Dr Beverley Townsend is a Postdoctoral Researcher at the York Law School at the University of York, UK.
If you think that with the advent of POPIA – by all accounts a comprehensive and robust piece of data protection legislation – that South Africa should simply expect to be considered ‘adequate’ for data transfers to the EU or the UK, you would be sorely mistaken. South Africa is not on the European Commission’s adequacy list. No African country is, and by all accounts, is not now nor will be considered ‘adequate’ for the purposes of UK data flows in the immediate future.[1]
The effect of being included in the European Commission’s adequacy list – the most recent country was the Republic of Korea – is that personal information can flow freely from the EU to South Africa without any further safeguard being necessary.[2] In other words, transfers are assimilated into intra-EU transmissions of data. But where the EU has ‘adequacy’ rules, requirements, and decisions,[3] post-Brexit the UK has opted to side-step the language of ‘adequacy’ preferring to style the idea as a ‘data bridge’.
The UK Data Protection and Digital Information Bill (‘UK DPDI Bill’) has recently sought to amend Chapter 5 of the UK GDPR concerning the transfer of personal data to third countries by setting out certain conditions for such transfer in Schedule 5. Following this, UK adequacy will be granted by the Secretary of State who will, by regulation, approve transfers of personal data to countries and international organizations.[4] However, for a country to be party to such an arrangement or be offered a ‘data bridge’, the Secretary of State will consider, first, the desirability of facilitating transfers of personal data to and from the United Kingdom with that third country, and then whether the ‘data protection test’ is met in relation to such transfers.[5] South Africa is not listed as a top priority, or even, unlike Kenya, a longer-term priority for UK data partnership.[6]
Moreover, for a country to be extended a data bridge it will need to have passed the ‘data protection test’. This means that consideration will be had, not only of whether the country has data protection legislation, but of its overall effect, implementation, enforcement, and supervision. In terms of the UK DPDI Bill, in deciding whether South Africa or an international organisation will pass the test the Secretary of State will also account for, amongst other things,
Once approved, the Secretary of State will, on an ongoing basis, monitor developments in third countries and international organisations and amend or revoke such regulations if the requirement for the data protection test is no longer met.
It is therefore not merely a matter of having POPIA in place. POPIA is a start – in the right direction, certainly – but simply the start.
_____________________________________
[1] https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation.
[2] https://commission.europa.eu/document/e9453177-f192-4416-a147-3c57adc468c4_en.
[3] Townsend, BA. (2021). The lawful sharing of health research data. Information & Communication Technology Law. https://doi.org/10.1080/13600834.2021.1918905.
[4] Article 45A. https://publications.parliament.uk/pa/bills/cbill/58-03/0265/220265.pdf.
[5] UK DPDI Bill Article 45A(3) and Article 45B.
[6] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1085485/World-Map-V3__2_.jpg.
[7] UK DPDI Bill Article 45B(2).