Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part II: The Data Transfer Provision

Cross-Border Data Flows and the Protection of Personal Information Act 4 of 2013 – Part II: The Data Transfer Provision

The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, personal information is very often collected and proces...

Full description

Saved in:
Bibliographic Details
Published in:Potchefstroom electronic law journal Vol. 27
Main Author: Coetzee, Juana
Format: Journal Article
Language:Afrikaans
English
Published: North-West University 07-11-2024
Subjects:
cross-border data transfers
personal information
POPIA/POPI
section 72 POPIA
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The Protection of Personal Information Act 4 of 2013 (POPIA) was introduced to protect the right to privacy of the South African data subject. The Act prescribes obligations that a responsible party must fulfil to achieve this purpose. However, personal information is very often collected and processed by responsible parties who are outside the Republic. Alternatively personal information is collected by a responsible party in the Republic and then transferred out of the country. Part I of this article discussed the territorial scope provision (section 3) and concluded that it can give rise to interpretative uncertainties with the result that personal information processed by responsible parties outside the Republic would not be covered by the Act. However, responsible parties often move their processing activities out of the country to escape liability. This part of the article analyses the data transfer provision (section 72), a provision that is directed at the regulation of the transfer of data outside the Republic. Section 72 lays down certain conditions before a responsible party can export data out of the Republic to a third party. The discussion will show that the provision has certain shortcomings which could limit its effectiveness in providing the necessary protection if compared to its counterpart in the EU General Data Protection Regulation (GDPR). Consequently, legislative revision or clarification by the Information Regulator in the form of a Guidance Note would be welcomed. The article concludes with a brief analysis of the interplay between sections 3 and 72 to illustrate the need for both these provisions in our law.
ISSN:1727-3781
1727-3781
DOI:10.17159/1727-3781/2024/v27i0a15234