With the inception of the Protection of Personal Information
Act 4 of 2013 (‘PoPI’), the use of cloud computing has fallen
under the proverbial legal spotlight. This attention is not
entirely unwarranted, having regard for the amount of valuable personal data that resides in the cloud. However, as a
consequence of this attention, a number of misconceptions
have arisen and it is therefore apt to briefly address some of
the expectations PoPI requires of a cloud services provider.
Must a Cloud Provider’s Services Comply with
PoPI?
All too often a cloud provider is asked if its services are
PoPI compliant. This question likely stems from a misunderstanding that a cloud provider is a Responsible Party
by definition. A cloud provider, while simply providing its
services to a 3rd party, is by definition an Operator under
PoPI. Consequently, a cloud provider’s obligations under
PoPI and the services it provides should not per se be the
fo