Data Protection and Privacy laws are the current subjects of interest for multiple organizations around the world. The chatter is mainly about the European Union’s General Data Protection Regulation (GDPR), which came into force early this year on the 25th of May. The GDPR is an overhaul of the existing data protection legislation which seeks to upgrade the legislation across the EU to ensure the law reflects the changes in technology. However, as is the case with privacy laws, GDPR has gone beyond the walls of the European Union and has had an impact on the way other countries do business.
In South Africa, businesses which are focusing on data protection and privacy are probably more concerned about complying with the Protection of Personal Information Act 4 of 2013 (PoPIA). This Act applies to all organizations in South Africa because they collect data from their workers, suppliers and customers. The PoPIA regulates how this data is collected, how it is stored, what it is used for and the rights of the person whose data is being collected.
PoPIA is not in effect yet, but it is expected to commence in 2019, and once this happens South African organizations will have at most three years to become compliant. GDPR and PoPIA are both pieces of legislation providing for the protection of personal information and are in many ways similar to each other. While PoPIA might be the main concern for South African businesses, they should also consider GDPR. Many businesses are turning their attention away from the EU’s new legislation because they are not in the European Union, when they should instead be determining whether GDPR applies to them. Some organizations that process personal information of individuals in Europe are subject to GDPR, regardless of where the organization is located. If an organization based outside of the EU can answer yes to any of the questions outlined below, which are just a few of many, it is subject to the requirements contained within GDPR:
- Does the organization have a legal entity registered in Europe?
- Is the organization established in the EU in some other way? The test is whether the organization exercises ‘any real and effective activity – even a minimal one in the EU’ (Weltimmo v NAIH (C-230/14)).
- Does the organization offer goods and services to individuals in Europe? The question is whether that organization foresees that its activities will reach individuals in the EU.
- Does the organization monitor the behavior of individuals in the EU while they are in the EU?
It makes sense that the regulation should apply equally to such organizations because in the connected world we live in, data flows from country to country with no regard for borders or jurisdiction and so data protection laws must also cross borders.