Section 72 of POPIA governs the transfer of personal information across South African borders. This guide explains the five permitted transfer grounds, the practical compliance steps, and the documentation required.
The Cross-Border Transfer Problem
South African businesses routinely transfer personal information outside the country: to global cloud storage providers, to international payroll administrators, to group affiliates in other jurisdictions, to international legal counsel, and to customer relationship management platforms hosted abroad. Each such transfer is regulated by section 72 of the Protection of Personal Information Act 4 of 2013 (POPIA), and each requires the responsible party to identify and document a lawful basis for the transfer.
Yet despite the ubiquity of cross-border data flows, section 72 is among the most frequently overlooked POPIA compliance areas. The Information Regulator has identified cross-border transfers as a focus area for enforcement, and many otherwise mature compliance programmes have material section 72 gaps.
The Five Section 72 Grounds
Section 72(1) prohibits the transfer of personal information about a data subject to a third party in a foreign country unless one of five grounds applies. The grounds are alternatives — only one need apply — but each imposes specific evidentiary and operational requirements.
Ground 1: Adequate Foreign Law or Binding Agreement
The third party must be subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection that effectively upholds principles for the reasonable processing of the information substantially similar to POPIA's conditions, and includes provisions substantially similar to section 72.
This is the most analytically demanding ground. It requires comparative legal analysis between POPIA and the foreign legal framework. Jurisdictions whose data protection laws are widely accepted as substantially similar to POPIA include the European Union (under the General Data Protection Regulation), the United Kingdom (under the UK GDPR), and certain other common-law jurisdictions with comprehensive data protection regimes. The position on the United States is more nuanced: there is no comprehensive federal data protection law, and reliance on this ground for transfers to US recipients typically requires the binding-agreement route — standard contractual clauses or binding corporate rules — rather than reliance on the legal framework alone.
Ground 2: Consent of the Data Subject
Section 72(1)(b) permits transfer where the data subject consents. As with all POPIA consent, the consent must be specific, informed, and freely given. For cross-border transfers, the data subject must be informed of the identity of the receiving country, the categories of recipient, and the implications of the transfer in terms of the level of protection in the receiving jurisdiction. Generic consent to international data sharing is unlikely to satisfy the section 72 standard.
Ground 3: Necessary for Performance of a Contract with the Data Subject
Section 72(1)(c) permits transfer where necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request. The "necessary" standard is meaningful: a transfer that is convenient or commercially preferable but not contractually required does not satisfy this ground.
Ground 4: Necessary for a Contract in the Data Subject's Interest
Section 72(1)(d) extends the contractual ground to contracts concluded between the responsible party and a third party, where the contract is in the data subject's interest. A typical example is the transfer of payroll data to an international payroll administrator under a contract that benefits the employee data subject.
Ground 5: Benefit of the Data Subject
Section 72(1)(e) permits transfer where the transfer is for the benefit of the data subject and either it is not reasonably practicable to obtain the data subject's consent or, if it were reasonably practicable to obtain consent, the data subject would be likely to give it. This ground is rarely available in commercial settings and is most often invoked in healthcare, family welfare, or emergency response contexts.
The Practical Compliance Architecture
Data flow mapping
An accurate map of all cross-border data flows is the foundation of section 72 compliance. The map should record, for each transfer: the categories of personal information; the recipient with full legal entity details; the recipient country; the purpose; the section 72 ground relied upon; and the safeguards in place.
Standard contractual clauses
For transfers that rely on the binding agreement route within Ground 1, standard contractual clauses (SCCs) are the most commonly used instrument. SCCs should be drafted to incorporate POPIA's eight conditions for lawful processing, breach notification obligations, audit rights, and termination rights. The European Commission's 2021 SCCs are a useful baseline but require adaptation for POPIA compliance.
Binding corporate rules
For multinational groups with substantial intra-group transfers, binding corporate rules (BCRs) may be more efficient than SCCs. POPIA does not yet have a formal BCR approval mechanism comparable to GDPR Article 47, but well-drafted BCRs that meet POPIA's binding agreement standard can support the Ground 1 route.
Operator agreements
Where the recipient is an operator under POPIA section 1 (broadly equivalent to a processor under GDPR), the section 21 operator agreement requirements apply in addition to section 72. The operator agreement must address confidentiality, security safeguards, sub-processing restrictions, and assistance with data subject rights requests.
Cross-border breach notification
The breach notification obligation under section 22 applies to data held outside South Africa. Operator agreements must include reciprocal breach notification obligations sufficient to enable the responsible party to comply with section 22 timelines.
Common Compliance Gaps
Recurring section 72 compliance gaps include:
reliance on outdated assumptions about US data protection law (the post-Schrems II landscape in the EU has not directly altered POPIA, but it has made transfers to US recipients more legally fraught and requires careful analysis);
cloud provider terms that do not constitute binding agreements (standard cloud provider Terms of Service often disclaim liability and exclude key data protection commitments — bespoke data processing agreements are typically required);
transfers to group affiliates without intra-group documentation (group structures often involve informal data sharing that lacks the binding instruments required by section 72); and
inadequate transparency in privacy notices (section 18 of POPIA requires data subjects to be informed of cross-border transfers, the recipient countries, and the level of protection — many privacy notices are silent or inadequately specific).
How Mashiane Attorneys Can Assist
Our POPIA practice advises responsible parties on cross-border data transfer compliance, including data flow mapping, transfer ground assessment, SCC and BCR drafting, operator agreement structuring, privacy notice review, and cross-border breach response. Contact our team for a section 72 compliance assessment.

