

South African Journal of Information Management

On-line version ISSN 1560-683X
Print version ISSN 2078-1865

SAJIM (Online) vol.22 n.1 Cape Town  2020 



Exploring the impact of cloud computing on existing South African regulatory frameworks



Mpho Mohlameane (I); Nkqubela Ruxwana (II, III)

(I) Research Department, Da Vinci Institute for Technology Management, Modderfontein, South Africa
(II) Cybersecurity Research Centre, Defence and Security, Council for Scientific and Industrial Research, Brummeria, Pretoria, South Africa
(III) Informatics Department, Faculty of Information and Communication Technology, Tshwane University of Technology, Pretoria, South Africa





BACKGROUND: The use of cloud computing services raises policy and regulatory challenges globally, more specifically on data security and privacy, amongst other issues. There is a concern on whether South African information and communications technology (ICT) policies and regulatory frameworks are sufficient to address emerging cloud computing regulatory challenges. Therefore, this necessitates a review to determine the extent to which existing regulatory frameworks are applicable to cloud computing and the challenges thereof.
OBJECTIVES: The study determines the impact of cloud computing on existing South African ICT policies and regulatory frameworks and ascertains whether they are sufficient to address challenges regarding the use of cloud computing services.
METHOD: The study followed an interpretivism philosophical stance. A multi-method qualitative research approach was employed and a thematic analysis was applied in which the data was collected through interviews, questionnaires and document analysis.
RESULTS: The existing policies and regulatory frameworks as applicable to computing are playing 'catch-up' where technology has a footprint. Moreover, some existing policies use a blanket approach and are not specific to the subject matter. As a result, there is a need for policies that are future-proof and specific to the subject matter.
CONCLUSION: The emergence of cloud computing has exposed the existing ICT policies and regulatory laws as being inadequate to address cloud computing developments, complexities and challenges, especially challenges related to public confidence regarding the use of cloud computing services and cloud competitiveness.

Keywords: cloud computing; policy; law; regulation; cloud computing regulatory; South African cloud regulatory framework.



Background of the study

Cloud computing is considered to be a cost-effective information and communication technology (ICT) solution that, when implemented appropriately, can help mitigate challenges experienced with the use of traditional ICT, such as high costs of procurement and maintenance of ICT infrastructure within organisations (Alharbi 2017; Mohammed & Ibrahim 2015).

Even though cloud computing services provide essential benefits for individuals and organisations, there are challenges that negatively impact on the public confidence regarding the adoption and use of cloud computing, as well as cloud computing competitiveness. The public confidence challenges in relation to cloud computing services foster doubt and uncertainty regarding the safety and privacy of data and the loss of control on data in the cloud computing environment. The competitiveness challenges, in turn, impede the growth of the cloud computing market, as they could lead to digital monopoly, hampering the growth of new cloud services providers into the market.

The challenges that impact on public confidence regarding the adoption and use of cloud computing include security and reliability issues (Abolfazli et al. 2015; Mahler 2014; Vasiljeva, Shaikhullina & Kreslins 2017); access to underlying ICT infrastructure that enables cloud computing to thrive (i.e. broadband costs and quality issues); and regulatory, governance, and legal uncertainties (Abolfazli et al. 2015; Gillwald & Moyo 2016; Kumar & Vajpayee 2016; Vasiljeva et al. 2017).

Cloud computing challenges that impact on the cloud computing market growth and competitiveness include, but are not limited to, data portability and interoperability, vendor lock-in, vertical integration and discrimination issues, data cross-border and jurisdictional challenges, and lack of cloud computing standards (Scholtz, Govender & Gomez 2016; Sluijs, Larouche & Sauter 2012; Van Gorp & Batura 2015). These challenges can negatively impact new entrants into the market by means of digital monopolisation, and thus impact on cloud computing competitiveness.

In addition to these challenges, what is important to note is that the lack of a national cloud computing policy framework has been identified as a barrier and explains the slow cloud computing adoption, more specifically in the public sector (Gillwald & Moyo 2016; Scholtz et al. 2016). The absence of a cloud computing policy framework to help build public confidence regarding the adoption and use of cloud computing services and to improve competitiveness is not only affecting South Africa but Africa as well. There seems to be slow progress in Africa in developing cloud computing policies (Abubakar 2016; Muhammed et al. 2015). These challenges emphasise the need for a cloud computing policy framework, not only for the public sector, but also for the other sectors of the economy since some of these challenges cut across all sectors of the economy.

In this paper we review some of the ICT and legislative frameworks and ascertain to what extent these regulatory frameworks relate to the emergence of cloud computing. This will ascertain if there are any gaps that need to be addressed.

