News / Legal Brief

Beware! Draft National Policy on Data and Cloud published

Jul 7,2021

by Ahmore Burger-Smidt, Director and Head of Data Privacy and Cybercrime Practice and member of Competition Law Practice; and Dale Adams, Associate


Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled”

These simple words represent some of the most controversial measures proposed by the Draft National Policy on Data and Cloud (“Draft Policy“). The Draft Policy was published by the Minister of Communications and Digital Technologies (“Minister“) on 1 April 2021 and is still being finalised by the Minister after having received public comment.

The Draft Policy recognises that one of the greatest advantages of data is the value it generates after it is processed into information and knowledge and that the capacity to use and transform data into information and knowledge lies in the hands of mega technological digital companies. Against this backdrop, the Draft Policy seeks to –

  • enable South Africans to realise the socio-economic value of data through the alignment of existing policies, legislation and regulations; and
  • put in place a conducive and enabling environment for the data ecosystem to thrive.

With a vision towards a data-intensive and data-driven South Africa, once the Draft Policy is finalised, it is envisaged that it will apply to all three levels of government, organs of state, private sector and the general public. Furthermore, the Draft Policy will also apply to multinational firms, particularly those who have invested in data and cloud infrastructure and services such as data centres in South Africa, but even in instances where they are not registered as legal entities in South Africa.

The Draft Policy contains a number of proposals relating to, inter alia, –

  • digital infrastructure;
  • access to data and cloud services;
  • data protection;
  • localisation and cross border data transfers;
  • cybersecurity measures;
  • governance and institutional mechanism;
  • competition; and
  • human capital development.

In terms of the Draft Policy, there is a “threat to both national security and social and economic growth” in South Africa if there is no policy to guide on localised data acquisition, ownership, storage, use and analytics. Furthermore, it is submitted in terms of the Draft Policy that the current legal, policy and regulatory regimes do not support and drive the development of the digital economy.

The Draft Policy also proposes that the government stores its data in government-owned data storage centres rather than rely on foreign companies that have set up large storage facilities in South Africa. However, it is not exactly clear how government would enforce compliance with the rules contained in the Draft Policy given that government could very well lack the skills, capacity and finance to set up and manage these large storage facilities.

What is also of particular concern with the Draft Policy is that it does not take cognisance of the fact the internet is borderless and consequently laws that try to own and regionalise data would inevitably be defective.[1]

Additionally, to the extent that government is in fact empowered to take ownership of all data generated in South Africa, this could fly in the face of intellectual property rights – which rights specifically protect and enforce the rights of the creators and owners of inventions, writing, music and other works. This could also impact negatively on foreign investment in the sector as government would be seen as alienating the technology industry in this space, which industry has already invested significant capital and infrastructure.[2]

One would think that the Draft Policy is in fact a move towards data localisation by government. It is generally known that the debate in relation to data localisation increased after revelations by Edward Snowden regarding surveillance programs in the United States. Since then, various governments in Europe and around the world have expressed the desire to be able to control the flow of residents’ data through technology. Criticism is however ever present against governments, being accused of using data localisation laws as a surveillance tool against their citizens, while governments almost always argue that it is in the interest of boosting local economic activity.

It remains to be seen whether, if at all, the Draft Policy will change subsequent to government receiving public comment regarding the contents of the Draft Policy. Should the general public be concerned? One should at least ask the question –

What about my right to privacy as guaranteed in section 14 of the Constitution?

The Draft Policy is available here.

[1] K Child “New data policy ‘could breach intellectual property rights” Business Day, 12 April 2021.

[2] Ibid.

Find out more: POPIA: misconceptions, Whatsapp groups and other deceptions!

Latest News