South Africa needs the European Commission to find or decide that South Africa provides an adequate level of protection of personal data. The commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Japan, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. It is a list that South Africa simply has to get on.
Japan is the latest non-EU country the commission has found to provide an adequate level of protection. This allows personal data to flow freely between the two economies and creates the world’s largest area of safe data flow. Japan has the Act on the Protection of Personal Information.
In the map above, South Africa is a blue country, which is actually misleading. South Africa has enacted a comprehensive data protection law. However, it has not yet commenced.
You can find out more about how to transfer personal data cross-borders lawfully by working through our transferring data cross-borders module in our data protection programme.
Why does South Africa need an adequacy decision?
It will allow personal data to flow freely between South Africa and the EU. This would enable South Africa to participate in the global data economy. Europeans will benefit from high privacy standards when the data is transferred to South Africa. At the same time, South Africans will benefit from high privacy standards when the data is transferred to the EU.
South African companies will also benefit because they will get access to millions of consumers within the EU. It is highly likely that EU companies will outsource to South African companies. This is especially so when the outsourcing arrangement involves processing of personal data. Effectively, data protection laws and international trade go hand-in-hand.
What does South Africa need to do to be adequate?
Not a lot, but there are a few things.
- POPIA (the South African data protection law) needs to commence and be of full force and effect. This is another reason why the announcement of the POPI commencement date needs to happen as soon as possible. A finding on whether South Africa is adequate will only be possible after the end of the grace period for the implementation of POPIA.
- Following the Japanese example, South Africa may need to introduce a set of supplementary rules that will bridge the several differences between the GDPR and POPIA. These supplementary rules would only be binding on South African companies wishing to import data from the EU.
- The South African government may also need to give the commission assurances regarding the country’s law enforcement agencies. This is especially the case when accessing personal data for criminal law enforcement and national security purposes. Essentially, the commission will want assurance that South African law enforcement agencies will only access European personal data if the access is necessary, proportionate and subject to independent oversight.
- Europeans will need to be able to complain if they feel that their personal data has been abused. The information regulator will need to address these complaints effectively.