The Problem of Trans-Border Information Flows in the Protection of Personal Information

Authors

DOI:

https://doi.org/10.17159/1727-3781/2024/v27i0a14296

Keywords:

Cross-border data transfers, personal information, data protection, privacy, cloud computing, Protection of Personal Information Act, General Data Protection Regulation

Abstract

Cross-border transfers of personal information have become an important integrant of international trade, global economic activities enabler and a component of digital services driver, however, they are faced with the limitations of cross-border personal information transfers and data localisation laws. Various methodologies are used to process and transfer personal information across the borders such as cloud computing. Cloud computing has grown to include more users across different countries through its transnational characteristics on cross-border personal information transfers and triggers the Protection of Personal Information Act 4 of 2013 (POPIA) application. POPIA seeks to promote and protect personal information when processed by public or private bodies. Personal information also forms part of privacy which is a fundamental right enshrined under section 14 of the Constitution of the Republic of South Africa, 1996. Therefore, the processing of personal information unlawfully across South Africa is a violation of the fundamental right to privacy and the POPIA. A comparative analysis of the provisions of the European Union (EU) General Data Protection Regulation (GDPR) on cross-border data transfers will be used to illustrate the shortcomings of section 72 of the POPIA in the cloud computing context. The GDPR has set a benchmark for international data protection standards and POPIA must comply with those standards if South Africa wants to maintain its status as part of the international information technology market.

Downloads

Download data is not yet available.

Author Biography

  • Mthuthukisi Malahleka, Rhodes University

    PhD Researcher, School of Law and Economics (Erasmus University Rotterdam, Netherlands) Affiliated with Rhodes University, South Africa.

References

Bibliography

Literature

Allan K and Currie ID "Enforcing Access to Information and Privacy Rights: Evaluating Proposals for an Information Protection Regulator for South Africa" 2007 SAJHR 570-586

Blume P "EU Adequacy Decisions: The Proposed New Possibilities" 2015 IDPL 34-39

Bradford A "The Brussels Effect" 2012 NWULR 19-35

Carpenter RH Jr "Walking from Cloud to Cloud: The Portability Issue in Cloud Computing" 2010 Washington Journal of Law, Technology and Arts 1-14

Cohn BL "Data Governance: A Quality Imperative in the Era of Big Data, Open Data, and Beyond" 2015 ISJLP 811-826

Engels B "Data Governance as the Enabler of the Data Economy" 2019 Intereconomics 216-222

Esayas SY "A Walk in the Cloud and Cloudy It Remains: The Challenges and Prospects of 'Processing' and 'Transferring' Personal Data" 2012 Computer Law and Security Review 662-678

Kuner C "Reality and Illusion in EU Data Transfer Regulation Post Schrems" 2017 German Law Journal 881-918

Kuner C Transborder Data Flows and Data Privacy Law (Oxford University Press Oxford 2013)

Mattoo A and Meltzer JP "International Data Flows and Privacy: The Conflict and Its Resolution" 2018 J Int'l Econ L 769-789

Millard D and Bascerano EG "Employers' Statutory Vicarious Liability in Terms of the Protection of Personal Information Act" 2016 PELJ 1-38

Mokowadi-Tladi SE The Regulation of Unsolicited Electronic Communication (Spam) in South Africa: A Comparative Study (LLD-thesis University of South Africa 2017)

Mouzakiti F "Transborder Data Flows 2.0: Mending the Holes of the Data Protection Directive" 2015 EDPL 39-51

Narayanan V "Harnessing the Cloud: International Law Implications of Cloud-Computing" 2012 Chicago Journal of International Law 783-809

Neethling J "Features of the Protection of Personal Information Bill, 2009 and the Law of Delict" 2012 THRHR 241-255

Neethling J, Potgieter J and Knobel JC Neethling-Potgieter-Visser Law of Delict 7th ed (LexisNexis Durban 2014)

Neethling J, Potgieter J and Roos A Neethling on Personality Rights 2nd ed (LexisNexis Durban 2019)

Peterson T "Cloudy with a Chance of Waiver: How Cloud Computing Complicates the Attorney-Client Privilege" 2012 J Marshall L Rev 383-408

Power EM and Trope RL "Lessons in Data Governance: A Survey of Legal Developments in Data Management, Privacy and Security" 2005 Business Law 471-516

Power EM and Trope RL "The 2006 Survey of Legal Developments in Data Management, Privacy, and Information Security: The Continuing Evolution of Data Governance" 2006 Business Law 251-294

