International data transfers: What are the ‘adequate levels of protection’ required by POPIA?


This article discusses the significance that a recent European Union Court of Justice decision may have on the way in which POPIA is applied in South African courts, specifically in relation to the preconditions that are imposed before a cross-border transfer of personal information may take place.

In a recent decision by the European Union Court of Justice (“ECJ”) in the matter between Data Protection Commissioner v Facebook Ireland Ltd (Case C‑311/18) (“Facebook Case”), it was ruled that the Privacy Shield agreement, a framework for regulating exchanges of personal data for commercial purposes between the European Union and the United States of America, is invalid.

The Privacy Shield agreement was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce.

The ECJ held that the quality of protection offered by the Privacy Shield agreement did not meet the standard of protection guaranteed to EU citizens by the General Data Protection Regulation (“GDPR”), the primary legal framework providing for the protection or personal data and privacy of EU residents.

Although the ECJ judgment is based on the GDPR, an EU regulation, it is significant for South Africa because of the similarities between the preconditions imposed by article 46 of the GDPR and section 72 of South Africa’s Protection of Personal Information Act, 4 of 2013 (“POPIA”) before a cross-border transfer of personal information may take place. In this regard, the GDPR requires that “appropriate safeguards” and “enforceable data subject rights and effective legal remedies” be provided.

Section 72 of POPIA states that a responsible party in the Republic of South Africa may not transfer personal information about a data subject to a third party who is in a foreign country unless the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that:

  • effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and

  • includes provisions, that are substantially similar to section 72, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country.

The substantive provisions of POPIA (and in particular, section 72) have only recently come into force, and its content has not yet been tested by the South African courts. In the absence of binding case law in South Africa for the time being that deals with the provisions of POPIA, the considerations taken into account by the ECJ in the Facebook Case serve as a good indication of how South African courts may choose to consider “adequate protection” when applying section 72 of POPIA.

The ECJ in the Facebook Case pointed out that it is not sufficient that a foreign country has laws catering for the protection of personal data and privacy, and the content of those laws must also be considered and understood to determine whether the type and level of protection provided meets the required standards. Further, the ECJ found that the adoption of an adequacy decision with regard to a territory or a specified sector in a foreign country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the foreign country. The foreign country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the EU, in particular where personal data are processed in one or several specific sectors. Furthermore, the foreign country should ensure effective independent data protection supervision and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

The above safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to data processing within the EU, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the EU or in a third country.

When assessing the adequacy of the level of protection, the following elements are to be considered:

  • the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another foreign country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

  • the existence and effective functioning of one or more independent supervisory authorities in the foreign country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

  • the international commitments the foreign country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

In the absence of an adequacy decision, the controller or processor of the personal data should take measures to compensate for the lack of data protection in a foreign country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of:

  • binding corporate rules;

  • adoption of standard data protection clauses; and

  • standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority.