South Africa: The National Policy on Data and Cloud – Some highlights

Overall, the Policy has received positive feedback from interested stakeholders. It prioritises an acceleration of the rollout of digital infrastructure (to ensure fast, secure and reliable broadband connectivity), data privacy and security, open data and data interoperability, and the adoption of a cloud-first approach (requiring collaboration, funding, stakeholder engagement, and the capacitation of the State Information Technology Agency (SITA)). 

Some of the material policy shifts between the Draft Policy and the Policy, the implications for stakeholders, and the next steps, are as follows.

Digital infrastructure and access to data and cloud services

As with the Draft Policy, the Policy prioritises the capturing of all government data in digital format and the migration of all government IT services to the cloud, while also ensuring interoperability between various government departments and enhancing digital services for citizens. 

The proposed policy interventions set out in the Draft Policy and the Policy are substantially different. 

The Draft Policy had proposed the establishment of a single, government-owned high-performance computing and data processing centre to manage cloud computing capacity and to provide use-on-demand cloud services for Government and its functionaries, universities, research centres and South African registered businesses. 

Various criticisms were levelled against this proposal in submissions made during the public participation process, including concerning the State’s implicit resource, expertise and capacity challenges. 

In response, the policy interventions set out in the Policy contemplate a decentralised approach focusing on the State’s cooperation with the private sector, thereby enhancing scalability and reliability while also reducing costs. 

In essence, the Policy now envisages private entities providing cloud-based solutions to the State, with SITA being assigned primary responsibility for sourcing all data infrastructure and cloud services for the Government, developing and monitoring service level agreements, and developing applicable guidelines and technical standards for the acquisition and operations of data centres. 

The Minimum Information Security Standards (which are to be updated to align with technology-driven computing) are to be used as the guiding framework for access to government data in unified government data centres, while Open Data and Data for Development Frameworks (which will enable access to timely, accurate, complete, consistent and valid government data) are to be developed. 

It would be advisable for operators of data centres to attempt to keep track of these developments and, where possible, to provide input on any such agreements, guidelines, frameworks and standards.

Data sovereignty, data localisation and cross-border transfers

The draft policy had recommended that all data identified as critical information infrastructure should be processed and stored only within South Africa; that any cross-border transfers must be subject to localisation requirements (including requiring that copies of any data transferred outside of South Africa must also be stored in South Africa for law enforcement purposes); and that all data generated in South Africa be considered the property of South Africa, irrespective of the location of the technology company. 

The practicalities of these draft policy interventions had been criticised in various submissions during the public participation process. The Policy has, accordingly, adopted a more standardised approach.

For example, while the Policy proposes that any government data that incorporates ‘content pertaining to the protection and preservation of national security and sovereignty’ of South Africa must be stored in digital infrastructure within South African borders, no further data localisation requirements are imposed. Instead, there is a clear preference for supporting the current position: that the processing of data, including cross-border data transfers, must comply with South African data protection and security laws and policies.

Cybersecurity and a digital trust environment

To address growing cybersecurity concerns, the Draft Policy had proposed the review and alignment of the Electronic Communications and Transactions Act 25 of 2002, the establishment of a National Cybersecurity Policy Framework (to provide guidance on cybersecurity initiatives and measures), and the development and implementation of cybersecurity awareness initiatives for the public.  Mention of the Cybercrimes Act 19 of 2000 was noticeably absent from the draft Policy.

Cybersecurity and a ‘digital trust environment’ remain a key focus under the Policy. In addition to cybersecurity awareness initiatives (as also proposed under the Draft Policy), the Policy actively recognises and seeks to reinforce existing policies and legislation, including the Protection of Personal Information Act 4 of 2013 (POPIA), the National Cybersecurity Policy Framework (2012) – which is currently being reviewed – and the Cybercrimes Act. 

However, as specific policy interventions, the Minister is required to ensure that the Cybersecurity Hub is adequately capacitated and strengthened to deal with increasing cybersecurity threats while all digital technologies used by the Government must incorporate cybersecurity-by-design principles, including warning systems to detect and inform clients of potential cybersecurity threats across the entire lifecycle of data collection, processing, use, storage, mining and destruction. 

