Mar 31st, 2016
In Africa, an ever-increasing number of data protection laws are being passed each year. In South Africa alone, we are subject to our own forms of these laws, with the Protection of Personal Information (POPI) Act being the most widely known. POPI concerns itself with the protection of personal information, preventing companies and organisations from harvesting, storing and using an individual’s personal data without permission. For businesses, this has placed certain restrictions and limitations on data handling.
There are, however, other concerns businesses must address, especially when data is being transferred and stored outside of South African borders. Section 69 of POPI regulates trans-border information flow as follows:
- The recipient of the information is subject to a law which regulates trans-border information flow and personal information in a way which is substantially similar to POPI;
- You have obtained the data subject’s consent;
- The transfer is necessary for the performance of a contract between the data subject and the responsible party;
- The transfer is necessary for the conclusion of a contract which is in the data subject’s interests;
- The transfer is for the benefit of the data subject, it is not reasonably practical to obtain the consent of the data subject, and, if it were reasonably practical to obtain the consent, the data subject would likely give it.
So, it is possible to transfer personal information from South Africa to most other developed countries in the world. Still, the practice of trans-border data transfer raises a number of questions around data sovereignty. Data sovereignty is the concept that a company’s digitally stored information is subject to the laws of the country in which it is located. It involves governmental and international legislation stipulating how that data may be generated, stored and handled in any given country – rules to which all businesses must adhere. In South Africa, these laws are defined in the POPI Act. When information is stored outside of South Africa, the laws of the country where it is stored apply, and this is often a major concern for the many businesses that make use of international Cloud Hosting Providers. The most prevalent of these concerns centres on the adequate protection of this information: do international Cloud Hosting Providers and their countries provide an acceptable level of safety and protection that satisfies the needs of a company and its customers?
A prime example of the problems with trans-border information hosting can be seen in the now defunct Safe Harbor Agreement. Under the Safe Harbor Agreement, companies in the United States were permitted to self-certify that they would comply with EU data protection standards in order to allow for the transfer of European data to the US. However, in October 2015, the European Court of Justice ruled that Europeans’ data was not adequately protected when transferred to the US, citing US government surveillance programs and weak laws governing digital privacy. The result was the dissolution of the agreement.
It is imperative that South African companies think carefully about hosting their business and customer data outside of our borders. They must carefully consider how secure their information will be and how easy it would be to recover that information should they ever need to. In all probability, a local Cloud Hosting Provider may be a smarter choice for many South African businesses.
The intricacies of data handling and data sovereignty are many and varied. The rules that govern data handling even extend to specific industries, with different rules applicable to different sectors. It is important that company executives understand their specific business requirements to avoid any potential threat to their business. As a local Cloud Hosting Provider, CipherWave offers a number of holistic Data Storage solutions. Should your company be interested in further information, we will happily assist with your query. Simply visit us here to contact us.