Cloud computing services are accessible over the internet. It is necessary to look at policies and regulatory laws that govern electronic communication and transactions. It is also necessary to include policies that govern consumer protection and ascertain what impact these policies could have on cloud computing. As cloud computing services are geographically dispersed, it is necessary to look into policies that protect personal information in relation to the emergence of cloud computing. For these reasons four legislative policies were reviewed, namely the Electronic Communication and Transaction Act (ECTA), the South African Competition Act, the Protection of Personal Information Act (POPI), and the National Integrated ICT Policy White Paper.


South African information and communication technology regulatory frameworks related to cloud computing

This section discusses some existing South African ICT policies and regulatory frameworks in relation to the emergence of cloud computing, starting with the Protection of Personal Information Act (POPI).

Protection of Personal Information Act (No. 4 of 2013)

The POPI Act is a positive initiative by government as it strives to ensure privacy, safety and confidentiality of data subject personal information, that data is processed in a lawful manner and that there is accountability. It ensures that the data subject participates in the processing of personal information. Moreover, it holds the responsible party and the operator accountable with regard to the unlawful processing of personal information. The POPI Act empowers data subjects and affords them the opportunity to take legal action when they believe that their personal information is being processed in an unlawful manner, such as the processing of personal information without data subject consent. However, it is worth mentioning that the POPI Act has its own challenges.

One of the key challenges of the POPI Act is the organisation's readiness to comply with the Act. This is exacerbated by the lack of necessary skills, knowledge and awareness of the Act (Baloyi & Kotze 2017; Jangara & Bezuidenhout 2015). A survey conducted by Baloyi and Kotze (2017) reveals that there is limited familiarity with the POPI Act and its non-compliance implications. Moreover, the study found that most organisations do not have systems available to help with the classification of personal data and that most organisations in South Africa are not ready to implement compliance with the POPI Act (Baloyi & Kotze 2017). There are also concerns regarding loss of direct marketing as a strategy, and as a result this might lead to job losses (Botha, Eloff & Swart 2015).

There are challenges related to cross-border data flow. Jangara and Bezuidenhout (2015) note five emerging challenges: data location, security, privacy, legal compliance and cloud service providers. They argue that transferring data outside countries gives data owners less control over their data. These five emerging challenges require special attention to ensure that trans-border data transfer is conducted in a secure manner and privacy of data is managed through legal compliance controls.

Chapter 9 of the POPI Act makes provisions for cross-border data transfer, when data is to be transferred to other countries provided the data subject gives consent and the laws of the foreign country regarding privacy policies are similar to those prescribed in the POPI Act. Cloud computing raises security and privacy concerns, especially when it involves multiple cloud platforms across various countries with various legal systems that are not in harmony. This raises legal concerns for policymakers and the legal fraternity and necessitates a review of the POPI Act to address areas within the Act where there might be sections that are considered vague, and assess whether the Act should provide further clarity for those conditions relating to cloud computing. This could address some of the legal concerns regarding the storage of personal information on various cloud platforms.

In most instances the cloud computing services providers have data centres in geographically dispersed locations to meet the high demand for computing resources from various tenants. This also assists where there are outages such as hardware failure or a natural disaster. The cloud service provider can seamlessly provide resources in another country. However, due to the fact that the service provider might require client permission to effect such a move, this can affect the speed at which the resources can be provided.

Electronic Communication and Transaction Act (No. 25 of 2002)

According to Schofield and Abrahams (2015), the ECTA of 2002 is South African legislation with the potential to be applicable to cloud computing; the ECTA of 2002 consists of 14 chapters on the government's regulatory position regarding the use of electronic communication and online transactions. Furthermore, the Act addresses factors such as facilitating electronic transactions, registration of cryptography providers, accreditation of authentication services providers, consumer and personal information protection in relation to electronic communication and transactions, the liability of service providers and cybercrime. Some of these factors are discussed below, starting with the facilitation of electronic transactions.

The provision for cybercrime in the ECTA of 2002 positively aims to address issues of cybercrime. A further positive factor is that there are initiatives in place to address issues of cybercrime awareness, spearheaded by institutions such as the Centre for Scientific and Industrial Research (CSIR), the University of Venda, the University of Pretoria (UP) (ICSA-PumaScope), and the University of Fort Hare (UFH). The South African government in 2012 approved a National Cybersecurity Framework for South Africa, aimed at addressing the challenges and consequences of cybercrime.

It is worth noting that while ECTA legislation may to some extent be applicable to cloud computing, there are some noticeable challenges around trans-border jurisdiction and enforcement of judgment (De Villers 2004; Erasmus 2011), and the use of cryptography as a form of data security in the cloud environment (Issi & Efe 2018; Van Dijk & Juels 2010). Schofield and Abrahams (2015) argue that some of the provisions in ECTA are not specific to cloud computing instances, making them difficult to apply in law, particularly to computing activities in the cloud environment.

Although ECTA has some provisions that are applicable to cloud computing, this regulatory law needs to be aligned with international best practice. The 2018 BSA cloud computing scorecard lowered South Africa's ranking due to factors such as continued internet filtering and censorship and this can become a barrier to the development of a digital economy (Business Software Alliance 2018). Although cloud service providers are partially free from mandatory filtering or censoring, there are still gaps in this regard which require alignment with international best practice.

South African Competition Act (No. 89 of 1998)

The purpose of the South African Competition Act is to promote and sustain competition in South Africa by ensuring that there is inclusive participation and a spread of ownership specifically to previously disadvantaged individuals (Western Cape Government 2013). Additionally, the Act is premised on ensuring the development of the economy and creation of employment opportunities. Moreover, the Act is premised on ensuring that there are competitive services for consumers in the market.

The South African government preferential procurement policies and regulatory laws (such as the Preferential Procurement Policy Framework Act 2000) have been viewed as a potential barrier to competitiveness. The 2018 BSA cloud computing scorecard perceived these regulatory laws to be complex and this could negatively affect the promotion of free trade. This is a challenge because computing services are not able to operate free from laws that discriminate based on the nationality of the vendor, developer or service provider. Although this might be seen as a potential barrier, South Africa's past economic laws were discriminatory and the majority of black South Africans were excluded from participating in the economy. The purpose of these regulatory laws is thus in part to ensure the participation of those who were previously disadvantaged. While this is necessary, it has to be applied in a manner that does not discourage foreign companies from participating in the local economy.

Another challenge that might arise is around cloud computing pricing and determining whether the pricing is fair and competitive. In most cases, a cloud service provider (CSP) might sell cloud computing services at a discounted price in order to discourage competitiveness and push competition out of the market. This type of exclusionary practice requires intervention from a policy or regulatory perspective. Competition issues in the cloud computing environment can be complex, and the complexity can evolve quickly as the technology grows. This necessitates intervention to ensure that competitive challenges such as interoperability and data portability, price discrimination, and vertical integration are addressed.

National Integrated Information and Communication Technology Policy White Paper by the Department of Telecommunications and Postal Services

The National Integrated ICT Policy White Paper is an inclusive paper, taking into account some of the emerging technologies such as cloud computing and internet of things (IoT). Even though the White Paper is not detailed in relation to emerging technologies, it indicates that government is aware of such emerging technologies.

Access to the necessary ICT infrastructure is critical for cloud computing services as they are heavily dependent on the availability of the internet, therefore making broadband accessible will help. However, since broadband tends to be expensive in South Africa, the White Paper acknowledges this and proposes measures to ensure that broadband is accessible and is of high quality. It is worth noting that the White Paper in its current form has its own limitation when it comes to issues of cloud computing.

Cloud computing by its very nature can be sophisticated and if left unattended can be a problem for government and policymakers. While policies such as the National Integrated ICT Policy White Paper promise benefits, from a policy and regulatory point of view there is more to be done in relation to cloud computing. Cloud computing services, reliability and liability, vendor lock-in, and other cloud contractual challenges require further attention. From a consumer protection point of view, consumer protection challenges must be mitigated and consumer concerns addressed in regard to the use of data on the cloud, concerns about the possibility of law enforcement access to data on the cloud as well as secondary use of data, and concerns regarding fairness in terms of service, transparency, interoperability and portability.

Implications of lack of cloud computing policy

The lack of policy to address cloud computing challenges can negatively impact on areas such as security and privacy, competition, intellectual property and liability, consumer protection, and cross-border and juridical challenges. Additionally, the study conducted by Scholtz et al. (2016) revealed factors that affect the adoption of cloud computing, specifically in the public sector. Amongst those factors are a lack of approved cloud standards, data availability and privacy concerns, cloud multi-tenancy issues and trans-border information flow. Lack of a national cloud computing policy framework, as well as cloud computing adoption guidelines, was identified as a challenge for cloud computing adoption (Gillwald & Moyo 2016; Scholtz et al. 2016).

The implication of the lack of a cloud computing policy framework is that such challenges will continue and raise policy and legal uncertainty. Cross-border data transfer in the cloud computing environment contributes to complex juridical legal challenges. From a cloud computing legal perspective, some of the existing regulatory laws require updates and alignment with international standards and best practice, while others require a thorough revision to take into consideration new technological developments (Gillwald & Moyo 2016).

