A lot has been written about the benefits of cloud computing: scalability, flexibility, cost savings, security, reliability, etc, and a lot of companies are seriously considering using some form of cloud services (in my mind, a good thing). As with all new things, one has to factor in the privacy considerations before deciding to move to the cloud, otherwise the benefits of using a cloud service provider becomes, if you pardon the pun, a little bit cloudy.
Before we get into that, it is important to understand that even though you have appointed a cloud service provider to process your information, data protection regimes still generally place the onus of compliance on you. So, even if your cloud service provider fumbles the ball, you will probably be the one who is going to get an earful (and more) from the regulator.
It is also important to appreciate that fundamentally, cloud computing services are not new. It has come in its various forms before (software-as-a-service, platform-as-a-service, and infrastructure-as-a-service). What is different however is the combination of the various forms, the increasing interest in adoption, and the marketing behind it - you have to admit that SaaS, PaaS and IaaS does not sound as mysterious (and sexy) as "the Cloud".
As it is an evolutionary rather than revolutionary change, the legal principles are generally the same as before; the application of the law though may be challenging in some situations. My humble contribution to this is a list of privacy related issues which you may want to consider before appointing a cloud service provider. There are a lot more issues to consider but that would really be too much to digest in one sitting.
Let's dive into it.
What information will be processed and stored within the cloud
Which data protection law will apply to personal information you have collated from various countries, transferred to a foreign third party, and which you then access from various locations? This is an important initial question to consider in order to determine which countries' laws apply. Think about it like a contact sport, it is always good to know what the rules are before stepping into the ring. Playing by boxing rules in a Mixed Martial Arts fight will leave you with a very bloody nose.
On that note, are there any sector specific data protection rules which apply to certain types of personal information (e.g financial services, healthcare)?
What sort of information will you store in the cloud? Some countries have made distinctions between sensitive personal data (e.g. religion and ethnicity, medical conditions) and personal data, and this would affect the way in which the information can be used. For example, the processing (which usually includes the transfer) of sensitive personal data would require the explicit written consent of the individual.
Informing the individual
Has the individual been informed that his personal information will be processed by a third party, and is the individual's consent required for this?
Are there any requirements (like in South Korea) to provide the individual with more specific information like the period of time which the third party will be processing the personal information, and the fact that the individual can refuse to consent.
Transfers to a foreign country
Most data protection regimes prohibit the transfer of personal data outside the country (though in Hong Kong, these prohibitions are not in force yet). In some countries, there are usually some exceptions to this prohibition, and one would have to consider those exceptions in the context of the cloud service.
One of these exceptions is usually the presence of similar data protection laws in the country where the personal data is being transferred to. So, where are the cloud service provider's servers located? Cloud service providers may have different locations for their servers which they use to provide the service, and you may have to consider the adequacy of the data protection laws in these locations, or check whether that country falls within a list of countries provided by your country's data protection regulator.
If the country where the cloud service provider has no data protection laws, have you done due diligence to ensure that the processing of the personal data will not result in the contravention of data protection laws?
In some countries the position is unclear or not as developed. For example, in China, the Guidelines for Personal Information Protection will only permit the transfer of personal information if the individual had expressly consented to the transfer, or where the transfer is permitted by law.
Ensuring reasonable or adequate operational and technical security measures
Ok, that was probably quite mind-numbing. Here is some Dilbert again to keep you going.
Security is one of the concerns that is usually brought up when cloud computing is mentioned. Ensuring that appropriate technical measures are employed will be your responsibility, and the onus is on you to ensure that the cloud service provider is taking steps to protect the personal data from loss or unauthorised access. This may include conducting some due diligence on the service provider and conducting audits.
Contracting with your cloud service provider
It is crucial to get this right the first time. Contract negotiations being what they are, you really have one real chance to set a good foundation for the relationship, and to set the expectation for how the service provider must treat the personal information it is entrusted with.
There is the very thorny issue of liability and indemnification in the event of data breach, and the steps which need to be taken by both parties in the event of a data breach. Including contractual obligations on the cloud service provider to comply with data protection principles or the data protection obligations may be one way to exercise due diligence for the purposes of cross-border transfers of personal information.
At the same time, it should not be a one-way street, and one has to be aware of the contracting practices which cloud service providers will adopt due to the nature of a service being delivered from shared infrastructure. For example, the scope of audit rights would need to balance the interest of the service provider in protecting the confidentiality of its other customers' information, and your interest in discharging your due diligence obligations.
Access to information by an overseas regulator/government
There has been little to no guidance from data protection regulators in Asia on cloud services and what will be done if there is a regulatory information request in another country. The ICO in the UK has weighed in on the issue:
"If a provider is required to comply with a request for information from a foreign law enforcement agency, and does so, the provider will be the data controller in respect of that disclosure. This is because it is making the decision to disclose based on a legal obligation it is under regardless of the client’s wishes. Regulatory action against the client is unnecessary because the client has not acted wrongly simply because it has chosen a provider which is subject to foreign law enforcement agency requests. Regulatory action against a provider, in its role as a data controller, is unlikely because it is responding to a request it is legally obliged to comply with. However if the request comes from a country which has questionable rule of law – then we would have to consider the issue on the facts of the matter."However, from a cloud service provider's viewpoint, the matter has been clouded a bit. From their viewpoint, what is a "questionable rule of law"? Will your regulator take the same view that it is the service provider's responsibility to consider the request?
Data breach notification requirements
Does local law require you to notify the regulator and the affected individuals about any data breaches? Do you have a policy and process for data breach notification, and how that will interact with the service provider's existing policy and process?
These issues are not insurmountable. It just takes a lot of time and energy in sitting down thinking about it and working it out with the relevant folks in your organisation.