Global recognition of the importance of data privacy can be traced back to the United Nations (UN) which has a long history of promoting the right to privacy through its Human Rights treaties.
This includes article 12 of the Universal Declaration of Human Rights in 1948 and article 17 of the International Covenant on Civil and Political Rights in 1966. More recently in July 2015 the UN appointed a “Special Rapporteur on the right to privacy” to bring additional focus to the importance of data privacy. Supporting the UN is the Organisation for Economic Co-operation and Development (OECD) which in 1980 issued its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” which were revised and re-issued in 2013, just as the POPI Act (POPIA) was gazetted in South Africa. Following the UN and OECD initiatives, nearly one hundred countries and territories have established or are developing data protection laws.
African data privacy
In Africa, the African Union (AU) Commission and the Economic Commission for Africa have spearheaded the development of the AU Convention on Cybersecurity and Personal Data Protection, which was adopted by the AU Heads of States and Governments Summit in June 2014 in Malabo, Equatorial Guinea. Eight countries had already signed the convention by July 2016, according to the AU Commission: Benin, Chad, Congo, Guinea Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia. At a regional level in Africa there are also several initiatives, notably the ECOWAS Cybersecurity guidelines and the SADC Model Law on data protection, e-transactions and cybercrime. There is also the HIPSSA initiative (Harmonization of the ICT Policies in Sub-Saharan Africa), which covers 30 countries across the continent. Latest estimates show that 16 African countries have data privacy legislation, with an additional 14 countries working on legislation, leaving a balance of 24 that have taken no action so far.
POPIA and the European Union
The POPI Act can trace its origins not just to the OECD guidelines but also to Directive 95/46/EC of the European Parliament in 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive will have been completely replaced across all member states of the EU (including the United Kingdom, despite Brexit) by May 2018 by the General Data Protection Regulation, commonly known as the GDPR. The GDPR has potentially wide-ranging implications for companies based outside the EU trading with the EU member states. Of particular interest is the following extract from the GDPR document: “The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.” This tells us two things. The faster our Information Regulator South Africa (IRSA) gets POPIA fully commenced and SA becomes a trusted trading partner in terms of data protection, the easier trade with the EU will become. The downside is that if the IRSA is ineffective, then potentially the whole country could be put at a significant disadvantage.
International trade recommendations
For those of you who trade in Africa and more broadly across the globe, an understanding of data privacy legislation can be an important consideration when establishing trading relationships. This view is supported by DataGuidance, a London-based organisation that provides advice on a global basis concerning data privacy and protection through a global network of experts, including coverage of South Africa. “Our clients tell us that a clear understanding of the data privacy and protection legislation applicable to the territories and countries in which they trade can have a significant influence on the way they do business. Privacy professionals are facing a fast-changing global legislative landscape and constant attention needs to be given to ensure consistent compliance with national laws,” says David Longford, CEO at DataGuidance. So the key recommendation is to create and maintain awareness of privacy laws when doing business outside of SA, just as much as paying attention to the requirements of POPIA in SA.
My thanks to the Beatles for prompting the title of this article which is in part based on their August 1996 hit song “Here, there and everywhere” released as a track on the hugely successful Revolver album.
By Dr Peter Tobin