This opinion article by Mark Burke looks at where South Africa's data is physically hosted and who owns and controls the infrastructure that stores citizens' data across public and private sector systems.

The Informational Travels of Citizen X

Meet Citizen X. She was born in a public hospital in Durban, registered at a Home Affairs office in Pietermaritzburg, and her birth record was entered into the National Population Register (NPR). She pays taxes through SARS eFiling, and visits a clinic where her health data is captured in the Health Patient Registration System (HPRS). Where is all this information stored, who owns the servers that house the data, and which country's laws govern access to her most intimate details? She reasonably assumes that her government holds her data and protects her rights. The reality, however, is more complicated.

This essay asks where South Africa's data is physically hosted and who owns and controls the infrastructure that stores citizens' data across public and private sector systems. The answer matters because it reveals the gap between legal sovereignty and strategic dependency. South Africa has laws that claim control over citizen data. It has policies that assert digital sovereignty. But the physical and commercial architecture of its digital infrastructure tells a different story. It is one in which foreign corporations own most of the infrastructure capacity that determines who can access what, when, and under whose authority.

The Invisible Geography of Data

The digital life feels weightless. We tap screens, submit forms, and receive confirmations with little sense of the material infrastructure that makes this possible. Yet every byte of Citizen X's data travels through a physical pathway with a precise geography. It moves from her phone or a government terminal through fibre optic cables, into a data centre, across an internet exchange point, possibly onto a submarine cable, and into a cloud server that may be located in Johannesburg, Cape Town, or Virginia in the US.

This infrastructure is physical and material. It consumes electricity on an industrial scale. It requires cooling systems that draw water. It sits on land subject to zoning laws, environmental regulations, and foreign ownership rules. The servers that store Citizen X's biometric data, tax records, and health history are housed in buildings with addresses and connected to power grids. Understanding where South Africa's citizen data lives requires mapping this invisible geography to assess whether the country can achieve digital sovereignty.

What Is Data and Digital Sovereignty?

Data sovereignty and digital sovereignty are related but distinct concepts, and conflating them obscures the real challenges South Africa faces.

Data sovereignty refers to a government's ability to control data produced within its borders by setting rules for how data is collected, stored, shared, and protected, and by enforcing those rules on local and foreign companies. It is about jurisdictional authority, that is, the power of the South African state to say that data belonging to its citizens shall be governed by South African law, stored on South African soil, and accessed only under South African legal process.

Digital sovereignty extends this framing to encompass the broader infrastructure of the digital economy. It includes the undersea cables that connect the country to the world, the internet exchange points that route domestic traffic, the data centres that store information, and the cloud platforms that process it. It asks not only where data is stored, but who owns the means of storage, who controls the pathways of transmission, and whose technical standards shape how systems interoperate.

Following the Data Trail of Citizen X

To understand South Africa's data sovereignty in practice, follow Citizen X's data through the systems that process it.

When Citizen X is born, her details are entered into the NPR, administered by the Department of Home Affairs. The department is upgrading its biometric infrastructure through the Automated Biometric Identification System (ABIS), which will support fingerprint, facial recognition, iris scan, and palm print identification. The Department’s core identity and biometric systems are hosted through State Information Technology Agency- (SITA-) managed infrastructure and data-centre environments located within South Africa. There is, however, insufficient public transparency to assess the full extent of state versus private-sector control over the underlying infrastructure stack, network pathways, disaster recovery systems, and cloud dependencies.

Citizen X's health records are increasingly digitised. The National Department of Health has rolled out the HPRS as an initial step toward a national patient electronic health record. The looming National Health Insurance (NHI) will require a centralised national health information system where each patient has a "portable" health record accessible anywhere. Whether SITA-managed infrastructure can keep pace with the likely increase in demand for data hosting and processing remains unclear, given existing capacity constraints. Where this centralised health data will be hosted, and under what sovereignty safeguards, is a key future concern.

Citizen X's tax records are held by the South African Revenue Service (SARS), which has undergone significant digital modernisation. SARS eFiling and the broader tax administration system represent some of the most sophisticated public-sector digital infrastructure in South Africa. The agency has historically maintained its own data centre capabilities. The broader question is whether SARS, like other government departments, is migrating workloads to private cloud platforms and, if so, under what data-sovereignty and access-control arrangements.

The shift to digital identity in South Africa will have significant implications for demand for data hosting and processing. The key question is whether current public infrastructure will be adequate to meet this demand or whether private corporations will play an increasing role in providing these services.

Who Owns South Africa's Digital Infrastructure?

The ownership structure of South Africa's data centre market reveals the depth of foreign control over the physical infrastructure of the country's digital economy.

Total investment in South Africa's data centre market stood at over R39-billion in 2023 and is projected to reach R68-billion by 2029. The market is dominated by a handful of players, most of them foreign-owned or foreign-controlled.

Teraco, South Africa's largest data centre operator, was acquired in 2022 by Digital Realty, a US-listed real estate investment trust (REIT). Digital Realty acquired a 55% majority stake, with the remaining 45% retained by a consortium including Berkshire Partners LLC and Permira, both US and European private equity firms. Teraco operates Africa's largest internet exchange point, NAPAfrica, and hosts the on-ramps for Amazon Web Services (AWS), Google Cloud, and Microsoft Azure within its facilities. It is the physical gateway through which much of South Africa's internet traffic passes. In 2025, Teraco completed a major expansion of its JB4 Bredell Campus data centre to 50MW of critical IT power load, making it the largest standalone one built in Africa.

Africa Data Centres (ADC), another major player, is a business of Cassava Technologies, which also owns Liquid Intelligent Technologies. While African-owned in branding, Cassava Technologies has significant international investment linkages and operates across multiple jurisdictions. Vantage Data Centers, backed by DigitalBridge (a US-based digital infrastructure investment firm), is building a large data centre campus at Waterfall, near Midrand, in a $1-billion investment. Equinix, a US-listed global data centre provider, opened its JN1 hall in Johannesburg in late 2024. NTT Global Data Centers (formerly Dimension Data) is Japanese-owned.

The Development Bank of Southern Africa's 2025 Digital Infrastructure Investment Study notes that, apart from local operators, South Africa has attracted investments from large global data centre operators, including Alibaba, AWS, Google, Huawei, and Microsoft. Global hyperscalers have established cloud regions in Gauteng and Cape Town, with most leasing halls in the large data centres in the country. AWS, notably, followed its strategy of building its own brick-and-mortar data centre facilities rather than leasing.

The implications are stark. While South Africa has the most developed data centre market in Africa, the majority of its carrier-neutral capacity and virtually all of its hyperscale cloud infrastructure is owned or controlled by foreign entities. The infrastructure that potentially hosts Citizen X's data is owned by American, European, and Asian corporations. The internet exchange point that routes her traffic is owned by an American REIT. The cloud platforms that her government departments increasingly rely upon are subsidiaries of US technology giants subject to US law.

Cloud Empires and Jurisdictional Power

The rise of hyperscale cloud computing has introduced a new layer of dependency that extends beyond ownership of physical infrastructure. When a South African government department stores citizens' data on AWS, Microsoft Azure, or Google Cloud, even within its South African cloud regions, the data remains subject to the legal jurisdiction of the United States.

The US Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, of 2018 allows American law enforcement to compel US-based technology companies to produce data stored on their servers, regardless of where those servers are physically located. A South African citizen's records stored in an AWS Cape Town data centre can be accessed by US authorities without South African court approval, and potentially without the knowledge of the South African government or the citizen concerned. This directly conflicts with South Africa's Protection of Personal Information Act (POPIA), which requires that personal data be processed within the Republic unless adequate legal protection exists in the recipient jurisdiction.

The National Data and Cloud Policy, introduced in mid-2024, aims to address some of these concerns. It states that data generated or processed within the country will be stored in reliable storage systems in the country, and that data centres providing services to government must be situated in South Africa. The policy allows for all government IT services to be hosted in the cloud, creating interoperability within government departments, while decentralising cloud services to allow private sector infrastructure ownership.

However, the policy does not resolve a fundamental tension. Data can be physically located in South Africa while remaining legally and operationally controlled by foreign entities subject to foreign law. The policy's emphasis on local data centre location does not address ownership, jurisdiction, or the extraterritorial reach of the CLOUD Act. As one analysis notes, keeping data physically inside the country does not necessarily mean it is under local control. It is a built-in structural problem that cannot be solved simply by hosting agreements.

South African ministers have publicly acknowledged this vulnerability. At GovTech 2025, Minister of Science, Technology and Innovation Blade Nzimande stated: "We can't be having our data being controlled by everybody anywhere... we must do that within the context of guarding our digital sovereignty. Because without digital sovereignty, we have no national sovereignty as a country". Statements such as this reflect growing official awareness of the gap between policy aspiration and infrastructural reality.

SITA has been repositioned as the government's cloud and data hosting coordinator. SITA's Cloud Framework Agreement 2.0 requires that all cloud or hosting services storing state data prove full data sovereignty, localisation, and residency compliance before procurement. The agreement is part of the evolving government-wide procurement and governance framework intended to standardise and accelerate cloud adoption across the South African public sector.

It forms part of SITA’s broader Government Cloud Programme, under which SITA seeks to operate a sovereign government private cloud while simultaneously enabling departments to procure services from multinational commercial cloud providers through standardised framework agreements. From this perspective, the framework represents a hybrid sovereign-cloud strategy that combines state governance with overlapping dependence on private-sector and foreign-owned cloud infrastructure providers.

