The cloud's the limit


1. Introduction

'Cloud computing' is a term commonly used to describe the practice of using a network of remote servers hosted by third-parties ("Cloud Providers") on the Internet to store, manage, and process data, rather than a local server or a personal computer.

The purpose of this article and the instalments that follow is to provide a proper understanding of the legislative environment governing the processing of clients' personal information by organisations using Cloud computing ("Cloud Users").

In doing so, I hope to resolve the concerns traditionally held by potential South African Cloud Users (and their clients) as to the cloud environment and promote a wider acceptance to adopting Cloud computing, thereby creating new economic opportunities for Cloud Users, Cloud Providers and the South African economy as a whole.

2. The Global Experience

Since the adoption of Cloud computing by organisations ("Cloud Users") to process the personal information of their clients has become more widely accepted it has gained global recognition for its significant economic and operational benefits. These benefits, specifically the opportunity to outsource costly infrastructure and services, become more relevant for SMEs operating in developing countries, such as South Africa. However, these benefits are only attainable if the Cloud computing services are rendered in a cloud environment which is secure and trusted by the Cloud Users.

3. The South African Experience

In South Africa potential Cloud Users (and their clients) do not trust the cloud environment. For clients, the thought of losing their ability to protect the confidentiality, security, and availability of their data, which occurs as data is transferred to Cloud Providers and stored and processed all over the world, is enough to deter most. Whilst for potential Cloud Users, the potential (uncertain) liability associated therewith is enough to do the same.

If one looks at the laws which traditionally regulated the protection of data, it is clear that they are based on the premise that it is always apparent:

  1. where personal data is located;
  2. by whom it is processed; and
  3. who is responsible for processing the data.

Data entrusted to Cloud Providers can be stored and relocated anywhere in the world and processed by anyone, depending on where the requisite capacity lies. Consequently, traditional laws are unequipped to regulate Cloud computing and the concerns of potential Cloud Users and clients were well founded.

In November 2013 the legislative landscape of the cloud environment changed. The Protection of Personal Information Act, No. 4 of 2013 ("POPI") was signed into law with the aim of addressing the concerns of potential Cloud Users (and their clients) and promoting the adoption of Cloud computing. POPI transformed the proper processing and correct protection of information from being a vital function of an organisation, to a legal requirement. It establishes a truly secure cloud environment.

However, adoption of cloud-based services in South Africa remains unreactive and lags behind the rest of the world,[1] as potential Cloud Users remain distrustful of the cloud environment. The question is, why?

The answer is that potential Cloud Users (and their clients) do not perceive the cloud environment to be secure (and therefore trustworthy). It is my opinion that this perception is not the result of a lack of security in the cloud environment created by POPI, but stems from a deficient understanding of the legislation itself.

It is crucial that potential Cloud Users fully understand POPI and the legislative environment it creates. If this can be achieved I believe that adoption of cloud-based services in South Africa will become widely accepted.


4.1 Introduction

POPI, signed into law in November 2013 and expected to become fully effective by the end of 2016, applies to the processing[2] of personal information[3] of data subjects (clients) by responsible parties[4] (the Cloud Users), or on their behalf, by operators[5] (Cloud Providers).

In essence the purpose of POPI is to give effect to the constitutional right to privacy, by safeguarding client's personal information when processed by Cloud Users and/or Cloud Providers, subject to justifiable limitations that are aimed at[6]:

  • balancing the right to privacy against other rights, particularly the right of access to information; and
  • protecting important interests, including the free flow of information within the Republic and across international borders.

To this end, POPI imposes a number of duties on Cloud Users and Cloud Providers in relation to processing individuals' personal information, and provides individuals with concomitant rights in respect of their personal information.

Importantly, POPI applies to the operation or activity of processing personal information. It is not concerned with the juristic nature or identity of the person processing the information. Therefore, if you process a client's personal information, you are required to comply with the provisions of POPI.

POPI is about much more than just compliance. if Cloud Users (and Cloud Providers) can protect the client's data they can establish trust, gain a reputation[7] and take advantage of the economic and operational benefits of this arrangement.

4.2 Commencement, Enforcement and what this means

Only a limited number of relatively insignificant sections have commenced. The sections that create compliance requirements have not yet commenced. However, the President is expected to proclaim the date upon which the remainder of POPI's provisions will commence later in 2016. Once these provisions have commenced, there will be a one year grace period before the Information Regulator will enforce POPI.