In addition, the Government and all data and cloud service providers are required to ensure that robust data and cloud security measures are in place to mitigate cyber-attacks and data privacy violations, including establishing the necessary data protection protocols in terms of POPIA.

Finally, in terms of the Policy, the Government is required to prioritise the signing and ratification of regional, continental and global treaties and conventions that support collaboration in the pursuit and prosecution of cybercrimes.

Please see our article on the data protection considerations of the Policy here.

Policy interventions for data centres

The Policy specifically recognises the presence and competencies of data centre investors and cloud providers in South Africa and notes that regulatory clarity is required to guide their investments.

As such, the Policy sets out certain specific policy interventions and proposals for data centres.  These include, for example, that all data centres must be built and operated in accordance with environmental legislation and building by-laws, and must not be built in restricted areas such as heritage sites, national key points, or land designated for land reform, or in areas prone to natural disasters or social disturbances. 

The Policy further stipulates that data centres must display or be able to provide verifiable certification credentials to all potential customers and that priority should be given to data centres ensuring the self-provision of electricity and water for the operations of data centres to ensure continuous operation and reduce dependency on the national grids.

Finally, the Policy stipulates that data centres used by the Government should comply with a fault-tolerant design that provides a minimum uptime of 99.995%.

These policy interventions and proposals should be considered by any data centres operating in South Africa as well as any organisations using data centres in South Africa to host their data.

Competition considerations

The Policy notes that the Competition Commission has been active, having already undertaken merger reviews in the data centre market, initiated market inquiries to examine competition issues in digital markets, and  recommended remedial actions where pricing or other behaviour by e-commerce and digital platforms was determined to be unfair to small platform users, or found to transgress competition rules.  The Policy states that there is no empirical evidence necessitating a digital regulator focused solely on competition issues in the digital space.

However, mindful of possible competition concerns, the Policy proceeds to set out certain policy interventions relating to competition in the data and cloud market. For example, one policy intervention suggested is that the Competition Commission ‘shall’ conduct studies in the data centre and cloud services markets to identify potential anti-competitive trends and behaviours, and where applicable, identify proactive preventative measures to ensure a fair and competitive market. 

Only the Commission or the Minister of Trade, Industry and Competition can initiate a market inquiry. Further, while the Competition Act 89 of 1998 (Competition Act) empowers the Competition Commission to initiate a market inquiry, it does not compel it to do so even if this is recommended in a government policy document. As such, despite the mandatory language adopted in the Policy, no legal obligation is imposed on the Competition Commission. 

A further policy intervention is that the Competition Commission ‘shall’ consider reviewing and potentially augmenting the Competition Act in relation to the data and cloud market, where empirical evidence indicates that the current law is inadequate to address competition issues in these markets.

Of course, the Competition Commission cannot amend the Competition Act; it only has the power to recommend new or amended legislation as a result of a market inquiry. As such, any such amended legislation, including any proposed amendments to the Competition Act, can only be effected through an Act of Parliament.

Despite the challenges with the phrasing of the policy interventions concerning competition, cloud services were specifically mentioned by the Competition Commission as an area in which competition concerns might potentially arise in its ‘Competition in the Digital Economy’ Report, which was a trigger for the online platform market inquiry.  It is therefore conceivable that cloud services may be a future subject of a market inquiry. 

Next steps

The Policy – which primarily focuses on the implementation of existing legislation – will now need to be implemented, which will involve consultation with key stakeholders. 

As the Policy also specifically contemplates various governance and institutional mechanisms for the governance of data and cloud services, these will need to be established and operationalised.  This includes the proposed establishment of an advisory council (consisting of public and private representatives) to enhance data management standards, guidelines, and best practices; assist with the development of a regulatory framework for the management of data and cloud services; and develop an interoperability framework between the Government and other key stakeholders.  It also includes the establishment of a data and cloud technical implementation task team comprising representatives from various government entities.

It is likely that the establishment and operation of the various governance and institutional mechanisms proposed in the Policy, the capacitation of SITA, and the effective implementation of existing legislation, will determine the effectiveness of the various policy interventions set out in the Policy.