If you’re in business in 2017, and you create and make use of data in your everyday business activities, you’ve likely heard of the Protection of Private Information Act. Or, as it’s better known, PoPI.
While PoPI’s finer points aren’t something everyone discusses at length around the water cooler, one of the provisions business owners are likely to have heard about is the idea that PoPI will prevent cross-border data flows. That is, that all data will – by law – have to be stored within South Africa’s borders.
But is that really true? Is it even possible in the era of the cloud, where datacentres are geographically dispersed while being used by customers the world over?
Commercial Attorney at Microsoft South Africa, Theo Watson, says the answer to both questions is no.
In a recent LinkedIn post, Watson wrote the following:
Firstly, what is data sovereignty? In its simplest form data sovereignty describes the legal principle that information (generally in electronic form) is regulated or governed by the legal regime of the country in which that data resides. With cloud computing, and specifically the public cloud aspect thereof, data that users generate in most instances resides on servers outside the legal or territorial border of the users’ country of residence. This means that the data of an individual becomes subject to a foreign legal regime.
Secondly, and for purposes of those resident within the borders of South Africa, what does PoPI say about data sovereignty? Section 72 of PoPI regulates transfers of personal information outside the Republic and therefore broadly determines the issue of “data sovereignty”.
Section 72 of PoPI provides the following (below is a summary of Section 72):
- (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless any ONE of the following conditions/considerations exist —
(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that reflect the principles of PoPI;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; or
(e) the transfer is for the benefit of the data subject.
It therefore follows that PoPI does not broadly prohibit the transfer of data outside of South Africa. On the contrary, (i) we find that PoPI narrowly concerns itself only with personal information and (ii) further, and more importantly, regulates HOW personal information may lawfully be transferred internationally.
Simply put, section 72 does not prohibit cross-border data flows, rather it acts as an enabler and protector of personal information by providing a set of five (5) conditions (considerations) which a Responsible Party needs to apply and which seek to protect a data subject’s personal information as it moves offshore. Of course, if none of the five (5) conditions are met, a Responsible Party may not transfer a data subject’s personal information outside of South Africa.
And there you have it, directly from a legal mind at Microsoft: PoPI seeks to protect your personal information, but does not demand that local data stay within South Africa’s borders.