Quan X "The Governance of Cross-Border Data Flows in Trade Agreements: Is the CPTPP Framework an Ideal Way Out?" 2020 Frontiers Law China 253-279

Roos A "The European Union's General Data Protection Regulations (GDPR) and Its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37

Roos A The Law of Data (Privacy) Protection: A Comparative and Theoretical Study (LLD-thesis University of South Africa 2003)

SALRC Privacy and Data Protection

South African Law Reform Commission Discussion Paper 109, Project 124: Privacy and Data Protection (SALRC Pretoria 2005)

Schwartz PM "European Data Protection Law and Restrictions on International Data Flows" 1995 Iowa L Rev 471-496

Van der Merwe DP et al Information and Communications Technology Law 2nd ed (LexisNexis Durban 2016)

Voss WG "Internet, New Technologies, and Value: Taking Share of Economic Surveillance" 2017 University of Illinois Journal of Law, Technology and Policy 469-485

Voss WG "Obstacles to Transatlantic Harmonization of Data Privacy Law in Context" 2019 University of Illinois Journal of Law, Technology and Policy 405-463

Voss WG "Cross-Border Data Flows, the GDPR, and Data Governance" 2020 Washington International Law Journal 485-532

Voss WG and Woodcock K Navigating EU Privacy and Data Protection Laws (American Bar Association Cleveland 2016)

Yakovleva S and Irion K "Toward Compatibility of EU Trade Policy with the General Data Protection Regulation" 2020 AJIL Unbound 10-14

Yav C "Perspectives on the GDPR from South Africa" 2018 International Journal Data Protection Officer, Privacy Officer, and Privacy Counsel 19-20

Yoo CS and Blanchette JF Regulating the Cloud: Policy for Computing Infrastructure (MIT Press Cambridge, Mass 2015)

Case law

South Africa

Dlomo v Natal Newspapers (Pty) Ltd 1989 1 SA 945 (A)

Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd; In re Hyundai Motor Distributors (Pty) Ltd v Smit 2001 1 SA 545 (CC)

Janit v Motor Industry Fund Administrators (Pty) Ltd 1995 4 SA 293 (A)

Universiteit van Pretoria v Tommie Meyer Films 1977 4 SA 376 (T)

European Union

Google Spain v Agencia Española de Protección de Datos 317 ECR (13 May 2014)

Schrems and Facebook Ireland v Data Protection Commissioner C-311/18 CJEU (2020)

Schrems v Data Protection Commissioner 310 IEHC (2014)

Schrems v Data Protection Commissioner C-362/14 CJEU (2015)

Legislation

Ireland

Irish Data Protection Act 25 of 1988

Irish Data Protection (Amendment) Act 6 of 2003

South Africa

Constitution of the Republic of South Africa, 1996

Protection of Personal Information Act 4 of 2013

European Union

Commission Decision 2000/520/EC of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce OJ L 215/7 (2000)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals Concerning the Processing of Personal Data and the Free Movement of Such Data OJ L281/31 (1995)

EU-US Privacy Shield C(2016) 4176 (2016)

EU-US Safe Harbor Agreement (2000)

General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons Concerning the Processing of Personal Data and the Free Movement of Such Data, and Repealing Directive 95/46/EC OJ L 119/1 (2016)

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data OJ L 8/1 (2001)

Government publications

Gen N 309 in GG 44411 of 1 April 2021

International instruments

Charter of Fundamental Rights of the European Union (2000)

Convention for the Protection of Human Rights and Fundamental Freedoms (1950)

Treaty on European Union (2009)

Internet sources

Ahmed S 2010 Data Portability: Key to Cloud Portability and Interoperability http://ssrn.com/abstract=1712565 accessed 7 May 2022

Article 29 Data Protect Working Party 2012 https://ec.europa.eu/justice/article29/documentation/opinion/recommendations/files/2012/wpl96_en.pdf

Article 29 Data Protect Working Party 2012 Opinion 05/2012 on the Cloud Computing WP 196 https://ec.europa.eu/justice/article29/

documentation/opinion/recommendations/files/2012/wpl96_en.pdf accessed 22 April 2022

Article 29 Data Protection Working Party 2017 https://www.datenschutzkonferenz-online.de/media/wp/20180206_wp254_

rev01.pdf

Article 29 Data Protection Working Party 2017 Adequacy Referential 18/EN WP254 rev.01 (28 November 2017) https://www.datenschutzkonferenz-online.de/media/wp/20180206_wp254_rev01.pdf accessed 6 April 2024

Charlet 2019 https://news.bloomberglaw.com/privacy-and-data-security/big-google-privacy-fine-may-set-bar-foreuprivacy-penalties

