What constitutes a “transfer” of personal information?
By Tabacks Commercial Team
Section 72 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), the legislation that regulates the protection of personal information in South Africa, states that transfers of personal information to a foreign country can take place if the transfer satisfies one or more of the following conditions:
the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for lawful processing in the POPIA (including, where applicable, in respect of data subjects that are legal entities);
the data subject consents to the transfer;
the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer but if it were the data subject would be likely to give it.
Article 44 of the General Data Protection Regulation (“GDPR”), the legislation that regulates the protection of personal information in the European Union, states that “any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in [Chapter 5 of GDPR] are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
Upon inspection of POPIA and the GDPR, it becomes evident that the term “transfer” is not defined.
In the absence of a definition of the term “transfer”, some uncertainty is created as regards what constitutes a “transfer” of personal information, such as whether the location of servers (for example) matters, and whether the type of access to hosted personal information that persons in countries outside the borders of South Africa are given is called into question.
Conversely, the failure to define the term may have been intentional due to how rapidly the advances in technology occur. It may be that not having a formal definition allows for flexibility, so that any fixed definition of “transfer” does not become outdated and fail to cover any future advancements in respect of transfers to which technology may give rise.
As the South African (and, it appears, European) courts are yet to pronounce on the meaning of the term “transfer”, parties are obliged to rely on general principles of interpretation and on reading the term in the context of POPIA as a whole.
It is interesting to note that the word “processing” (and its linguistic variations) is used widely and is a defined term in both POPIA and the GDPR, yet the word “transfer” is only used in relation to cross-border transfers of personal information outside of South Africa and the EU, respectively.
“Processing” is defined under POPIA as any operation or activity or any set of operations whether or not by automatic means, concerning personal information, including:
the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
dissemination by means of transmission, distribution or making available in any other form; or
merging, linking, as well as restriction, degradation, erasure or destruction of information.
Under the GDPR, “processing” is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Having regard to the above definitions of “processing”, it is possible to apply their terms, to a certain extent, to the meaning of “transfer”. The plain English meaning of the word, as defined by the Oxford English Dictionary, is to (1) move (from one place to another); (2) move or cause to move to another department, occupation, etc., redirect (a telephone call) to a new line or extension; (3) change to another place, route or means of transport during a journey; and (4) make over the possession of.
By reference to the definition of “processing”, it will be noted that it includes “the dissemination by means of transmission, distribution and making available in any other form”. “Transmission”, according to the Oxford English Dictionary, is, inter alia, a synonym for “transfer” and accordingly, inasmuch as “transmission” is one of the acts comprising “processing”, it may be said that the provisions of both POPIA and GDPR that apply to “processing” also apply to cross-border transfers of information as “transfers” of information referred to in section 72 of POPIA and Article 44 of GDPR.
In determining the meaning of the word “transfer”, and in the absence of any indication that a contrary approach was intended, the principles of interpretation of statutes require that the plain meanings of the words should be applied.
Having regard to the definitions of “transfer” and “transmission” set out above, any act by which information is sent from a location in South Africa to a recipient in another country would amount to a “transfer” of information contemplated by Section 72 of POPIA. It does not matter whether the information is sent as a result of a direct decision by a specific, identifiable person, or is consciously received by another specific, identifiable person, or whether the transfer is generated or received and stored, as the case may be, by a computer that is programmed to carry out that function without a specific human instruction.