Let us first look at an example of cross-border transfers
A company based in Germany collected and transferred an individual’s email address to MailChimp based in the USA. MailChimp is a newsletter and email marketing service provider used globally (including by many South African businesses).
Data Protection Authorities in Bavaria prohibited the transfer of email addresses to MailChimp. This was because the company (the controller) failed to follow the GDPR (which is basically Europe’s version of POPIA).
Data controllers in Europe tended to rely on standard contractual clauses governing data protection obligations when transferring data outside of the European Union. The idea is that you could then contractually ensure that recipients securely handle data.
However, it is now clear that companies in Europe must also check whether any extra measures are necessary to protect the data transferred. Standard contractual clauses alone may not be enough.
The reason behind this is interesting
Authorities considered the Schrems II decision handed down under the GDPR (which also invalidated the previous EU-USA Privacy Shield). In simple terms, companies must first check the data protection laws of the recipient country. This is because contracts do not bind the supervisory authorities of the recipient country (usually government bodies – think CIA). This is a problem, for example, if local surveillance laws allow government bodies to intercept data with little regulation.
If the recipient’s laws are inadequate, then companies may not be able to rely on standard data protection contracts. The “exporting” company may be expected to stop the transfer and end the contract. If the transfer is essential to the company, then the company should get informed consent from the data subjects as required under the GDPR.
Now let us take a look at South Africa.
Section 72 of POPIA regulates cross-border transfers with many exceptions (we will chat about this soon).
The general position is that the recipient of the data must be subject to a law, binding corporate rules OR a binding agreement providing an adequate level of protection.
POPIA may then differ from the GDPR.
Under GDPR, the company must follow a double-barrel approach. There must be both adequate laws and a contract governing the recipient.
POPIA appears to only need one or the other. This is a more lenient stance on cross-border transfers. This could mean that a mere contract with MailChimp will be enough.
This lenient position taken by South Africa could become very problematic. Think of an example where a European company transfers data to a South African company, who then transfers that data onto their MailChimp system (in the USA).
European authorities might view POPIA as an inadequate data protection law because it offers a lower level of protection to later transfers of data elsewhere from South Africa. This could create further regulatory barriers to doing business in South Africa. This means that European countries might need to consider additional measures to protect their data in South Africa, or stop transferring data entirely.
Despite this position taken by South Africa on cross-border transfers, it would be prudent to tread cautiously when transferring data outside of South Africa. Always seek expert legal advice before doing so.
**The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.**