POPI both creates the Information Regulator and provides it with extensive powers. Clients will be able to complain to the Information Regulator and the Information Regulator will be empowered to investigate and fine Cloud Users and Cloud Providers found to be in contravention of POPI's provisions. 

Cloud Users and Cloud Providers must comply with POPI and the time to begin to begin ensuring compliance is now.

4.3 Conditions, Duties and Measures

POPI prescribes a number of fundamental conditions for the lawful processing of personal information and requires Cloud Users to implement measures to give effect to, and maintain compliance with, such conditions at all times during processing. The conditions are:

  • Accountability[8]– The organisation must ensure the conditions for processing are complied with at all times
  • Processing limitation[9]- Personal information is Processed lawfully, with the consent of the individual and in a reasonable manner that does not infringe the privacy of the individual.
  • Purpose specification[10]- personal information is collected and Processed for a specifically defined and lawful purpose; and retained for a period no longer than is necessary for achieving the stated purpose.
  • Further processing limitation[11]- further processing of personal information must be in accordance or compatible with the purpose for which it was collected.
  • Information quality[12]- the personal information is complete, accurate, not misleading and updated where necessary.
  • Openness[13]- documentation of all processing operations is maintained and that the individual is aware of either the information being collected, or the source from which it is collected.
  • Security safeguards[14]- the integrity and confidentiality of personal information in your possession or under your control is secured and loss, damage destruction and unlawful access to personal information is prevented. If a third-party is used to process information on your behalf, a written contract is in place which ensures that the third-party only Processes personal information as authorised; treats the personal information as confidential; and does not disclose it.
  • Data subject participation[15]- the client has the right to request an organisation to confirm whether or not it holds personal information about the client; and request a record or description of the personal information held.

It is essential that the abovementioned conditions, and the concomitant measures employed to satisfy such, are understood by Cloud Users as they form the basis of the legislative environment within which they must operate.

4.3 Transfers of personal information outside Republic

POPI prohibits the transfer of personal information outside the Republic.[16]  There are however five useful exemptions, namely:

  1. the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection; [17]
  2. the client consents to the transfer; [18]
  3. the transfer is necessary for the performance of a contract between the Cloud User and the client, or the implementation of pre-contractual measures taken in response to the client; [19]
  4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the client between the Cloud User and a third party; [20]and
  5. It is not reasonably practicable to obtain the consent of; but the individual would be likely to give it. [21]

Exemptions are thus a critical consideration when a Cloud User wishes to process clients' personal information using Cloud computing and or Cloud Providers who are either based or Process information offshore. Maintaining compliance with the provisions of selected exemptions is similarly critical to ensuring the continued lawful processing of personal information offshore.

5. Conclusion

In the next instalment I will begin to unpack the rights and duties which define the cloud environment created by POPI. Specifically, I will be examining the duties, measures and rights relating to the condition of Accountability.

[1]    Deloitte, Cloud Computing in a South African business context [Online]. Available: & id=33683.

[2]     The term 'processing' applies to a definitive range of operations and activities, including the collection/receipt, storage, use, access, disclosure and disposal of personal information.

[3]    "personal information" is defined by POPI as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person"

[4]    "responsible party" is defined by POPI as "a public or private body or any other person who determines the purpose of and means for processing personal information"

[5]    "operator" is defined by POPI as being "a person who processes personal information for a responsible party in terms of a contract or mandate"

[6]     Section 2(a)(i)&(ii) of POPI

[7]    D Taylor, POPI: More Than a Compliance Issue, [Online]. Available:

[8]     Section 8 of POPI

[9]   Sections 9-12 of POPI

[10]   Sections 13 & 14 of POPI

[11]   Section 15 of POPI

[12]   Section 16 of POPI

[13]   Sections 17& 18 of POPI

[14]   Sections 19-22 of POPI

[15]   Sections 23-25 of POPI

[16]   Section 72(1) of POPI

[17]   Section 72(1)(a) of POPI

[18]   Section 72(1)(b) of POPI

[19]   Section 72(1)(c) of POPI

[20]   Section 72(1)(d) of POPI

[21]   Section 72(1)(e) of POPI

Contact Details

Tel: 021 795 0345

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Contact Us


15 Wittebomen Road,
Silverhurst, Constantia
Cape Town
South Africa


* indicates required
/* real people should not fill this in and expect good things - do not remove this or risk form bot signups */

Intuit Mailchimp