Cybercrime has become a serious issue in South Africa as it is considered to be the country most affected (Davids 2017; IOL 2017; Van Heerden, Von Soms & Mooi 2016). The government has made strides in addressing cybercrime through the introduction of the National Cybersecurity Bill. One of the impediments to fighting cybercrime in South Africa is lack of skills (Griffiths 2016; Sutherland 2017). Cybercrime has an impact on cloud computing as most cloud computing is conducted online. The lack of skills in fighting cybercrime can thus negatively impact on cloud computing adoption and use.



In this study it was essential to understand human beliefs, views and experiences regarding the phenomena under study (Al-Saadi 2014). Thus, it was important to understand participants' views regarding the impact of cloud computing on existing South African ICT policies and regulatory frameworks. From an epistemology stance, interpretivism philosophy was employed in the study to acquire more knowledge (Chowdhury 2014; Kaplan & Maxwell 1994) and to understand meaning about the nature of reality (Goldkuhl 2012). The interpretivism stance was found to be most suitable for this study purpose as it helps to focus on fresh, complex and rich descriptions of the phenomenon as it is concretely lived (Goldkuhl 2012); and further facilitates the understanding of people's perceptions towards events that are external to them (Chowdhury 2014; Saunders, Lewis & Thornhill 2012). The study employed a multi-method qualitative research approach to provide an in-depth understanding of the phenomena under study (Creswell 2012; Saunders et al. 2012). Data was collected using multi-method collection which included interviews, questionnaires and document analyses with the qualitative study paradigm in a South African organisation based in the Gauteng province. Triangulation was used in this study as the main technique for improving trustworthiness. This assures the reliability and validity of the study through the use of a variety of methods to collect data on the same topic, which involves different types of samples, as well as methods of data collection. The participants in this study were selected by making use of the purposive sampling technique, where the selection criteria included participants involved in cloud computing, expert knowledge of the POPI Act and other South African ICT legislative frameworks, expert knowledge in ICT formulation process, ICT law, as well as expert knowledge in ICT security.
Thus, this study comprised a total of 50 participants from different institutions and various sectors of the economy (such as telecoms, government, advisory, legal and financial). Of those participants, 14 participated in semi-structured interviews and 36 participated in the questionnaire. The data analysis followed the qualitative data analysis, in which a thematic analysis technique (Creswell 2012) was followed to effectively analyse data collected.


Findings and discussions

This section presents the findings of this study by making use of interviews which were the primary source of data collection, supported by secondary sources of data such as questionnaires and literature. The findings presented in this section answer the following question:

To what extent do current information and communication technology policies and legislative frameworks in South Africa relate to the emergence of cloud computing?

This question is intended to ascertain how current ICT policies and regulatory laws in South Africa are perceived to relate to the emergence of cloud computing, and to further establish whether they are regarded or viewed as being comprehensive and adequate to address the emergence and complexities of cloud computing. To address this sub-question, data was collected using questionnaires, interviews, literature review and expert reviews. The next section presents the findings from the interviews.

Interview findings

To understand the perspectives on how current information policies in South Africa relate to the emergence of cloud computing, several questions were asked of participants. They were asked if existing policies are sufficient to address cloud computing challenges. They were also asked about their views regarding the POPI Act in relation to cloud computing, and whether there is sufficient awareness of the Act and its impact on cloud computing.

Firstly, the participants were asked to identify the current policies, regulations and legislative frameworks that relate to cloud computing. The findings suggest that while all participants indicated that there is no existing legislative framework for cloud computing in South Africa, there are some that incorporate cloud computing, such as the ECTA, Cybercrimes and Cybersecurity Bill, South African Competition Act and the POPI Act.

When asked whether they think existing policies and regulatory laws are comprehensive and adequate to address cloud computing developments, complexities and challenges, the following points were made:

' I really do not think so that policies are sufficient enough I think lawmakers are playing catch-up instead of actively monitoring trends and trying to develop policies based on those trends I don't think the laws we have currently are able to secure the client's data if they have to be hosted in the cloud environment ' (Participant 1, Mr, Managing Director)

' I think no-one has really thought about what happens to this data that is stored in the cloud and who owns it and who controls it, what the cloud would do with it. I think to that extent no, because there is no-one who has really thought about those issues so, no, the regulation doesn't really adequately deal with them on the security side there is legislation in place that deals with cybercrime, which is a real problem in South Africa, but in terms of enforcing those regulations I think we have a really big problem. I do not think either the will or the skills are there to actually enforce the legislation that is currently on the books ' (Participant 10, Ms, Legal and Regulatory Expert)

Of the recent developments, the Department of Telecommunication and Postal Services (2016) developed a policy White Paper titled the National Integrated ICT White Paper. However, the aspect that is not included in the White Paper is the discussion on cloud computing and how the competition factors raised in the White Paper can help mitigate issues of cloud computing competitiveness (such as fair competition, quality, trust and reliability of cloud computing services). An interviewee who was part of the panel that drafted the paper explained that the White Paper is silent on cloud computing and that its provisions will therefore need to be updated to include innovations such as cloud computing and the IoT. The following observation was made:

