The protection of personal information and cross-border data flows

14 Dec 2016

Ashly Hope, tralac Research Advisor, comments on the regulation of movement of data across borders and South Africa’s new privacy protection regime

On 1 December 2016 South Africa’s very first Information Regulator commenced operations. The Information Regulator is an independent agency created by the Protection of Personal Information (POPI) Act 2013 – legislation that creates a new regime to ensure personal information is gathered and dealt with appropriately. The strict new rules to be enforced by the regulator could have implications for South African trade as they restrict the movement of data across borders. Given South Africa’s important role as a trading partner on the continent, it is worthwhile considering whether continent-wide rules on the protection of personal information should be part of continental free trade area negotiations.

The full POPI regime will enter into force 12 months after proclamation of its commencement by the President. Reports suggest that the appointment of the Information Regulator and her team indicates that proclamation is looming – expectations are that this will occur in early 2017.

Given the vast volumes of personal information generated and used globally, and increasing concern about the use or misuse of this information, the new law is timely and welcome. However, while these new strict laws will help ensure personal information is not compromised or used for nefarious means, like any kind of regulation, there is a risk that these laws block the good as well as the bad.

In even the simplest of transactions, data crosses borders – whether it is among the branches of a trans-national bank, at the offshore call centre of a local company, via the cloud service that supports a logistics company, signing up to an online newsletter, or an individual purchasing a book from an overseas headquartered store. In these, and many other transactions, personal data must be shared.

Consequently, the trade implications that could arise from the implementation of the new data protection laws are not insignificant. The legislation prohibits cross-border data flows to countries that do not have similar standards for the use of personal information as South Africa, and one of the responsibilities of South Africa’s new regulator will be to facilitate cross-border cooperation in the enforcement of privacy laws.

In terms of positive trade implications, the prohibition on cross-border flows means that South Africa is more likely to be granted equivalence from other jurisdictions that also have strict data protection standards. This legislation, then, may make it easier for businesses to rely on their compliance with local law to meet the requirements of other jurisdictions. This would be a particular advantage for businesses dealing with and in the European Union, which has strict data protection requirements and a high barrier for equivalence assessments. With this new law in place, South African businesses may be able to avoid the more cumbersome arrangements that have been put in place where laws aren’t comparably strict. For example, the arrangements reached between the United States and the EU – the Privacy Shield – require the US Department of Commerce to verify that any particular company’s privacy policy complies with the EU’s strict requirements. An approach such as this would likely overburden the new regulator.

On the other hand, this prohibition has the potential to restrict the ability of South African businesses to operate beyond South African borders more generally. Given South Africa’s new regime is based on that of the EU, there is a possibility that the United States may be considered to have lower standards of data protection, and therefore data flows may be restricted.

Importantly, there are also varying levels of data protection standards across the continent, which may hinder the path towards African continental integration and in particular boosting intra-African trade. The digital economy offers a critical opportunity for African countries to leapfrog towards economic development, and good regulation of the digital environment is essential to ensure this opportunity can be taken advantage of. When considering the protection of personal information, the absence of regulation can be just as problematic as overly restrictive regulation. Individuals need the assurance that their personal information is safe and secure to give them the trust and confidence to participate in online transactions and engage with businesses that have cross-border operations. At the same time, businesses need to have the ability to use personal information across borders to both improve their services and maximise their profits.

The cross-border movement of information is an important and somewhat controversial component of trade that is particularly crucial for e-commerce. E-commerce has been high on the agenda of some WTO members – with the US in particular pursuing efforts to advance work on global e‑commerce rules under the WTO. This effort, however, was reportedly blocked by a coalition of African economies with support of other developing economies on the grounds that it was a diversion from the development agenda.[1]

The lack of support from African countries towards the development of global e-commerce rules means it is even more important that, at the very least, African rules are developed that can integrate with the global economy. Pursuing common standards around information transfer and privacy will help to ensure that different approaches to the protection of personal information do not unnecessarily constrain trade on the continent.

Local regional economic communities have already made significant progress towards the implementation of personal information protection laws across the continent, with, for example, e‑commerce strategies or regional level rules in place in most RECs. The African Union Convention on Cyber Security and Personal Data Protection, adopted in 2014, also includes comprehensive provisions on personal data protection, with the objective of the protection of physical data without prejudice to the principle of free-flow of personal data. However, as of June 2016, this Convention had only been signed by eight members, and not yet ratified by any members.[2]

In pursuit of a more effective and enforceable baseline standard, Africa could learn from other regional efforts to attempt to balance the protection of personal information with the need for data to cross borders under trade agreements. For example, one of the objectives of the Trans-Pacific Partnership’s E-Commerce chapter is to ‘establish requirements that support a single, global Internet, including ensuring cross-border data flows, consistent with governments’ legitimate interest in regulating for purposes of privacy protection.’ To this end, the agreement requires members ‘…adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce’.

Given the new arrangements in one of the continent’s largest economies, the importance of digital commerce and the differing regimes across the continent, it might be valuable for Continental Free Trade Area negotiators to consider whether the protection and transfer of data could be usefully incorporated into the CFTA discussions. This could form part of a dedicated E-Commerce chapter in the agreement, or be an example of mutual recognition of other country standards. Agreement at the Continental level could provide an overarching driver for countries to adopt the relevant instruments (such as model laws) developed in the RECs as well as recognise the different pathways to achieving functional equivalence in terms of protection of personal information. The REC instruments have the advantage of having already been implemented by a number of countries and the detail means that the CFTA provisions could be principles-based – thus avoiding the prescriptiveness of the AU Convention.

This significant change in South Africa’s privacy protection regime, and its potential implications for trade on the continent should serve as a catalyst for further efforts towards continental harmonisation and integration of personal data protection regulation – and reinforcement of the importance of the free flow of data.


[1] Live Mint African nations block WTO talks on digital trade rules 20 Oct 2016 http://www.livemint.com/Politics/SXA2N1RrqkMTzbKYxaKGaI/African-nations-block-WTO-talks-on-digital-trade-rules.html

[2] List of countries which have signed, ratified/acceded to the African union convention on cyber security and personal data protection: http://www.tralac.org/images/Resources/African_Union/AU Convention on Cyber Security and Personal Data Protection Status 1 June 2016.pdf