Missed the previous articles? Read them here: Article 1 | Article 2 | Article 3 | Article 4 | Article 5
In a connected world, it is too easy for personal data to move across borders. In the sixth article in our series, we look at how GDPR and POPIA treat cross-border transfers. Here is what we'll discuss:
Imagine this scenario for a moment. You are on a date at the zoo, chatting to your new beau while perusing animals, when you almost drop your phone into the water at the penguin enclosure. “Luckily I copied all your details to my neighbour’s phone, so at least that is safe.”
They look at you somewhat annoyed: “Hopefully not the weird one! And why not just back it up to the cloud?” In your defense, the weird neighbour was the only one with enough space on his device. And the WiFi was down.
One of the key characteristics of data is that it is relatively easy to move. Companies may have many different reasons to move data around, and do so on a regular basis. On the other hand, data subjects might also want to capture and move their data.
In today’s article, we are discussing the issues of cross-border data transfer and data portability as they relate to GDPR and POPIA.
Data transfer by data controllers across borders is prohibited by POPIA, and restricted by GDPR, with specific exceptions. Additionally, GDPR provides data subjects with the right to transfer their data between controllers (data portability).
In Section 72 of Chapter 9, POPIA states the following: “A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country…” and then proceeds to list a number of exceptions which are discussed below.
Chapter 5 of the GDPR deals with cross-border data transfers. In Article 49 we find the following: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
Where POPIA sets out exceptions, GDPR sets out requirements. We can compare the POPIA exceptions to the GDPR requirements as follows:
|
POPI Act |
GDPR |
|
Data is not allowed to be transferred across international borders to a third party. |
Data can be transferred on the basis of an adequacy decision by the Commission. |
|
Data can be transferred subject to appropriate safeguards. |
|
|
Data can be transferred on the basis of binding corporate rules. |
|
|
Data can be transferred by force on mutual international agreements. |
|
|
Exceptions - Cross-border data transfers are acceptable: |
Exceptions - Cross-border data transfers are acceptable: |
|
With consent of the data subject. |
With consent of the data subject. |
|
For the performance of a contract, or for |
When necessary for performance of a contract (between the controller and data subject). |
|
For the conclusion of a contract between the controller and a third party for the benefit of the data subject. |
When necessary for performance of a contract (between the controller and a third party for the benefit of a data subject). |
| No comparable exception. |
When it is in the public interest. |
| No comparable exception. |
When necessary for the exercise or defense of legal claims. |
|
For the benefit of the data subject where (a) consent can’t be reasonably obtained or (b) where consent can be obtained, it is likely that consent would be granted. |
For the protection of vital interests where the data subject is unable to give consent. |
| No comparable exception. |
When transferred from publicly accessible registers. |
|
When adequate protection is provided for where the third part is bound by law, agreements or corporate rules. |
No comparable exception. |
The concept of “binding corporate rules” was designed, in both cases, to provide organizations and their subsidiaries with a means to transfer data over international boundaries. Underpinning this concept is that of “a group of undertakings” which is a broad definition for an organization that consists of multiple entities operating in different regions.
At face value, the POPI Act prohibits cross-border data transfers, whereas GDPR provides strict requirements for such a transfer to take place. This makes sense as the EU consists of many co-operative countries who are bound to have organizations span international boundaries.
However, the emphasis in Section 72 of POPIA is not on prohibiting data flowing out of the country, but rather on the exceptions themselves. The exceptions are designed to safeguard data when they flow outside of the country. With this understanding, the differences between the two laws regarding cross-border transfers are mostly superficial.
When it comes to the exceptions, GDPR provides additional possibilities that relate to the public interest or publicly accessible data. GDPR also provides an exclusion related to legal applications, which POPIA lacks.
Finally, in Article 20, the GDPR provides the data subject with the right to transfer data from one controller to another, called data portability, which is absent from POPIA.
With numerous cloud services available, it is commonplace for businesses to host data outside of a given geographical jurisdiction. POPIA is designed to ensure that data controlled by South African entities is safe, regardless of where it is transferred to.
When using cloud services, or transferring data between on-site servers within the same organization (binding corporate rules), the effort lies in ensuring that the country that hosts the data offers the same degree of protection than would the POPI Act itself.
It is worth noting that the United States is not regarded as giving such protection.
Back at the zoo, you told your date that you allegedly copied their personal information to the weird neighbour’s phone. They didn’t give you permission to do that, and let’s be honest, the neighbour may lose his phone or abuse the information.
Similarly, POPIA and GDPR aim to protect personal data by restricting the ways in which organizations can transfer it outside of the geographical jurisdictions of these laws.
The rule of thumb is this: when moving data, be sure to store it in a country where it will be just as safe as it would be should POPIA or GDPR protect it.
POPIA compliance is a challenge. We created this free flowchart poster to help you figure it out. Click below to download your copy.
No SAP system is an island. Most of the time, SAP systems act as the hub that connects many other systems, including third parties. These include banks, benefit providers, vendors, clients and a multitude of cloud systems. It’s not uncommon for us to work with SAP systems that have more than a hundred interfaces.
You can only manage what you know. One of your first steps to POPIA and GDPR compliance is to map your data and data flows. This includes making an inventory of all interfaces on the SAP systems and classifying the data that flows through them. This will be the basis for working with third parties to ensure that data shared with them are done in a compliant manner. This takes time, since it depends on how quickly those third parties can respond and make changes, where required. Therefor, the data flow mapping should be one of the early steps in your compliance project.
EPI-USE Labs has developed our Privacy Comply methodology to streamline privacy compliance projects. Understanding data classifications and flows are a core part of this methodology. Given our years of experience working with data mappings in big systems, we use our software to largely automate sensitive data discovery, thereby eliminating a big part of the tedious work that’s typically required.