The applicability of POPIA

At a foundational level, the processing of personal information is regulated by the Protection of Personal Information Act, 4 of 2013 ('POPIA') in South Africa. POPIA is, in turn, guided by Section 14 of the Constitution of the Republic of South Africa, which provides a right to privacy for all. POPIA serves as the first manifestation of South African legislation considering data specifically.

Before considering the impact of POPIA on cloud services specifically, it is crucial to recognise that, regardless of the type of organisation, whether a cloud service provider ('CSP') or any other company, POPIA requirements and particularly the requirements relating to the processing of information remain applicable. Therefore, when South African companies make use of CSPs, their obligations as Responsible Parties do not shift to CSPs. The conditions for the lawful processing of personal information by Responsible Parties, as set out in Section 4(1) of POPIA, remain valid and applicable to Responsible Parties. Similarly, CSPs which are conducting business within South Africa also need to adhere to the requirements of POPIA for their own business operations; however, the relationship between CSPs and Responsible Parties gives rise to most of the CSP's obligations, as will become clear in what follows.

Regulative framework and key sections of POPIA

Data processing

This article specifically considers matters related to cloud regulation. Sections 19 and 21 of POPIA are arguably the most relevant insofar as it relates to CSP relationships and will be discussed first. Section 72 of POPIA, which is particularly relevant to instances where CSPs process data outside of the Republic, is discussed thereafter.

Firstly, Section 19 of POPIA considers the security measures required to ensure the integrity and confidentiality of personal information and holds that Responsible Parties must take appropriate, reasonable technical, and organisational measures to prevent the unlawful processing, access, or alteration of data. To give effect to this requirement, Responsible Parties must identify risks to the personal information it holds, establish safeguards against the risks, and regularly ensure that the safeguards are effectively implemented and updated as new risks come to the fore. Specific industries, like the banking industry, have additional generally accepted security practices and procedures which may further apply.

The requirements contained within Section 19 apply regardless of whether a Responsible Party makes use of a CSP or not. Yet, provided this obligation, Section 19 of POPIA is crucial for organisations considering CSPs since it requires Responsible Parties to govern the risks associated with data processing. Essentially, Section 19 manifests the obligation of ensuring the safety of the Responsible Party's information with the Responsible Party and not with any CSP. When procuring a CSP, a Responsible Party will therefore need to be cognisant that it will still be required to ensure compliance with the specific obligations raised by Section 19.

The management of the compliance relationship between Responsible Parties and CSPs is further unpacked within Section 21 of POPIA. Section 21 of POPIA requires organisations considering CSPs to ensure that the necessary due diligence has been taken in appointing a CSP which can adhere to the requirements set out in Section 19 of POPIA. Organisations acquiring CSP services also need to ensure that the applicable CSP conforms to the security requirements detailed within Section 19. CSPs, in turn, need to inform Responsible Parties immediately should reasonable grounds exist to believe that data has been subject to any type of unauthorised access. Unauthorised access to data may constitute a criminal offence and is further considered within a separate Insight article available here. In addition to Sections 19 and 21 of POPIA, Section 72 is also particularly relevant and will be discussed in the following section of this article followed by the operational considerations of CSPs in light of POPIA.

Geographical considerations

In addition to the processing requirements created by POPIA, a further set of requirements apply in instances where data is processed outside of the Republic. Section 72 of POPIA prevents Responsible Parties from transferring any personal information of a data subject to a third party outside of the Republic without certain protections being in place. Notably, each of these requirements authorises a cross-border transfer of data, and Responsible Parties need not adhere to all the requirements listed below.

