Weighing in on a UK-SA data bridge

Beverley Townsend

Beverley Townsend

Dr Beverley Townsend is a Postdoctoral Researcher at the York Law School at the University of York, UK.

If you think that with the advent of POPIA – by all accounts a comprehensive and robust piece of data protection legislation – that South Africa should simply expect to be considered ‘adequate’ for data transfers to the EU or the UK, you would be sorely mistaken. South Africa is not on the European Commission’s adequacy list. No African country is, and by all accounts, is not now nor will be considered ‘adequate’ for the purposes of UK data flows in the immediate future.[1]

The effect of being included in the European Commission’s adequacy list – the most recent country was the Republic of Korea – is that personal information can flow freely from the EU to South Africa without any further safeguard being necessary.[2] In other words, transfers are assimilated into intra-EU transmissions of data. But where the EU has ‘adequacy’ rules, requirements, and decisions,[3] post-Brexit the UK has opted to side-step the language of ‘adequacy’ preferring to style the idea as a ‘data bridge’.

The UK Data Protection and Digital Information Bill (‘UK DPDI Bill’) has recently sought to amend Chapter 5 of the UK GDPR concerning the transfer of personal data to third countries by setting out certain conditions for such transfer in Schedule 5. Following this, UK adequacy will be granted by the Secretary of State who will, by regulation, approve transfers of personal data to countries and international organizations.[4] However, for a country to be party to such an arrangement or be offered a ‘data bridge’, the Secretary of State will consider, first, the desirability of facilitating transfers of personal data to and from the United Kingdom with that third country, and then whether the ‘data protection test’ is met in relation to such transfers.[5] South Africa is not listed as a top priority, or even, unlike Kenya, a longer-term priority for UK data partnership.[6] 

Moreover, for a country to be extended a data bridge it will need to have passed the ‘data protection test’. This means that consideration will be had, not only of whether the country has data protection legislation, but of its overall effect, implementation, enforcement, and supervision. In terms of the UK DPDI Bill, in deciding whether South Africa or an international organisation will pass the test the Secretary of State will also account for, amongst other things,

  • respect for the rule of law and for human rights in the country or by the organisation,
  • the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,
  • arrangements for judicial or non-judicial redress for data subjects in connection with such processing,
  • rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,
  • relevant international obligations of the country or organisation, and
  • the constitution, traditions, and culture of the country or organisation.[7]

 

Once approved, the Secretary of State will, on an ongoing basis, monitor developments in third countries and international organisations and amend or revoke such regulations if the requirement for the data protection test is no longer met.

It is therefore not merely a matter of having POPIA in place. POPIA is a start – in the right direction, certainly – but simply the start.

_____________________________________

[1] https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation.

[2] https://commission.europa.eu/document/e9453177-f192-4416-a147-3c57adc468c4_en.

[3] Townsend, BA. (2021). The lawful sharing of health research data. Information & Communication Technology Lawhttps://doi.org/10.1080/13600834.2021.1918905.  

[4] Article 45A. https://publications.parliament.uk/pa/bills/cbill/58-03/0265/220265.pdf.

[5] UK DPDI Bill Article 45A(3) and Article 45B.

[6] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1085485/World-Map-V3__2_.jpg.

[7] UK DPDI Bill Article 45B(2).