As an individual residing in South Africa and/or employed in corporate South Africa, you are probably aware of the Protection of Personal Information Act No 4 of 2013 (“POPIA”), which has been enforceable in the country since 1 July 2021. Whilst South Africa enforces POPIA, other countries around the globe also have their own privacy laws enacted in order to regulate the processing of their personal information. This means that whilst a South African organisation must adhere to the conditions of POPIA, there may very well be other privacy laws that it may also need to comply with when processing or collecting personal information cross border.
There are numerous countries around the globe that have data privacy laws enacted. Interestingly, there are some large countries, such as the United States, which have privacy laws that may differ at state level and some countries that have multiple privacy laws that may need to be applied concurrently.
Below are some of the privacy laws enacted around the globe:
- General Data Protection Regulation (GDPR) and ePrivacy in the European Union
- California Consumer Privacy Act (CCPA) and The California Online Privacy Protection Act (CalOPPA) of the USA
- The Privacy Act 1988 of Australia
- Cyber Security Law of China
- Personal Data Protection Bill 2018 of India
- The Personal Information Protection and Electronic Documents Act of Canada
When personal information leaves South Africa, for instance when using cloud services hosted in foreign countries, it is important for organisations to ensure that data protection clauses are included in contracts with the third-party recipients of the personal information. This is to ensure protection of the data subject’s personal information and to ensure that the third party adequately adheres to data protection laws and requirements. Alternatively, entities collecting data may request consent from the data subject prior to collecting their personal information through a privacy notice or other practicable methods.
In instances where personal information is collected from foreign countries, it is important for organisations to ensure that they research the privacy laws enacted in those countries they are collecting personal information from in order to ensure they comply with all requirements applicable to them. It is important to note that privacy laws may vary from country to country and, in such an instance, you may find that you need to comply with both POPIA and other privacy law requirements of the country that you are collecting personal information from.
Below is a five-step approach that organisations may apply to transborder personal information collected and processed in South Africa to ensure compliance with POPIA and other applicable privacy laws.
- Identify and assess the personal information being collected in order to establish the data type, the source of data and the geographic location of the source.
- Research the privacy laws enacted by the country where the source is geographically located and which requirements are applicable to the personal information collected. This can also be done by seeking advice from a legal representative or data privacy expert.
- Identify any overlaps between requirements if more than one privacy law is applicable. This will allow common requirements to be addressed simultaneously in order to minimise costs.
- Address the remaining requirements that are applicable to ensure full compliance.
- Regularly check for updates to the laws applied in order to ensure continuous compliance with applicable requirements.
Privacy laws enacted around the globe are not intended to add unnecessary red tape but instead to ensure data security, responsible processing of personal information and adequate protection for data subjects. Organisations, therefore, have an obligation to ensure the protection of the right to privacy for citizens around the globe. The free flow of information with no legal regulation leads to an increased risk of personal information breaches, discrimination against data subjects and other cybersecurity crimes. With that said, it is important to note that compliance with privacy laws minimises exposure to the risks above, protects data subjects and demonstrates good governance and leadership.
IT Auditor, Johannesburg