Schrems II: The impact on South Africa
Provided by Eversheds Sutherland
Eversheds Sutherland represents the coming together of two firms with a shared ethos and commitment to client service excellence. We are known for our business savvy and industry intelligence and for providing innovative and ... more
By Grant Williams and Kelly Hutchesson
08 Dec 2020
On 16 July 2020, the Court of Justice of the European Union (“CJEU”) delivered its judgment in the landmark case known as Schrems II (Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems and intervening parties, Case C-311/18), which ruling will have a significant impact on the transfer of personal data outside of the European Union (“EU”).
When transferring personal data from the EU to a country outside of the EU, which does not have an adequacy decision (“Third Country”), the General Data Protection Regulation (“GDPR”) requires “appropriate safeguards” to be in place before any data is transferred. Organisations often rely on the conclusion of data transfer agreements, which include the Standard Contractual Clauses (“SCC”) or corporate binding rules, to ensure that the appropriate safeguards requirement is met. For the transfer of personal data to the United States of America, many organisations have relied on the EU-US Privacy Shield Framework (“Privacy Shield”), as their safeguard mechanism.
In the Schrems II judgment, the CJEU invalidated, with immediate effect, the use of Privacy Shield as a personal data transfer mechanism. The CJEU’s reasoning for this decision is that Privacy Shield could not ensure the protection of personal data in light of the US’ excessive state surveillance powers. Although the invalidation of Privacy Shield itself has limited effect on South African organisations, the CJEU also made a significant ruling in respect of the SCC, which has a bearing on all South African organisations that receive and process personal data relating to EU citizens.
The CJEU held that although the SCC remains a valid transfer mechanism, it no longer constitutes an “appropriate safeguard” on its own. The CJEU now requires that organisations that will be transferring EU citizens’ personal data to a non-EU organisation conduct a full risk assessment and due diligence, on the non-EU organisation, and the data protection legislation applicable to that non-EU organisation, on a case-by-case basis, in order to ensure that the personal data will be adequately protected.
Practically, this entails a potentially expensive and time-consuming evaluation of the other party’s information security measures, and the Third Country’s laws regarding privacy, personal data protection, and government surveillance /state security.
The CJEU has indicated that “adequate protection” will be based on the EU data protection standards, and that the transfer of personal data may (should) be suspended or prohibited if the protection of the personal data cannot be ensured at this standard. This standard of protection may be difficult (if not impossible) to attain, especially in developing countries. The CJEU further provided that in the event that the laws of a Third Country are found wanting, the controllers and processors should take additional measures to ensure the protection of the data. However, the CJEU provided little guidance as to what these measures might entail.
In order to mitigate the risks, EU controllers and their processors (responsible parties and operators, under POPIA, respectively) should map their international data flows, considering the quantity and sensitivity of the data, and should then consider, based on the level of protection afforded to the data, as well as the potential harm that can be caused by a failure to protect the data, whether it is necessary to relocate the processing of the data to another country, which does provide adequate protection. Organisations that process EU personal data should develop new data strategies, and establish which data transfers are essential and which are only “nice-to-haves”, as the localisation of data processing may mitigate its risks. Organisations can also implement technical safeguards to protect the data, such as the encryption of data. CJEU also suggested the inclusion of more stringent contractual clauses to protect the data. However, this may not be a practical approach, as those clauses are not capable of binding the government of any Third Country.
In order to determine whether South Africa has adequate protection for EU personal data, a thorough evaluation of South Africa’s surveillance laws is required to establish what access the government has to data, the limits on this access, and the judicial oversight and remedies that are in place to ensure the protection of this data. As a starting point, South Africa’s Constitution provides that “everyone has the right to privacy”, and the Protection of Personal Information Act elaborates on this right by establishing responsibilities and obligations aimed at protecting the privacy of personal data.
However, the Constitution also provides that all rights in the Bill of Rights may be limited, by a law of general application. There are a number of statutes that afford the State the authority to access and/or intercept data in specified circumstances, including the Financial Intelligence Centre Act, the National Strategic Intelligence Act, and most notably, the Regulation of Interception of Communications and Provision of Communications Related Information Act (“RICA”). RICA is South Africa’s main surveillance law and regulates the interception of certain communications. RICA provides that the interception of communication must be authorised by a designated judge, however, it also provides for certain exceptions where judicial authorisation is not required.
In light of the Schrems II decision and South Africa’s surveillance laws, it is clear that the SCC and binding corporate rules, as stand-alone mechanisms, are not sufficient to comply with the GDPR’s “adequate safeguard” requirements, and that risk assessment on a case-by-case basis is essential. Parties will be required to identify any potential risks in the transfer of data, and to take steps to mitigate those risks before any data is transferred to South Africa.
The Schrems II judgement is available at: https://noyb.eu/files/CJEU/judgment.pdf
The GDPR is available at: https://gdpr-info.eu/
RICA is available at: http://www.saflii.org/za/legis/num_act/roiocapocia2002943.pdf
Please contact us if you would like us to assist you with risk assessments, data impact assessments, and the establishing of adequate safeguards, to mitigate any risks that you may face.
The above does not constitute legal advice, but rather advice of general application which may change depending on the facts and circumstances of a particular case. Independent legal advice should be obtained before implementing any measure which may impact upon rights and obligations.
- Is your organisation POPIA ready?
- Commencement of certain sections of the Protection of Personal Information Act
- Data protection – The ramifications of the landmark EU Facebook case
- The enforcement of POPI
- Personal Information Act for the grace period – 12 months to learn from Experian
- Thank the Protection of Personal Information Act for the grace period – 12 months to learn from Experian
- Protection of Personal Information Act finally commencing on 1 July 2020
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)
Grant Williams is a partner in our commercial group. He specialises in commercial law with an emphasis on media, telecommunications and IT. Grant’s recent experience includes assisting with the establishment... Read more about Grant Williams
Kelly Hutchesson is a senior associate in Eversheds Sutherland's commercial group and a notary public. Kelly advises ICT service providers on: • IT and business process outsourcing • the design/build/run... Read more about Kelly Hutchesson