The Draft National Data and Cloud Policy: Possible Implications for Data Hosting and Cloud IT Services
May, 2021 - Isaivan Naidoo, Jessica Steele, Naledi Ramoabi
On 1 April 2021, the Department of Communications and Digital Technologies published the Draft National Data and Cloud Policy (GG No. 44389). The vision of the policy is move "towards a data intensive and data driven South Africa".
The Draft National Data and Cloud Policy recognises and highlights the important role of data hosting and cloud computing technologies in today's digital world, and it’s stated aim is to bolster the South African economy by leveraging the opportunities which can be provided by these technologies. The proposed changes to the current environment in South Africa, if effected, will be broad and will essentially apply nationwide (such as to government, state-owned enterprises, the private sector, and the general public). The proposed policy interventions contained in the Draft National Data and Cloud Policy will impact a number of key areas in this space, such as digital infrastructure, cybersecurity measures and data privacy.
Amongst other policy interventions, the Draft National Data and Cloud Policy proposes to regulate cross-border data transfers and to impose data localisation requirements. The Draft National Data and Cloud Policy defines data localisation as "the requirements for the physical storage of data within a country's national boundaries, although it is sometimes used more broadly to mean any restrictions on cross border data flows". The proposed policy interventions include:
- establishing a High Performance Computing and Data Processing Centre (HPCDPC), which will process and host government data using cloud computing;
- storing and processing all data classified as critical information infrastructure within the borders of South Africa; and
- when there is a cross border transfer of citizen data, storing a copy of such data in South Africa for the purposes of law enforcement.
The requirement to store a copy of citizen data is not expanded upon further, and it would be interesting to further understand whether the intention is that a copy of any and all citizen data would need to be stored in South Africa.
Considering the number of companies utilising cloud services where information is hosted on servers outside of South Africa, a number of questions arise. For example, would this require that a copy of the data be transferred to South Africa and if so, at whose cost? The Draft National Policy on Data and Cloud recognises and aims to enhance compliance with the Protection of Personal Information Act, 2013 ("POPIA"). While POPIA does not have a specific provision on data localisation, section 72 of POPIA does restrict the transfer of personal information outside of South Africa. However, the section also prescribes lawful ways of transferring personal information outside of South Africa. These include instances where:
- the data subject consents to the transfer of data;
- the third party recipient of the information is subject to law or binding rules/ agreement that provides an adequate level of protection;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party; or
- the transfer is for the benefit of the data subject.
By enacting data localisation requirements through the Draft National Data and Cloud Policy, there will be an increased need to establish more data centres in South Africa. At present, most of the data centres in South Africa are located in the large metropolitan areas located in Gauteng, KwaZulu-Natal, and the Western Cape Provinces. The Draft National Data and Cloud Policy proposes that data centres be built outside of these areas in order to decentralise investments and distribute opportunities across the country.
Additional socio-economic objectives include requirements that all investments made in the development and building of data centres will need to further broad-based black economic empowerment objectives and that where there is foreign direct investment in the infrastructure, such parties will be required to make provision for the transfer of digital skills (which are defined in the context of the Draft National Data and Cloud Policy, to refer to a range of abilities to use digital devices, communication applications, and networks to access and manage information).
The Draft National Data and Cloud Policy is still in its nascent phase, and the minister is currently accepting comments and submissions on it until 18 May 2021.
Submissions can be sent to the Department of Communications and Digital Technologies using an online form, via email at [email protected], or via post at:
- The Director-General, Department of Communications and Digital Technologies
- For attention: Ms C Lesufi, Director, Telecommunications Policy
- First Floor, Block A3, iParioli Office Park, 1166 Park Street, Hatfield, Pretoria
- Private Bag X860, Pretoria, 001.
Should you require our assistance with preparing a submission, please contact:
Isaivan Naidoo
Technology, Media and Telecommunications Executive
[email protected]
+27 82 310 5172
Link to article