meyer Films 1977 4 SA 376 (T)
European Union
Google Spain v Agencia Española de Protección de Datos 317 ECR (13 May 2014)
Schrems and Facebook Ireland v Data Protection Commissioner C-311/18 CJEU (2020)
Schrems v Data Protection Commissioner 310 IEHC (2014)
Schrems v Data Protection Commissioner C-362/14 CJEU (2015)
Legislation
Ireland
Irish Data Protection Act 25 of 1988
Irish Data Protection (Amendment) Act 6 of 2003
South Africa
Constitution of the Republic of South Africa, 1996
Protection of Personal Information Act 4 of 2013
European Union
Commission Decision 2000/520/EC of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce OJ L 215/7 (2000)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals Concerning the Processing of Personal Data and the Free Movement of Such Data OJ L281/31 (1995)
EU-US Privacy Shield C(2016) 4176 (2016)
EU-US Safe Harbor Agreement (2000)
General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons Concerning the Processing of Personal Data and the Free Movement of Such Data, and Repealing Directive 95/46/EC OJ L 119/1 (2016)
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data OJ L 8/1 (2001)
Government publications
Gen N 309 in GG 44411 of 1 April 2021
International instruments
Charter of Fundamental Rights of the European Union (2000)
Convention for the Protection of Human Rights and Fundamental Freedoms (1950)
Treaty on European Union (2009)
Internet sources
Ahmed S 2010 Data Portability: Key to Cloud Portability and Interoperability http://ssrn.com/abstract=1712565 accessed 7 May 2022
Article 29 Data Protect Working Party 2012 https://ec.europa.eu/justice/article29/documentation/opinion/recommendations/files/2012/wpl96_en.pdf
Article 29 Data Protect Working Party 2012 Opinion 05/2012 on the Cloud Computing WP 196 https://ec.europa.eu/justice/article29/
documentation/opinion/recommendations/files/2012/wpl96_en.pdf accessed 22 April 2022
Article 29 Data Protection Working Party 2017 https://www.datenschutzkonferenz-online.de/media/wp/20180206_wp254_
rev01.pdf
Article 29 Data Protection Working Party 2017 Adequacy Referential 18/EN WP254 rev.01 (28 November 2017) https://www.datenschutzkonferenz-online.de/media/wp/20180206_wp254_rev01.pdf accessed 6 April 2024
Charlet 2019 https://news.bloomberglaw.com/privacy-and-data-security/big-google-privacy-fine-may-set-bar-foreuprivacy-penalties
Charlet D 2019 Big Google Privacy Fine May Set Bar for EU Privacy Penalties, https://news.bloomberglaw.com/privacy-and-data-security/big-google-privacy-fine-may-set-bar-foreuprivacy-penalties accessed 26 August 2022
CJEU 2015 http://www.europe-v-facebook.org/CJEUhearingnotes.pdf
Court of Justice of the European Union 2015 Procedure, Protocol of the Hearing http://www.europe-v-facebook.org/CJEUhearingnotes.pdf accessed 19 September 2022
European Union 2020 Country Profiles https://europa.eu/european-union/about-eu/countries_en accessed 9 April 2024
European Union 2021 Data Protection under GDPR https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data- non-eu-countries-en accessed 5 September 2022
Europe-v-Facebook Organisation Project 2017 C-362/14 – Schrems Further Files Concerning the Schrems Case before the CJEU http://europe-v-facebook.org/EN/en.html accessed 19 September 2022
European Commission 2007 https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charterfundamental-rights_en
European Commission 2007 EU Charter of Fundamental Rights and Freedoms 2007/C 303/01 https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charterfundamental-rights_en accessed 05 September 2022
European Commission 2020 https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
European Commission 2020 Adequacy Decision: How the EU Determines if a Non-EU Country has an Adequate Level of Data Protection https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en accessed 6 September 2022
Hage and Brown date unknown http://www.johnseely
brown.com/cloudcomputingdisruption.pdf
Hage J and Brown JS date unknown Cloud Computing – Storms on the Horizon http://www.johnseelybrown.com/cloudcomputingdisruption.pdf accessed 15 April 2022
High Court Commercial 2016 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62014CJ0362
The High Court Commercial 2016 The Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems, Request for a Preliminary Ruling under Article 267 TFEU (2016) No 4809 P https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62014CJ0362 accessed 27 August 2022
Ireland's National Public Media 2018 European Union and Japan Sign Historic Trade Deal https://www.rte.ie/news/2018/0717/979174-eu-japan/ accessed 29 August 2022
Kayali L 2019 France Hits Google with 50 Million Fine for GDPR Violation https://www.politico.eu/article/france-hits-google-with-e50-million-fine-for-gdpr-violation/ accessed 19 August 2022
Manyika J et al 2016 Digital Globalization: The New Era of Global Flows https://www.mckinsey.com//media/McKinsey/Business%20Functions/McKinsey%2ODigital/Our%20Insights/Digital%20globalization%20The%20new%2era%20f%2Oglobal%20flows/MGI-Digitalglobalization-Full-report.ashx accessed13 September 2022
Martin TD 2011 Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing http://works.bepress.com/timothy_martin/3 accessed 21 April 2022
McKinsey/Featured%/`20Insights/Innovation/Globalizationo2Oino20transitiono2OThe%20future%20fo20trade/o20and%20value%20chains/MGI-Globalizationo2Oin%/o20transition-The-future-of-trade-and-value-chains-Fullreport.ashx accessed 7 September 2022
Mell P and Grance T 2011 The NIST Definition of Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf accessed 19 April 2022
Meltzer JP 2020 The Court of Justice of the European Union in Schrems II: The Impact of the GDPR on Data Flows, and National Security https://www.brookings.edu/research/the-court-of-justice-of-the-european-union-in-schrems-ii-the-impact-of-gdpr-on-data-flows-and-national-security/#footnote-1 accessed 9 April 2022
Preston B 2008 Down to Business: Customers Fire a Few Shots at Cloud Computing https://www.informationweek.com/software-services/down-to-business-customers-fire-a-few-shots-at-cloud-computing accessed 14 April 2022
Wikipedia 2022 Edward Snowden https://en.wikipedia.org/wiki/Edward_
Snowden accessed 26 September 2022
WorldAtlas 2020 How Many Countries Are in the World? Https://www.worldatlas.com/nations.htm accessed13 September 2022
Published
Issue
Section
License
Copyright (c) 2024 Mthuthukisi Malahleka
This work is licensed under a Creative Commons Attribution 4.0 International License.
.png){kind=spacer}