' from a legislative point of view, definitely there is a requirement to update the provisions so there is still a gap you can go through the White Paper [National Integrated ICT White Paper] and you will see that there is only one paragraph that talks to issues of cloud because they are so complex and it is a fast-paced environment what you put in law and regulations might not be relevant in 18 months ' (Participant 13, Ms, Chief Director: ICT Policy)

This reveals some of the weaknesses in the process in which ICT policies and regulatory frameworks are formulated in South Africa, as they are perceived to be designed as a wholesale blanket approach. Most participants hold a view that the ICT policy development approach in South Africa is considered to be holistic rather than being specific to a particular subject matter or domain (i.e. cloud computing, IoT).

The argument being put forward is that cloud computing is very broad and having a wholesale policy approach that is not specific to the subject matter might be a limitation in trying to address technology challenges, especially those that negatively impact on public confidence regarding the adoption and use of cloud computing services, as well as competitiveness. This is because, by focusing on a wholesale policy approach or blanket policy approach, policymakers might overlook the need for rigour and extensive analysis on critical issues. This argument is supported by the findings of the study where interviewees noted that the way policymakers formulate ICT policy and regulatory laws is not adequate, as per the observation below from one of the experts:

' the way we handle policies we do not create specific ICT policies, we create IT blanket policies I do not think our policies are adequate we need to create future-proof policies as we have seen how dynamic and ever-changing this environment is, especially the cloud space, so we need to have a forward-thinking type of view ' (Participant 4, Mr, Business Development Manager: Cloud and Data Centre Hosting)

Since the ICT policy development approach is considered to be holistic, some of the existing policies and regulatory laws in relation to cloud computing suggest gaps and concerns regarding their applicability to the pressing challenges of cloud computing (such as data security and privacy, interoperability and portability, cross-border data transfer and jurisdictional challenges). Regulatory laws that were found to be too holistic included the ECTA and the South African Competition Act, as well as the National Integrated ICT White Paper. The Competition Act partially aligns with cloud computing challenges that impact on competitiveness such as data interoperability and portability, as well as vertical integration. These factors are critical in ensuring fair competition and avoiding vendor lock-in, thus ensuring that cloud consumers can move from one cloud provider to the other with minimal costs. The National Integrated ICT White Paper is holistic in a manner that includes other factors such as the postal services policy, radio frequency spectrum policy, broadband policy, National Information Society and Development Plan, and the National Cybersecurity Policy Framework.

It was found that there is a perception that most existing policies in South Africa are playing 'catch-up' because technology has made progress and the process of revising these policies is said to be lacking in agility and scalability to cater for the rapid and continuous technology evolution. This was raised as a concern by most participants, in that the technology evolution is progressing at a rapid rate and this prompts lawmakers to act, thus creating policies that only 'catch-up' with technology, instead of proactively monitoring technology trends and responding quickly to policy issues emanating from technology advancement.

' I think we have been playing catch-up in terms of policies A lot of policies that cover up have been to cater what is already here on our doorstep policies such as POPI and ISO standards have all been put through as a blanket approach to a problem if there is an issue around leaked information, a policy will come through ' (Participant 4, Mr, Business Development Manager: Cloud and Data Centre Hosting)

' technology has moved faster than legislation that we have the legislative framework has not moved as fast as it used to be so it is trying to catch-up where the technology has moved. Cloud is becoming a key enabler for the digital economy that's why we need that type of vigorous and transparent regulation and policy around cloud so we need to have a tight policy framework to regulate the industry and also to protect the consumers ' (Participant 5, Mr, Director, Telecoms & IoT)

The recently developed data privacy regulatory Act known as the POPI Act was identified as one of the best-known regulatory laws on cloud computing. Participants were asked about their views regarding the POPI Act and its impact on cloud computing. The findings reveal that there is unanimity amongst participants that the POPI Act has had a profound impact on cloud computing in the sense that it protects consumers' personal information. Furthermore, it enables the protection and privacy of consumer information by ensuring that it is handled and processed in a responsible manner and within the ambit of the law. Below are some of the participants' views regarding the POPI Act in relation to cloud computing:

' it is a good piece of legislation and it does not impede cloud computing in any way, it protects the privacy and the rights of the consumer but it does require a little bit of work for any cloud service provider to subscribe to the requirements of POPI so for me it is not a barrier but an enabler of cloud ' (Participant 5, Mr, Director, Telecoms & IoT)

' the POPI Act has a profound impact on cloud computing wherever the cloud is even if it is in South Africa. If you are using a cloud service, you are using a third party and they have to ensure that all eight conditions of POPI are applied ' (Participant 2, Ms, POPI Act Expert)

