While the recently published National Data and Cloud policy is comprehensive and says many right things, it comes across as if the government is trying to do too many things with too few resources at its disposal, writes David Monyae.
In April 2021, the South African government published a draft of the National Data and Cloud Policy. This came hard on the heels of the Protection of Personal Information Act (POPIA) commencing in July 2020.
These two developments signify a paradigm shift in the governance of the internet in South Africa. While the latter lays emphasis on protecting the data rights of natural and juristic persons, at the core of the former is an articulation of a desire for national digital sovereignty or self-determination.
Widely understood to mean the government or national "control of data, software, hardware, standards, services and infrastructure", digital sovereignty is at the centre of global geopolitics.
The quest for digital sovereignty in places like Brazil, China, Europe, Russia and now South Africa represents a challenge and rejection of the utopian views of a global and borderless internet exempt from and elusive to state control that have long underpinned US dominance and hegemony in the digital space.
As the internet is increasingly becoming ubiquitous, materially affecting the economic, political, and social well-being of billions of people and their countries, states around the world are bidding for more control of the digital space. The calls for digital sovereignty have been further amplified by the inequitable and the disproportionate control of the global data flow and the enormous wealth and political power that comes with it by a few Big Tech companies primarily domiciled in the US.
Getting a share of the digital economy (estimated to range between 4.5 percent and 15 percent of the global economy) and the need to alleviate risks to national security have fuelled the frantic data race among the world's major powers. The draft National Data and Cloud Policy is an expression and statement of South Africa's position on digital sovereignty.
South Africa is a relatively well-developed digital market.
The country hosts the landing stations of four high-capacity undersea cables and boasts 157 000km of terrestrial fibre optic cables connecting about 1.6 million homes and buildings. The internet penetration rate in the country is at 64 percent (38.19 million out of a 59.6 million population), slightly above the world average of 62 percent and way above the African average of 40 percent. Moreover, 25 of Africa's 79 data centres are in South Africa.
The expansive digital infrastructure that South Africa has witnessed a rapid digital transformation of its socio-economic sectors. The Covid-19 pandemic has further exacerbated this trend.
The intensification of digital transformation has seen South Africa generate vast volumes of data through millions of its citizens, businesses, government, and natural resources. However, this data is stored and processed in infrastructure owned by a few multinational companies who then capture its value by selling it to advertisers and enterprises seeking to remodel their businesses.
The data also includes sensitive information about South Africa's national population characteristics, government, public infrastructure, and natural resources, which threaten national security. Thus, while digital transformation is helping to connect people and add efficiency to the economy, South African businesses, citizens, and government scarcely participate in the lucrative data value chain beyond creating and generating data.
The country is also left nursing a national security headache due to its lack of control of sensitive national data. The new data policy is an attempt to rectify these anomalies.
In the draft National Data and Cloud Policy, the government laments that the digital economy has grown beyond the scope and capacity of existing regulatory regimes and that South African data, including that produced by the government is largely stored in foreign-owned private servers.
Perhaps to compensate for the government's minimal ownership of digital infrastructure, the new policy takes the securitisation route.
Large-scale digital infrastructure is declared a national strategic asset, while data centres and network points of presence are declared national critical information infrastructure.
According to the 2012 National Cybersecurity Policy Framework (NCPF), national critical information infrastructure will be secured by the government both technically and physically. This grants the government some level of control over the largely privately owned digital infrastructure. The government proposes to create digital hubs, especially in rural areas to support local digital innovation and decentralise digital infrastructure investment from metropolitan areas.
Information and Communication Technology Special Economic Zones (ICT SEZs) will be created to build a local tech industry. The ICT SEZs will act as an industrial policy to attract domestic and foreign direct investment in the digital sector, thus helping to build a South Africa tech industry. More importantly as part of realising data sovereignty, the government will establish a High-Performance Computing and Data Processing Centre (HPCDPC) which will provide cloud services for State entities, national departments, provinces, municipalities, metros, SOEs, universities, research centres, civil society organisations, and businesses.
The Senegalese government recently migrated government data to a new national data centre. The EU is also promoting the GAIA-X project which seeks to build pan-European network of cloud services. South Africa can leverage the state-owned Telkom, which owns most of the fibre optic cable network and the private but locally domiciled Vodacom and MTN mobile operators to build a sovereign cloud.
Such a sovereign cloud would be the cornerstone of data protection and localisation. It would also afford local digital apps a chance to compete in the market. By having its own data centre, the government can control and protect sensitive data while also leveraging the data for national planning.
The policy also aims to make data more accessible to South African citizens by adopting an Open Data strategy. This will see the government and the private sector sharing non-sensitive data to improve economic planning and aid scientific research leading to social and economic development.
The localisation and cross-border transfer of data is another key issue that is addressed by the policy. The policy declares that all data generated in South Africa will be the property of South Africa. Data generated from the country's natural resources is to be co-owned by the government while research data will be governed by the Research Big Data Strategy.
Personal data can only be allowed to cross the border in line with the provisions of the POPIA. Somewhat controversially, copies of this information will be stored in South Africa for law-enforcement reasons. This may raise suspicions in the civil society that the government may use its access to citizens' personal information to muzzle free speech.
To bolster cybersecurity, the NCPF will be reviewed to keep pace with new technologies to enable the state to effectively combat cybercrime. Further, the policy seeks to improve data governance by adopting common standards and establishing interoperability between government departments and between the government and the private sector. This will assist the effective management of data and help structure it in a way that contributes to national and development planning.
Moreover, the government intends to reverse the monopolisation of the digital market by the Big Tech through encouraging competition and innovation from local start-ups. Loosening the hold of the big companies on the digital market will give local small, micro, and medium enterprises (SMMEs) a chance to compete, thus aiding the development of indigenous digital capabilities.
Finally, in furtherance of digital sovereignty, the policy identifies skills and capacity development and research and training as critical for developing and nurturing South Africa's own skills and knowledge. This will stem the dependence on foreign experts and encourage indigenous digital start-ups' development and growth.
South Africa is firmly embracing the notion of digital sovereignty.
This is consistent with the African Union's Digital Transformation Strategy (2020-2030) which commits to "ensure Africa's ownership of modern tools of digital management." China, the EU, and Russia have all adopted digital sovereignty policies in response to security risks and to increase local share in the digital economy. South Africa also voted in favour of the United Nations Resolution Countering the Use of Information and Communication Technologies for Criminal Purposes sponsored by China and Russia in 2019.
The resolution promotes national sovereignty in cyberspace. As such, South Africa is part of a widespread global movement on digital sovereignty.
However, while the National Data and Cloud policy is comprehensive and says many right things, it comes across as if the government is trying to do too many things with too few resources at its disposal. South Africa has to contend against the structural disadvantages of being a technology consumer rather than a producer and having a low level of skills and expertise in technology.
As it stands, the policy is essentially a statement of intent. It remains to be seen how the government will implement it in the coming years.
- David Monyae is the Director for the Centre for Africa – China Studies at the University of Johannesburg
Disclaimer: News24 encourages freedom of speech and the expression of diverse views. The views of columnists published on News24 are therefore their own and do not necessarily represent the views of News24.