South Africa needs the European Commission to find or decide that South Africa provides an adequate level of protection of personal data. The commission has so far recognised various countries and territories as providing adequate protection. It is a list that South Africa simply has to get on.
Japan is the latest non-EU country the commission has found to provide an adequate level of protection. This allows personal data to flow freely between the two economies and creates the world’s largest area of safe data flow. Japan has the Act on the Protection of Personal Information.
You can find out more about how to transfer personal data across borders lawfully by working through our transferring data cross-borders module in our data protection programme.
Why does South Africa need an adequacy decision?
It will allow personal data to flow freely between South Africa and the EU. This would enable South Africa to participate in the global data economy. Europeans will benefit from high privacy standards when the data is transferred to South Africa. At the same time, South Africans will benefit from high privacy standards when the data is transferred to the EU.
South African companies will also benefit because they will get access to millions of consumers within the EU. It is highly likely that EU companies will outsource to South African companies. This is especially so when the outsourcing arrangement involves the processing of personal data. Effectively, data protection laws and international trade go hand-in-hand.
What does South Africa need to do to be adequate?
At a high level, a few things.
- POPIA (the South African data protection law) needs to commence and be of full force and effect.
- Following the Japanese example, South Africa may need to introduce a set of supplementary rules that will bridge the differences between the GDPR and POPIA. These supplementary rules would only be binding on South African companies wishing to import data from the EU.
- The South African government may also need to give the commission assurances regarding the country’s law enforcement agencies. This is especially the case when accessing personal data for criminal law enforcement and national security purposes. Essentially, the commission will want assurance that South African law enforcement agencies will only access European personal data if it’s necessary, proportionate and subject to independent oversight.
- Europeans will need to be able to complain if they feel that their personal data has been abused. The information regulator will need to address these complaints effectively.