Section 72 of POPI deals with transfers of personal information outside South Africa or transborder information flows. It essentially says that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country, unless certain protections are in place. For example, if:
- The foreign country has a law that provides adequate protection.
- There are binding corporate rules that provide adequate protection.
- There is an agreement between the sender and the receiver that provides adequate protection.
- The data subject consents.
- The transfer is necessary for the responsible party to perform in terms of a contract.
Does the United States (USA) have a law that provides adequate protection?
No. Under the safe habour arrangement America was regarded as having laws that provide adequate protection. But a recent ruling of the European Court of Justice says that they don’t. This means that if you want to transfer personal information from South Africa to the US, you need to rely on one of the other protections.
Lawful transfer personal information outside South Africa
To lawfully transfer personal information outside South Africa to a foreign country you need to check that it will be protected in that foreign country. You do this by working out which protection (or unless) set out in section 72 you are relying on. In future, the Information Regulator or a data subject could ask you why you transferred their personal information to another country. You will need to have a reason why it was lawful for you to do so.
Transborder information flows
You need to:
- make a list of the all the countries to which you transfer personal information,
- work out which of those have a law that provides adequate protection, and
- for those that don’t, decide which other protection in section 72 you are going to rely on.
We can help
- Provide you with an opinion answering a particular question.
- Tell you which countries (especially African countries) have a law that provides adequate protection.
- Draft binding corporate rules.
- Draft an agreement with a third party (like an operator or another responsible party) to provide an adequate level of protection.
- Draft template clauses for you to include in your agreements with third parties who are in other countries.
- Draft consent clauses for you.