If there is a silver lining to most crises, the accelerated move toward digitized commerce globally and in Africa may be one positive outcome of the COVID-enforced lockdown. It is welcome news there that the South African Minister of Communications and Digital Technologies (“Minister”) published the Draft National Data and Cloud Policy (in Government Gazette no. 44389) (“Draft Policy”) for public comment. The Draft Policy seeks to create an enabling environment for the provision of data and cloud services in an effort to move “towards a data intensive and data driven South Africa” that ensures social and economic development and inclusivity. The Draft Policy affects a few key areas, which we briefly highlight below.
The objectives of the Draft Policy are to:
- Encourage universal access to broadband connectivity, along with access to data and cloud services;
- Eliminate regulatory barriers and enable competition in the data and cloud sector;
- Implement effective measures to ensure the security of cloud infrastructure;
- Create institutional mechanisms to govern data and cloud services;
- Support the development of small, medium, and micro enterprises (“SMMEs”);
- Promote research, innovation, and technological developments in relation to cloud;
- Increase the government’s capacity to deliver relevant data and cloud-based services to the public;
- Promote data sovereignty and security with respect to South African data; and
- Encourage alignment with the Fourth Industrial Revolution (“4IR”), the OECD Framework and standards adopted by the European Union.
Draft Policy proposal relating to digital infrastructure
The Draft Policy recognizes that digital transformation in South Africa relies upon further developing electronic communication networks, mobile communication networks, and cloud and data infrastructure services in the country.
In relation to universal access and service delivery obligations, the Draft Policy recommends a government-backed digital platform and for all South African citizens to be provided with an online identity in order to receive services more easily.
The Draft Policy discusses the need for a Wireless Open Access Network (“WOAN”) “to extend the digital infrastructure footprint and services” across the country. The Draft Policy also refers to various measures to ensure the deployment of electronic communication infrastructure, which will help to bridge the digital divide by ensuring universal access to cloud and data infrastructure services for all South Africans.
The Draft Policy also proposes that existing networks of state-owned enterprises, such as Sentech and Broadband Infraco, be consolidated to form a State Digital Infrastructure Company (“SDIC”), which will provide network connectivity for the State.
Draft Policy proposal relating to cloud computing infrastructure
The Draft Policy also highlights the need to process data using cloud computing infrastructure and makes provision for pliable data storage architecture and the purchase of capacity from cloud service providers.
The Draft Policy highlights the importance of cloud services and their ability to enhance the potential of 4IR technologies (e.g. blockchain, the Internet of Things (“IoT”) and artificial intelligence (“AI”).
In order to leverage the full potential of the South African economy through digital technologies, the Draft Policy proposes that a Digital Transformation Centre (“DTC”) act “as a catalyst to lead Digital South Africa”.
In addition, the Draft Policy proposes the establishment of a High-Performance Computing and Data Processing Centre (“HPCDPC”) for the purpose of managing cloud computing capacity for the State and its functionaries, universities, research centers and South African registered business, and to provide user-on-demand cloud services for the State and its functionaries .
The Draft Policy specifically provides that investment in data centres will be centralised in large metropolitan areas in South Africa, like Gauteng, KwaZulu-Natal and the Western Cape. Further, the Draft Policy proposes supporting local and foreign investment in data and cloud infrastructure and services by establishing a digital or ICT ‘Special Economic Zone’ (“SEZ”).
Draft Policy proposal on data protection, data localization and cross border data transfers
The Draft Policy states that the processing of personal data or personal information, specifically metadata (for example, IP addresses), must be compliant with applicable laws like the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and international best practice (such as the General Data Protection Regulation (“GDPR”) in the European Union).
There are currently no data localization requirements in South Africa (under POPIA or otherwise). However, the Draft Policy seeks to impose data localization requirements and defines data localization as the “…requirements for the physical storage of data within a country’s national boundaries, although it is sometimes used more broadly to mean any restrictions on cross border data flows”.
On the issue of data localization, the Draft Policy provides inter alia that:
- Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled.
- Ownership and control of personal information and data shall be in line with the POPIA.
- The Department of Trade, Industry and Competition through the Companies and Intellectual Property Commission (“CIPC”) and the National Intellectual Property Management Office (“NIPMO”) shall develop a policy framework on data generated from intellectual activities including sharing and use of such data.
Draft Policy proposal on cybersecurity measures
The Draft Policy proposes that the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) be reviewed to align with cybersecurity policy and legislation.
Interestingly, the Draft Policy does not mention the Cybercrimes Act 19 of 2020, which is now an official Act of Parliament. The Cybercrimes Act aims to established a comprehensive cybersecurity framework and provides for the criminalisation of a broad range of cyber-related crimes. The date on which the Cybercrimes Act comes into force is yet to be announced.
Nevertheless, the Draft Policy proposes the establishment of a National Cybersecurity Policy Framework (“NCPF”) which, together with other policies, legislation and international best practice, will provide guidance as to cybersecurity initiatives and measures, and will be reviewed from time to time to ensure that the NCPF is responsive to cybersecurity threats and risks.
In addition, the Draft Policy proposes that the government develop and implement cybersecurity awareness initiatives to educate the public.
Next steps
Upon finalization of the Draft Policy, it will apply to all levels of government (i.e. national, provincial and local authorities); state-owned entities, the private sector (i.e., multi-national entities seeking to invest in the digital infrastructure of South Africa); and the general public.