Cloud computing is becoming part of our life. Our daily activities such as sending emails and photographs, internet banking, online shopping or video streaming all involve the use of cloud. As a corporation using cloud services, are you fully aware of their potential threats to the personal data privacy of yourself or of your customers?
There has been a growing trend for corporations to fully embrace cloud services in place of on-premises servers. Netflix, for instance, was among the first large companies shutting down its last data centre in 2015.
So, what is cloud computing? The National Institute of Standards and Technology (NIST) of the United States defines it as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
A Cloud Services Provider (CSP), through providing IT infrastructure, platform and/or software to corporations as a service, has significantly lowered the hurdles of doing business online even for small companies.
Cloud services usually operate on a shared responsibility model: a CSP must ensure that its infrastructure is secure and that the data and applications of a corporation using its service are protected, whereas the corporation must take measures to fortify its application and use strong passwords and authentication measures. That said, it is the corporations (being “data users”) who are ultimately responsible for protection of personal data collected and held by them under the Personal Data (Privacy) Ordinance (PDPO). On the other hand, a CSP would be regarded as a “data processor” as it only processes the data for a purpose other than its own. Whilst the PDPO does not impose direct obligations on a data processor, a corporation using cloud services is required to adopt contractual or other means to prevent the personal data transferred to a data processor (ie the CSP) from being kept longer than is necessary for processing, and against unauthorised or accidental access, processing, erasure, loss or use.
Personal data privacy concerns for corporations in the use of cloud computing are largely related to the lack of control over the retention and security of personal data entrusted to the CSP. Here are some of the practical tips that a corporation may adopt to manage its responsibilities under the PDPO when using cloud services:
• A corporation should carefully evaluate the standard services and contract terms provided by the CSP to see if they meet the requirements of the PDPO and commonly accepted data security standards, and ask for ‘customised’ contract terms if necessary;
• A corporation should require the CSP to notify it of data breaches so that speedy remedial action may be taken;
• A corporation should obtain formal, contractual assurance from the CSP that the same level of protection and compliance controls are equally applicable to their sub-contractors;
• A corporation should scrutinise the audit reports on data security and privacy compliance of the CSP, if it is not possible to audit the operation of the CSP; relevant industry standards in this regard include:
• information security management systems requirements (ISO/IEC 27001:2013);
• code of practice for information security controls for cloud services (ISO/IEC 27017:2015); and
• code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018:2019).
• A corporation should implement encryption for personal data in transit to and from cloud and in cloud storage.
Data Transfer out of Hong Kong
Very often, a CSP has data centres distributed across multiple jurisdictions. Personal data entrusted to them may flow from one jurisdiction to another based on an algorithm that optimises the use of the CSP’s storage and processing resources.
The word ‘transfer’ is not defined in the PDPO. My interpretation, as set out in the “Guidance on Personal Data Protection in Cross-border Data Transfer” (https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_...), is that “[s]toring personal data in the cloud may also constitute a transfer outside Hong Kong if the cloud server is accessible outside Hong Kong.”
To address the issues arising from data transfer out of Hong Kong, a corporation using cloud services should always seek disclosure from the CSP the locations / jurisdictions where the data will be stored, so that this information may be made known to the corporation’s customers being the data subjects. A corporation should opt for a CSP that would allow it to choose or specify locations / jurisdictions where there is adequate legal protection to personal data.