Findings reveal that the complexity inherent in complying with the Act is concerning, more specifically for small, medium and micro enterprises (SMMEs), as most of them are not aware of the POPI Act and its compliance requirements. Moreover, compliance is of even greater concern for SMMEs than for large organisations since SMMEs, unlike large organisations, have limited financial resources to contract consultants to assist with compliance. This suggests the need for compliance to be simplified in order to improve adherence. Another emerging theme is lack of clarity regarding the POPI Act and its impact on cross-border data transfer. There is a view amongst participants that POPI Act compliance might take long as a result of due diligence with cross-border data transfer laws and regulations. Furthermore, the legislation itself is vague as regards cloud computing. Below are some of the participants' views regarding the POPI Act and its challenges:

' POPI is very complicated to implement here is section 57 of POPI that I think is going to create a problem in terms of cloud computing if it is going to take place trans-border ' (Participant 2, Ms, POPI Act Expert)

' I think people that are in this industry (SMEs) know less about POPI I got to know or find out about the Act because I read about it and not because of the awareness or any marketing that would have been done by the organisation that is in charge of the Act but I don't think the awareness is adequate I'm sure that there are people who are transgressing the Act who don't even know that they are transgressing the Act ' (Participant 3, Mr, SME Director)

Although most participants view the POPI Act as an enabler for cloud computing adoption and use, there are several factors that can negatively impact on how organisations comply with the Act. Principal amongst those are the lack of awareness and complexity in complying with the Act. Awareness is necessary, especially from a policy and regulatory perspective, since it informs the general public about the new policies and regulatory laws, how they affect them and what measures and processes need to be followed to comply. Since most policies and regulatory laws are developed to protect the rights of users, it is important that there is an extensive awareness campaign to educate and inform the users about new policies and regulations.

In summary, the interview findings reveal that most existing South African ICT policies are not comprehensive and adequate to address cloud computing developments, complexities and challenges. Moreover, some of the emerging policies are put in place to try and 'catch-up' where technology has already left a footprint. There is a notion that most existing policies are not 'future-proof' and policymakers are not actively involved in analysing digital technology trends to address the policy gaps that might arise. The interview findings reveal that most South African policies and regulatory laws that are put in place are not specific to a particular domain (i.e. cloud computing), but rather are designed in a blanket manner. The findings further reveal that there is a need to formulate ICT policies that are specific to a subject domain, as discussed in the above analysis.

Questionnaire findings

A questionnaire was used to help understand the perspectives on how current information policies in South Africa relate to the emergence of cloud computing. Since most ICT and legislative Acts were found in the literature review to have an impact on cloud computing, the questionnaire was also used to validate literature review findings. The following question was asked: Which of the following regulatory Acts have a general impact on cloud computing?

The participants were provided with policy and legislative options to choose from and indicate whether they either agree or disagree that these regulatory Acts have a general impact on cloud computing. The reason why the participants were provided with predefined options is that some of the regulatory Acts were found in the literature review to have an impact on cloud computing and were drawn on to validate literature review findings.

As depicted in Figure 1 below, of all the regulatory laws that were provided to participants to choose from, over 90% agreed that the POPI Act has the greatest impact on cloud computing, followed by the Electronic Communication Act of 2005. There was agreement amongst the participants regarding regulatory policies such as the Standards Act and Copyright Act where over 36% of participants indicated that these regulatory laws have an impact on cloud computing.


Figure 1


Of the participants interviewed, 11% indicated that there are other policies that have an impact on cloud computing such as ISO27001 and the Promotion of Access to Information Act. This confirms that there are participants who are exposed to different policies and the impact of such policies on cloud computing. The lower percentages scored by some policies, as depicted in Figure 1 above, confirm that such policies might have little impact on cloud computing.

Figure 1 further indicates that over 90% of participants viewed the POPI Act as a policy that has an impact on cloud computing, meaning that there are conditions in the regulatory Act that might partially apply to cloud computing, specifically regarding the protection of personal information.

Participants were then asked the following question regarding existing ICT policies and regulatory frameworks in South Africa: Do you think existing ICT policies and regulations in South Africa address issues of cloud computing?

The above question refers to issues such as security, interoperability, cybercrime, and vendor lock-in. Over 50% of the participants indicated that current ICT policies and regulatory laws are not sufficient to address challenges of cloud computing, while 9% agreed that policies are sufficient, as depicted in Figure 2.



In response, 39% of participants indicated that they do not know whether existing ICT policies are sufficient to address issues of cloud computing. Since cloud computing is still regarded as a new and emerging technology by most people, there might be limited knowledge regarding cloud computing challenges in relation to existing ICT policies.

