What do you know...and what can you do with it? [Part 1]


An article series exploring data protection laws in South Africa and the EU.

It is often said that “the most valuable commodity in the world today is information”; for that reason, it can also be the most abused.

The preamble to the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) recognises that “the protection of natural persons in relation to the processing of personal data is a fundamental right”. It also notes that “rapid technological developments and globalisation have brought new challenges for the protection of personal data”. Taking this into account, the EU Parliament enacted the GDPR to ensure “effective protection of personal data” by “the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data”.

In the same vein, South Africa enacted the Protection of Personal Information Act 4 of 2013 (“POPIA”), for the purpose of “[giving] effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at:

  • balancing the right to privacy against other rights, particularly the right of access to information; and

  • protecting important interests, including the free flow of information within the Republic and across international borders”.

General Data Protection Regulation (“GDPR”)

Although the GDPR is aimed at improving and standardising Europe’s data privacy laws, it applies to every natural or juristic person, wherever located, that processes personal data in relation to the offering of goods and services to, or monitoring behaviour of, EU citizens. A failure to comply with the GDPR could result in varying consequences, including a written warning and being subjected to periodic data protection audits. In more serious cases, administrative fines may be imposed. These fines could be up to 4% of the annual global turnover of the offender or €20 million.

Regardless of whether South African organisations have a physical presence in the EU, they are still obligated to comply with the provisions of the GDPR. In accordance with Article 3 thereof, the GDPR is applicable whenever an EU resident’s personal data is processed by a South African company in connection with goods or services provided and where South African companies monitor the behaviour of EU residents within the EU.

Tests for GDPR Application

Article 3(2)(a) outlines the goods or services test, which implies that a controller or processor established outside the European Economic Area (“EEA”) will nevertheless be subject to the GDPR when it processes the personal data of EEA data subjects in relation to its offering of goods and services to EEA data subjects. While this new test will bring many non-EEA suppliers and service providers within the scope of the GDPR, it is not intended to encompass every organisation whose promotional website is accessed from the EEA. Supervisory authorities will take a facts-based approach and apply the test on a case-by-case basis.

Article 3(2) also introduces the monitoring test, which is applicable to the extent that an organisation monitors an individual’s behaviour within the EEA. This test is intended to encompass organisations outside the EEA that utilise online technologies to track and profile individuals in the EEA. Natural persons will also be associated with online identifiers such as IP addresses, radio frequency identification tags and cookies, effectively classifying such information as personal data. The monitoring test may extend to non-EEA organisations that utilise cookies and other tracking technologies on their websites, where tracked individuals are located within the EEA. Several organisations may satisfy this test on account of their marketing activities.

Exemptions in Respect of Data Processing

In accordance with Article 2, even where a controller or processor falls within the territorial scope of the GDPR, there are three exemptions in respect of certain types of data processing:

  • processing in the course of an activity which falls outside of the scope of EU law;

  • processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and

  • processing by competent authorities to safeguard against and prevent threats to public security.

Our next article in this series discusses the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the relationship between the GDPR and POPIA.