US Safe Harbor and POPI
19 July 2016
In 2013, an Austrian citizen, Maximilian Schrems, lodged a complaint with the Irish authorities. Mr Schrems was of the view that, in light of the mass surveillance activities undertaken by the U.S. National Security Agency (NSA), as disclosed by Edward Snowden in 2013, the transfer of his Facebook information from the European Union (EU) to the U.S. in terms of the current legislative frameworks did not amount to "adequate protection" as required by the EU Data Protection Directive 95/46. By this complaint, Mr Schrems initiated a chain of events that would eventually culminate in the landmark decision of the Court of Justice of the European Union (CJEU) on 6 October 2015, which declared the EU-U.S. Safe Harbor framework, in terms of which US-based organisations overcame the restrictions on the transfer of personal information from the EU to the U.S., to be invalid.
The CJEU found that Safe Harbor did not provide an adequate level of data protection, because it was unable to prevent large-scale access by U.S. intelligence authorities to personal information transferred from the EU to the U.S.
From a South African perspective, the CJEU judgment brings into sharp focus the cross-border transfer of personal information provisions in the upcoming Protection of Personal Information Act (POPI Act). The rationale for the promulgation of the POPI Act was, among other things, to harmonise the processing of personal information in South Africa with international standards and facilitate the cross-border transfer of personal information. In this regard the POPI Act contains several provisions that specifically address the transfer of personal information beyond the borders of South Africa.
Chapter 9 of the POPI Act, like the EU Data Protection Directive 95/46, provides that a responsible party may not transfer personal information to a third party in a foreign country unless the third party is compelled by law, binding agreement or binding corporate rules to provide an adequate level of protection. As a result of the congruence between the EU Data Protection Directive 95/46 and the POPI Act, the CJEU findings could serve as a reference for a South African court to reach a similar decision in similar circumstances. However, the POPI Act contains a number of provisions that could result in a different finding.
Section 13(2) provides that steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable. In respect of the former, section 18(1) provides that if personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of certain information related to the collection thereof, including but not limited to the purpose for which the personal information is collected.
Sections 18(4)(c)(i) and (iv), by exception and among others, provide that it is not necessary for a responsible party to comply with subsection 18(1) if non-compliance is necessary "to avoid prejudice to the maintenance of the law by any public body" or is "in the interests of national security", respectively. These exceptions are quite broad in their construction and could be open to interpretation. In this regard, could mass surveillance activities undertaken in the U.S., the purpose of which is to safeguard the integrity of its national security, be necessary and related to the maintenance of law, and in the interest of South Africa's national security?
On 8 September 2015, the U.S. Diplomatic Mission to South Africa issued a security message to American citizens in South Africa, based on specific and credible threat information it had received that extremists may be targeting U.S. interests in South Africa, including U.S. government facilities and other facilities identifiable with U.S. business interests. There are therefore reasonable grounds to substantiate the argument that, albeit temporarily, the national interests of both the U.S. and South Africa may be aligned.
As a result, when POPI does indeed become effective, U.S. mass surveillance activities could fall within the exceptions in sections 18(4)(c)(i) and (iv). The ends could justify the means, if the end resulted in the issuing of a security message such as the one issued in South Africa on 8 September 2015. This could be the case notwithstanding the fact that the processing of personal information under these exceptions is occurring outside the borders of South Africa, by a foreign government.
In the event that the South African courts find, as the CJEU found, that the U.S. does not meet the adequacy requirements, South Africa could continue to remain a destination for personal information transitioning from the EU, but the South African organisation would have to ensure that, if it then transmitted that information to a U.S. organisation, such organisation was subject to a binding agreement or binding corporate rules that would ensure that the adequacy requirements of the EU are met. This in itself appears improbable: it is unlikely that any rule or agreement between a South African and a U.S. organisation could prevent or override the NSA's right to intercept such information in terms of the Foreign Intelligence Surveillance Act, which is the basis for its mass surveillance activities, particularly considering that U.S. technology companies, such as Yahoo, are compelled to monitor foreign targets on behalf of the NSA.
In the event that South African courts find that U.S. mass surveillance activities fall within the national security exceptions in sections 18(4)(c)(i) and (iv) of the POPI Act, this may result in the EU identifying South Africa as being unable to meet the adequacy requirements of the EU Data Protection Directive 95/46 because of the inherent conflict, and in personal information from the EU not transitioning to South Africa.
In either circumstance, it appears that the very rationale of the POPI Act may have been eroded by the CJEU judgment. Until the U.S. and the EU address the adequacy requirements in the EU Data Protection Directive 95/46, the POPI Act may not have the effect we all hoped for, at least from a cross-border perspective.