Comments on government’s controversial proposed data policy – the Draft National Policy on Data and Cloud, released on 1 April 2021 – were due yesterday (18 May).
The policy, in which the government will become co-owner of all data generated in South Africa (SA), has already attracted widespread debate amongst commentators, with many saying that it raises issues around privacy and has the potential to scare off much-needed investment into the sector.
But it may be too soon to label the bill a help or hindrance. Aspects of the policy are encouraging, particularly proposals about extending provision of government data. But there are a number of grey areas where more clarity is required in order to accurately form an opinion.
Christoff Pienaar, director and national head of the technology, media and telecommunications practice at commercial law firm Cliffe Dekker Hofmeyr, shares commentary on aspects of the draft policy:
The draft policy document states that data and cloud computing must be based on open and open-source systems rather than exclusive systems. Does this mean that data gathering and storage companies will need to make their data and cloud systems available free of charge?
No, the reference to “open and open-source systems” does not mean that companies must make their systems and data available free of charge.
The concept of “open source” is mostly used in relation to software. Open source software is code that is designed to be publicly accessible and anyone can see, modify, and distribute the code as they see fit. Open source software is provided under a license that allows users to access, change, and improve its source code for their purposes. An open system is a system that has external interactions with other systems and this is typically achieved through the use of application programming interfaces (APIs).
Open systems refers to open platforms, whereas open source refers to the software’s source code and rights regarding its redistribution. Open systems may employ open source software or proprietary software. The “open” part essentially means that anyone can interact with or connect to the open system, provided that certain technical and security requirements are complied with and it allows third parties to make products that plug into or interoperate with it.
The policy refers to a Computing and Data Processing Centre. Does this mean a data-related SOE?
The way we understand it is that the policy seeks to “strengthen the capacity of the state to deliver services to its citizens”, so the focus is less on the regulation of private sector infrastructure and more on improving service delivery through the use of currently available technologies. The Chinese government owns one of the biggest data centres in the world and the US government also owns big data centres in Utah, Georgia, Maryland and Texas.
As a result of the Covid-19 pandemic, governments are more aware of the importance of data centres and digital infrastructure, but there is a danger that this may bring heavy-handed regulation. In the EU, the public sector is one of the most data-intensive sectors.
Public sector bodies produce, collect and pay for vast amounts of data, known as public sector information, or government data. Examples include geographical information, statistics, weather data, and data from publicly funded research projects.
The draft policy references European countries and the UK, saying that these nations have declared data a public entity. Could this be seen as a form of intellectual expropriation of property without compensation, or ‘nationalisation’ of privately generated and stored data?
The mechanism already exists in sections 53 and 54 of the Electronic Communications and Transactions Act, 2002 and allows the Minister (Minister of Communications) to declare certain data as “critical data”. Critical data is data that is of importance to the protection of the national security of the Republic or the economic and social well-being of its citizens.
Once declared as critical data, the Minister may prescribe minimum standards or prohibitions in respect of the general management of critical databases, access to, transfer and control of critical databases, infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data, procedures and technological methods to be used in the storage or archiving of critical databases, disaster recovery plans in the event of loss of critical databases, and any other matter required for the adequate protection, management and control of critical databases.
If abused, this mechanism could be a form of expropriation without compensation, and for this reason it is critical that there are clear policy rules around this. Also, in Europe, the European Directive (EU) 2019/1024 on open data and the reuse of public sector information was adopted and published on 20 June 2019, and should be implemented by Member States by 16 July 2021. The Directive introduces the concept of high-value datasets, defined as data that is associated with important benefits for the society and economy when reused.
High-value data sets are subject to a separate set of rules ensuring their availability free of charge, in machine readable formats, provided via Application Programming Interfaces (APIs) and, where relevant, as bulk download.
The Department of Communications and Digital Technologies states that the lack of proper policy guidelines with regard to data generation and storage could pose a threat to national security. Is this the case?
Data has always been a very important part of the national security concept. Inadequate data protection legislation could be a threat to national security, especially economic security. The reason for this is that countries with weak data protection legislation are perceived as unsafe destinations for data sharing and storage, and this in turn has economic consequences for such a country’s ICT sector.