The risk of digital dependence

Note: the following article was published in Business Day and is available here
Digital technologies increasingly underpin critical functions within modern economies. Thus, a central challenge facing governments is to balance the benefits of global digital technologies with the risks of strategic dependence on foreign-owned technologies and services, particularly during periods of geopolitical tension or strained bilateral diplomatic relations.
As an example, on the sixth of June this year, Cuba suspended the use of Mastercard and Visa in their country in response to a US executive order. The order resulted in foreign companies that were involved with processing credit card payments withdrawing from the country. This meant that the Central Bank could no longer receive income from international credit cards, including Visa and Mastercard. The suspension of these digital payment service providers has decimated the country’s tourism industry since tourists are wary of using local payment systems.
This mirrors Visa and Mastercard’s decisions to suspend operations in Russia after two separate events: Russia’s support for separatists in Ukraine in 2014 (at the time, Visa and Mastercard processed 90% of Russia’s card payments) and its full-scale invasion of Ukraine in 2022. Similar sanctions against Venezuela were considered in 2019.
These examples demonstrate how geopolitical actions, like sanctions, can have tangible consequences for countries that rely on digital infrastructure beyond their control. This is especially pertinent given the recent volatility in the relationship between South Africa and the US.
Trying to ensure that the digital transformation agenda increases our data sovereignty is central to current discussions around digital public infrastructure (DPI) in South Africa. Data sovereignty refers to the state’s capacity to classify, regulate, secure, process, lawfully access, and derive public and economic value from data generated within or materially affecting South Africa.
It is important to recognise that the aims of DPI and digital sovereignty sometimes conflict: DPI aims to achieve interoperability, data exchange mechanisms, private-sector participation, increased access to services and sometimes cross-border data flows, while sovereignty requires meaningful public control over critical data, secure infrastructure and data flows, and institutional decision-making.
However, this relationship is not one of conflict alone. In many respects, DPI also supports digital sovereignty. Interoperable digital systems allow South Africans to build digital services using South African digital infrastructure, creating local alternatives to foreign technologies.
Public digital payment infrastructure can increase resilience by reducing reliance on externally controlled payment systems. Indeed, following the sanctions imposed on Russia, it developed its own digital payment system (MIR) which now dominates the local payment market. Brazil’s PIX and India’s RuPay are similar examples of DPI that reduce their dependence on foreign digital services.
Similarly, government data exchange systems can enable more coordinated approaches to procurement, security and data storage. This can reduce fragmentation across departments, improve the availability and accessibility of South African data, and strengthen the state’s capacity to govern and derive value from its own data resources.
Taken together, these examples illustrate the need for a nuanced approach to DPI and sovereignty – one that harnesses the benefits of interoperability, innovation, and digital inclusions, whilst also maintaining meaningful control over critical data, infrastructure, and services.
These examples illustrate that DPI and sovereignty require a nuanced approach. If DPI is built and operated using foreign hardware and software, then states may lose control over their digital future. However, across-the-board insistence on local data residency and service provision means that systems may not have the affordability, scale, sustainability and security that large multinational corporations can provide. The challenge, therefore, is not to eliminate dependencies altogether, but to ensure that they are appropriately governed.
Additionally, while South Africa may be dependent on foreign hyperscalers, other African countries may, in turn, be dependent on South African data infrastructure. This creates opportunities for strategic partnerships where data can be stored or processed between partners while developing legal interoperability frameworks to ensure that the laws of all partners are upheld.
The Policy Innovation Lab at Stellenbosch University has been supporting the development of a data sovereignty strategy for the development of South African DPI. The proposed strategy takes a tiered approach, where data is classified by risk and each data category has proportional procurement, privacy and other regulations applied. For example, national security data, core identity systems, population registers and other critical public sector datasets may require stricter localisation, hosting and operational control requirements, while less sensitive categories of data may be governed through safeguards that allow appropriate cross-border flows, interoperability and innovation.
This type of approach is important because it recognises that sovereignty is not achieved simply by keeping all data within national borders, nor is it achieved by allowing critical public systems to become dependent on digital infrastructure that South Africa cannot meaningfully control. The approach is to distinguish between different kinds of data, different levels of risk and dependency, and then to build legal, institutional and technical safeguards that are proportionate to those risks.
The Cuban and Russian examples are a reminder that digital dependence can quickly become a material, economic and governance vulnerability. For South Africa, the lesson is not to retreat from global digital systems, but to ensure that the country has sufficient domestic capacity, industrial policy, regulatory clarity and strategic control over the infrastructure that underpins public services and the digital economy.
As South Africa builds its DPI, data sovereignty should be treated as a core design principle rather than an afterthought. Done well, this can help the country deliver better services, strengthen public trust, support local innovation, develop digital capacity and reduce exposure to external shocks. Done poorly, DPI could deepen dependence on foreign-owned infrastructure, expose citizens’ data to external influence, and allow much of the economic value it creates to flow offshore.