The Ocean Floor and the New Information Highways

South Africa's position at the southern tip of Africa makes it a critical node in the global network of submarine communications cables. Nine international subsea cables currently land in South Africa. These cables carry the vast majority of the country's international internet traffic, connecting it to Europe, Asia, and the Americas.

The ownership and control of these cables matter for sovereignty. Equiano, owned by Google, connects Portugal to South Africa with branching units to Nigeria, Togo, Namibia, and St Helena. It was ready for service in March 2023 and represents part of Google's $1-billion investment plan for Africa. 2Africa, a consortium cable backed by Meta, Vodafone, China Mobile International, and others, lands at four stations in South Africa and will be the longest submarine cable system ever deployed, extending over 45 000 km.

The landing stations for these cables are controlled by South African telecommunications operators Telkom, MTN, Vodacom, Liquid Telecom, but the cables themselves are owned by foreign technology companies and international consortia. When Citizen X's data travels from a government server in Pretoria to a cloud backup in Europe, it traverses infrastructure owned by Google, Meta, or international carrier consortia. The routing decisions, capacity allocation, and maintenance schedules are determined by foreign-owned entities.

NAPAfrica, the internet exchange point hosted within Teraco's data centres, has become one of the world's top ten internet exchanges by traffic volume, reaching 6 Tbps by late 2025 (MyBroadband, 2025; Teraco, 2025). It keeps African internet traffic local, reducing costs and latency, and hosts over 655 networks from more than 50 countries. But NAPAfrica is owned by Teraco, which is majority-owned by Digital Realty. The exchange point that keeps South African traffic within the continent is itself owned by an American corporation.

This creates a paradox. South Africa has achieved a degree of network sovereignty through NAPAfrica's success in localising traffic. But the sovereignty is exercised through infrastructure owned by a foreign entity. The traffic stays in Africa, but the control over how it is routed, who peers with whom, and what terms govern interconnection remains subject to the commercial decisions of a US-listed company.

South Africa's Legal and Institutional Architecture

South Africa has a foundational legal framework for data protection and digital governance. POPIA, 2013 establishes rights for data subjects, conditions for lawful processing, and restrictions on cross-border transfers. The Cyber Crimes Act (2021) criminalises the transfer of classified security data to foreign hosting infrastructure without ministerial authorisation. The National Data and Cloud Policy (2024) establishes a framework for government cloud adoption, including data sovereignty requirements.

The gap between law and implementation is substantial. POPIA has been unevenly enforced since its full commencement in 2021. The Information Regulator, tasked with overseeing compliance, has a limited budget of approximately R110 million per year and fewer than 120 staff across all functions.

The National Data and Cloud Policy Implementation Plan sets out ambitious timelines for establishing a Data Advisory Council by March 2025, developing compliance regimes for data infrastructure with 99.995% uptime requirements, and capacitating SITA to implement policy obligations. But many of these timelines depend on the "repurposing" of SITA, a process that has been ongoing for years without resolution. The plan acknowledges that individual departments currently maintain their own data centres and cloud services, creating fragmentation that undermines both sovereignty and efficiency.

South Africa's regulatory framework provides the legal foundations for data sovereignty. What it lacks is the institutional capacity, coordination, and enforcement power to make those foundations operational.

The Global Contest Over Digital Sovereignty

South Africa's data sovereignty challenges are not unique, but they are shaped by the specific models of digital sovereignty being pursued by major global powers.

The United States has pursued a strategy of extraterritorial data access through the CLOUD Act while simultaneously dominating the global cloud market. American hyperscalers such as AWS, Azure, Google Cloud, control approximately two-thirds of the global cloud infrastructure market. Their business model depends on scale, lock-in, and long-term contracts that make switching costly. The US approach treats data access as a national security prerogative, with limited regard for the sovereignty claims of other jurisdictions.

The European Union (EU) has taken a different path, constructing a regulatory architecture based on the GDPR, the Digital Services Act, the Digital Markets Act, and the eIDAS 2.0 framework, that treats data protection as both a rights issue and a competitive strategy. The Gaia-X initiative aims to create a European-controlled, interoperable cloud infrastructure as an alternative to US dominance. The EU's approach is not without its own tensions, but it represents a coherent sovereignty project that South Africa could learn from.

China has built a tightly controlled domestic internet with state-owned infrastructure, strict data localisation requirements, and limited foreign platform access. The Chinese model prioritises state control over citizen privacy, creating a sovereignty framework that is robust at the state level but weak at the individual level. For South Africa, the lesson is not to emulate China's surveillance architecture but to recognise that sovereignty requires domestic control over critical infrastructure.

