Data Transfer Agreements
There is no denying that in a modern society, data is incredibly valuable, with some even suggesting that “data is the new oil”. Whether in a business context, or in a scientific and research environment, data sharing and processing have become the norm rather than the exception. On a regular basis, we are seeing personal information being transferred outside the borders of South Africa.
In some instances, data is transferred to a foreign country for analytical purposes, or it may be sent to affiliates or subsidiaries abroad to make business decisions, or it could be sent to another country electronically for storage purposes, or it may be shared with research groups in foreign jurisdictions for scientific and medical purposes – there are various reasons data is sent abroad. In any event, it is essential that an agreement is in place – to protect the parties, and to ensure compliance with the Protection of Personal Information Act 4 of 2013 (‘POPIA’).
Primarily, section 72 of POPIA regulates the transfer of personal information outside the borders of South Africa. The default position is that personal information may not be transferred outside the Republic.
However, there are several exceptions to this, which are:
- The third party, in a foreign country, who is the recipient of the data is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection;
- The data subject consents to the transfer;
- The transfer is necessary for the performance of a contract between the data subject and responsible party;
- The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the responsible party and a third party; and
- The transfer is for the benefit of the data subject.
In our experience the first two exceptions are the most relied on. It should be noted that any one of these exceptions can apply, and a responsible party does not need to satisfy all of them.
What does adequate protection mean? In simple terms, it means the same level of protection as provided for by POPIA. The Information Regulator has yet to make any adequacy determinations in relation to foreign countries where the law provides protection for data. Consequently, for the time being, we suggest that parties rely on a contract which consents to the transfer, and which also articulates protection for the data on the same basis as provided for in POPIA. We always suggest that wherever the data flows, the protection should “travel” with it, and where possible, the data subject should expressly consent to the transfer.
What countries have laws that provide adequate protection? For the most part, if a person is transferring data to the EU or the UK, the GDPR-based principles in our view provide an adequate level of protection for natural persons, but the GDPR does not protect the personal information of juristic persons, which provides an interesting nuance. In the near future, one expects to see the Information Regulator publish further guidance on this issue, and to list countries which it deems to provide sufficient protection. By way of example, the Information Commissioner’s Office in the UK (the equivalent of the Information Regulator) has provided a list of countries that are covered by “adequacy decisions”. These are the EU countries, as well as several others including Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, all of which are deemed to have “adequate” protection. South Africa is not yet on the UK or EU adequacy list, although with the promulgation of POPIA, one hopes our Information Regulator and government engage on this topic with the EU and UK as a matter of urgency to facilitate international trade.
Be that as it may, our view is that where data is transferred outside of South Africa, one should always have a signed agreement in place, and the parties to that agreement should be obliged to abide by the principles contained in POPIA. In brief, the eight conditions for lawful processing should apply, and the parties must set out the technical and organisational measures that will protect the data. There should be obligations on each party to check that the other can comply with the various requirements, compliance should be audited regularly, and this should be documented with the parties meeting regularly.

Lee Swales
Livingston Leandy Inc.
031 536 7538
lswales@livingston.co.za
The content of this blog is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive, nor does it constitute legal or other professional advice. You should seek legal or other professional advice before acting or relying on any of the content.