SOUTH AFRICA: NEW DRAFT NATIONAL DATA AND CLOUD POLICY
On 1 April 2021, the Minister of Communications and Digital Technologies (Minister) published a Draft National Data and Cloud Policy (Draft Policy) together with an invitation for interested parties to submit written submissions to the Department of Communications and Digital Technologies within 30 business days of publication of the Draft Policy, by 18 May 2021.
The Draft Policy aims to transform South Africa’s economy into a digital economy that is both data-intensive and data-driven. In particular, the Draft Policy acknowledges the need to realise the socio-economic value of data through policy and law and to ensure open data, which is defined in the Draft Policy as ‘…data that is made freely available for use, re-use and republishing as [a party wishes], subject to ensuring protection of privacy, confidentiality and security in line with the Constitution [of the Republic of South Africa, 1996 (the Constitution)]’.
The key objectives of the Draft Policy include the need to:
- enhance investment opportunities;
- drive inclusive economic growth;
- create jobs and enhance skills development;
- enhance universal access to broadband connectivity, data and cloud services;
- remove regulatory barriers and enable competition, effectively implement data privacy, cloud privacy and cybersecurity measures;
- develop institutional mechanisms to govern data and cloud services;
- support small, medium and micro enterprises (SMMEs);
- advance technological developments;
- strengthen the State’s capacity to deliver services to the public; and
- promote South Africa’s data sovereignty and security.
In addition, the Draft Policy also seeks to align the proposed South African developments with the Fourth Industrial Revolution (4IR) and global trends, particularly the OECD Framework and standards adopted in the European Union where data is viewed as a strategic asset.
Who will the Policy apply to once finalised?
The Policy, once finalised, will apply to the all levels of the State (i.e. national, provincial and local spheres of government); organs of state and public enterprises; the private sector; and the general public and citizens of South Africa.
The Policy will also apply to foreign multinational companies investing in digital infrastructure (specifically cloud computing infrastructure such as data centres) given the proposal that multinationals will be required to make investments in skills and digital technologies transfer, as outlined below.
Policy proposals relating to digital infrastructure
The Draft Policy contemplates the need to further the objectives of universal access to electronic communications networks, mobile communication networks, and cloud and data infrastructure services.
As part of universal access and service delivery obligations, the Draft Policy proposes that government entities develop a common digital platform and that an online identity is developed for all South African citizens.
The Draft Policy touches briefly on the need for a Wireless Open Access Network (WOAN), which was to be established following South Africa’s IMT spectrum auction initially set to take place at the end of March 2021.
The WOAN is, however, unlikely to be established in the near future given the current spectrum litigation that is underway, and the recent interdict granted against the Independent Communications Authority of South Africa preventing it from considering any applications received by it for high-demand spectrum and delaying the closing date for the WOAN application process.
The Draft Policy nevertheless proposes that the existing networks of state-owned enterprises, such as Sentech and Broadband Infraco, be consolidated to form a State Digital Infrastructure Company (SDIC) which will then provide network connectivity.
Cloud services and cloud computing infrastructure
The Draft Policy highlights not only the increased need to store and access data, but also the increased need to process data using cloud computing infrastructure, which provides for flexible data storage architecture, and to buy capacity from cloud service providers.
Under the Draft Policy, cloud computing is described as ‘…a platform to provide solutions to problems associated with the storage and management of the enormous amounts of data generated…[and is] a large computational infrastructure [which] ensure[s] successful data processing and analysis’.
Cloud computing services include the following:
- infrastructure as a service (IaaS) where users can purchase computing resources on a metered basis similar to how water, electricity and other utility services are purchased;
- software as a service (SaaS) where users can purchase software and run the software in the cloud computing infrastructure rather than run the software locally on a personal computer; and
- platform as a service (PaaS).
The use of cloud services will enhance the potential of 4IR technologies such as artificial intelligence (AI), blockchain, and the Internet of Things (IoT).
The Draft Policy proposes that a Digital Transformation Centre (DTC) be established for purposes of steering 4IR technologies.
In respect of managing cloud computing capacity for the State, state-owned entities, universities, research centres and companies registered in South Africa, and to provide user-on-demand cloud services, the Draft Policy proposes the establishment of a High-Performance Computing and Data Processing Centre (HPCDPC) which will have access to excess capacity of publicly funded data centres owned by entities such as Sentech, Broadband Infraco, Eskom and Transnet.
Neither cloud services nor any of the listed 4IR technologies are currently regulated in South Africa. In addition to the current lack of regulation, other challenges include investment and energy supply.
In respect of data centres specifically, the Draft Policy notes that investment in data centres is centralised in large metropolitan areas in South Africa, such as in Gauteng, KwaZulu-Natal and the Western Cape, and that data centres are mostly owned by foreign companies.
The Draft Policy proposes supporting local and foreign investment in data and cloud infrastructure and services by establishing a digital or ICT ‘Special Economic Zone’ (SEZ). Where foreign multinational companies invest in data centres, the Draft Policy proposes that such companies be required to ensure that there is a skills and digital technology transfer to ensure that South Africans benefit from foreign direct investment (FDI).
This is in addition to the need to ensure that any investment in data centres must enhance broad-based black economic empowerment (BBBEE) objectives. Further, cloud computing infrastructure, such as data centres, and the use of cloud services generally will require a stable and reliable energy supply, such as the use of green energy or self-generation energy capabilities, given the existing strain on South Africa’s national energy grid.
Access to data and cloud services
The Draft Policy proposes the need to develop an open data framework similar to frameworks adopted in other jurisdictions, such as the United Kingdom.
