On 31 May 2024, the Department of Communications and Digital Technologies (DCDT) published the National Policy on Data and Cloud (Policy), which still needs to be approved by the Cabinet.
The Policy aims to manage and utilise data efficiently, using cloud computing technologies. Its main objectives are to improve government service delivery and boost socio-economic development by encouraging data-driven decision-making and creating tradeable data-based goods and services, thereby supporting the growing digital economy.
The National Data and Cloud Policy and POPIA
The Protection of Personal Information Act 4 of 2013 (POPIA), South Africa’s data protection legislation, gives effect to the constitutional right to privacy by ensuring that the personal information of data subjects is protected and processed according to international standards and minimum threshold requirements for the lawful processing of personal information.
The Policy aims to guarantee the secure and reliable storage of data in the cloud, and protect personal and sensitive information from cyberattacks by establishing data protection protocols, as required under section 19 of POPIA.
Cross-border data transfers and the National Data and Cloud Policy
The Policy recognises the importance of the free flow of data as a catalyst for the global exchange and sharing of information and data. It also recognises that many multinational organisations rely on an open cross-border data regime to manage their businesses across various jurisdictions. In addition, the Policy seeks to ensure that South Africa is recognised as an investment destination for multinationals that support local economic growth.
POPIA provides for legal requirements regarding cross-border transfers of personal data. However, the South African Government might be approached by other governments and organisations seeking data-sharing arrangements in certain areas, such as health, environment, fauna and flora.
Where these requests are viewed positively, it is important to have guidelines that determine the modalities of entering into data-sharing agreements. The principles that govern such agreements should be the same to avoid arbitrary decisions and agreements that might compromise the security and sovereignty of South Africa and ultimately cause harm to those they are intended to benefit.
South Africa is also participating in various digital trade and investment initiatives. A clear government cross-border data regime is necessary to guide those involved in related engagements and negotiations, for example, the African Continental Free Trade Area (AfCFTA), Smart Africa Single African Digital Market initiative, and the Southern African Customs Union (SACU). Here too, cross-border data transfers and sharing should be carried out in a manner that respects the security and sovereignty of South Africa.
Against this background, the Policy proposes the following interventions:
- The processing of data collected within the borders of South Africa must comply with South African data protection and security laws and policies.
- Government data that incorporates content about the protection and preservation of national security and sovereignty of the Republic must be stored only in digital infrastructure located within the borders of South Africa.
- The Government must pursue cross-border data transfers and sharing agreements that meet the following criteria:
- Agreements must promote national interests, including socio-economic development, security, and sovereignty.
- Agreements must comply with the data protection and data security laws and policies of South Africa.
- Agreements should enhance mutually beneficial cooperation for all parties involved.
- Agreements should give effect to the AfCFTA, SACU, Single Digital African Market, African Union, and Southern African Development Community protocols.
Data protection and cybersecurity in the National Data and Cloud Policy
The Policy further recognises the need for a well-resourced and capacitated data protection authority to safeguard personal information that becomes more accessible as result of the growing digital economy.
POPIA established the Information Regulator as South Africa’s data protection authority. It independently oversees all matters related to data protection, including education on the conditions for the lawful processing of information, monitoring enforcement and compliance with the provisions of POPIA, and the handling of complaints related to alleged violations of the protection of personal information of data subjects.
The Policy emphasises the need for the Information Regulator to conduct periodic assessments of privacy performances of government agencies, businesses, and online platforms, taking appropriate action where breaches are discovered. The Information Regulator is empowered by POPIA to conduct such assessments of public and private bodies.
Conclusion
The Policy recognises the need for the Government to streamline and modernise its data collection, storage, and processing systems to meet its digital transformation targets, while also emphasising the importance of data protection in this pursuit. Secure and reliable cloud storage is ultimately underpinned by a robust and effective data protection regime as set out in POPIA and enforced by the Information Regulator.
We welcome the Policy’s acknowledgment of the role of data protection in growing the digital economy and ensuring that appropriate safeguards exist to protect data subjects while promoting the free flow of data across cloud platforms.