With the Protection of Personal Information Act 4 of 2013 compliance deadline of the 7th of July 2021 looming around the corner, a lot of attention has been given to the potential risks and effects of this Act when analysing popular applications and services. In this article, we will be looking at online storage services such as iCloud and Google Drive as it relates explicitly to Trans-Border Information Flows in terms of the POPI Act.
Google Drive and iCloud:
Google Drive is a service developed by Google which allows users to store files on their servers, synchronise files across devices, and share files. As of 2018, it had over one billion active users, and there were over two trillion files stored on the service. iCloud is a cloud storage and cloud computing service from Apple Inc. As of 2018, the service had an estimated 850 million users.
In terms of the POPI Act, a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless it complies with specific provisions. The most common of these will be consent (pre-contractually) and that the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that embody the same principles or is substantially similar to the POPI Act. ‘‘Binding corporate rules’’ means information policies within the entity being adhered to in that country.
It is uncertain which approach will be used in order to determine the exact scope of the application in this instance. The most likely approach will be access based – viewing the service as a vehicle for the transfer of information and taking the location of the sender and recipient into account irrespective of the physical location of the information on a server it may temporarily reside on in cyberspace. The scope of application will then be limited to parties who have direct access to the information, however, this interpretation does not negate the application of the POPI Act on the service provider in circumstances where privacy policies are in direct conflict with it.
Given the fact that the company/administrator of the server may still access the information, the POPI Act will apply to both user and service provider. Given the issues raised in the past with both of these services, users may do well to familiarise themselves with the newly established framework imposed by the POPI Act and ensure they are fully compliant. In this context, SEESA provides expert advice and assistance to implement POPI legislation strategies and safeguards regarding integrity and confidentiality of personal information as well as expert advice and assistance during information security breaches, Information Regulator investigations or referrals and registering Information Officers.
Should you require more information or assistance, please contact your SEESA Consumer Protection &POPI legal advisor, alternatively, “SMS” the word “SEESA” to 45776, and we will contact you.
About The Author:
Esias Olckers started his career at SEESA in 2017 and is currently a Labour and Consumer Protection & POPI Legal Advisor at SEESA’s Klerksdorp office. He obtained his LLB via the University of Johannesburg in 2014. He completed two years of articles as well as LEAD Law School and was admitted as an attorney of the High Court of South Africa in 2016.
- Protection of Personal Information Act 4 of 2013.