The basis for enforcement of data protection laws is to protect the public against data breaches, both domestically and internationally. Many South African organizations transfer data both locally and abroad. Cross-border data transfers occur, for instance, where personal information is sent outside of South Africa to a customer, client, service provider or sub-contractor, or when making use of cloud storage hosted outside South African borders. Section 72 of POPIA sets out the requirements for the export of data while ensuring that the data is subject to adequate legal protection.
In particular, section 72 states that a responsible party may only transfer personal information to a third party that is in a foreign country if certain protections are in place. To transfer personal information abroad, one of the following protections must be present:
- Adequate legal protection: The cross-border recipient of the personal information is subject to a law, corporate rules or an agreement that provides an adequate level of protection that effectively upholds the principles for reasonable processing. The law, corporate rules or agreement should include provisions that are (i) substantially similar to the conditions for the lawful processing of personal information in South Africa, and (ii) substantially similar to section 72 of POPIA, relating to the further transfer of personal information from the recipient to third parties that are in a foreign country.
- Consent: The data subject consents to the transfer of personal information.
- Necessary for the performance of a contract: The transfer of personal information is necessary for the performance of a contract between the data subject and the responsible party, or to implement pre-contractual measures taken in response to a data subject’s request.
- Interests of the data subject: The transfer of personal information is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
- Benefit of the data subject: The transfer of personal information is for the benefit of the data subject in circumstances where (i) it is not reasonably practicable to obtain the consent of the data subject for the transfer, and (ii) if it were reasonably practicable, the data subject would be likely to give consent.