South Africa and Mauritius develop their GDPR-influenced legislative frameworks
Data protection law enters fully into force in South Africa in July, and Mauritius takes first steps towards applying for EU adequacy. By Laura Linkomies.
The GDPR-oriented privacy laws in South Africa and Mauritius were discussed in depth at the Privacy Laws & Business webinar on 22 April(1), followed by a Q&A session on 6 May. The timing of the webinar was chosen to reflect the fact that the remaining parts of South Africa’s Protection of Personal Information Act 2013 (POPIA) will finally fully enter into force on 30 June and 1 July(2), when the one-year grace period for compliance comes to an end. Speaking at the event, Professor Sizwe Snail ka Mtuze, Member of South Africa’s Information Regulator, said that the grace period was intended for organisations to learn about the law, and now they need to become compliant. There has been no enforcement so far, but the regulator intends to start enforcement as soon as the law is fully in force. The regulator is now pursuing the August 2020 Experian breach; an independent report has been prepared by consultants, and will be shared with Experian, and later with the public.
Stewart Dresner, Chief Executive, Privacy Laws & Business, who chaired the event, said that South Africa and Mauritius are two of only three countries in Africa’s Top 10 (ranked according to GDP per capita) with data privacy laws and a specialised Data Protection Authority to enforce them. South Africa has enshrined the right to privacy in its Constitution, and POPIA is South Africa’s equivalent of the EU GDPR. There are some differences, however, as the law was principally based on the EU Data Protection Directive 1995. GDPR-style additions include requirements to notify data breaches and to appoint Information Officers, for example.
Requirement to appoint Information Officer
POPIA requires organisations to appoint Information Officers and Deputy Information Officers (similar to the GDPR’s DPOs) and to register them with the Regulator. The registration portal was supposed to be functional from 1 May but has been delayed as it is going through rigorous testing.
Professor Snail ka Mtuze and Lebogang Stroom-Nzama, Advocate, Member of South Africa’s Information Regulator explained that the Information Officers’ responsibilities cover both the Promotion of Access to Information Act (PAIA) and POPIA. The Information Officer needs to be located in South Africa, even in the case of multinational organisations that are based elsewhere. The Information Officer is expected to be independent – Snail ka Mtuze did not think that being employed by the company would interfere with this independence.
The Regulator has published a Guidance Note on Information Officers and Deputy Information Officers on its website.
Section 72 of POPIA regulates the transfer of personal information outside South Africa, and prohibits such transfers unless at least one of the following conditions is met:
- The recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection, i.e. one that upholds principles substantially similar to POPIA’s conditions for the lawful processing of personal information and that contains provisions on onward transfer substantially similar to section 72 itself.
- The data subject consents to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the responsible party.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject in relation to the responsible party.
- The transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer; and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
The question of whitelisting certain countries is a political question. Professor Snail ka Mtuze said that in the absence of formal guidance on transfers (which is being prepared), “one can safely accept that the GDPR principles, found also in the POPIA, would mean South Africa’s recognition of EU countries’ adequacy”.
With regard to other transfer mechanisms, Snail ka Mtuze said that S.72 of POPIA refers to Binding Corporate Rules which are quite similar in essence to the EU Standard Contractual Clauses.
Enforcement and international cooperation
Lebogang Stroom-Nzama explained that there are several steps in enforcement and that POPIA has both civil and criminal liability provisions. For the more serious offences, the maximum penalty is 10 million rand (€600,000/US$727,000) or imprisonment for up to ten years. But the regulator can settle complaints through mediation without having to resort to expensive court procedures.
Professor Sizwe Snail ka Mtuze said that the countries around South Africa are following its lead in adopting and drafting data protection legislation. The nature of international business means that the office is in regular contact with its counterparts worldwide. For example, in the Experian case it was found that some of the data had landed on a server in Switzerland, he said.
Both stressed the independence of the Regulator. The fact that the Ministry of Justice is used as a conduit to provide for the office’s HR and finance systems should not be interpreted as a threat to the Regulator’s independence, or its willingness to pursue cases against public entities. These are issues to do with setting up systems and procedural reasons, they said.
Drudeisha Madhub, Data Protection Commissioner, explained that Mauritius is located off the southeast coast of Africa, and has around 1.3 million people. The Mauritius Data Protection Act 2004 was replaced in 2017 by a new Data Protection Act, bringing the country’s data protection framework in line with the GDPR and the Council of Europe Convention 108+. The significance of Mauritius signing and ratifying the Convention is that it has triggered organisations there to start their journey to implement data protection law, Madhub said.
There are some differences between the Mauritius DP law and the GDPR. For example, the Mauritius law requires controllers and processors to register with the Data Protection Commissioner before processing personal data. Madhub said she thinks that this is one of the most efficient ways to see what a company is doing with personal data. Also, there is a criminal sanction of up to five years’ imprisonment.
Madhub told the audience that Mauritius has initiated the application process for EU adequacy. The office has invited proposals from external consultants to carry out a complete assessment and evaluation of the existing data protection law, and its application. The chosen consultancy, expected to be appointed soon, will provide an opinion on the adequacy of Mauritius for the EU Commission’s consideration. As writing the report is likely to take 4-5 months, it could be towards the end of the year before Mauritius will be ready to submit it to the EU. But we have informed the Commission that it is to be expected then, Madhub said.
At the moment, a transfer of personal data to another country may be made where any one of the following conditions is met:
- Proof of appropriate safeguards provided to the Commissioner;
- The data subjects have provided their explicit consent;
- For the performance of a contract or pre-contractual measures taken with the data subject;
- For the conclusion or performance of a contract concluded in the interest of the data subject;
- For reasons of public interest as provided by law;
- For legal claims;
- For the vital interest of the data subjects;
- For compelling legitimate interests of the controller or processor;
- For a public register containing information which is required to be transferred.
Organisations may also use Binding Corporate Rules and Standard Contractual Clauses for data transfers.
Issues for multinational companies
Madhub said that for a jurisdiction which relies on its offshore financial services and outsourcing, amongst other industries, data privacy is an important factor to enhance trust. Multinational companies outsourcing to Mauritius are defined as those which are either establishing a branch or choosing a processor in Mauritius to process data on their behalf. In both settings, the DP Act will apply and they will need to abide by all the provisions laid down in the Act.
If a company uses a processor located in Mauritius, it will need to have a contract between the controller and the processor as stipulated under section 31 (4) of the DP Act, which is equivalent to standard contractual clauses or can include Binding Corporate Rules, Madhub said. For companies that use equipment in Mauritius, the DP Act will still apply to them and any communication should be done through a representative established in Mauritius.
“While the DPA’s application is territorial in scope, the absence of extra-territorial effect does affect us in certain ways as we cannot prosecute companies established outside Mauritius and which are processing Mauritian citizens’ personal data. However, we are somehow reassured when the companies are from the EU where the GDPR is in force, as heavy penalties for non-compliance with the GDPR will be applicable in case of any breach.”
The registration requirement applies to companies of any size and also to sub-processors based in Mauritius. If a sub-processor is not based in Mauritius, then it will have to abide by the data protection law in that country plus the contractual requirements with the controller wherever the latter’s establishment is, Madhub said.
DPOs are mandatory
It is mandatory to appoint a Data Protection Officer, but the threshold will vary from organisation to organisation. A small company may designate someone that can fulfil this role of DPO despite shouldering other functions in the company. However, there should be no conflicts of interest between the different functions, Madhub explained.
The DPO role can be either a full time or part-time person depending on the organisation. It can be combined with an existing role such as an Information Security or Legal Officer as long as the DPO meets the requirements of this role.