In summary, the questionnaire findings revealed that there are some regulatory Acts that might have relevance for cloud computing, with the most prominent being the POPI Act, the Electronic Communication Act and the Electronic Communication and Transaction Act. However, the question is whether these policies are sufficient to address challenges related to the cloud. Based on the questionnaire findings, it can be inferred that the policies are not adequate to address emerging challenges of cloud computing. Most ICT policies are old, were enacted some decades ago and are not sufficiently aligned with emerging digital technologies. A further argument is that new emerging legislative policies are lagging behind in addressing the gaps where technology has made an impact.



The study findings revealed that there are some existing ICT policies and regulatory laws that have an impact on cloud computing. The Cybercrime and Cybersecurity Bill is more applicable to cloud computing in relation to challenges that negatively impact on the adoption and use of cloud computing services such as security and privacy. However, the findings revealed challenges with the Cybercrime and Cybersecurity Bill, in particular related to lack of skills and political will to enforce the legislation on issues of cybercrime, which can negatively impact on public confidence regarding the adoption and use of cloud computing services. The National Integrated Policy White Paper provides a digital transformation agenda to promote an inclusive knowledge society, taking into consideration technological development. The problem with the White Paper is that it is not comprehensive and adequate enough to address cloud computing developments, complexities and challenges. The findings revealed that the paper has a limited focus on cloud computing and will require additional provisions to comprehensively align the policy with emerging challenges of cloud computing. The POPI Act is generally considered to be a good piece of legislation that is perceived to enable cloud computing when implemented correctly, as it helps to secure privacy of personal information. However, there are challenges that might impact on compliance with the Act. One of these challenges is the lack of understanding of how the regulatory Act should be applied. In addition, there is limited awareness and understanding of the regulatory Act. Based on the findings discussed above, it can be concluded that the emergence of cloud computing has exposed the existing ICT policies and regulatory laws as being inadequate to address cloud computing developments, complexities and challenges, especially challenges related to public confidence regarding the use of cloud computing services and cloud competitiveness. This is aggravated by the notion that the approach that is used to develop ICT policies is a holistic approach, rather than having ICT policies that are specific to a particular issue or problem.



I wish to thank all the participants, but, due to confidentiality, I cannot mention their names. Thank you for the opportunity you offered to collect data and your willingness to participate.

Competing interests

The authors have declared that no competing interests exist.

Authors' contributions

All authors contributed equally to this work.

Ethical consideration

This article followed all ethical standards for a research article.

Funding information

This research received no specific grant from any funding agency in the public, commercial or not-for-profit sectors.

Data availability statement

Data sharing is not applicable to this article as no new data were created or analysed in this study.


The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any affiliated agency of the authors.



Abubakar, D.A., 2016, 'Cloud computing adoption by SMEs in Sub-Saharan Africa', PhD thesis, Robert Gordon University, Aberdeen.         [ Links ]

Abolfazli, S., Sanaei, Z., Tabassi, A., Rosen, S., Gani, A. & Khan, S.U., 2015, 'Cloud adoption in Malaysia: Trends, opportunities, and challenges', IEEE Cloud Computing 2(1), 60-68.        [ Links ]

Alharbi, F., 2017, 'Holistic approach framework for cloud computing strategic decision-making in the Healthcare Sector (HAF-CCS)', Doctoral thesis, Staffordshire University, Stoke-on-Trent.         [ Links ]

Al-Saadi, H., 2014, Demystifying Ontology and Epistemology in research methods, viewed 06 March 2015, from Epistemology_in_Research_Methods.

Baloyi, N. & Kotźe, P., 2017, 'Are organisations in South Africa ready to comply with personal data protection or privacy legislation and regulations?', in IST-Africa 2017 conference, IEEE, Windhoek, Namibia, 31 May - 02 June 2017.

Botha, J.G., Eloff, M.M. & Swart, I., 2015, 'The effects of the PoPI Act on small and medium enterprises in South Africa', in Proceedings: Information Security for South Africa (ISSA), IEEE, Johannesburg, August 12-13, 2015, pp. 1-8.

Business Software Alliance, 2018, The 2018 BSA global cloud computing scorecard, viewed 23 June 2018, from

Chowdhury, M.F., 2014, 'Interpretivism in aiding our understanding of the contemporary social world', Open Journal of Philosophy 4, 432-438.        [ Links ]

Creswell, J.W., 2012, Educational research: Planning, conducting, and evaluating quantitative and qualitative research, 4th edn., Pearson Education, Boston, MA.

Davids, N., 2017, SA is the leading target in Africa for cyber-crime, warns legal firm, viewed 15 February 2017, from

Department of Telecommunication and Postal Services, 2016, National integrated ICT policy whitepaper, viewed 14 June 2017, from Integrated_ICT_Policy_White.pdf.

