What international organisations should consider for the transborder transfer of information

17 November 2021

Picture the world with fine strings connecting every place on earth to one another. Now imagine these strings alight with the instantaneous transfer of information back and forth between data points across cities, countries and continents. Our world is interconnected by data. And at the best of times, this interconnected nature is complex. 

It is even more complex when organisations use this interconnectedness to enable business as usual.

The nature of business in the 21st Century is such that organisations are no longer limited to using infrastructure in their own country. Instead, organisations in one country can tap into state-of-the-art resources across the world – more commonly known as Infrastructure as a Service (IaaS). Examples of these cloud-based, interconnected resources are legion in the form of off-the-shelf and bespoke cloud platforms, email marketing platforms and collaboration solutions.

What do cloud-based resources have in common?

In order to unlock the full scope of a global organisation’s products or service offering using cloud-based infrastructure, the organisation’s information, including personal information, is transferred from one country to another seamlessly and easily considering that global organisations typically use data centres in multiple locations. Organisations are either investing more into cloud-based platforms (whether public or private) as well as their own data centre operations in countries where it makes sense to do so. 

The value that an organisation creates from leaning into accessible, streamlined products and services allows such an organisation to contribute to the local and global economy.

However, risks associated with data privacy compliance increases significantly when personal information is transferred out of a country. The spectrum of cyber risk events become usual suspects – a daily consideration

Data is valuable. And where there is something valuable, along with it presents an opportunity for it to be compromised. In recent years, governments across the world have started fine-tuning legislation to protect their citizens’ personal information from falling into the wrong hands and risk the misuse of their data. Global companies are now faced with navigating multiple privacy laws across geographic regions. 

How does POPIA in South Africa protect personal information in the context of transborder transfers of information?

Section 72 of the Personal Protection of Information Act (POPIA) prohibits a responsible party in South Africa to transfer the personal information of any data subject to a foreign country. However, POPIA also sets out specific conditions under which personal information can be transferred in order to protect it: 

ENSafrica Executives Era Gunning and Rakhee Dullabh unpack these provisions in a recent article that appeared in ENSight:

  1. The third-party recipient is subject to laws, binding corporate rules or binding agreements that provide adequate protection of personal information. These laws, rules and agreements, must be similar to POPIA and provide for the restriction of any further transfer of personal information by that recipient to other third parties in a foreign country;
  2. The data subject consents to the transfer;
  3. The transfer is necessary for the performance of a contract or pre-contractual measures; or
  4. The transfer benefits the data subject and it is not reasonably practicable to obtain consent, and if it were reasonably practicable the data subject would likely give it.

Organisations also need to consider that although many countries have some form of data privacy legislation in place, certain nuances exist that may require careful comparison. Be aware to carefully distinguish between similarly sounding terms. For instance, comparably, POPIA and GDPR are often perceived to be similar – but they do in fact contain significant differences.

Do not underestimate the value of an operator agreement in the context of global systems

There are definitive practical considerations that global organisations should be cognisant of on their data privacy journey. In our experience a well drafted operator agreement between the Responsible Party and the service providers (Operators) who facilitate the processing, storing, safeguarding, use and destruction of personal information on behalf of the Responsible Party should not be underestimated. Such an agreement forms the backbone of negotiations reflecting key aspects of data protection such as the location of the data and how it should be safeguarded.

However, in many instances a strict agreement might be negatively received by operators hesitant to sign for fear of being disadvantaged. To frame this agreement with a more friendly, cooperative tone, position the agreement as a mutually beneficial framework to navigate data privacy risk together instead of a one-sided contract. This is an effective and deliberate strategy that allows organisations to cultivate trust and transparency with their operators.

As the data privacy landscape unfolds, so does the legislation that governs the protection of personal information. Alongside ENSafrica, we aim to provide our clients with up-to-date information through a series of exclusive, client-only webinars. To find out more about our inter-operable practice and how we can walk the POPIA compliance journey with you, feel free to reach out to hello@krielandco.com.