2. WHAT IS DATA LOCALISATION? UCHI ADVISORY LLC
“Data localisation or data residency law requires
data about a nations' citizens or residents be
collected, processed, and/or stored inside the
country, often before being transferred
internationally, and usually transferred only after
meeting local privacy or data protection laws, such
as giving the user notice of how the information will
be used and obtaining their consent.” - Wikipedia
3. WHY SOME SAY WE NEED DATA LOCALISATION?
A 2018 Brookings report on the importance of cross-border
data flows discusses five reasons why governments want to
localise data:
Protection of citizens’ personal data;
Access to data by law enforcement agencies;
Ensuring national security;
Advancing local economic competitiveness; and
Levelling the regulatory playing field.
Dealing with each of these objectives, the report
concluded that data localisation measures could actually
have a negative impact on some countries’ economies and
suggests that other options should be investigated to achieve
the above-mentioned goals.
4. SOME PRACTICAL CONCERNS
Economic, infrastructure and development concerns in smaller
countries could prove problematic for the localisation of
data. For example, data centres require reliable infrastructure to
keep data secure in-country, which many developing countries
may not be able to ensure.
Another problem could be that there is insufficient incentive for
the larger cloud providers, the likes of AWS, Microsoft Azure
or Google Cloud, to invest in such a country as they did in
countries like India or South Africa, where local data centres
were built.
This could result in financial services providers in developing
countries being forced to look outside their local jurisdiction to
find a robust cloud computing solution to protect their data.
5. DATA PROTECTION IN SOUTH AFRICA
In South Africa, the Protection of Personal Information Act of 2013
(also referred to as the POPI Act or POPIA) only came officially
into operation on 1 July 2020.
This Act brings an end to the uncertainty surrounding the handling of
personal information in South Africa.
POPIA is essentially South Africa's equivalent of the EU's GDPR.
Although promulgated in 2013, only certain sections of the Act
have been in operation since April 2014. Further sections have been
in effect from 1 July 2020, whilst the remaining parts of the Act will only be
in effect from 30 June 2021.
That means that even though the Act is in effect, we are still in a
so-called one-year grace period, which will end on 1 July 2021.
The Information Regulator has in the meantime published the final POPI
Regulations and appointed various people to fill vacancies.
6. DATA PROTECTION IN SOUTH AFRICA
Only once POPIA is fully in force will data officially be protected
and localisation rules apply to their full extent.
The purpose of this Act is to protect the "personal information" of
the citizens of South Africa, which is obtained as well as
processed by both public and private institutions. The Act also
attempts to balance the constitutional right to privacy with other
rights, for example access to information.
POPIA recognises the right to privacy enshrined in the
Constitution and gives effect to this right through mandatory
procedures and mechanisms for the handling and processing of
personal information.
The POPI Act is in line with current international trends and laws
on privacy. 'Processing' is widely defined.
7. WHAT IS PROCESSING?
Processing involves any activity, operation or set of operations,
automatic or not, in relation to personal information.
It includes, but is not limited to, the:
collection,
receipt,
recording,
organising,
collation,
updating,
modification,
retrieval,
alteration,
use,
storage,
distribution,
making available,
dissemination,
merging,
linking,
restriction,
degradation, erasure or destruction
of personal information.
8. WHAT IS PERSONAL INFORMATION?
Personal information is a very broad term, but relates to any
identifiable natural or legal person and includes, but is not limited
to:
Any identifying number or symbol, including email address,
location information or online identifier
Being disabled (in the case of a natural person)
Private or confidential correspondence
Biometric information
Demographic information – age, gender, race, date of
birth, ethnicity, etc.
Personal opinions and views of and about a person or
group
History – employment, financial information, medical
history, criminal history as well as educational history
The POPI Act applies to every business or institution in South Africa,
as well as any international company that does business in South
Africa, that collects, uses, stores or destroys personal information
of a data subject, whether or not such processing is automatic.
9. MAY PERSONAL INFORMATION BE SENT ABROAD?
The short answer is yes, it is possible, but there are restrictions,
and it will depend on the laws of the country or countries to which the
information is sent and where the information comes from.
It is especially cloud-based systems that can cause problems
under POPI.
The electronic transmission and processing of data across
countries has led to a concern that data protection legislation
will simply be circumvented by the transfer of personal
information to countries where data protection rules or
regulations do not apply and where information can be
processed and misused without any hindrance.
10. CROSS-BORDER DATA FLOWS
POPIA prohibits the transfer of data across borders and only permits
transfers across borders under the specific circumstances
set out in section 72.
In essence, the country where the information will be processed, or
the recipient of the information, must be subject to rules or regulations
effectively similar to the principles stated in POPIA.
The above obligation can be fulfilled by means of legislation or a
contractual relationship between the parties.
For example, where the receiving country has no data protection
legislation, the parties can enter into an agreement outlining
the duties of the party processing or receiving the information in that
country, in line with the principles of POPIA.
A data subject’s prior consent to a cross-border transfer of his or her personal
information must also be obtained, unless it is not practicable to
obtain such consent.
11. WHAT ARE THE OBLIGATIONS OF BUSINESSES UNDER POPIA?
In short, the obligations include:
to only collect information for a specific
purpose;
to ensure that the information is relevant and
up to date;
to have reasonable security measures in place
to protect the information;
to only keep the necessary information; and
to allow the data subject to obtain or view his
or her information on request.
12. WHAT ARE THE OBLIGATIONS OF BUSINESSES UNDER POPIA?
Accountability: The business is accountable for complying
with the principles contained in the Act. The business is
responsible from the time that the information is collected
and/or processed to the time of its deletion.
Specific purpose: Personal information must only be
collected for a specific, defined and lawful purpose
related to a function or activity of the business. This
information may also not be retained for longer than it is
required, unless it is lawful to do so.
Processing restriction: The processing must be conducted
lawfully, only the minimum necessary personal
information may be processed, and the information must
not be excessive given the purpose for which it is
processed.
Further processing restriction: The business is responsible for
preventing the further processing of information in a
manner that was not intended when the information was
collected. This restriction attempts to limit any secondary
use of personal information. It covers the eventuality
where personal information of a third party is received and
transferred to another responsible party for processing.
13. WHAT ARE THE OBLIGATIONS OF BUSINESSES UNDER POPIA?
Transparency: The business needs to ensure that the data
subject is aware of the various matters relating to the
collection and processing of information, the
purpose for which the information is collected, and whether the
information provided by the data subject is voluntary or
mandatory.
Information quality: The business must take
reasonably practicable steps to ensure that personal information is
accurate, not misleading and updated where necessary.
Security measures: The business must protect the integrity of the
personal information in its possession and under its control. The
business needs to identify all reasonably foreseeable internal
and external risks to the data in its possession and control and
ensure that measures are in place to prevent:
loss of or damage to, or
unauthorised access to or destruction of,
the personal information.
Data subject participation: A data subject has the right to:
request an explanation of the personal information
collected;
request information about the recipients of personal
information; and
request deletion or correction of the personal information.
14. WHAT PENALTIES ARE THERE UNDER POPIA?
POPIA has strict regulations that every company
must comply with, and depending on the nature of the
offence, businesses as well as individuals can be
punished.
Offenders can be fined up to R10 million and can even
be jailed.
15. TO RECAP
Personal information may only be transmitted
across borders from South Africa to a third party in
a country which is subject to rules or regulations
effectively similar to the principles stated in POPIA,
based either on legislation or on a contractual
agreement.
Remember: each business collecting personal
information has 12 months (from 1 July 2020) to fully
comply with this Act.