Charlet D 2019 Big Google Privacy Fine May Set Bar for EU Privacy Penalties, https://news.bloomberglaw.com/privacy-and-data-security/big-google-privacy-fine-may-set-bar-foreuprivacy-penalties accessed 26 August 2022

CJEU 2015 http://www.europe-v-facebook.org/CJEUhearingnotes.pdf

Court of Justice of the European Union 2015 Procedure, Protocol of the Hearing http://www.europe-v-facebook.org/CJEUhearingnotes.pdf accessed 19 September 2022

European Union 2020 Country Profiles https://europa.eu/european-union/about-eu/countries_en accessed 9 April 2024

EU 2021 https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

European Union 2021 Data Protection under GDPR https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data- non-eu-countries-en accessed 5 September 2022

Europe-v-Facebook Organisation Project 2017 C-362/14 – Schrems Further Files Concerning the Schrems Case before the CJEU http://europe-v-facebook.org/EN/en.html accessed 19 September 2022

European Commission 2007 https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charterfundamental-rights_en

European Commission 2007 EU Charter of Fundamental Rights and Freedoms 2007/C 303/01 https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charterfundamental-rights_en accessed 05 September 2022

European Commission 2020 https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

European Commission 2020 Adequacy Decision: How the EU Determines if a Non-EU Country has an Adequate Level of Data Protection https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en accessed 6 September 2022

Hage and Brown date unknown http://www.johnseely

brown.com/cloudcomputingdisruption.pdf

Hage J and Brown JS date unknown Cloud Computing – Storms on the Horizon http://www.johnseelybrown.com/cloudcomputingdisruption.pdf accessed 15 April 2022

High Court Commercial 2016 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62014CJ0362

The High Court Commercial 2016 The Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems, Request for a Preliminary Ruling under Article 267 TFEU (2016) No 4809 P https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62014CJ0362 accessed 27 August 2022

Ireland's National Public Media 2018 European Union and Japan Sign Historic Trade Deal https://www.rte.ie/news/2018/0717/979174-eu-japan/ accessed 29 August 2022

Kayali L 2019 France Hits Google with 50 Million Fine for GDPR Violation https://www.politico.eu/article/france-hits-google-with-e50-million-fine-for-gdpr-violation/ accessed 19 August 2022

Manyika J et al 2016 Digital Globalization: The New Era of Global Flows https://www.mckinsey.com//media/McKinsey/Business%20Functions/McKinsey%2ODigital/Our%20Insights/Digital%20globalization%20The%20new%2era%20f%2Oglobal%20flows/MGI-Digitalglobalization-Full-report.ashx accessed13 September 2022

Martin TD 2011 Hey! You! Get Off of My Cloud: Defining and Protecting the Metes and Bounds of Privacy, Security, and Property in Cloud Computing http://works.bepress.com/timothy_martin/3 accessed 21 April 2022

McKinsey/Featured%/`20Insights/Innovation/Globalizationo2Oino20transitiono2OThe%20future%20fo20trade/o20and%20value%20chains/MGI-Globalizationo2Oin%/o20transition-The-future-of-trade-and-value-chains-Fullreport.ashx accessed 7 September 2022

Mell P and Grance T 2011 The NIST Definition of Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf accessed 19 April 2022

Meltzer JP 2020 The Court of Justice of the European Union in Schrems II: The Impact of the GDPR on Data Flows, and National Security https://www.brookings.edu/research/the-court-of-justice-of-the-european-union-in-schrems-ii-the-impact-of-gdpr-on-data-flows-and-national-security/#footnote-1 accessed 9 April 2022

Preston B 2008 Down to Business: Customers Fire a Few Shots at Cloud Computing https://www.informationweek.com/software-services/down-to-business-customers-fire-a-few-shots-at-cloud-computing accessed 14 April 2022

Wikipedia 2022 Edward Snowden https://en.wikipedia.org/wiki/Edward_

Snowden accessed 26 September 2022

WorldAtlas 2020 How Many Countries Are in the World? Https://www.worldatlas.com/nations.htm accessed13 September 2022

Published

08-08-2024

Issue

Section

Articles

How to Cite

Malahleka, M. (2024). The Problem of Trans-Border Information Flows in the Protection of Personal Information. Potchefstroom Electronic Law Journal, 27, (Published on 8 August 2024 ) pp 1-40. https://doi.org/10.17159/1727-3781/2024/v27i0a14296

Similar Articles

1-10 of 1157

You may also start an advanced similarity search for this article.