While cloud services had seen small-scale uptake within South Africa prior to 2020, the national working environment was fundamentally challenged by the onset of lockdown regulations following the COVID-19 pandemic. As staff members were required to stay at home, many organisations were obliged to shift their data onto cloud platforms so that staff members could continue working. In many instances, this emergency operational change did not consider the legislative implications of data migration and, following the relaxation of lockdown regulations, companies have been forced to consider the risk and compliance aspects of their migration.
In this OneTrust Dataguidance Insights Article, PR De Wet and Davin Olën unpack the regulatory position of cloud service providers and organisations making use of cloud services. To shed light on the phenomenon, this article commences with an overview of the most relevant legislative provisions regarding cloud storage facilities, followed by the applicable operational aspects of the regulatory framework.
The applicability of POPIA
At a foundational level, the processing of personal information in South Africa is regulated by the Protection of Personal Information Act, 4 of 2013 (“POPIA”). The POPIA is, in turn, guided by Section 14 of the Constitution of the Republic of South Africa, which provides a right to privacy for all. The POPIA is the first South African legislation to consider data specifically, and several OneTrust Dataguidance Insight articles consider the POPIA more broadly.
Before considering the impact of POPIA on cloud services specifically, it is crucial to recognise that, regardless of the type of organisation, whether a cloud service provider (“CSP”) or any other company, the POPIA requirements, and particularly the requirements relating to the processing of information, remain applicable. Therefore, when South African companies make use of CSPs, their obligations as Responsible Parties do not shift to the CSPs. The conditions for the lawful processing of personal information by Responsible Parties, as set out in Section 4(1) of the POPIA, remain valid and applicable to Responsible Parties. Similarly, CSPs conducting business within South Africa also need to adhere to the requirements of POPIA for their own business operations. However, it is the relationship between CSPs and Responsible Parties that gives rise to most of a CSP’s obligations, as will become clear in what follows.
Regulative framework and key sections of the POPIA
This article specifically considers matters related to cloud regulation. Sections 19 and 21 of the POPIA are arguably the most relevant insofar as they relate to CSP relationships and will be discussed first. Section 72 of the POPIA, which is particularly relevant where CSPs process data outside of the Republic, is discussed thereafter.
Firstly, Section 19 of the POPIA considers the security measures required to ensure the integrity and confidentiality of personal information and holds that Responsible Parties must take appropriate, reasonable technical and organisational measures to prevent the unlawful processing, access or alteration of data. To give effect to this requirement, Responsible Parties must identify risks to the personal information they hold, establish safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update the safeguards as new risks come to the fore. Specific industries, such as the banking industry, have additional generally accepted security practices and procedures which may further apply.
The requirements contained within Section 19 apply regardless of whether a Responsible Party makes use of a CSP or not. Given this obligation, Section 19 of the POPIA is crucial for organisations considering CSPs since it requires Responsible Parties to govern the risks associated with data processing. Essentially, Section 19 places the obligation of ensuring the safety of the Responsible Party’s information on the Responsible Party and not on any CSP. When procuring a CSP, Responsible Parties will therefore need to be cognisant that they will still be required to ensure compliance with the specific obligations raised by Section 19.
The management of the compliance relationship between Responsible Parties and CSPs is further unpacked within Section 21 of the POPIA. Section 21 of the POPIA requires organisations considering CSPs to ensure that the necessary due diligence has been undertaken in appointing a CSP which can adhere to the requirements set out in Section 19 of the POPIA. Organisations acquiring CSP services also need to ensure that the applicable CSP conforms to the security requirements detailed within Section 19. CSPs, in turn, need to inform Responsible Parties immediately should reasonable grounds exist to believe that data has been subject to any type of unauthorised access. Unauthorised access to data may constitute a criminal offence and is further considered within a separate OneTrust DataGuidance article on the Cybercrimes Act. In addition to Sections 19 and 21 of the POPIA, Section 72 is also particularly relevant and is discussed in the following section of this article, followed by the operational considerations of CSPs in light of POPIA.
In addition to the processing requirements created by the POPIA, a further set of requirements applies where data is processed outside of the Republic. Section 72 of the POPIA prevents Responsible Parties from transferring any personal information of a data subject to a third party outside of the Republic without certain protections being in place. Notably, each of the requirements listed below on its own authorises a cross-border transfer of data; Responsible Parties need not adhere to all of them.
Firstly, the Responsible Party will need to ensure that the third party is bound to similar or stronger data processing requirements which uphold the principles of reasonable processing discussed above. These requirements may be informed by the data processing laws within the territory of the third party, a binding agreement or binding corporate rules. Further, data subjects could consent to the transfer of their data outside of South Africa’s borders, or the transfer may be required as part of the performance of a contract between a data subject and a Responsible Party. Similarly, the transfer may be permitted should it be in the interests of the data subject or for the performance of a contract concluded in the interest of the data subject between a Responsible Party and a third party. Finally, a cross-border data transfer may be permitted where it is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject’s consent, and the data subject would be likely to give consent if it were reasonably practicable to obtain it.
Practice in other jurisdictions suggests that the requirement for similar or stronger data processing requirements, established in terms of Section 72(a)(i) of the POPIA, is the ground most readily relied upon for cross-border data transfers. A similar provision can be found in the GDPR, which formed part of the considerations within Data Protection Commissioner v Facebook Ireland (the Case). In the Case, the Court of Justice of the European Union found that the surveillance laws of the United States of America did not provide European citizens with sufficient protection in terms of the GDPR. Given the similarities between Section 72 of the POPIA and its GDPR counterpart, Responsible Parties intending to transfer data to the United States of America would do well to consider the alternative requirements in terms of Section 72 of the POPIA.
Transitioning from the regulative framework to the practical factors relevant within a business organisation, this section considers some of the most pertinent factors flowing from the legislation discussed above. The matter is addressed by considering the roles of CSPs and Responsible Parties in turn, followed by their shared roles.
Should CSP services be procured, Responsible Parties will still need to ensure that the organisational networks which access the services of the CSP are secure and that only permitted, secure devices have access to those networks. CSPs, in turn, would need to ensure the security of the data they have been provided and perform in accordance with their contract with the Responsible Party regarding data storage. CSPs would also need to ensure that access is only provided as required by the Responsible Party and that the integrity of the Responsible Party’s data is safeguarded. Furthermore, CSPs would need to inform Responsible Parties as soon as they have reasonable grounds to suspect that a data breach has taken place.
In addition to the separate roles of Responsible Parties and CSPs, there are also some overlapping obligations. Both CSPs and Responsible Parties need to stay up to date with any prescripts issued by the POPIA Information Regulator and both would, therefore, need to regularly check for updates in the regulatory framework for the country and their applicable industries. One example hereof is the recent addition of the cloud computing directive within the South African public service, under which all government departments were required to reconsider their CSPs in light of the directive.
This article provides an overview of the key legislative aspects which Responsible Parties should consider when undertaking cloud data services with any third parties. It highlights that the obligations created by the POPIA with regard to Responsible Parties are not dissolved by the appointment of CSPs; rather, the primary data processing responsibilities continue to reside with Responsible Parties. Responsible Parties are reminded of the reputational impact of a data breach and its impact on their customers. As such, Responsible Parties need to take particular notice of the data processing requirements applicable to CSPs and, if applicable, the relevant geographical considerations regarding the territory in which processing will take place. Finally, this article has considered some of the operational implications of the POPIA in closing.