Russel Luck, specialist Technology Attorney at SwiftTechLaw discusses the similarities and differences between South Africa’s Protection of Personal Information Act (POPIA) and Europe’s GDPR and how companies doing business across both regions need to handle their approach to privacy compliance.
A lesser-known fact is that the European Union is the birthplace of modern information privacy law. The right to privacy has existed for centuries, but EU countries experienced first-hand how the abuse of personal information can lead to detrimental (sometimes fatal) consequences. This led to the adoption of the European Union Data Protection Directive (EUDPD, Directive 95/46/EC) in 1995 in an effort to regulate the use of personal information.
Since then, the digital age has presented major challenges to regulation. Technology enables the transfer of vast amounts of information across borders, with many benefits. It simultaneously enables organisations in countries governed by privacy legislation to move data outside their borders and so bypass domestic restrictions. In response, information privacy laws have been constructed to prohibit the transfer of personal information to countries with lower standards of legal protection than their own.
It is in this context that South Africa promulgated the Protection of Personal Information Act (POPIA). POPIA ensures that South Africa is able to process information and conduct business with European countries for commercial benefit. At the same time, POPIA advances the right to privacy contained in the South African Constitution and imposes harsh sanctions to protect citizens' right to privacy.
In the digital economy, stakeholders within South Africa and the EU process personal information across jurisdictions in a multitude of mediums. South Africa and the EU both have comprehensive information privacy laws in place, but there are both disparities and similarities between the two. This creates frequently asked, seldom answered questions:
When are South African entities bound by the GDPR, and when are European entities bound by POPIA? Is compliance with one legal standard sufficient for the other? The answer is not always simple, but a basic understanding of the differences can assist.
What POPIA compliant organisations need to know about the GDPR
POPIA extends to the protection of the personal information of juristic persons (i.e. legal entities such as companies) and not just individuals, making it more extensive and stringent than the GDPR, which applies only to natural persons. SA organisations therefore cannot assume that a GDPR-compliant business partner's controls cover the information of juristic persons: they must ensure that POPIA's domestic standards are applied to that information as well.
POPIA is also more stringent in its mandate for an Information Officer. It requires every organisation to fill the Information Officer role; failing a designation, the head of the organisation (the CEO or equivalent) is deemed to be the Information Officer. In contrast, the GDPR only requires the appointment of a Data Protection Officer for certain organisations in specified circumstances, such as public authorities and organisations whose core activities involve large-scale regular monitoring of data subjects or large-scale processing of special categories of data.
On the other hand, the GDPR carries much heavier fines than POPIA: up to €20 million or 4% of global annual turnover, whichever is higher. The maximum penalties under POPIA are a R10 million fine and/or imprisonment for a period not exceeding 10 years; the GDPR itself does not provide for imprisonment and leaves criminal sanctions to member state law.
What GDPR compliant organisations need to know about POPIA
While the concept of privacy by design (and by default) is mandated by the GDPR, it is not mentioned in POPIA at all and remains a best practice or voluntary approach for POPIA-compliant organisations.
The GDPR grants data subjects the right to data portability, under which they may request that their personal data be transferred to another controller or service provider in a structured, machine-readable format. This right is not extended to data subjects under POPIA. Lastly, the GDPR mandates that data protection impact assessments be conducted for processing that is likely to result in a high risk to data subjects, and that documentation of such assessments be maintained. At the time of writing there is no corresponding requirement under POPIA.
The best way forward
When it comes to information privacy compliance, there is no one-size-fits-all solution. As a point of departure, if you're processing personal information (or personal data) governed by both POPIA and the GDPR, you must satisfy the requirements of both jurisdictions. The good news is that adapting a POPIA or GDPR compliance programme for dual legal compliance is not particularly onerous or invasive. It does, however, require expertise in both regimes, and it is worth making further enquiries.
During AfricaCom 2018, the Mobile Ecosystem Forum and WASPA are hosting a joint members-only briefing on South Africa's personal information regulation, POPIA.
The evening will bring together local and international members of both organisations in an exclusive, invite-only environment: a chance to connect, do business and escape the show floor.