POPI (the Protection of Personal Information Bill) has been a difficult subject for most corporates living in the age of cloud computing. Corporates using offshore data centres to store customer or employee-related personal information need not fear that this will be totally prohibited once POPI becomes law. Although POPI prohibits the offshore transfer of personal data, it will provide for a number of exemptions to this prohibition.
“POPI has been in the making for eight years and will hopefully be passed into law this year. Companies will then have a one-year transition period to get their houses in order to ensure they comply with POPI,” says Tammy Bortz, director and IT law specialist at Werksmans Attorneys. “One of the benefits of POPI is that it sets out the requirements to enable the transfer of personal data offshore which will in turn enable South African companies to do business internationally,” says Bortz.
“There appears to be a view amongst certain companies and institutions that the cross-border transfer of personal data will be prohibited once POPI is enacted. This is not the case,” says Bortz. “POPI provides for exemptions to this prohibition which allow for cross-border data transfer in a number of circumstances. Companies need to work through these exemptions to see if and where an exemption may apply to their specific cross-border data transfer requirements.”
The relevant section in POPI, section 72, has five exemptions that, if applicable, would allow offshore data transfer.
The practicalities of obtaining consent
One exemption that is potentially available to all companies is where the data subject – the person to whom the personal information relates – gives his or her voluntary, specific and informed consent to the data transfer.
“However, obtaining consent could be difficult and impractical for a business where the consent of thousands of subscribers or customers would need to be obtained,” Bortz says. “Before going ahead with any transfer, it would be necessary to obtain consent from each and every individual whose data is to be transferred.”
In such cases, there is another useful exemption which makes provision for situations where it is not practical to gain the data subject’s consent.
“There is the exemption allowing offshore data transfer when this would be for the benefit of the data subject,” Bortz says. “For this exemption to apply, three factors must be present – the data owner would derive some kind of benefit as a result of the transfer (for example, better data security, lower costs or better service delivery), it would not be reasonably practical to obtain the data subject’s consent and further if the data subjects were to be contacted, they would be likely to give their consent.”
Transfer to jurisdictions with similar laws or rules
“A further useful exemption is the introduction of the concept of ‘binding corporate rules’ (BCRs),” says Bortz. BCRs are essentially legally enforceable personal information processing policies that are applied throughout a global company so as to ensure that all companies within the group (both local and offshore) adhere to the same set of data protection principles. BCRs ensure that adequate safeguards are in place so that the data subject’s rights will not be prejudiced as a result of the transfers made to jurisdictions which do not offer the same level of protection as POPI.
Useful mechanism in the international arena
Bortz says POPI could be a useful mechanism for South African organisations that may currently be prohibited from transferring data to overseas destinations or bringing it back to South Africa from them.
For example, the data protection laws in the United Kingdom only allow personal data that is being processed in the United Kingdom to be returned to a country whose laws provide data protection similar to that of the UK. POPI, once it becomes law, will be regarded as such a law and hence any existing prohibitions on the transfer of data from the UK to the RSA on the grounds that South Africa does not have in place sufficient data protection laws will fall away.
This is especially good news for South African companies wishing to use cloud services where such use will require them to place personal data of their customers or employees in an offshore cloud. There have been certain instances where the UK data protection commissioner has disallowed the transfer of personal data back to South Africa on the grounds set out above, but this will no longer be a problem once POPI becomes law.
She adds that POPI, which the Portfolio Committee on Justice and Constitutional Development approved in September 2012, brings South Africa’s personal data protection regime in line with the European Union’s – widely recognised as the most advanced in the world.