In section 72, the Protection of Personal Information Act (POPIA) prescribes the conditions for the transfer of personal information from South Africa across its borders. If the foreign third party (whether natural or juristic) receives personal information, it must be bound by a law, binding corporate rules or binding agreement. They must provide adequate protection that uphold the principles for reasonable processing. 

 Let’s use the Southern African Development Community (SADC) to demonstrate the issues. Trading requires the free flow of data and each country’s privacy laws matter. As common standards do not exist, trade occurs in uneven legal landscapes. Some SADC members enshrine the right to privacy but are without enabling laws. Other SADC members have democratic legal frameworks for this right. Others are in-between: draft laws that are not in force. There is accord on the topic, eg consent of the data subject is a minimum. But there are differences too, like transferring data to third party countries (ie to South Africa as the foreign third party): some SADC members require prior regulatory authorisation. 

 The gaps between jurisdictions can be bridged using ‘binding corporate rules’ or ‘binding agreements’ as defined in POPIA. These documents help clarify responsibilities and terminology. Is it the ‘Information Officer’ or the ‘Data Protection Officer’? The ‘data subject’ or the ‘user’? The ‘processor’ or the ‘operator’? 

 It is critical to know the law on both sides of the border. If in doubt, please get advice.