In particular, the Draft Policy proposes that Government must develop a National Open Data Strategy. This is to align policy with what was already proposed under South Africa’s National Integrated ICT White Paper – that is, the need to develop an Open Government Action Plan and Manual which would, amongst other things, identify information that should be publicly available to everyone; tools and systems which can be used to discover and search for such data and how government can implement open data policies and involve South African citizens in developing software.
In addition, the Draft Policy recognises the need to enhance the sharing of data in line with ‘Data for Good’ principles. This will enable non-governmental organisations to access relevant data without the need to pay for such data.
Other policy propositions include that:
- all public data must be captured by default in a digital format;
- non-sensitive government data (i.e. data that is already in the public domain) must be stored in the HPCDPC’s public cloud;
- Government must establish frameworks such as a Data Trust to share data generated by the public and private sectors in a fair, equitable and transparent manner;
- localised data banks must be established within the HPCDPC for purposes of big data analytics and South African and Afrocentric solutions; and
- classification of information must be subject to minimum security standards and, in the case of government department and state agencies, sector-specific classification guidelines.
Policy proposals relating to data protection, localisation and cross-border transfers
The Draft Policy notes that the processing of personal data or personal information, specifically metadata (for example, IP addresses), must be compliant with applicable laws. These laws include the Protection of Personal Information Act 4 of 2013 (POPIA), which be fully enforceable from 1 July 2021, the Promotion of Access to Information Act 2 of 2000 (PAIA), and international best practice (such as the General Data Protection Regulation (GDPR) in the European Union).
In addition, the Draft Policy proposes that data generated by the Government and related entities specifically must be stored in the HPCDPC in line with security measures determined by the Minister of State Security.
There are currently no data localisation requirements in South Africa (under POPIA or otherwise). As outlined in the Draft Policy, data localisation refers to ‘…requirements for the physical storage of data within a country’s national boundaries, although it is sometimes used more broadly to mean any restrictions on cross border data flows’.
The Draft Policy notes that, as a likely result of not having any data localisation requirements in South Africa and as a result of most of the data generated in South Africa being stored in data centres situated in foreign countries and owned by large technology companies, South Africa has not been able to realise the value and monetisation of its data.
As such, the Draft Policy proposes the following:
- data sovereignty for certain data in that all data that is classified or identified as ‘critical Information Infrastructure’ (this is not defined in the Draft Policy) must be only processed and stored within South Africa;
- cross-border transfers must be carried out in line with the requirements under POPIA, the Constitution generally and international best practice; this is already required;
- any cross-border transfers must be subject to localisation requirementse. copies of any data that is transferred outside of South Africa must also be stored in South Africa for law enforcement purposes; and
- ownership and control of data must be compliant with POPIA and will be as follows:
- all data generated within South Africa is the property of South Africa even if the technology company is not incorporated in South Africa;
- Government must act as a trustee in respect of all government-related data generated within South Africa;
- all research data must be governed by the Research Big Data Strategy of the Department of Science and Innovation; and
- all data generated from natural resources will be co-owned by the Government and the private sector and a copy of such data must be stored in the HPCDPC.
Policy proposals relating to cybersecurity
The Draft Policy proposes that the Electronic Communications and Transactions Act 25 of 2002 (ECTA) be reviewed to align with cybersecurity policy and legislation.
Curiously, the Draft Policy does not mention the Cybercrimes Bill, which was passed by Parliament in December 2020 and which is currently awaiting signature from the President of South Africa, save to propose that cybercrime legislation will provide for enforcement and sanctions against cybercrimes.
The Draft Policy nevertheless proposes the establishment of a National Cybersecurity Policy Framework (NCPF) which, together with other policies, legislation and international best practice, will provide guidance as to cybersecurity initiatives and measures and will be reviewed from time to time to ensure that the NCPF is responsive to cybersecurity threats and risks.
In addition, the Draft Policy proposes that government develop and implement cybersecurity awareness initiatives to educate the public.
Policy proposals relating to data governance and institutional mechanisms
The Draft Policy describes data governance with reference to the OECD Framework as ‘…an exercise of authority, control, and shared decision making which includes planning, monitoring and enforcement over the management of data assets either within one organisation or across different organisations that share an interest in common data assets’.
In order to achieve this, the Draft Policy proposes that the Minister establish an Advisory Council comprising members from the public, private and academic sectors to advise on data management standards, best practices, guidelines, and to develop a regulatory framework to manage data and cloud services.
In addition, the Draft Policy proposes reviewing the mandates of existing regulatory authorities so as to establish a single data regulatory authority which will report to the Minister.
Policy proposals relating to competition
The Draft Policy proposes reviewing existing competition law legislation to address dominance in the market and anti-competitive behaviour arising within the data and cloud environment. This will also address the need to ensure that local companies have a fair and equitable opportunity to compete with their global counterparts.
In addition, the National Open Data Strategy should be used to aid the development of a regulatory framework (including sector-specific regulatory frameworks) governing the exportability, interoperability, data portability and data trading and sharing.
It is unclear whether the proposals in the Draft Policy on foreign direct investment would apply separately from, or in addition to, the requirements in the amended Competition Act, which are expected to come into effect later this year.
People-centric policy proposals
The Draft Policy also proposes a number of policy interventions relating specifically to skills and capacity development, research and innovation, and human capacity development. These policy proposals include, amongst other things, the need for Government to build programmes and enhance capacity in line with the National Digital and Future Skills Strategy and to foster relationships with the private sector and international organisations to effect policy.
The Draft Policy can be accessed here.