Cross-Border Transfer of Personal Information

Section 72 of the Protection of Personal Information Act 4 of 2013 prohibits a responsible party from transferring personal information about a data subject to a third party who is in a foreign country, unless one of five grounds applies: (a) the recipient is subject to a law, binding corporate rules or agreement which provides an adequate level of protection that effectively upholds the POPIA conditions and includes sub-transfer controls; (b) the data subject consents; (c) the transfer is necessary for performance of a contract between the data subject and the responsible party; (d) the transfer is necessary for pre-contractual measures at the data subject\'s request; or (e) the transfer benefits the data subject and consent is not reasonably practicable.

The Information Regulator has not published a formal adequacy list, but jurisdictions with comprehensive data-protection laws (EU/EEA under GDPR, United Kingdom, Mauritius, Ghana, Kenya, Nigeria, Uganda) are widely treated as offering adequate protection. For transfers to the United States, India or China, the common route is ground (a) read with contractual safeguards — a binding operator agreement incorporating Standard Contractual Clauses–style commitments, or intra-group binding corporate rules. The Information Regulator\'s Guidance Note on Cross-Border Transfers (not yet published in final form at the time of writing) is expected to mirror the GDPR\'s approach following Schrems II.

In practice, attorneys drafting cloud agreements and outsourced services contracts should (i) map the data flows, (ii) identify the third-country recipients and any onward transfers, (iii) nominate a lawful basis under section 72 and document it in the operator agreement, and (iv) build transfer impact assessments (TIAs) into the data protection policy. Failure to comply with section 72 is an interference with protection of personal information under section 73 and triggers the section 109 administrative fine regime.