By Era Gunning and Nicole Gabryk
Extraterritorial Application: GDPR vs POPIA
Existing GDPR policies and documents can readily be adapted for POPIA compliance and vice versa. In this article, we briefly detail the general application of the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Protection of Personal Information Act, 2013 (“POPIA”).
Article 3(1) of the GDPR provides that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
In Article 3(2) the GDPR sets out its extraterritorial scope and provides:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The GDPR applies to the processing of personal data by persons not established in the EU if they offer goods or services to, or monitor the behaviour of, human beings in the EU.
Similarly, Section 3(1) of POPIA provides that POPIA applies to the processing of personal information entered in a record by or for a responsible party that is in or out of South Africa but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
“Automated means”, for the purposes of the section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
The genesis of this provision, as well as POPIA, is Article 4(1)(c) of Directive 95/46/EC (since replaced by the GDPR), which provided:
“Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.”
The motivation for the provision in Article 4(1)(c) of the EU Directive is set out in Recital 20, which provides:
“the fact that the processing is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this directive; whereas in these cases, the processing should be governed by the law of the Member State, in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice”.
In interpreting this provision, the Article 29 Data Protection Working Party, in its “Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites”, states the following in respect of the meaning of “equipment”:
“The Directive does not contain a definition of this term. According to the Collins English dictionary, "equipment" is defined as a set of tools or devices assembled for a specific purpose.
Examples of equipment are personal computers, terminals and servers, that may be used for nearly all kinds of processing operations. The Directive makes clear that equipment as such can be automated or otherwise as far as it is not used only for transit of information through the territory of the Community.
A typical case where equipment is used for transit only are the telecommunications networks (back bones, cables etc.), that form part of the internet and over which internet communications are travelling from the expedition point to the destination point.”
POPIA will accordingly apply to foreign entities if they use any equipment, including computers, terminals and servers, to process personal information in South Africa. The use of operators (i.e. POPIA parlance for data processors) in the Republic would clearly also trigger the application of the Act. The Act will not apply where local telecommunications networks are used for transit purposes only.
From the breakdown above, it is evident that the GDPR and POPIA are linked and that protocols developed for one can be adapted to ensure compliance with the other.