Companies are confused about whether they can lawfully store personal data outside South Africa under the provisions of the Protection of Personal Information (PoPI) Act.
Theo Watson, commercial attorney at Microsoft SA, tenders the following advice:
We are often asked whether cloud services are in any manner restricted under the data sovereignty provisions of PoPI and consequently whether a customer may store their data outside of South Africa. All too often we hear from customers that PoPI seeks to strictly enforce data sovereignty and prevent offshore data flows.
Firstly, what is data sovereignty? In its simplest form data sovereignty describes the legal principle that information (generally in electronic form) is regulated or governed by the legal regime of the country in which that data resides.
With cloud computing, and specifically the public cloud aspect thereof, data that users generate in most instances resides on servers outside the legal or territorial border of the users’ country of residence. This means that the data of an individual becomes subject to a foreign legal regime.
Secondly, and for purposes of those resident within the borders of South Africa, what does PoPI say about data sovereignty? Section 72 of PoPI regulates transfers of personal information outside the Republic and therefore broadly determines the issue of “data sovereignty”.
Section 72 of PoPI provides the following:
(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless any ONE of the following conditions/considerations exist —
(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that reflect the principles of PoPI;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; or
(e) the transfer is for the benefit of the data subject.
It therefore follows that PoPI does not broadly prohibit the transfer of data outside of South Africa.
On the contrary, we find that PoPI narrowly concerns itself only with personal information, and further – and more importantly – regulates how personal information may lawfully be transferred internationally.
Simply put, section 72 does not prohibit cross-border data flows; rather, it acts as an enabler and protector of personal information by providing a set of five conditions (considerations) which a responsible party needs to apply and which seek to protect a data subject’s personal information as it moves offshore. Of course, if none of the five conditions are met, a data subject’s personal information may not be transferred outside of South Africa.