India has pursued a model of digital public infrastructure (DPI) that keeps data within national boundaries while enabling population-scale service delivery. India's Aadhaar system, UPI payments infrastructure, and DigiLocker document system are presented as sovereign alternatives to foreign platforms. However, India's DPI model also concentrates power in the state and creates dependencies on the private technology vendors' participation at different levels of the system.

South Africa sits uneasily between these models. It has adopted elements of the EU's regulatory approach through POPIA. It has embraced India's DPI approach through the  MyMzansi and MzansiXchange initiatives. It relies on American cloud infrastructure for much of its public sector digital transformation. It has not developed a coherent sovereignty strategy that selectively draws on these models while addressing its specific context.

How can South Africa Strengthen its Digital Sovereignty?

Strengthening South Africa's data and digital sovereignty requires action across multiple fronts.

First, establish a sovereign public cloud. South Africa should expand its government-owned and operated cloud infrastructure for sensitive citizen data, rather than relying on foreign hyperscalers. This does not mean rejecting private cloud services for non-sensitive workloads. It means creating a sovereign alternative for civic registration, health, tax, and other critical data categories. The strengthening of SITA, referenced in the National Data and Cloud Policy Implementation Plan, should be accelerated and funded at a scale that makes a sovereign cloud operationally viable, as part of the repurposing of the organisation into the State Digital Services Company.

Second, mandate data sovereignty impact assessments. Before any government department procures cloud or data hosting services, it should be required to conduct and publish a data sovereignty impact assessment that identifies the physical location of data, the ownership structure of the hosting infrastructure, the jurisdictional exposure under foreign law (including CLOUD Act implications), and the access control mechanisms. This is over and above current data sovereignty attestation requirements in public procurement.

Third, strengthen the Information Regulator. The regulator's budget and staffing should be increased to match the scale of the data and digital infrastructure it is meant to oversee. It should have the power to conduct unannounced audits of government data hosting arrangements and to impose meaningful penalties for non-compliance with POPIA's cross-border transfer restrictions.

Fourth, secure submarine cable diversity with African ownership. South Africa should work with African partners to develop submarine cable infrastructure with meaningful African ownership and control. The current pattern of foreign-owned cables landing on African shores creates a dependency that undermines network sovereignty. The African Union's (AU's) data policy framework and the Southern African Development Community's infrastructure plans provide platforms for coordinating this investment.

Fifth, build technical sovereignty through open standards and local capacity. South Africa should invest in developing local technical capacity for critical digital infrastructure, including data centre operations, cloud architecture, cybersecurity, and AI governance. The National Data and Cloud Policy's skills development interventions should be prioritised and funded, with a focus on building a pipeline of South African engineers and architects who can design, operate, and audit sovereign infrastructure.

Citizen X and the Future of Sovereignty

Citizen X does not think about data sovereignty when she registers her child's birth or visits a clinic. She trusts that her government protects her information. South Africa has the laws, institutions, and constitutional values to make data sovereignty real.

The physical geography of South Africa's digital infrastructure tells a story that its legal framework, however, does not fully capture. Most data hosting resources, internet exchange, submarine cables, and cloud platforms are foreign-controlled. Citizen X's data may be stored in Johannesburg, but it is not necessarily governed by the country’s laws.

This cannot be resolved by policy-regulatory change only. It is also a structural condition. Today, data has become a form of strategic power, and digital ecosystems are dominated by a small number of global corporations and the states that back them. These are geopolitical power projections that shape what is possible for a middle-income country at the southern tip of Africa. South Africa faces constraints that no single country can resolve alone.

South Africa will have to pursue digital sovereignty in this emerging global digital order, together with other countries, as a strategic mission through diplomatic means. It must champion harmonisation and implement African data protection and localisation standards through the AU, positioning its data centres as regional sovereign hosting hubs that generate collective bargaining power across the continent. Within the multipolar technology contest, South Africa should evaluate BRICS-aligned alternatives as a hedge against concentrated US hyperscaler and CLOUD Act exposure.

Domestically, SITA must be fundamentally strengthened with dedicated sovereign-cloud procurement expertise, transparent vendor-certification criteria that assess extraterritorial legal exposure alongside technical capability, and mandatory contractual provisions prohibiting foreign-government data access without South African judicial authorisation.

Digital sovereignty is an industrial and geopolitical project, not only a policy-regulatory one. South Africa must direct public investment toward technology transfer, local equity participation, and skills development, treating data infrastructure with the same strategic focus it has historically applied to energy and mineral resources.

Citizen X must have the assurance that her data travelling along the information highways is protected under South Africa’s data and digital sovereignty, rather than being extracted for exploitation elsewhere.

Written by Mark Burke, a researcher and advisor with expertise in digital governance, and a focus on public-sector digital transformation. His research interests are digital identity, privacy, and citizenship in the digitalisation of public services.