If there is a silver lining to most crises, the accelerated move toward digitized commerce globally and in Africa may be one positive outcome of the COVID-enforced lockdown. It is welcome news there that the South African Minister of Communications and Digital Technologies (“Minister”) published the Draft National Data and Cloud Policy (in Government Gazette no. 44389) (“Draft Policy”) for public comment. The Draft Policy seeks to create an enabling environment for the provision of data and cloud services in an effort to move “towards a data intensive and data driven South Africa” that ensures social and economic development and inclusivity. The Draft Policy affects a few key areas, which we briefly highlight below.

The objectives of the Draft Policy are to:

  • Encourage universal access to broadband connectivity, along with access to data and cloud services;
  • Eliminate regulatory barriers and enable competition in the data and cloud sector;
  • Implement effective measures to ensure the security of cloud infrastructure;
  • Create institutional mechanisms to govern data and cloud services;
  • Support the development of small, medium, and micro enterprises (“SMMEs”);
  • Promote research, innovation, and technological developments in relation to cloud;
  • Increase the government’s capacity to deliver relevant data and cloud-based services to the public;
  • Promote data sovereignty and security with respect to South African data; and
  • Encourage alignment with the Fourth Industrial Revolution (“4IR”), the OECD Framework and standards adopted by the European Union.

Draft Policy proposal relating to digital infrastructure

The Draft Policy recognizes that digital transformation in South Africa relies upon further developing electronic communication networks, mobile communication networks, and cloud and data infrastructure services in the country.

In relation to universal access and service delivery obligations, the Draft Policy recommends a government-backed digital platform and for all South African citizens to be provided with an online identity in order to receive services more easily.

The Draft Policy discusses the need for a Wireless Open Access Network (“WOAN”) “to extend the digital infrastructure footprint and services” across the country. The Draft Policy also refers to various measures to ensure the deployment of electronic communication infrastructure, which will help to bridge the digital divide by ensuring universal access to cloud and data infrastructure services for all South Africans.

The Draft Policy also proposes that existing networks of state-owned enterprises, such as Sentech and Broadband Infraco, be consolidated to form a State Digital Infrastructure Company (“SDIC”), which will provide network connectivity for the State.

Draft Policy proposal relating to cloud computing infrastructure

The Draft Policy also highlights the need to process data using cloud computing infrastructure and makes provision for pliable data storage architecture and the purchase of capacity from cloud service providers.

The Draft Policy highlights the importance of cloud services and their ability to enhance the potential of 4IR technologies (e.g. blockchain, the Internet of Things (“IoT”) and artificial intelligence (“AI”).

In order to leverage the full potential of the South African economy through digital technologies, the Draft Policy proposes that a Digital Transformation Centre (“DTC”) act “as a catalyst to lead Digital South Africa”.

In addition, the Draft Policy proposes the establishment of a High-Performance Computing and Data Processing Centre (“HPCDPC”) for the purpose of managing cloud computing capacity for the State and its functionaries, universities, research centers and South African registered business, and to provide user-on-demand cloud services for the State and its functionaries .

The Draft Policy specifically provides that investment in data centres will be centralised in large metropolitan areas in South Africa, like Gauteng, KwaZulu-Natal and the Western Cape. Further, the Draft Policy proposes supporting local and foreign investment in data and cloud infrastructure and services by establishing a digital or ICT ‘Special Economic Zone’ (“SEZ”).

Draft Policy proposal on data protection, data localization and cross border data transfers

The Draft Policy states that the processing of personal data or personal information, specifically metadata (for example, IP addresses), must be compliant with applicable laws like the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and international best practice (such as the General Data Protection Regulation (“GDPR”) in the European Union).

There are currently no data localization requirements in South Africa (under POPIA or otherwise). However, the Draft Policy seeks to impose data localization requirements and defines data localization as the “…requirements for the physical storage of data within a country’s national boundaries, although it is sometimes used more broadly to mean any restrictions on cross border data flows”.

On the issue of data localization, the Draft Policy provides inter alia that:

  • Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled.
  • Ownership and control of personal information and data shall be in line with the POPIA.
  • The Department of Trade, Industry and Competition through the Companies and Intellectual Property Commission (“CIPC”) and the National Intellectual Property Management Office (“NIPMO”) shall develop a policy framework on data generated from intellectual activities including sharing and use of such data.

Draft Policy proposal on cybersecurity measures

The Draft Policy proposes that the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) be reviewed to align with cybersecurity policy and legislation.

Interestingly, the Draft Policy does not mention the Cybercrimes Act 19 of 2020, which is now an official Act of Parliament. The Cybercrimes Act aims to established a comprehensive cybersecurity framework and provides for the criminalisation of a broad range of cyber-related crimes. The date on which the Cybercrimes Act comes into force is yet to be announced.

Nevertheless, the Draft Policy proposes the establishment of a National Cybersecurity Policy Framework (“NCPF”) which, together with other policies, legislation and international best practice, will provide guidance as to cybersecurity initiatives and measures, and will be reviewed from time to time to ensure that the NCPF is responsive to cybersecurity threats and risks.

In addition, the Draft Policy proposes that the government develop and implement cybersecurity awareness initiatives to educate the public.

Next steps

Upon finalization of the Draft Policy, it will apply to all levels of government (i.e. national, provincial and local authorities); state-owned entities, the private sector (i.e., multi-national entities seeking to invest in the digital infrastructure of South Africa); and the general public.

For further information, please reach out to Witney Schneidman at WSchneidman@cov.com, Deon Govender at DGovender@cov.com, Dan Cooper at DCooper@cov.com, Mosa Mkhize at MMkhize@cov.com or Shivani Naidoo at SNaidoo@cov.com.

 

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Deon Govender Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of…

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across…

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.