Transfers of personal information outside South Africa

Section 72 of POPI deals with transfers of personal information outside South Africa or transborder information flows. It essentially says that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless certain protections are in place. For example, if:

1. The foreign country has a law that provides adequate protection.
2. There are binding corporate rules that provide adequate protection.
3. There is an agreement between the sender and the receiver that provides adequate protection.
4. The data subject consents.
5. The transfer is necessary for the responsible party to perform in terms of a contract.

You can also find out how to achieve cross-border data transfers in compliance with the law from one country to any other.

Does the United States (US) have a law that provides adequate protection?

No. Under the safe harbour arrangement and then privacy shield, America was regarded as having laws that provide adequate protection. But a recent ruling of the European Court of Justice (ECJ) says that they don’t. This means that if you want to transfer personal information from South Africa to the US, you need to rely on one of the other protections.

Lawfully transfer personal information outside South Africa

To lawfully transfer personal information outside South Africa to a foreign country you need to check that it will be protected in that foreign country. You do this by working out which protection (or unless) set out in section 72 you are relying on. In future, the Information Regulator or a data subject could ask you why you transferred their personal information to another country. You will need to have a reason why it was lawful for you to do so.

Lawfully transfer personal information from a country to South Africa

The EU does not currently regard South Africa as having an adequate level of protection. South Africa needs the Commission to find it adequate.

Transborder information flows

You need to:

1. make a list of all the countries to which you transfer personal information,
2. work out which of those have a law that provides adequate protection, and
3. for those that don’t, decide which other protection in section 72 you are going to rely on.

Action you can take

1. Lawfully transfer personal information from South Africa to another country by asking Michalsons to:
   1. provide you with an opinion answering a particular question,
   2. draft binding corporate rules for your organisation,
   3. draft a binding agreement with a third party (like an operator or another responsible party) to provide an adequate level of protection,
   4. draft a bespoke operator agreement for your organisation, 
   5. draft template clauses for you to include in your agreements with third parties who are in other countries, or
   6. draft consent clauses for you.
2. Know which countries in the world (especially African countries) have a law that provides adequate protection by asking Michalsons.