A lot of people have asked me what I felt about the European Court of Justice (ECJ) ruling on Wednesday 7 Oct. This is how I have replied – The European Commission (EC) has been wasting time with its (so far failed) Data Protection Regulation, rather than looking at some of the major issues that have come out of global developments with Big Data, the Internet of Things, & the Snowden revelations over the last 5 years. Anyone could see that the Safe Harbors (correct spelling) was way out of date & didn’t adequately cover the needs of personal data in the second decade of the 21st century. The agreement was drafted at the turn of the century – nearly 15 years ago – and has not been radically amended since.
Question: will the Court’s ruling affect POPI or individual company agreements between SA & the EU? Well, at present companies should be working on individual “model contract” agreements between EU-based entities & their suppliers in SA. These contracts are subject to national EU regulators as far as EU citizens’ data are concerned. For example, an SA-based call centre doing any work on EU consumers has to provide some sort of proof that they are giving those consumers the same protection as if they were in Europe.
POPI was supposed to provide “adequate” (i.e. the same) protection as any EU country, thus allowing free flow of personal data between the EU & SA. Problem: POPI is now becoming outdated & the EC will be forced by this ECJ ruling to become much more strict when considering the “adequacy” of foreign privacy law. Result – we may have lost the opportunity to get POPI recognized by the EC.
Meanwhile, large data generators, like Facebook (which was specifically referred to in the case), Yahoo, Google, and others, will have to reconsider how they collect & use data on European citizens. Will they consider that SA with its (as yet non-implemented) POPI Act should be treated in the same way as an EU country when it comes to processing SA citizens’ data in the USA? We will have to wait & see.