De Villers, M., 2004, 'Consumer protection under the Electronic Communications and Transactions Act 25 of 2002', Master's dissertation, University of Johannesburg, Johannesburg.         [ Links ]

Erasmus, C., 2011, 'Consumer protection in international electronic contracts', Master's dissertation, Northwest University, Potchefstroom.         [ Links ]

Gillwald, A. & Moyo, M., 2016, Modernising the public sector through the cloud, viewed 12 August 2017, from

Goldkuhl, G., 2012, 'Pragmatism vs interpretivism in qualitative information systems research', European Journal of Information Systems 21(2), 135-146.        [ Links ]

Griffiths, J.L., 2016, 'Cybersecurity as an emerging challenge to South African National Security', Master's mini-dissertation, University of Pretoria, Pretoria.         [ Links ]

IOL, 2017, SA has third highest number of cybercrime victims in world, viewed 20 October 2017, from

Issı, H. & Efe, A., 2018, 'Cryptography challenges of cloud computing for e-government services', International Journal of Innovative Engineering Applications 2(1), 4-14.         [ Links ]

Jangara, T.B. & Bezuidenhout, H., 2015, 'Addressing emerging risks in transborder cloud computing and the protection of personal information: The role of internal auditors', Southern African Journal of Accountability and Auditing Research 17(1), 11-24.         [ Links ]

Kaplan, B. & Maxwell, J.A., 1994, 'Qualitative research methods for evaluating computer information systems', in J.G. Anderson, C.E. Aydin & S.J. Jay (eds.), Evaluation health care information systems: Methods and application, pp. 30-55, Sage, Thousand Oaks, CA.

Kumar, S. & Vajpayee, A., 2016, 'A survey on secure cloud: Security and privacy in cloud computing', American Journal of Systems and Software 4(1), 14-26.         [ Links ]

Mahler, T., 2014, First study of legal and regulatory aspects of cloud computing, viewed 15 October 2015, from

Mohammed, F. & Ibrahim, O., 2015, 'Drivers of cloud computing adoption for e-government services implementation', International Journal of Distributed Systems and Technologies 6(1), 1-14.        [ Links ]

Muhammed, K., Zaharaddeen, I., Rumana, K. & Turaki, A., 2015, 'Cloud computing adoption in Nigeria: Challenges and benefits', International Journal of Scientific and Research Publications 5(7), 1-7.         [ Links ]

Saunders, M.N.K., Lewis, P. & Thornhill, A., 2012, Research methods for business students, 6th edn., Pearson Education, Harlow.

Schofield, A. & Abrahams, L., 2015, Research study on the use of cloud services in the South African government, University of the Witwatersrand, Johannesburg.

Scholtz, B., Govender, J. & Gomez, J., 2016, 'Technical and environmental factors affecting cloud computing adoption in the South African public sector', in International Conference on Information Resources Management (Conf-IRM) proceedings, The International Conference on Information Resources Management (Conf-IRM), Cape Town, May 18-20, 2016.

Sluijs, J., Larouche, P. & Sauter, W., 2012, 'Cloud computing in the EU policy sphere: Interoperability, vertical integration and the internal market', Journal of Intellectual Property, Information Technology and E-Commerce Law 3(2012), 12-32.         [ Links ]

Sutherland, E., 2017, 'Governance of cybersecurity - The case of South Africa', The African Journal of Information and Communication (AJIC) 20, 83-112.        [ Links ]

Van Dijk, M. & Juels, A., 2010, 'On the impossibility of cryptography alone for privacy preserving cloud computing', in Proceedings of the 5th USENIX conference on hot topics in security, ACM, Berkeley, August 10, 2010.

Van Gorp, N. & Batura, O., 2015, Challenges for competition policy in a digitalised economy, viewed 16 June 2016, from

Van Heerden, R., Von Soms, S. & Mooi, R., 2016, 'Classification of cyber attacks in South Africa', in IST-Africa 2016 conference proceedings, IEEE Xplore, Durban, May 11-13, 2016.

Vasiljeva, T., Shaikhullina, S. & Kreslins, K., 2017, 'Cloud computing: Business perspectives, benefits and challenges for small and medium enterprises (case of Latvia)', 16th conference on reliability and statistics in transportation and communication, RelStat'2016, Riga, October 19-22, 2016.

Western Cape Government, 2013, The Competition Act 89 of 1998, viewed 24 December 2014, from



Mpho Mohlameane

Received: 22 July 2019
Accepted: 18 Apr. 2020
Published: 11 Aug. 2020

Creative Commons License All the contents of this journal, except where otherwise noted, is licensed under a Creative Commons Attribution License