Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part I: The Territorial Scope Provision

Authors

DOI:

https://doi.org/10.17159/1727-3781/2024/v27i0a15233

Keywords:

POPIA/POPI, personal information, territorial scope, Section 3 POPIA

Abstract

The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, for the Act to be enforced against a responsible party who has transgressed any of its provisions, the responsible party needs to be brought under its jurisdiction. To that end, POPIA makes provision for a territorial scope provision (section 3) based on the notion of domicilium and the use of automated and non-automated means for processing personal information situated in the Republic. This article makes use of comparative analysis to interpret the content of these provisions with reference to the European Union (EU)'s 1995 Data Protection Directive (DPD), on which they were modelled, and its successor, the 2016 General Data Protection Regulation (GDPR). The article demonstrates that section 3 can give rise to interpretative uncertainties which could result therein that personal information processed by responsible parties who are outside the Republic would not be regulated by the Act, or that these parties could move their processing activities out of the country to escape liability. An expansive interpretation of these provisions by the courts is needed to plug these gaps; alternatively, legislative revision must be undertaken in line with developments in the EU, where the GDPR endeavoured to address some of these aspects.

Downloads

Download data is not yet available.

Author Biography

  • Juana Coetzee, Stellenbosch University

    BA, LLB, LLM, LLD (Stellenbosch University). Associate Professor (Emeritus) and Research Fellow, Department of Mercantile Law, Stellenbosch University, South Africa.

References

Bibliography

Literature

Baumann J and Ismail N "The (Extra-)territorial Scope Rules of the New European Data Protection Law from a Private International Law Perspective: A Model for South Africa?" 2021 CILSA 1-49

Baumann J and Ismail N "The Concept of 'Personal Information' in the Protection of Personal Information Act 4 of 2013: A Comparative Analysis from a European Perspective" 2021 TSAR 718-739

De Stadler E and Esselaar P A Guide to the Protection of Personal Information Act (Juta Cape Town 2015)

De Stadler E et al Over-thinking the Protection of Personal Information Act (Juta Cape Town 2021)

Hayward B "To Boldly Go, Part I: Developing a Specific Legal Framework for Assessing the Regulation of International Data Trade under the CISG" 2021 UNSW Law Journal 878-918

Papadopoulos S and Snail ka Mtuse S (eds) Cyberlaw@SA IV: The Law of Internet in South Africa (Van Schaik Pretoria 2022)

Roos A "The European Union's General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37

Roos A "Data Privacy Law" in Van der Merwe DP (ed) Information and Communications Technology Law 3rd ed (Lexis Nexis Johannesburg 2021) 387-530

Case law

Competition Commission of South Africa v Media 24 (Pty) Ltd 2019 5 SA 598 (CC)

Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C2020:559

Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (Case C-131/12) [2014] ECLI:EU:C:2014:317

Google LLC v Commission nationale d' l'informatique et de libertés (CNIL) (Case C-507/17) [2018] ECLI:EU:C:2019:722

Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650

R v Secretary of State for Transport (Ex parte Factortame) (Case C-221/89) [1991] ECR I-3905

Verein für Konsumenteninformation v Amazon EU Sarl Case (C-191/15) [2016] EU:C:2016:612

Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabaság Hatóság (NAIH) (C-230/14) [2015] EU:C:2015:639

Legislation

South Africa

Constitution of the Republic of South Africa, 1996

Consumer Protection Act 68 of 2008

Cybercrimes Act 19 of 2020

Electronic Communications and Transactions Act 25 of 2002

Promotion of Access to Information Act 2 of 2000

Protection of Personal Information Act 4 of 2013

International and regional instruments

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No 108/1981 (1981)

Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspects of information society services, in particular electronic commerce, in the internal market (Directive on Electronic Commerce) [2000] OJ L 178/1

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1

UN General Assembly Transforming our World: The 2030 Agenda for Sustainable Development UN Doc A/RES/70/1 (2015)

Universal Declaration of Human Rights (1948)

Internet sources

Article 29 - Data Protection Working Party Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Web Sites, 5035/01/EN/Final WP 56, Adopted 30 May 2002 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf accessed 30 March 2022

European Data Protection Board 2019 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2.1 (Adopted 12 November 2019) https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf accessed 28 April 2022

European Data Protection Board 2022 Statement 01/2022 on the Announcement of an Agreement in Principle on a New Trans-Atlantic Data Privacy Framework (Adopted 6 April 2022) https://edpb_statement_

202201_new-trans-atlantic_data-privacy_framework.pdf accessed 28 April 2022

Information Regulator (South Africa) 2021 Guidance Note on Information Officers and Deputy Information Officers (1 April 2021) https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf accessed 13 May 2022

Kuner C 2021 Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU's Ambition of Borderless Data Protection. University of Cambridge Faculty of Law Legal Studies Research Paper Series Paper No 20/2021, April 2021 https://ssrn.com/abstract=3827850 accessed 30 March 2022

Organisation for Economic Cooperation and Development 2013 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Revised Version 11 July 2013) https://www.oecd.org/

sti/ieconomy/oecdguidelinesonthe protectionofprivacyandtransborder

flowsofpersonaldata.htm accessed 20 March 2022

Organisation for Economic Cooperation and Development 2018 Trade and Cross-Border Data Flows: Report by the Working Party of the Trade Committee (21 December 2018) TAD/TC/WP(2018)19/FINAL https://one.oecd.org/document/TAD/TC/WP(2018)19/FINAL/En/pdf accessed 13 May 2022

South African Law Reform Commission 2009 Project 124 Privacy and Data Protection Report https://www.justice.gov.za/salrc/reports/r_prj124_privacy

%20and%20data%20protection2009.pdf accessed 28 April 2022

Published

07-11-2024

Issue

Section

Articles

How to Cite

Coetzee, J. (2024). Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part I: The Territorial Scope Provision. Potchefstroom Electronic Law Journal, 27, (Published on 7 November 2024) pp 1-25. https://doi.org/10.17159/1727-3781/2024/v27i0a15233

Similar Articles

1-10 of 1134

You may also start an advanced similarity search for this article.