Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part I: The Territorial Scope Provision
DOI:
https://doi.org/10.17159/1727-3781/2024/v27i0a15233Keywords:
POPIA/POPI, personal information, territorial scope, Section 3 POPIAAbstract
The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, for the Act to be enforced against a responsible party who has transgressed any of its provisions, the responsible party needs to be brought under its jurisdiction. To that end, POPIA makes provision for a territorial scope provision (section 3) based on the notion of domicilium and the use of automated and non-automated means for processing personal information situated in the Republic. This article makes use of comparative analysis to interpret the content of these provisions with reference to the European Union (EU)'s 1995 Data Protection Directive (DPD), on which they were modelled, and its successor, the 2016 General Data Protection Regulation (GDPR). The article demonstrates that section 3 can give rise to interpretative uncertainties which could result therein that personal information processed by responsible parties who are outside the Republic would not be regulated by the Act, or that these parties could move their processing activities out of the country to escape liability. An expansive interpretation of these provisions by the courts is needed to plug these gaps; alternatively, legislative revision must be undertaken in line with developments in the EU, where the GDPR endeavoured to address some of these aspects.
Downloads
References
Bibliography
Literature
Baumann J and Ismail N "The (Extra-)territorial Scope Rules of the New European Data Protection Law from a Private International Law Perspective: A Model for South Africa?" 2021 CILSA 1-49
Baumann J and Ismail N "The Concept of 'Personal Information' in the Protection of Personal Information Act 4 of 2013: A Comparative Analysis from a European Perspective" 2021 TSAR 718-739
De Stadler E and Esselaar P A Guide to the Protection of Personal Information Act (Juta Cape Town 2015)
De Stadler E et al Over-thinking the Protection of Personal Information Act (Juta Cape Town 2021)
Hayward B "To Boldly Go, Part I: Developing a Specific Legal Framework for Assessing the Regulation of International Data Trade under the CISG" 2021 UNSW Law Journal 878-918
Papadopoulos S and Snail ka Mtuse S (eds) Cyberlaw@SA IV: The Law of Internet in South Africa (Van Schaik Pretoria 2022)
Roos A "The European Union's General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37
Roos A "Data Privacy Law" in Van der Merwe DP (ed) Information and Communications Technology Law 3rd ed (Lexis Nexis Johannesburg 2021) 387-530
Case law
Competition Commission of South Africa v Media 24 (Pty) Ltd 2019 5 SA 598 (CC)
Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C2020:559
Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317
Google LLC v Commission nationale d' l'informatique et de libertés (CNIL) (Case C-507/17) [2018] ECLI:EU:C:2019:722
Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650
R v Secretary of State for Transport (Ex parte Factortame) (Case C-221/89) [1991] ECR I-3905
Verein für Konsumenteninformation v Amazon EU Sarl Case (C-191/15) [2016] EU:C:2016:612
Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabaság Hatóság (NAIH) (C-230/14) [2015] EU:C:2015:639
Legislation
South Africa
Constitution of the Republic of South Africa, 1996
Consumer Protection Act 68 of 2008
Cybercrimes Act 19 of 2020
Electronic Communications and Transactions Act 25 of 2002
Promotion of Access to Information Act 2 of 2000
Protection of Personal Information Act 4 of 2013
International and regional instruments
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981 (1981)
Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspects of information society services, in particular electronic commerce, in the internal market (Directive on Electronic Commerce) [2000] OJ L 178/1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1
UN General Assembly Transforming our World: The 2030 Agenda for Sustainable Development UN Doc A/RES/70/1 (2015)
Universal Declaration of Human Rights (1948)
Internet sources
Article 29 - Data Protection Working Party Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Web Sites, 5035/01/EN/Final WP 56, Adopted 30 May 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf accessed 30 March 2022
European Data Protection Board 2019 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2.1 (Adopted 12 November 2019) https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf accessed 28 April 2022
European Data Protection Board 2022 Statement 01/2022 on the Announcement of an Agreement in Principle on a New Trans-Atlantic Data Privacy Framework (Adopted 6 April 2022) https://edpb_statement_
202201_new-trans-atlantic_data-privacy_framework.pdf accessed 28 April 2022
Information Regulator (South Africa) 2021 Guidance Note on Information Officers and Deputy Information Officers (1 April 2021) https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf accessed 13 May 2022
Kuner C 2021 Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU's Ambition of Borderless Data Protection. University of Cambridge Faculty of Law Legal Studies Research Paper Series Paper No 20/2021, April 2021 https://ssrn.com/abstract=3827850 accessed 30 March 2022
Organisation for Economic Cooperation and Development 2013 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Revised Version 11 July 2013) https://www.oecd.org/
sti/ieconomy/oecdguidelinesonthe protectionofprivacyandtransborder
flowsofpersonaldata.htm accessed 20 March 2022
Organisation for Economic Cooperation and Development 2018 Trade and Cross-Border Data Flows: Report by the Working Party of the Trade Committee (21 December 2018) TAD/TC/WP(2018)19/FINAL https://one.oecd.org/document/TAD/TC/WP(2018)19/FINAL/En/pdf accessed 13 May 2022
South African Law Reform Commission 2009 Project 124 Privacy and Data Protection Report https://www.justice.gov.za/salrc/reports/r_prj124_privacy
%20and%20data%20protection2009.pdf accessed 28 April 2022
Published
Issue
Section
License
Copyright (c) 2024 Juana Coetzee
This work is licensed under a Creative Commons Attribution 4.0 International License.
.png){kind=spacer}