The Bill Should Bolster Cloud Computing in South Africa but Success is Dependent on the Country’s Commitment to the New Data Protection Regulator
By Western standards, Africa's IT infrastructure remains severely underdeveloped, limiting economic opportunities in most African countries. While the creation of a traditional large-scale IT infrastructure would be prohibitively expensive, the deployment of cloud computing technologies offers Africa the opportunity to quickly develop a robust and flexible IT infrastructure at a fraction of the cost. Just as cellphones have allowed Africa to bypass traditional wired communications, the cloud would allow Africa to bypass the bulky “hub and spoke” server infrastructure of the recent past. However, such a deployment requires the creation of a legal infrastructure which safeguards personal information and allows for smooth data transfers across international borders.
South Africa’s parliament had these considerations in mind as it developed the country’s Protection of Personal Information Bill (PoPI), which was passed by the body last month and is expected to receive President Zuma’s signature by the end of the year. The bill, which is the first piece of South African legislation to address data privacy, follows recent efforts in several other African countries, including Ghana, Malawi, and Nigeria, to protect personally identifiable information. While those countries may have pioneered the continent’s data protection efforts, PoPI is the first African data protection bill that closely models the European Union’s (EU) Data Protection Directive.
The new bill is designed to regulate the use, storage, and transfer of South African citizens’ personally identifiable data in order to prevent the negligent disclosure of such data. PoPI’s supporters hope that a bill modeled on the EU data protection regime will not only protect personal information, but also stimulate South Africa’s IT sector by encouraging external investment. Basing the bill on EU regulations will help to ensure that South Africa’s data protection regulations meet the Union’s “adequacy” requirements, making it easier for European businesses to do business in the country. In this way, meeting EU requirements would ease the flow of personal data between the EU and South Africa and thus ease the operations of Information Technology (IT) firms operating in both jurisdictions. This is especially important for cloud computing providers, who frequently transfer personal information across international borders.
The bill, a version of which has been under consideration by parliament for over ten years, has generated broad support among South African politicians, NGOs, and businesses. Supporters expect that PoPI’s compatibility with the EU data protection regime will allow for stronger ties between European IT firms and those in South Africa. The potential benefits of the new bill are great; however, the long-term success of PoPI depends on the fate of the data protection regulatory authority created by the bill.
The bill includes many of the key provisions of the EU’s existing data protection regulations, including: requirements for the transfer of personally identifiable data out of the country, a requirement for customers to explicitly consent to the collection and use of personally identifiable data by companies, limits on the period of time such data can be retained, provisions allowing individuals to review the information companies have collected on them, and the establishment of minimum requirements for the protection of personally identifiable data. Perhaps the most important provision of the bill establishes a new South African data protection authority, the Office of the Information Regulator (OIR).
This entity is effectively the lynchpin of the new legislation, having been charged with the interpretation, implementation, and enforcement of the new law. The OIR has a wide range of responsibilities, including the development of specific standards and regulations governing the handling of personally identifiable data, and the review of complaints alleging violations of PoPI. The OIR is also responsible for the collection and review of data breach reports, the investigation of PoPI violations, and the execution of enforcement actions.
Entities that violate PoPI’s provisions are subject to steep civil and criminal penalties. OIR is able to seek fines of up to ZAR 10 million (approximately $1 million) for violations of PoPI’s data protection regulations as part of its enforcement powers. PoPI also allows individuals to file, or have OIR file on their behalf, lawsuits against alleged violators and seek both compensatory and aggravated damages.
OIR’s widespread responsibility under PoPI ensures that the success or failure of the new law will hinge on OIR’s effectiveness. One of OIR’s first major decisions will concern the timeline for the implementation of the new law. The law allows for a one-year transition period that can be extended to three years on the recommendation of OIR. A one-year transition is ambitious considering the significant changes businesses will need to make in order to comply with the law and the inherent challenges in establishing a robust and effective regulator to oversee the new data protection regime.
The longer term challenge, however, is to OIR itself. Budget challenges across the South African government threaten to leave OIR without the resources it needs to properly address its enormous responsibilities. Budget issues could also make it difficult to secure qualified personnel with the necessary skillsets.
The new regulator must also balance its data protection responsibilities with the regulatory burdens it places on businesses. A particularly burdensome regulatory regime would discourage the very investments in cloud computing and big data that South African leaders hope to encourage. An underequipped OIR, on the other hand, could be overwhelmed by its responsibilities under PoPI, leaving the new data protection provisions unenforced. Such a failure would leave South Africa without the benefits of having an EU-compliant data protection regime and would ultimately undermine the country’s efforts to bolster its IT sector. Both scenarios would limit the ability of South African firms to bring cloud computing solutions to the broader African market.
Ultimately, despite its strengths and breadth of support, PoPI’s success will be dependent on the South African government’s commitment to OIR. The South African government must create a regulator capable of handling the tremendous responsibilities given to it by the bill. This will require the resources to develop clear and minimally intrusive regulations on business, properly investigate data breaches, process individual complaints, and engage in enforcement.
Without these resources PoPI will be no more than a paper tiger, incapable of providing South Africa with the bill’s intended benefits. Meaningful personal data protection, compliance with the EU’s data protection standards, the economic benefits of compliance, and further investment in emerging computer technologies can only come from the creation of a strong and sensible OIR. South Africa has the opportunity to be a leader and data protection model for other African countries as the continent embraces cloud computing technology. South Africa would be wise to set a positive example and help the continent reap the significant economic and social benefits that cloud computing can provide.