Cloud computing and data privacy

Cloud computing is fast gaining popularity as an alternative to traditional software licensing for businesses - but in addition to scalability and efficiency benefits, cloud computing also brings with it a storm of legal implications.

The Hong Kong Privacy Commissioner for Personal Data (the Commissioner) recently issued an information paper highlighting some key data privacy issues for organisations using cloud computing.

The paper highlights four data privacy issues which arise from the cloud computing business model:

1.   Transferring data out of Hong Kong

Cloud computing often involves transferring customer or employee personal data to servers or users located outside of Hong Kong.

Section 33 of the Personal Data (Privacy) Ordinance (the Ordinance) restricts the transfer of personal data outside of Hong Kong. As discussed in a recent e-update, while this section is not yet in effect, it is expected that it will be brought into effect soon. We recommend that clients entering into multi-year cloud services contracts assume that section 33’s restrictions will come into effect during the term of their contract.

The section provides that that the transfer of personal data to a place outside Hong Kong is only permitted if:

  • the place is on the "white list" prepared by the Commissioner; 
  • the data user has reasonable grounds to believe that the place is subject to data privacy laws similar to those in Hong Kong; 
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will be collected, held, processed and used in accordance with Hong Kong data privacy laws; or 
  • the data subject has consented to the transfer in writing.

To ensure they can meet one of these exceptions, businesses procuring cloud services should:

  • choose cloud services which allow them to specify and control which jurisdictions personal data is stored in; 
  • include a requirement in their cloud services contract requiring the provider to treat all personal data in accordance with Hong Kong data privacy laws; and/or 
  • notify and obtain the consent of their customers or employees to storing and processing their personal data outside Hong Kong.

Multinational companies should also bear in mind that many other jurisdictions impose similar restrictions on transferring data across borders, including the European Union, Singapore, Malaysia, South Korea and Australia. If a cloud service involves exporting data out of any of these jurisdictions – for example, to consolidate customer data on a single server worldwide – then the company will also need to seek advice on those restrictions.

2.   Subcontractors

The Commissioner points out that cloud providers often use subcontractors in order to rapidly meet the changing speed and capacity requirements of their customers; these subcontractors may use subcontractors of their own, and so forth. These subcontractors may be spread across the globe, operate at various levels of professionalism and be engaged under loose or informal arrangements.

Under the Ordinance, the “data user” (i.e. the business procuring the cloud services) remains responsible for the protection of personal data held by a cloud service provider. Further the Data Protection Principles in the Ordinance expressly require the data user to use contractual and practical means to ensure the cloud provider:

  • does not keep any personal data longer than it necessary for the provision of the cloud services; and 
  • takes all reasonably practicable steps to keep the personal data it holds secure from unauthorised access or use.

This can be a challenge, particularly when the cloud provider is using subcontractors. Data users need to ascertain whether the cloud provider is using subcontractors, and if so, obtain assurances that those subcontractors are required to treat personal data in accordance with Hong Kong data privacy laws (even if they are not located in Hong Kong).

It is also important to remember that obtaining contractual commitments is not enough - the data user must also use practical means to ensure that the cloud provider is keeping personal data secure and deleting it once no longer needed. This could mean audit rights or at least requiring the reporting and verification of personal data processing activity.

3.   Standard contracts and services

A decade ago, cloud services were often bespoke and businesses had the opportunity to negotiate and include privacy protections in their cloud service contracts. Today, many cloud services are commodity offerings provided under standard form contracts.

The Commissioner points out that while this makes it more difficult for businesses to ensure that a cloud service meets their data protection regulatory requirements, it is still important that these requirements are met. Businesses should either require that the provider amend their standard terms to include data protection obligations, or seek an alternative provider who can meet these requirements. Otherwise, the business risks breaching the Ordinance.

4.   Cloud service models

Finally, the Commissioner points out that there are a variety of cloud services, and some of these models pose greater data protection risks than others.

Software-as-a-service solutions (where the cloud provider provides a particular software application as a service) tend to raise more privacy issues than platform-as-a-service or infrastructure-as-a-service solutions (where the cloud provider merely provides a platform on which a business can run its own choice of software) because the data user has less direct control over data protection mechanisms under the former model. A user generally has to take a SaaS solution as it comes, whereas a PaaS or IaaS solution allows the user to rollout the specific software and security features it requires.

Similarly, a dedicated private cloud service (which serves one organisation only) will tend to raise fewer privacy issues than a shared public cloud service (which serve many organisations) because the data user has a greater degree of control over a private cloud. For example, a private cloud service is more likely to offer customers the ability to specify which countries data is located in and customise security measures.

The Commissioner’s information paper shows that cloud computing services carry significant compliance issues in addition to their many technical and commercial benefits. Kennedys has extensive expertise in helping clients deal with the data privacy and other regulatory challenges which arise from procuring and using cloud computing services.

Related items: