Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part II: The Data Transfer Provision

Authors

DOI:

https://doi.org/10.17159/1727-3781/2024/v27i0a15234

Keywords:

POPIA/POPI, personal information, cross-border data transfers, section 72 POPIA

Abstract

The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, personal information is very often collected and processed by responsible parties who are outside the Republic. Alternatively personal information is collected by a responsible party in the Republic and then transferred out of the country. Part I of this article discussed the territorial scope provision (section 3) and concluded that it can give rise to interpretative uncertainties with the result that personal information processed by responsible parties outside the Republic would not be covered by the Act. However, responsible parties often move their processing activities out of the country to escape liability. This part of the article analyses the data transfer provision (section 72), a provision that is directed at the regulation of the transfer of data outside the Republic. Section 72 lays down certain conditions before a responsible party can export data out of the Republic to a third party. The discussion will show that the provision has certain shortcomings which could limit its effectiveness in providing the necessary protection if compared to its counterpart in the EU General Data Protection Regulation (GDPR). Consequently, legislative revision or clarification by the Information Regulator in the form of a Guidance Note would be welcomed. The article concludes with a brief analysis of the interplay between sections 3 and 72 to illustrate the need for both these provisions in our law.

Downloads

Download data is not yet available.

Author Biography

  • Juana Coetzee, Stellenbosch University

    BA, LLB, LLM, LLD (Stellenbosch University). Associate Professor (Emeritus) and Research Fellow, Department of Mercantile Law, Stellenbosch University.

References

Bibliography

Literature

De Stadler E et al Over-thinking the Protection of Personal Information Act (Juta Cape Town 2021)

Hoffman DA "Schrems II and Tik Tok: Two Sides of the Same Coin" 2021 North Carolina Journal of Law and Technology 573-616

Papadopoulos S and Snail ka Mtuse S (eds) Cyberlaw@SA IV: The Law of Internet in South Africa (Van Schaik Pretoria 2022)

Roos A "Data Protection: Explaining the International Backdrop and Evaluating the Current South African Position" 2007 SALJ 400-436

Roos A The Law of Data (Privacy) Protection: A Comparative and Theoretical Study (LLD-thesis Unisa 2003)

Van Deventer S "Problems Relating to the Formation of Online Contracts: A South African Perspective" 2021 SALJ 219-257

Case law

Bodil Lindqvist (Case C-101/01) [2003] ECLI:EU:C:2003:596

Data Protection Commissioner v Facebook Ireland, Maximillian Schrems (Case C-311/18) [2020] ECLI:EU:C2020:559

Maximillian Schrems v Data Protection Commissioner (Case C-362/14) [2015] ECLI:EU:C:2015:650

Legislation

New Zealand

Privacy Act 31 of 2020

South Africa

Protection of Personal Information Act 4 of 2013

United Kingdom

Data Protection Act of 2018 (implementing the United Kingdom General Data Protection Regulation)

International and regional instruments

Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contract clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31

Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 [2010] OJ L 39/5

Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 [2016] OJ L 344/100

Directive 95/46/EC of the European Parliament and of the Council enacted 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31

Privacy and Electronic Communications (EC Directive) Regulations, 2003

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1

Internet sources

European Data Protection Board 2019 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) Version 2.1 (Adopted 12 November 2019) https://edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf accessed 28 April 2022

European Data Protection Board 2021 Guidelines 05/2021 on the Interplay between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR (Adopted 18 November 2021) https://edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf accessed 30 March 2022

Kuner C 2020 The Schrems II Judgment of the Court of Justice and the Future of Data Transfer Regulation https://europeanlawblog.eu/

2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation accessed 30 March 2022

Kuner C 2021 Exploring the Awkward Secret of Data Transfer Regulation: the EDPB Guidelines on Article 3 and Chapter V GDPR https://europeanlawblog.eu/2021/12/13/exploring-the-awkward-secret-of-data-transfer-regulation-the-edpb-guidelines-on-article-3-and-chapter-v-gdpr accessed 31 December 2021

Kuner C 2021 Territorial Scope and Data Transfer Rules in the GDPR: Realising the EU's Ambition of Borderless Data Protection. University of Cambridge Faculty of Law Legal Studies Research Paper Series Paper No 20/2021, April 2021 https://ssrn.com/abstract=3827850 accessed 30 March 2022

South African Law Reform Commission 2009 Project 124 Privacy and Data Protection Report https://www.justice.gov.za/salrc/reports/r_prj124_privacy

%20and%20data%20protection2009.pdf accessed 28 April 2022

Woods L 2020 "You Were Only Supposed to Blow the Bloody Doors Off!" Schrems II and External Transfers of Personal Data https://eulawanalysis.blogspot.com/2029/07/you-were-only-supposed-to-blow-the-bloody.html?m=1 accessed 17 March 2022

Published

07-11-2024

Issue

Section

Articles

How to Cite

Coetzee, J. (2024). Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part II: The Data Transfer Provision. Potchefstroom Electronic Law Journal, 27, (Published on 7 November 2024) pp 1-29. https://doi.org/10.17159/1727-3781/2024/v27i0a15234

Similar Articles

1-10 of 1112

You may also start an advanced similarity search for this article.