South Africa’s Protection of Personal Information Act 2013 (POPI) is largely based on the principles of the EU data protection directive. This includes the requirement that personal information must be adequately protected when transferred cross-border (assuming none of the other grounds apply).
As the US does not have privacy laws equivalent to the EU it could not be considered as a jurisdiction that adequately protected personal information and therefore this hampered the transfer of data freely across the Atlantic. In order to counteract this, in 2000 the EU Commission negotiated the Safe Harbour arrangement which allowed for US companies to voluntarily adhere to a set of data privacy principles deemed to meet the EU’s adequacy standards. These principles were enforced by the US Federal Trade Commission (FTC).
US based corporations often attempt to rely on the fact that they are “Safe harbour compliant” when demonstrating their data protection capabilities to South African companies. However these words were always meaningless outside the EU. Following the Schrems-Facebook judgment, it seems that these words may no longer hold weight in the EU either. The judgment invalidates the EU Commissions’ decision that Safe Harbour offers adequate protection when exporting personal data from the EU to the US.
Impact on South African companies?
- The ruling may impact the manner in which our information regulator (once appointed) enforces the requirement of adequacy in POPI (once it is in full force).
- South African companies with EU based operations may need to review their contractual arrangements for data transfer to the US. Our colleagues set out some practical guidance here.
- Locally based companies should continue to not rely on the promise of Safe harbour.
Read this post by our EU and US colleagues for more information on the decision.