Firstly, the Responsible Party will need to ensure that the third party is bound to similar or stronger data processing requirements which uphold the principles of reasonable processing discussed above. The requirements may be informed by the data processing laws within the territory of the third party, a binding agreement, or binding corporate rules ('BCRs'). Further, data subjects could consent to the transfer of their data outside of South Africa's borders or the transfer may be required as part of the performance of a contract between a data subject and a Responsible Party. Similarly, the transfer may be permitted should it be in the interest of the data subject, or the performance of a contract concluded in the interest of the data subject between a Responsible Party and a third party. Finally, a cross-border data transfer could be permitted should it be to the benefit of the data subject and not reasonably practicable to obtain the data subject’s consent, and should it have been reasonably practicable, that the data subject would likely provide their consent.

Practice in other jurisdictions tends to suggest that that the requirement for similar or stronger data processing requirements is most readily utilised in cross-border data transfers and is established in terms of Section 72(a)(i) of POPIA. A similar provision can be found in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which formed part of the considerations within the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Within the Schrems II Case, the Court of Justice of the European Union ('CJEU') found that the US surveillance laws did not provide European citizens with sufficient protection in terms of the GDPR. Provided the similarities between the Section 72 of POPIA and its GDPR counterpart, Responsible Parties who have the intention of transferring data to the US would best consider alternative requirements in terms of Section 72 of POPIA.

Operational considerations

Transitioning from the regulative framework to the practical factors relevant within a business organisation, this section considers some of the most pertinent factors flowing from the legislation discussed above. The matter is addressed by considering the roles of CSPs and Responsible Parties in turn, followed by their shared roles.

The roles of CSPs and Responsible Parties have some intersections, but broad role divisions are established by the abovementioned sections of POPIA. Firstly, Responsible Parties need to be informed of the processes and approaches utilised by CSPs in storing and accessing data. Both parties will be required, in terms of Section 21 of POPIA, to undertake a contract ensuring that the processing of personal information adheres to the security measures discussed above in relation to Section 19 of POPIA. However, the governance of the security of data and the risk assessment of data security measures continues to reside with the Responsible Party should the CSP be contracted. For this reason, Responsible Parties are advised to categorise and manage agreements based on the total potential risk of a data breach (in terms of the extent and type of information within any particular database). The Responsible Party may also need to revise their privacy policy to allow for third-party processing of data and the possible impact thereof on client consent. Finally, the Responsible Party may need to consider their customer base, and the possible applicability of the GDPR.

Should CSP services be procured, Responsible Parties will still need to ensure that the organisational networks which access the services of the CSP are secure and that only permitted, secure devices have access to those networks. CSPs, in turn, would need to ensure the security of the data they have been provided and that they perform in accordance with their contract with the Responsible Party regarding data storage. CSPs would also need to ensure that access is only provided as required by the Responsible Party and that the integrity of the Responsible Party's data is safeguarded. Furthermore, CSPs would need to inform Responsible Parties as soon as they have reasonable grounds to suspect that a data breach has taken place.

In addition to the separate roles of Responsible Parties and CSPs, there are also some overlapping obligations. Both CSPs and Responsible Parties need to stay up to date with any prescripts made by the Information Regulator ('the Regulator') and both would, therefore, need to ensure that they regularly check for updates in the regulatory framework for the country and their applicable industries. One example hereof is the recent addition of the cloud computing directive within the South African public service where all government departments were all required to reconsider their CSPs in light of the directive.

Summary

This article provided an overview of the key legislative aspects which Responsible Parties should consider when undertaking cloud data services with any third parties. It highlights that the obligations created by POPIA with regard to Responsible Parties are not dissolved by the appointment of CSPs; rather, the primary data processing responsibilities continue to reside with Responsible Parties. Responsible Parties are reminded of the reputational impact of a data breach and the impact thereof on their customers. As such, Responsible Parties need to take particular notice of the data processing requirements applicable to CSPs and, if applicable, the relevant geographical considerations regarding the territory on which processing will take place. Finally, this article considered some of the operational implications of POPIA.

PR de Wet Director
[email protected]
Davin Olën Candidate Attorney
[email protected]
VDT Attorneys Inc., Pretoria