Cloud computing. A practical guide to legal risks and issues
A Norton Rose Fulbright guide, 2013
Attorney advertising

Contents
Executive summary
What is cloud computing?
Why is the cloud being used more and more?
What service levels should the customer expect?
What are the inherent risks of a public cloud?
What about being locked in to a particular vendor or technology?
Security and privacy: what are the specific legal and regulatory issues around the world?
What are the practical deployment and operational issues?
What are the taxation issues?
Cloud computing and the USA PATRIOT Act
Cloud computing and government take-up
Cloud computing and the financial services industry
Contacts
Executive summary

Businesses can derive many benefits from public cloud computing: it saves them money, keeps them agile, and connects their employees. But a public cloud solution doesn't come without risk. A public cloud essentially involves the commoditisation of IT infrastructure and services, a process which introduces new risks that sit alongside all the usual ones inherent in any IT deployment. Of course, with foresight and planning, the customer can mitigate these extra risks.

The infrastructure behind a public cloud is typically rather opaque. This lack of transparency, together with limited flexibility, can pose security challenges and complicate disaster planning and recovery.

Businesses may face issues if they want or need to change cloud services provider, or move back to a traditional IT infrastructure. Even with open standards for cloud computing platforms emerging, the transition-out process can be a troublesome one. And the use of encryption or proprietary storage formats, together with network bandwidth limitations, can cause data access and migration headaches.

A business that stores personal information about itself in a public cloud needs to make sure it doesn't breach any relevant data privacy legislation by transferring this personal information across borders. In addition, financial services companies usually have their own extra legal and regulatory obligations to meet.

There are also practical deployment and operational issues to think about: increasing the scope of the deployment can quickly push up costs; getting extra resources to cope with higher demand won't necessarily happen automatically; and having a high-performing, always-available platform isn't guaranteed.

To get the real commercial benefits from public cloud computing, businesses need to understand all these issues and mitigate the risks properly in the first place. This can be achieved by carrying out thorough due diligence before taking on a provider, and putting in place a solid contract, as they would with any bricks-and-mortar outsourcing, with provisions on service levels, legal and regulatory compliance, audits and transition planning.
What is cloud computing?

Cloud computing at its simplest is any IT service made available over the internet. While the concepts it covers have been around for some time, the term "cloud computing" itself is relatively new. Launched back in July 1996, Hotmail (or Outlook.com as it's now called) is an example of a classic cloud computing application. Since then, application service providers (ASPs) have delivered many more services over the internet and become the pioneers of the cloud. Today, virtually any application can be run in the cloud and accessed from anywhere in the world.

The results below, from our recent survey Outsourcing in a brave new world, show that more and more companies are beginning to use the cloud.

Use of cloud computing, suppliers: 70% use, 30% don't use
Use of cloud computing, customers: 45% use, 55% don't use

Since technology is their business, it makes sense that suppliers use cloud computing more than their customers. But a large percentage (45 per cent) of customers are now also using the cloud.

Cloud computing services can be categorised in two different ways: as service models, looking at what is being provided; and as deployment models, looking at how it is deployed. With different service models available, almost any IT service can be provided in the cloud. The three main service models are:

Infrastructure as a service (IAAS)
This is cloud computing at its most basic. An IAAS provider simply sells raw computing power, like processing or storage. The user is left to choose what to run on the system, and is responsible for installing everything, including basic operating systems. It's like installing your own server in your own data room, but having extra computing power available if you need it.

Platform as a service (PAAS)
This is a mid-level service, where a PAAS provider delivers a platform consisting of an operating system, programming language execution environment, database and web server. The user can develop and run systems using the underlying software and hardware layers without having to invest a significant amount up front.

Software as a service (SAAS)
This is what most people think of as typical cloud computing. An SAAS provider installs and operates applications in the cloud, and the user then pays to access these applications (or in some cases accesses them for free). It's cheaper for the user than purchasing the application, environment and related hardware.

Different deployment models are available depending on the particular application and industry sector. The three main deployment models are:

Public cloud
This is the traditional cloud model, where many different users share the same infrastructure. It's the cheapest service, and also tends to be the most flexible as users can buy extra services as needed. However, it does carry the greatest risk because all user data is stored and processed on the same machines.

Private cloud
This is at the other end of the spectrum. A provider allocates infrastructure and applications to one particular user for its own exclusive use, as if the user had bought the hardware and software itself. The user benefits from being able to have their say on the design of the cloud and the redundancy arrangements, and from having their data kept apart from others. But this is the most expensive cloud model (it's often more expensive than in-house hosting) and it's generally not flexible on short notice.

Hybrid cloud
As the name suggests, this is a combination of the public and private models and offers the benefits of both. The user has a private cloud for their high-risk applications and a public cloud for their lower risk ones. For example, a bank's unlikely to allow its core banking solution or even onto a public cloud, but might use one for its marketing materials.

[Figure: matrix of configuration model (private, hybrid, public; client control increases towards private) against architectural layer (infrastructure, platform, service; abstraction increases towards service), giving cells such as private infrastructure, hybrid platform and public service.]

And why is it called cloud computing? Opinions vary, but the general consensus is that it's because it's usually difficult to know exactly where your data is: spread over many different machines, in many different data centres, often in many different countries. And what's more, you probably don't really need to know.
Why is the cloud being used more and more?

There are three main reasons why organisations are looking at cloud computing.

To save money and become more efficient

Cloud computing's pay-per-use model means that an organisation only has to pay for the resources it needs. It doesn't have to worry about infrastructure maintenance or upgrade costs. Lower capital expenditure and recurring IT costs are tempting reasons to move to cloud computing. Because it's scalable, users can increase or decrease resources based on actual demand, and pay accordingly. Almost all users of cloud computing made peak cost savings of between 10 per cent and 20 per cent (International Data Corporation, Research In Future Cloud Computing Workshop, May 2012).

Cloud computing is highly cost effective because the cloud can be accessed from any computer with an internet connection and is independent of any machine, device or geographical location. This works well for organisations that have representatives who travel regularly.

Interestingly, however, the CSC Cloud Usage Index Survey (2011) (CSC Survey) found that relatively few organisations (14 per cent) reduced the size of their IT department after moving to the cloud. In fact, 20 per cent of organisations hired more IT staff to help with developing and managing cloud environments. 64 per cent of organisations indicated that adopting cloud computing has helped to reduce waste and lower energy consumption.

To stay agile and move quickly

IT organisations see cloud computing as an effective way to implement new applications quickly in order to keep pace with application backlogs and business demands (North Bridge Venture Partners, Future of Cloud Computing Survey, June 2011). It's quicker to meet a demand for higher computing capacity because fewer approvals are needed, there's less paperwork and there's no need to rely on hard-to-deploy physical servers. The arrival of cloud computing gives organisations a greater ability to easily and cost effectively expand and reduce computing resources to meet fluctuating demands.

To connect employees

Significantly, the CSC Survey found that connecting employees across today's multitude of computing devices was even more important than cutting costs and staying agile. 33 per cent of 3,645 responses to the CSC Survey put this forward as the number one reason for choosing cloud computing. This trend among small businesses is especially pronounced in the United States, with almost half (46 per cent) citing information access as most important, compared with just 10 per cent citing cost reduction.
What service levels should the customer expect?

The idea of unlimited and cheap IT resources is becoming increasingly popular, with more and more business systems and data being moved to the cloud. This is even the case for business critical processes. But the 100 per cent reliability of these services is an illusion, as the outage of Amazon's Elastic Compute Cloud (EC2) services, in April 2011, clearly brought home. Cloud outages may not only result in a temporary unavailability of services, but also in the non-recoverable loss of data. This raises questions about the liability of the provider if services fail.

This section looks at how off-the-shelf service level agreements (SLAs) rarely meet the customer's expectations and how, as a result, the negotiation of an individual SLA is needed. It also highlights the most important points to be considered when negotiating SLAs.

Standard service levels for the cloud

Although service levels are very important to most customers, many cloud services providers sell services "as they are", with no, or only very basic, service levels. According to a standard SLA used by one of the world's largest providers, the provider will "use commercially reasonable efforts to make [the service] available with an Annual Uptime Percentage (defined below) of at least per cent during the Service Year". The provider doesn't promise a certain level of availability, and doesn't even commit to use best efforts. Its obligations are limited to what is "commercially reasonable", suggesting the amount of effort it will make depends on the outcome of business decisions.

When it comes to working out the Annual Uptime Percentage, the service level states that the only relevant downtime is a situation where "more than one Availability Zone in which you are running an instance, within the same Region, is Unavailable to you". "Unavailable" means that "all of your running instances have no external connectivity".

So the only relevant downtime in the context of this service level is nothing less than the complete outage of the entire cloud service in a minimum of two locations in a region. If the service fails in a single location, in several locations in different regions, or regarding certain functionalities, the provider wouldn't be in breach of the SLA.

Monitoring the availability of cloud services is the customer's burden. To make a claim under the SLA, the customer has to provide "the dates and times of each incident of Region Unavailable that you claim to have experienced including instance ids of the instances that were running and affected during the time of each incident [and ...] server request logs that document the errors and corroborate your claimed outage".

Assuming the customer can actually prove an outage the provider is liable for and that the minimum availability hasn't been met, the customer is eligible to receive a "Service Credit equal to 10 per cent of their bill [...] for the Eligible Credit Period". This is the "sole and exclusive remedy for any unavailability or non-performance of [the service] or other failure by [the provider] to provide [the service]". So the customer's only compensation under the standard SLA would be 10 per cent off their next bill. The provider isn't liable for any damages resulting from the outage, for example profits lost because of damage to reputation, or the costs of recovering lost data.

The need to negotiate an individual SLA

The service level arrangements described above are unlikely to meet most customers' expectations, particularly where business critical processes are concerned. After all, they amount to a limitation of liability rather than, as you'd want, a warranty. Although it may be questionable whether a limitation like this would be enforceable in the jurisdiction where the customer is based, they won't want to rely on court proceedings to determine this. Proceedings may take years, and the outcome would be uncertain. The case might even threaten the customer's very existence, particularly when high damages are in question.

So, in most cases, the customer should negotiate an individual SLA with the provider. The contents of it will depend on the nature of the cloud services, the particular customer's needs, and whether the SLA is a standalone document or part of another agreement.
The SLA should always clearly define the cloud services to be provided. Although this point might seem obvious, standard SLAs don't necessarily set out the services at all, or only very loosely, and might allow the provider to change or stop the services at its discretion. The other areas to cover are:
- availability and other service levels
- error correction
- monitoring and reporting
- sanctions.

Availability and other service levels

As 100 per cent reliability of cloud services isn't feasible in practice, the SLA will have to define the level of service the provider should maintain. The agreement will usually set out a minimum availability for each cloud service. Apart from defining availability and an availability percentage, this also means agreeing on a reasonable assessment period. As a rule of thumb, the shorter, the better for the customer. For example, 98 per cent availability in a 365-day assessment period means that, in the worst case, an outage of up to 7.3 consecutive days would still be allowed under the SLA. However, with the same percentage agreed, an outage of more than 14.4 hours would breach the SLA in a 30-day period.

It's also important to clearly describe what availability actually means and where it is measured. In traditional outsourcing agreements, customers normally strive for an end-to-end availability, meaning that the service is available only when it can be used by the end user. A cloud services SLA can't adopt this model because cloud services providers are normally only responsible for certain components and resources; they are not usually responsible for the internet connection, for example. It is therefore even more essential for the customer to have a clear idea of which components the SLA covers and at which point the availability is actually measured. This will also depend on the particular nature of the service, for example, whether it's an infrastructure or an application service. To make it easy for the customer, the provider should have to measure availability and send reports to the customer.

What's more, the provider and the customer should agree the rules on scheduled downtimes. Scheduled downtimes, for taking care of things like maintenance and upgrades, should be kept to a minimum and only allowed at certain times, for example, outside the customer's business hours. The provider should be required to give the customer sufficient prior notice of a scheduled downtime, if possible. Scheduled downtimes should be taken into account when calculating the availability of services.

Depending on the cloud services in question, the particular requirements of the customer, and on what is practically feasible for the provider, other service levels should be defined to guarantee the quality of the cloud services provided.

Error correction

The provider and the customer should also agree the rules on correcting possible errors. The agreement should state how long the provider has to start and finish correcting any error. It should also specify when the time limits start, for example, at the point the customer reports the error to the provider. It might also set out specific service hours during which mistakes will be corrected. The obligations of the provider may depend on certain defined error classes.

Ultimately, error correction will be a matter of negotiation. It will largely depend on what is feasible for the provider considering the types of error in question. For example, it might be easier for a provider to commit to a maximum time limit where it just has to replace a piece of hardware rather than fix a software problem or sort out a third party issue.

Monitoring and reporting

Evidence is needed to prove breaches of an agreement and to enforce sanctions. Standard SLAs may require the customer to measure how the provider performs the services, but usually the customer won't be able to do this accurately, if at all. So instead the agreement should require the provider to continuously monitor the performance of its services and send regular reports to the customer on the achievement of the agreed service levels.

Sanctions

If the provider doesn't meet service levels or correct errors as agreed, it breaches its contractual obligations. Customer claims resulting from these breaches will depend on the law that applies to the SLA. Depending on the jurisdiction in question, it might be unclear what claims exist, and existing claims might be difficult to enforce; for example, it's often difficult to prove specific economic damage where an outage harmed the customer's reputation. So the SLA should include a regime of sanctions triggered if the agreement is breached.

What the actual sanctions are is a matter of negotiation between the customer and the provider, but a fee reduction or a penalty payment would be typical. The amount of the reduction or payment will depend on the extent and duration of the SLA infringement. So the amount might go up in cases of severe or repeated breaches of the SLA. In the most extreme cases, the customer might have the right to end the agreement.

From a customer's point of view, the sanction regime should not be exhaustive; they should be free to claim for any higher damages they might have suffered because of the contract breach. Having a sanction regime in place not only protects the customer in cases where statutory damage claims are unclear or hard to enforce, but also encourages the provider to avoid a liability in the first place.
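An added example, not from the guide, of the availability arithmetic in this section: it works out the downtime a 98 per cent target permits over a 365-day versus a 30-day assessment period, then measures availability from an outage log with scheduled maintenance windows excluded, as the section recommends. The outage times, the maintenance window and the 98 per cent target are constructed assumptions.

```python
"""Availability checks for a negotiated cloud SLA (added example, not the
guide's own material). The incident log and maintenance window are
constructed sample data."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]


def permitted_downtime(availability_pct: float, period_days: float) -> timedelta:
    """Longest total outage the SLA tolerates in one assessment period.
    98% over 365 days allows 7.3 days; 98% over 30 days allows 14.4 hours."""
    seconds = period_days * 86400 * (100 - availability_pct) / 100
    return timedelta(seconds=round(seconds))


def _merge(intervals: List[Interval]) -> List[Interval]:
    """Merge overlapping intervals so no downtime is counted twice."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _overlap(a: Interval, b: Interval) -> timedelta:
    """Length of the overlap of two intervals (zero if they do not overlap)."""
    return max(min(a[1], b[1]) - max(a[0], b[0]), timedelta(0))


def measured_availability(period: Interval, outages: List[Interval],
                          scheduled: List[Interval]) -> float:
    """Availability in per cent over `period`. Scheduled downtime is removed
    from both the outage time and the measurement base, so only unscheduled
    outages count against the provider."""
    scheduled = _merge(scheduled)
    sched_in_period = sum((_overlap(period, s) for s in scheduled), timedelta(0))
    unscheduled = timedelta(0)
    for outage in _merge(outages):
        clipped = _overlap(period, outage)
        if clipped == timedelta(0):
            continue  # outage lies outside this assessment period
        window = (max(period[0], outage[0]), min(period[1], outage[1]))
        clipped -= sum((_overlap(window, s) for s in scheduled), timedelta(0))
        unscheduled += clipped
    base = (period[1] - period[0]) - sched_in_period
    return 100.0 * (1.0 - unscheduled / base)


def assess(period: Interval, outages: List[Interval], scheduled: List[Interval],
           target_pct: float) -> Dict[str, object]:
    """Compare measured availability with the agreed minimum for one period."""
    period_days = (period[1] - period[0]).total_seconds() / 86400
    actual = measured_availability(period, outages, scheduled)
    return {
        "availability_pct": actual,
        "permitted_downtime": permitted_downtime(target_pct, period_days),
        "breached": actual < target_pct,
    }


# Constructed sample data: one 5-day outage in March, and a 1-hour outage that
# falls entirely inside a 3-hour scheduled maintenance window in June.
OUTAGES = [
    (datetime(2013, 3, 10), datetime(2013, 3, 15)),
    (datetime(2013, 6, 1, 2), datetime(2013, 6, 1, 3)),
]
SCHEDULED = [(datetime(2013, 6, 1, 1), datetime(2013, 6, 1, 4))]
TARGET_PCT = 98.0  # assumed negotiated minimum availability


def run_examples() -> Dict[str, Dict[str, object]]:
    """Same outage log and 98% target, assessed over a year and over 30 days."""
    year = (datetime(2013, 1, 1), datetime(2014, 1, 1))    # 365 days
    march = (datetime(2013, 3, 1), datetime(2013, 3, 31))  # 30 days
    return {
        "year": assess(year, OUTAGES, SCHEDULED, TARGET_PCT),
        "march": assess(march, OUTAGES, SCHEDULED, TARGET_PCT),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result['availability_pct']:.2f}% available, "
              f"permitted downtime {result['permitted_downtime']}, "
              f"breached={result['breached']}")
```

The same five-day outage is within tolerance over the year (about 98.63 per cent) but a clear breach over the 30-day window (about 83.33 per cent), which is why the section calls a short assessment period better for the customer.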
What are the inherent risks of a public cloud?

By the very nature of cloud computing, the customer cannot typically see how everything is implemented. A cloud services provider simply agrees to provide a specified functionality, like data storage, software hosting or raw computing power, and to meet certain service levels. While this lack of transparency can help simplify the deployment of a cloud solution and allow efficiency gains to be made, it can also bring up issues. It is particularly a problem for highly regulated industries, like financial services.

Things are made more difficult in the case of a public cloud, where providers are often reluctant to negotiate standard terms and conditions. Some providers will refuse all requests made by customers to amend terms and conditions, making it very hard indeed for customers to negotiate better terms to protect their interests and mitigate perceived risks. Some providers simply display their standard public cloud terms and conditions on their website, and update them from time to time.

This section looks at several inherent risks that arise from the lack of transparency and ways to address them.

The risks

Security breaches

Research we conducted for our survey, Outsourcing in a brave new world, revealed that both suppliers and customers thought the greatest risk associated with cloud computing was a security breach. A security breach can take the form of a physical breach of security at a data centre, or a remote attack over the internet.

Security breaches pose a particular problem for cloud computing. Depending on the nature of the breach, the customer might not even be aware a breach has taken place because either there's no apparent loss of data, or the data lost has been recovered from the provider's backups unknown to the customer. And if the provider isn't contractually obliged to tell the customer about a security breach, this could cause the customer a major problem if they've got a legal or regulatory obligation to report this kind of breach.

Providers of public cloud services often buy services from third parties, like data centre operators or providers of data processing services. As the customer's only contractual relationship is with the cloud services provider, they won't normally have any right to impose security requirements on third parties, and they might not have any legal remedies against them in relation to any security breaches either.

Disaster recovery and other technical issues

One of the inherent benefits of cloud computing is that the provider might be able to recover from disasters or rectify technical issues in a transparent manner. For example, the provider might be able to bring a backup online in another location; this is especially common for cloud solutions where data is stored in several locations, both physically and virtually. But this could also mean that the underlying configuration of the cloud infrastructure might change without the customer's knowledge. This might affect the reliability of the cloud itself, especially regarding its use as a redundant solution. In these circumstances, the problem could be made worse by the fact that the customer can't impose business continuity planning or disaster recovery requirements on the provider's suppliers. This issue might have legal or regulatory consequences for the customer.

A cloud services provider's disaster recovery plans can also create particular issues. If litigation arises in relation to data that is stored in a public cloud, a customer might need to take control of their data and to preserve their communications and documents for discovery, in order to avoid court-imposed sanctions. There's also a danger that legally privileged communications could lose their privilege if they are disclosed because of the nature of the data lifecycle in the cloud, or if backups are archived and stored at off-site locations in another jurisdiction.

Insolvency of the provider

There is clearly an issue if the cloud services provider stops trading. However, even insolvency and the appointment of a receiver, administrator or controller in relation to the provider's assets could affect their ability to carry on providing services.
If the provider becomes insolvent, telecommunications services between the provider's data centre and the customer might very well be stopped, resulting in an immediate loss of access for the customer. The customer is unlikely to be able to get physical access to the data centre, and might not even know which data centre or centres to visit. To make matters worse, there's also a risk that a financier, liquidator or administrator might seize the provider's hardware before the customer can retrieve their data. Even if the customer does get hold of the relevant hardware, there's no guarantee they'll be able to fully recreate the complete dataset, particularly if the provider has stored their data in a proprietary or non-standard format, or has used encryption or other security systems the customer can't break through.

How to address these risks

Carry out due diligence

One of the best ways for the customer to manage risk is to carry out thorough due diligence on the cloud services provider before engaging them. It is crucial to know what data format and storage systems the provider will use to store data, because any proprietary or unusual ones might make it very hard to move to another provider if the customer needs to do so in the future. The customer should also ask about the technical and security controls the provider uses, and maybe even about the security plans, governance, escalation processes, breach detection procedures and notification process the provider has in place.

Finally, if the customer is concerned about particular legal or regulatory risks, they should query the potential jurisdictional issues, such as the location of the provider's data centres and how the provider will communicate the customer's data back to them. For example, some providers promote the fact that their infrastructure is located in the European Union, because of the perceived risk that the USA PATRIOT Act might potentially give the US government access to their data. We look at this issue in more detail in chapter 10.

Get ongoing disclosures

As well as getting information on the provider's cloud computing infrastructure at the due diligence stage, the customer might also require that the provider complies with any industry standards relating to data storage, or make sure the infrastructure continues to meet certain requirements, after the contract has started. Depending on how important it is to them, the customer might want to carry out an audit themselves or simply ask the provider for proof. This extra burden might affect the price of the service, of course.

The customer might want to consider asking to see the provider's business continuity and disaster recovery plans, so they can understand how the provider will deal with issues that affect more than one customer. And, if the provider is prepared to make them available, the results of any disaster or security breach simulations the provider has carried out.

Keep some control

The customer might look to contractually control the underlying implementation of the cloud and restrict the provider's ability to change that implementation. A common condition is to restrict the physical location of the data centres used. This is particularly relevant when there are legal or regulatory restrictions, for example, on the transfer of personal information across borders.

The customer might require their data to be segregated from the data of other customers. The provider can do this either physically, by dedicating one or more servers that make up the cloud to a specific customer, or virtually, by using virtual servers that are transparent to the underlying physical infrastructure.

The customer might also require their data to be encrypted when stored. Encryption gives the customer extra peace of mind, but the need to continually encrypt and decrypt data can slow performance, and losing the encryption keys obviously brings its own problems. The customer will decide at what point their data is encrypted, either before it is sent to the provider or when it arrives. Encrypting data before it is sent to the provider adds an additional layer of security, useful for particularly sensitive data. The customer might also consider imposing other security requirements, like ISO security certification.

Finally, the customer might decide to abandon a public cloud altogether and opt for the more secure but more expensive private cloud, or a combination of the two. Depending on the degree of control and customisation the customer wants, a private cloud can eventually resemble little more than a dedicated data centre-type arrangement.
Make arrangements with the provider's own suppliers

The customer could enter into agreements directly with their cloud services provider's own suppliers, ensuring continuity of service should their provider fail to perform. For example, the customer might make an arrangement with a data centre operator so that they can access their provider's servers and retrieve their data in the event of a breach or termination.

Although dealing directly with multiple third parties can be a useful risk reduction exercise, it can also become troublesome and add an extra layer of complexity. As a result, cloud services providers might be reluctant to agree to their customers having relationships with their own suppliers, especially as it goes against the one-stop-shop nature of a public cloud.

Put the cloud into escrow

Escrow of the relevant software and source code is often used as a risk management tool in the IT industry. However, a traditional software escrow arrangement will not work in a cloud computing environment. The software needed for the cloud to function may be distributed across a range of different systems or may require external resources from third party providers. Depending on the nature and type of the cloud deployment, some physical hardware or other platform element may also be required for the cloud to function.

Escrow of a cloud would essentially require the creation of a "mini cloud", consisting of a number of virtual machines under the control of the customer, or provided by another cloud services provider, which would emulate the existing cloud platform. This mini cloud could then be subject to a form of escrow where, when an escrow release event is triggered, data would be moved from the main cloud to the mini cloud, which would then start operating. In practice, this arrangement is quite similar to normal disaster recovery procedures. The difference is that it is the customer that implements the failover change to their infrastructure, by using an escrowed version of their provider's own systems, to allow operation to continue. Setting up and maintaining this kind of arrangement is potentially complex, and the cost of doing so may well wipe out the cost savings made from using a cloud solution in the first place.
What about being locked in to a particular vendor or technology?

Using cloud computing comes with another risk: the potential for vendor or technology lock-in. While it's relatively straightforward to move your IT infrastructure to the cloud, it can be much harder to go back to a traditional infrastructure, or even just change cloud services providers. As previously discussed, carrying out thorough due diligence is vital for the customer to understand the potential complications that could arise if they ever need to move away from their provider. The customer should be particularly wary if a provider simply says their public cloud infrastructure complies with open standards: this doesn't necessarily mean the customer's cloud solution could be easily transferred to another provider.

Depending on the particular cloud deployment used, the customer might face a range of issues if they decide to end the arrangement with their provider. There is the question of how to access their data in the first place, how to extract it, and how to move it to the new system, and then there's the cost of doing so. The extraction and migration process can be complicated, especially if the provider uses multiple software platforms and third party suppliers.

Getting access to data

The nature of a public cloud inherently means that the customer will lose some level of control over the storage and retention of their own data. This is a problem if the cloud services agreement ends or expires, because the customer will need to extract their data so they can carry on their normal business operations. The main question is whether the customer can access their data over the internet or not: if the amount of data is too much, they will need physical access to the servers themselves. If this is the case, they will need to know the location or locations of the relevant servers, and get permission from the data centre operator to access those servers. The provider might also have to retrieve archived or backed-up data from offsite or offline storage systems.
Extracting and migrating data

The process of extracting and migrating data will be determined by the nature of the provider's systems: a well-designed cloud platform should make extracting the data relatively easy. The main issues here will be how long it takes to extract the data and how much downtime the customer will face. If the data transfer process is done over the internet, the customer is likely to encounter bandwidth bottlenecks, which might affect the rest of the business. Whether the data is going back in-house or to another cloud services provider, transferring it is likely to be a costly and time-consuming process, especially if there's a lot of it, or it needs to be decrypted or re-formatted before it can be used.

How to address the risks

The customer should begin to think about potential data extraction and migration issues at an early stage in the cloud deployment process, and certainly during the due diligence process. They should agree a transition out plan with their provider before, or at least soon after, the initial deployment of the cloud platform. The best time for the customer to negotiate a suitable transition out plan is before the deployment period, when the parties are on good terms and the provider remains keen to win the customer's business. The worst time is when the contract is about to expire or has been terminated, and the provider has little incentive to help the customer.

Putting a transition out plan in place early also means the customer can ask their provider to test the plan, even on a limited scale. This will help the customer understand the viability and ease of the transition out process, and could even result in improvements being made to it.

The customer might also ask the provider to restrict the data centres used to specified locations or jurisdictions. We've already seen how this course of action can address some of the risks that arise from the lack of transparency in public cloud deployments, and it could also help bring down the time and cost of moving data. It is worth bearing in mind though that restricting the data centres used could reduce the resilience of the cloud computing platform.

Finally, the customer could seek to hold back a fixed percentage of the fees payable to their provider to fund the transition out process in the event that the contract is terminated. However, cloud services providers are generally reluctant to agree to this kind of arrangement, except in cases involving more complex bespoke cloud solutions.
Security and privacy: what are the specific legal and regulatory issues around the world?

The use of public cloud computing can give rise to a range of legal and regulatory issues, especially concerning security and privacy. This section looks at some of the issues in different countries.

Australia

While there is no specific or targeted legislation that would apply to the use of a cloud computing platform by Australian entities, regulations exist that apply to certain activities or to certain types of customers.

Personal information and privacy issues

The National Privacy Principles (NPPs) contained in the Privacy Act 1988 (Cth) apply to the use, collection, storage and disclosure of personally identifiable information by Australian companies with an annual turnover of AU$3,000,000 or more, and to federal government agencies. State and territory agencies are also subject to similar legislation in their home jurisdiction.

In the context of cloud computing, National Privacy Principle 9 prohibits the transfer of personally identifiable information to foreign countries except in limited circumstances. Accordingly, companies that use a public cloud to store or process their customers' personal details might be in breach of the National Privacy Principles if the cloud services provider's servers are located outside Australia. The main exceptions available under the Privacy Act that permit the flow of personal information across borders include:
- where consent has been given for that transfer;
- where the recipient is subject to a similar law or binding scheme in the jurisdiction where the personal information is being transferred to; or
- where the customer has taken reasonable steps to ensure the personal information will be treated in a manner consistent with the Privacy Act.

Amendments to the Privacy Act 1988 (Cth) will come into force in March. Among these amendments are the new Australian Privacy Principles (APPs), which replace the NPPs and apply to any organisation or government agency that must currently comply with the NPPs.
APP 8, which replaces NPP 9, tightens the rules on cross-border data flows. APP 8 requires an organisation or government agency to ensure that, before disclosing personal information to an overseas recipient, it takes such steps as are reasonable to ensure that the recipient does not breach the APPs in relation to that information. An organisation or government agency can be held liable for a breach of the APPs by an overseas recipient of personal information.

Accordingly, the main issue arising from the use of a public cloud to store or process customer information is determining the location of the cloud services provider's servers and backup infrastructure. This can be done as part of the due diligence process and reinforced by appropriate provisions in the contract.

Material outsourcing of activities by financial institutions and insurers

Insurers, banks and certain other regulated financial institutions are subject to extra regulation administered by the Australian Prudential Regulation Authority (APRA). Under the prudential standards enforced by APRA, certain steps have to be taken relating to any material outsourcing of a business activity, which can potentially include significant IT outsourcing. For example, if an APRA-regulated financial institution proposes to use a cloud computing platform and that use constitutes a material outsourcing, the customer would need to comply with APRA's Prudential Standard CPS 231 and APRA's Prudential Practice Guide PPG231. APRA has also provided extra guidance in the form of Prudential Practice Guide PPG234 for the management of security risk in information and IT, which can apply in a cloud computing context.
For customers covered by these regulations, the issues that will concern APRA here relate to:
- the scope of the outsourcing;
- any service levels and performance requirements that are implemented;
- any provisions relating to the confidentiality, security and privacy of information;
- the visibility of any subcontracts;
- whether services will be provided from a foreign jurisdiction; and
- whether an exit plan or migration strategy can be put in place in the event of default or termination.

Business continuity management by financial institutions and insurers

APRA also has certain requirements for insurers, banks and certain other regulated financial institutions relating to business continuity management. For example, an APRA-regulated financial institution has to comply with business continuity management obligations in APRA Prudential Standard CPS 232 and APRA Prudential Practice Guide PPG233 Pandemic Planning and Risk Management. Accordingly, any use of cloud computing by APRA-regulated entities will have to comply with the regulations above. The main things APRA will look for in the context of business continuity management include the carrying out of risk assessments, the development of a business continuity plan, and the regular testing of business continuity processes.

How to structure the cloud platform

The entities covered by the laws and regulations mentioned above will have to take particular care to understand the nature of the cloud deployment and to avoid breaching these obligations. For non-sensitive data or a minor outsourcing of non-material business activities, the use of a public or hybrid cloud platform might be possible. For personal or sensitive information, or a more significant outsourcing, a bespoke private cloud that complies with all of the relevant legal obligations might be a better alternative from the customer's perspective. The cost effectiveness of a customised private cloud solution needs to be considered in the context of the customer's business requirements. However, there may be opportunities for cloud services providers to work with customers and APRA to come up with bespoke cloud solutions for APRA-regulated entities that are more commercially viable.

Canada

Privacy concerns arise when companies located in Canada use the cloud to process or store the personal data of their Canadian employees and customers, or the personal data they hold on the employees and customers of their subsidiaries located in other jurisdictions. All of this data becomes subject to both federal and provincial privacy legislation 3, regardless of where in the world the data was obtained. Canadian privacy law doesn't distinguish between data controllers and data processors. Canadian companies collecting, using or disclosing personal data, at home or abroad, have to make sure both the cloud services provider and any subsidiaries accessing personal data stored in the cloud respect Canadian privacy legislation. This is typically done by putting in place contractual measures that mirror the rights of the individuals concerned and the obligations of the collecting organisation under Canadian legislation. This means ensuring contractually that the cloud services provider won't use the personal data for its own purposes and that it will put in place appropriate backups that enable the retrieval of data should a malfunction cause its loss. Both the provider and any subsidiaries accessing personal data in the cloud have to also agree to restrict access to that data to only those identified in the contract (those whose jobs require it), notify the Canadian organisation of any data breaches promptly, and institute appropriate measures to contain and eliminate the source of the breach 4. The right to require destruction of personal data, once it has outlived the purpose it was collected for, should also be foreseen. European Union model clauses will often suffice for these purposes.

Unlike many European countries, Canada doesn't require these contractual measures to be approved by any of its privacy commissioners. The onus is on the Canadian organisation to make sure the contractual measures comply with all applicable legislation.

Some organisations have raised concerns about using cloud services providers with servers located in the United States, given the provisions of the USA PATRIOT Act. In this regard, Canadian privacy legislation generally requires, as a condition of export of personal data to another country, the exporting organisation to make sure a comparable level of security and confidentiality exists around the data once it's exported.

3 In addition to federal privacy legislation of general application, the provinces of Alberta, British Columbia and Québec have their own general privacy legislation. Certain provinces, like Ontario and New Brunswick, have their own privacy legislation, but it extends only to health information.
Canada, like many other Western countries, has legislation that enables law enforcement authorities to require disclosure of personal data in national security and anti-terrorism contexts. As Canada's Assistant Privacy Commissioner has pointed out on more than one occasion 5, the risk of a US-based provider being ordered to disclose personal data to US authorities isn't a risk unique to US organisations. Not only are Canadian organisations subject to these requests as well, but there are several bilateral agreements in place between the two countries allowing their respective law enforcement agencies to exchange personal information. As a result, the USA PATRIOT Act doesn't mean that a comparable level of security and confidentiality exists around personal data exported to the US. Canadian organisations need to tell individuals that their information will be processed or held in the US, but they don't need to get their consent. While this is the opinion of Canada's federal privacy commissioner, the same reasoning would likely apply under any provincial privacy legislation, with two exceptions: both British Columbia and Nova Scotia have legislation prohibiting the transfer to the US of personal data held by their respective Crown corporations, except in certain limited exceptions.

4 At the moment, only the province of Alberta has general legislation requiring security breaches to be notified to its privacy commissioner and, in some cases, to the individuals concerned. However, federal privacy legislation has been tabled that foresees similar obligations, and the provinces of Ontario and New Brunswick have mandatory reporting of breaches relating to health information.
5 See, for example, Case Summary #394, 2008, Outsourcing of Canada.com services to a US based firm.

Federally regulated financial institutions

Cloud computing solutions used by federally regulated financial institutions are subject to guidelines imposed by the Office of the Superintendent of Financial Institutions (OSFI), Canada's federal regulator of federally regulated entities (FREs). FREs can be banks, federally incorporated or registered trusts, loan companies, insurance companies, cooperative credit associations, fraternal benefit societies, pension plans, bank holding companies, or Canadian branches of foreign banks or insurance companies.

In 2001, OSFI issued guideline B-10, entitled Outsourcing of Business Activities, Functions and Processes (the B-10 Guideline), a persuasive, though non-compulsory, code of conduct for FREs that outsource business activities. Based on the premise that FREs retain ultimate accountability for outsourced activities and that OSFI's supervisory powers should apply regardless of whether an activity is kept in-house or outsourced, the B-10 Guideline sets out OSFI's expectations regarding the management of outsourcing risks.
Under the B-10 Guideline, OSFI expects FREs to:
(a) develop a due diligence process for determining the materiality of outsourcing arrangements
(b) evaluate risks with all existing and proposed outsourcing arrangements
(c) implement a programme for managing and monitoring risks, commensurate with the materiality of these arrangements.
The minimum requirements of the B-10 Guideline vary, depending on whether the activity in question is outsourced to:
(a) an FRE's subsidiary or a controlling entity (if it's an FRE itself) or a subsidiary of the same
(b) the Canadian branch, head office or any other branch or agency of a foreign bank, insurance company or entity that controls the FRE, if the entity is regulated by a foreign or provincial regulatory body
(c) external auditors or other third parties.

The risk management expectations are heightened when an FRE outsources to a third party; for example, the B-10 Guideline requires FREs to refrain from outsourcing certain principal business activities to third parties.

An FRE's material outsourcing arrangements should be documented in a written contract that includes certain provisions set out in the B-10 Guideline. The FRE should make sure, for example, that its cloud services provider has got appropriate measures in place to guarantee the continuation of the outsourced activity in the event of system breakdowns, natural disasters and other reasonably foreseeable events. The FRE should also require the provider to test its contingency plans on a regular basis, notify the FRE of the results, and address any material deficiencies. OSFI might, with reasonable notice, ask the FRE for a summary of these results. Ownership and access rights should be clearly delineated. Data security and confidentiality policies should be commensurate with those of the FRE and should apply to the provider's subcontracting arrangements.

Because the number of cloud deployments in the Canadian financial services marketplace was growing and there was some uncertainty about how to apply the B-10 Guideline to cloud solutions, in February 2012, OSFI confirmed that the B-10 Guideline does apply to all technology-based outsourcing services, including cloud computing. In its memorandum to FREs, OSFI reminded them of their B-10 Guideline obligations, including those regarding:
- confidentiality, security and separation of property;
- contingency planning;
- location of records;
- access and audit rights;
- subcontracting; and
- monitoring material outsourcing arrangements.
FREs and cloud services providers need to be aware of the challenges created by the application of the B-10 Guideline to the deployment of cloud solutions by FREs. For example, as noted previously, the B-10 Guideline requires an FRE to carry out due diligence on an outsourcing arrangement. The nature of a cloud solution can greatly complicate, or even frustrate, the due diligence process in many respects. Cloud solutions will often use multiple data centre locations in different jurisdictions and a myriad of third party subcontractors and partners; conducting even minimal due diligence can be time consuming and expensive, as well as complex. Complying with other requirements of the B-10 Guideline will often mean having to deviate from many providers' standard terms and conditions dealing with prohibitions and other controls over subcontracting, audit and access requirements, and reporting obligations. So a cloud services provider that wishes to take on an FRE will need to anticipate the challenges raised by the B-10 Guideline, and be prepared to negotiate a cloud solution that balances the FRE's obligations with the characteristics and limitations often inherent in many cloud solution models.
Asia

Singapore

Legal landscape

Overview

The Singapore government has chosen to adopt a cloud friendly policy, and has itself decided to use cloud computing. Singapore has also taken a light touch approach when it comes to legislating the collection, use and transfer of personal data in the cloud. At the moment, there are no laws in Singapore that prohibit the transfer of an organisation's data, including its customers' personal details, to the cloud or through outsourcing. Any legislation covering the collection, use and transfer of an organisation's data tends to be specific to a sector, with an emphasis on the financial services sector and protection of government information. A new Personal Data Protection Act (the PDPA), which is broadly based on established data privacy principles, is expected to come into force by the end of 2012, and will most likely complement existing sector specific legislation. The first reading of the Personal Data Protection Bill (the Bill) took place in early September.

Privacy

Singapore doesn't currently have an over-arching data protection law. Personal data is protected by the common law of confidence and by sector specific legislation. The proposed PDPA aims to curb excessive and unnecessary collection of personal data by organisations and prohibits the unauthorised use and disclosure of this data. Although the PDPA hasn't been enacted yet, it is expected that it will take a light touch, pro-business approach.

The Bill defines personal data very broadly to be: "data whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which the organization is likely to have access" 6.

6 Extract from section 2, Personal Data Protection Bill.
This definition of personal data means that the PDPA, when in force, will apply to most organisations in Singapore. A key provision of the Bill is the new section 26, which requires an organisation to not transfer data outside Singapore "except in accordance with requirements prescribed under this Act to ensure that organizations provide a standard of protection to personal data". Section 26 doesn't appear to require an organisation to carry out a detailed assessment of the laws in the foreign jurisdiction receiving the data. However, the organisation will have to make sure the recipient maintains a level of protection comparable to that in the PDPA. In short, the PDPA, when in force, is unlikely to impede the use of cloud computing services, even those hosted outside Singapore.

The Bill also has requirements for letting individuals access and correct personal data 7. Organisations will have to:
- help an individual obtain their personal data;
- tell the individual how their personal data has been used; and
- supply the names of other individuals or organisations that have been given their personal data.

Organisations will have to correct any inaccurate personal data at the request of the individual, if the data is under the organisation's control. They will also have to send the correct personal data to any other organisation that has been given it, within a year from the date on which the correction was made. In light of this requirement, it is essential that an organisation chooses a cloud services provider that can cope with this.

Until the new PDPA comes into force, any private sector organisation that collects personal data is free to adopt the voluntary Model Data Protection Code (the Model Code). The Model Code imposes practices broadly consistent with the EU Data Protection Principles.
Sector specific legislation

Both the Banking Act 8 and the Securities and Futures Act 9 require financial institutions to maintain the confidentiality of customers' personal details. Both laws allow the disclosure of data for outsourcing purposes, including for cloud computing, provided that the relevant authorities are notified, the confidentiality of customers' personal details is maintained, and there are adequate contractual terms in place with the cloud services provider.

The Statistics Act 10, the Official Secrets Act 11 and the Statutory Bodies and Government Companies (Protection of Secrecy) Act 12 have extra regulations covering the collection, processing and transfer of personal data, but these are only relevant to private sector organisations when they are dealing with government information.

7 Part V of the Personal Data Protection Bill.
8 Banking Act (Cap. 19), Section 47 to be read together with MAS Notice.
9 Securities and Futures Act (Cap. 289), Section 21.

Mutual assistance in criminal matters

The Mutual Assistance in Criminal Matters Act 13 allows Singapore to co-operate with foreign governments in criminal investigations and prosecutions. Singapore aims to make sure criminals can't evade investigation, prosecution and asset confiscation on the basis that the evidence or proceeds of their crimes are in different countries. Singapore offers foreign governments a wide range of mutual assistance, including the execution of search warrants to obtain evidence from holders of information contained in databases. There are several exceptions that apply to the provision of mutual assistance, but, in general, if a crime in one country is also a crime in Singapore, Singapore will offer assistance to that country.

The main security and regulatory issues

Overview

The regulations that govern the use of cloud computing in Singapore are largely directed at the financial services sector and take the form of guidelines issued by the Monetary Authority of Singapore (MAS). Regulators like the MAS will often view cloud computing as a form of outsourcing, depending on the type of cloud computing used, the extent to which it's used, and the impact it has if it's unavailable.
Financial institutions should be aware that if their use of cloud computing is deemed to be a material outsourcing, they need to tell the MAS. Before they go ahead and outsource, they also have to complete a Technology Questionnaire for Outsourcing and send it to the MAS.

10 Statistics Act (Cap. 317).
11 Official Secrets Act (Cap. 213).
12 Statutory Bodies and Government Companies (Protection of Secrecy) Act (Cap. 319).
13 Mutual Assistance in Criminal Matters Act (Cap. 190A).

In general, the regulations in Singapore require organisations to be aware of the unique attributes and risks associated with cloud computing, especially in the areas of data integrity, multi-tenancy, recoverability and confidentiality. As most cloud services providers and their data centres aren't located in Singapore, the legal issues organisations should be aware of include sovereignty and jurisdictional ones. Organisations shouldn't view the use of cloud computing as an outsourcing of their regulatory and audit obligations, and the authorities will still expect them to comply with these obligations.

Data security and storage

As cloud services providers use data pooling systems to process data for multiple customers, an organisation should make sure its own provider can isolate and clearly identify the data, and other information system assets, of each of its customers. From the start, the organisation should also have a plan in place to get its data back should it stop using the cloud computing service in the future.

Data security

The organisation should check its provider has stringent security policies, procedures and controls in place to protect the confidentiality and security of its sensitive information, like personal data, computer files, records, object programs and source codes. It should also regularly monitor and review these policies, procedures and controls. Organisations should only partner with providers that comply with industry standards and have data centres with an acceptable data centre tier rating.

Threat and vulnerability

Where possible, the MAS recommends that the organisation carries out a threat and vulnerability risk assessment of its provider's data centre on a regular basis 14.
The purpose of this risk assessment is to identify the data centre's security and operational weaknesses so that the level and type of protection needed to safeguard it can be determined. The provider should also have a remediation plan to address all the issues identified within a reasonable timeframe.

14 Section 5.1.9, MAS Consultation Paper on Technology Risk Management Guidelines.
Maintaining control

The organisation has an obligation to make sure its use of cloud computing or outsourcing, regardless of location, doesn't result in the weakening of its control over its data. The organisation should carry out regular reviews and audits to make sure the cloud computing services or outsourced functions adhere to its risk management policies. The organisation should set up a technology risk management framework to manage technology risks in a systematic and consistent way, and to give specified people risk management responsibilities. The organisation needs to put effective risk management practices and internal controls in place to protect and maintain the integrity of personal data and to guarantee availability of cloud computing services 15.

Contracts

The terms and conditions governing the roles, relationships, obligations and scope of cloud computing services should be carefully and properly defined in a written contract. The requirements and conditions covered in the contract would usually include performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility. The organisation should make sure its provider offers their service with a high standard of care, as if the activity were not outsourced but carried out in the organisation itself 16. The contract should take into account the need to protect the confidentiality of personal data and the need to comply with all applicable laws and regulations. It should also document the provider's ability to get their service up and running again within a specified time after a disaster or period of unavailability. Finally, the contract should give the organisation the right to have its data promptly returned or destroyed when the contract is terminated or expires.
15 Extract from sections to 4.0.3, MAS Consultation Paper on Technology Risk Management Guidelines; section 6.7, MAS Guidelines on Outsourcing.
16 Section 4, MAS Guidelines on Outsourcing.
Service levels

The organisation should set up management control groups to monitor the outsourced service on a regular basis. These groups should make sure the provider's service delivery, performance reliability and processing capacity are in line with the agreed service levels.

Internal IT policies and processes

IT policies, standards and procedures are critical components of a framework to manage the technology risks associated with cloud computing. They should specify the people in the organisation who are responsible for maintaining the policies, as well as the processes for safeguarding data in the organisation. Because of the speed of change in IT operating environments and cloud computing, the organisation should regularly review and update its policies, standards and procedures so that they stay up to date and relevant. The organisation should be able to address any compliance issues as quickly as possible 17.

The organisation should set up a comprehensive IT security awareness training programme to improve the overall level of awareness in the organisation, especially if the use of cloud computing is new. The organisation should make sure the programme's content keeps up to date with developments in cloud computing 18.

Audit rights

A cloud services provider should be required to give all those who need it access to their systems, operations, documentation and facilities so they can carry out any review or assessment for regulatory, audit or compliance purposes. The contract with the provider should allow the regulatory authorities to carry out inspections, supervisions or examinations of the provider's roles, responsibilities, obligations, functions, systems and facilities 19. Organisations, especially financial institutions, shouldn't use cloud computing services based in jurisdictions where regulators can't access their data quickly 20.

17 Extract from section 3.2, MAS Consultation Paper on Technology Risk Management Guidelines.
18 Extract from section 3.4, MAS Consultation Paper on Technology Risk Management Guidelines.
19 Section 6.8, MAS Guidelines on Outsourcing.
20 Section 6.9.2, MAS Guidelines on Outsourcing.
Risk assessment and management

Board supervision and responsibility

Board responsibility and accountability is a basic principle of good corporate governance that also extends to the use of cloud computing. The MAS has expressly stated that the board of directors and the senior management of financial institutions are fully responsible and accountable for managing technology risks. This also includes making sure the use of any new technology, like cloud computing, complies with the relevant laws and regulations in Singapore [21].

The board and senior management should regularly review and appraise the cost and benefit of investing in controls and security measures in connection with using cloud computing. Some of the things they should look at are reputation, customer confidence, consequential impact, legal implications and cost considerations [22]. They need to fully understand the risks associated with outsourcing and using cloud computing [23].

Due diligence

Before an organisation appoints a cloud services provider, it should carry out due diligence on the provider's viability, capability, reliability, track record and financial position [24]. As part of the due diligence process, the organisation might want to ask if it can visit the provider's data centres to assess the quality of operation and security controls. This might not always be possible if the data centres are located offshore.

Contingency plan

The organisation should have a contingency plan in place, based on credible worst case scenarios, in case its cloud computing services fail or stop working for whatever reason. The plan should identify viable alternatives for resuming operations elsewhere, define the roles and responsibilities of the parties, and involve the regular testing of the recovery procedure [25].

[21] Extract from section 3.1.2, MAS Consultation Paper on Technology Risk Management Guidelines; section 4.1, MAS Guidelines on Outsourcing.
[22] Section 6.1, MAS Guidelines on Outsourcing.
[23] Extract from section 5.1, MAS Consultation Paper on Technology Risk Management Guidelines; section 4.1, MAS Guidelines on Outsourcing.
[24] Section 6.2, MAS Guidelines on Outsourcing.
[25] Extract from section , MAS Consultation Paper on Technology Risk Management Guidelines.
Hong Kong

Legal landscape

Overview

Hong Kong encourages the use of cloud computing as long as there are safeguards surrounding the use of personal data. For the financial services sector, there's also specific regulation relating to risk management. Within these limitations, the Hong Kong regulations generally allow users and cloud services providers to establish contractual terms that suit their business needs.

Privacy

Personal data is protected in Hong Kong by the Personal Data (Privacy) Ordinance (the PDPO). Personal data protection has been controversial in Hong Kong ever since a Hong Kong provider of stored value cards sold personal data in [year]. This incident resulted in a series of public consultations on data protection laws, recommendations from the Office of the Privacy Commissioner for Personal Data, Hong Kong and the Hong Kong Monetary Authority (HKMA) relating to direct marketing activities, and amendments to the PDPO.

The PDPO defines personal data as any data:
- relating directly or indirectly to a living individual
- from which you can directly or indirectly work out the identity of the individual
- in a form you can access or process [26].

The PDPO requires personal data to be collected and used in accordance with six data privacy principles, which are broadly in line with data privacy principles adopted in other jurisdictions. In Hong Kong, these principles are [27]:
- why and how personal data is collected
- accuracy of personal data and how long it is kept for
- proper and legitimate use of personal data
- security of personal data
- data handling policies and other information generally available to the individuals concerned
- the individuals' access to personal data and their ability to correct it.

The PDPO applies to data users, defined as a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data [28]. Under this definition, an outsourcing agent that holds, processes or uses personal data for someone else's purposes and not for their own isn't considered to be a data user. Therefore, a data user that engages a data processor as their agent will be responsible for the actions of that data processor. From a cloud computing perspective, this means that the customer is responsible for their cloud services provider's handling of their data.

If a data user engages a cloud services provider, whether in or outside Hong Kong, to process personal data on their behalf, they have to use contractual or other means to prevent the data from being kept longer than necessary and to prevent unauthorised or accidental access to the data, or processing, erasure, use or loss of the data.

Transfer of data outside Hong Kong

Section 33 of the PDPO prohibits the transfer of personal data to places outside Hong Kong, except in specified circumstances, although this restriction isn't in force yet. Nevertheless, since the provision could be brought into operation at any time, data users with a cloud services provider located outside Hong Kong, or that uses servers located outside Hong Kong, should think about the potential impact of section 33 on their business.

Sector specific regulation

Schedule 7 of the Banking Ordinance sets out the minimum authorisation criteria that authorised institutions (AIs) should be aware of when outsourcing functions, like data processing, to a third party. For instance, AIs are required to put adequate accounting systems and systems of control in place and to conduct their business with integrity, competence and in a manner not detrimental to the interests of depositors and potential depositors [29]. Regarding outsourced data, AIs should make sure they maintain appropriate, up-to-date records on their premises and have them available for inspection by the HKMA [30].

The main security and regulatory issues

Risk assessment and management for non-authorised institutions

Although data users are responsible for the actions of their data processors and are required to have adequate systems of control in place, the general data privacy regulations don't prescribe what form the controls should take. The Office of the Privacy Commissioner for Personal Data, Hong Kong has, however, published an information leaflet with recommendations on the content of a data processing agreement necessary to adequately protect personal data under the PDPO. A contract could impose the following obligations on a data processor:
- to take measures to protect the personal data entrusted to it and to comply with the data protection principles under the PDPO
- to return, destroy or delete the personal data when it's no longer required
- to not use or disclose the personal data other than in the way intended by the data user
- to not subcontract the service it's engaged to provide
- to immediately report any signs of abnormalities or security breaches
- to allow the data user to audit and inspect the way it handles and stores the personal data
- to face sanctions for violating the contract.

[26] Section 2(1), Personal Data (Privacy) Ordinance (Cap. 486).
[27] Schedule 1, Personal Data (Privacy) Ordinance (Cap. 486).
[28] Section 2(1), Personal Data (Privacy) Ordinance (Cap. 486).
[29] Paragraphs 10 and 12, Schedule 7, Banking Ordinance (Cap. 155).
[30] Sections 55 and 56, Banking Ordinance (Cap. 155).
Data users should also consider non-contractual ways to make sure their data processors comply with data protection requirements. For example, data users could:
- only choose reputable data processors that have a good track record on data protection and guarantee their competency in this area; and
- make sure data processors have robust policies and procedures in place, including adequate training for their staff.

Risk assessment and management for authorised institutions

AIs have to follow both the general risk assessment and management procedures in the section above and the industry specific ones set out in this section.

The HKMA acknowledges that data processing is one of the typical functions AIs outsource [31]. In general, because outsourcing can bring significant benefits to AIs and their customers, the HKMA will let AIs use outsourcing arrangements so long as they are well structured, properly managed and the interests of customers will not be compromised [32]. As a result, the HKMA requires AIs to adopt the following measures:

- The board and management of an AI should be ultimately accountable for the outsourced processing of personal data. So outsourcing can only allow them to transfer their day-to-day managerial responsibility, and not accountability, for the processing of personal data to a cloud services provider [33].

- Before taking on a cloud services provider, the board and management of the AI should make sure a comprehensive risk assessment of the proposed outsourcing arrangement has been carried out and that all the risks identified have been adequately addressed before launch. Among other things, the risk assessment should look at:
  - how important the processing of the relevant personal data is
  - the reasons for outsourcing the task
  - what operational, legal and reputational risks outsourcing might create [34].

- Before choosing a cloud services provider, the AI should carry out appropriate due diligence. As well as the cost and quality of service, the AI should take into account: the provider's financial soundness; reputation; managerial skills; technical capabilities; operational capability and capacity; compatibility with its own corporate culture and future development plans; familiarity with the banking industry; and ability to keep pace with innovation in the market [35].

- The AI and its provider should maintain and regularly test their contingency plans [36]. The AI should make sure it fully understands its provider's contingency plan and how the plan will affect its own contingency planning in the event the cloud computing service fails [37].

- The AI should put in place proper safeguards to protect the integrity and confidentiality of customer information. Some of these are:
  - undertakings from the provider that the company and its staff will comply with confidentiality rules and observe the data protection principles set out in the PDPO
  - contractual rights to take action against the provider in the event of a breach of confidentiality
  - segregation of its data from that of the provider and their other clients
  - access rights to its data given to the minimum number necessary of the provider's employees [38].

- The AI should tell its customers in general terms about the possibility that their data might be outsourced, and specifically about any significant outsourcing initiatives, particularly those in an overseas jurisdiction [39].

- If the outsourcing agreement is terminated, for whatever reason, the AI should make sure all its customer data is either retrieved from the provider or destroyed [40].

- The AI should have effective procedures in place for managing the relationship with the provider and the risks associated with the outsourcing, and monitoring the provider's performance [41]. Among other things, the AI should look at:
  - contract performance
  - any material problems the provider has
  - the provider's financial condition and risk profile
  - the provider's contingency plan, the results of testing it and how to improve it [42].

- The AI should have suitable reporting procedures in place so that problems are quickly brought to the attention of its management and the provider [43].

- The AI's internal audit department should regularly review the outsourcing arrangement's control procedures [44].

[31] Section 1.1.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[32] Section 1.3.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[33] Section 2.1.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[34] Section 2.2.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[35] Section 2.3.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[36] Section 2.7.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[37] Section 2.7.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[38] Section 2.5.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[39] Section 2.5.3, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[40] Section 2.5.4, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[41] Section 2.6.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[42] Section 2.6.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[43] Section 2.6.4, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
[44] Section 2.6.5, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
The UK

Data protection compliance

The following analysis is based on the requirements of the UK Data Protection Act 1998 (the DPA) and Guidance on the use of cloud computing (the ICO Guidance) published by the Information Commissioner's Office (ICO), the UK's data protection authority, on 27 September [year].

Who is the data controller?

The ICO Guidance says that where a customer is providing personal data to a cloud services provider, the customer is most likely to be the data controller, and therefore responsible for complying with the DPA. This is based on analysis that it's the customer that will determine why any personal data is processed and how it's processed. While the ICO recognises that the customer might find it hard to influence the way a large cloud services provider operates, it still takes the view that the customer can't shed their data protection responsibilities.

However, the role of the provider would have to be reviewed in each case. Where the provider uses the personal data for its own purposes, it will be a data controller in its own right (and/or a joint data controller with the customer) and responsible for complying with the DPA. Customers should make sure providers only process personal data for the reasons customers have specified. Contractual arrangements can restrict this.

Giving end users information

The ICO Guidance says that, as a matter of good practice, customers should tell the end users about the processing arrangements they have in place with cloud services providers. However, if customers have already told the end users that third party contractors will be given access to their personal data to provide outsourced services, customers only need to give more information if the cloud service presents a significant extra risk (for example, by exposing the data to greater regulatory scrutiny in the case of a private banking service) and this risk hasn't been mitigated.
Handling security

Data controllers have to take appropriate technical and organisational measures to prevent personal data being destroyed, lost, damaged, or illegally processed. They also need to make sure cloud services providers that process personal data on their behalf do the same. The ICO Guidance picks up on the following areas of security:

Encryption
The customer should consider if the data transferred to the cloud needs to be encrypted. This might be particularly important if sensitive personal data is being processed. In an IaaS or data storage scenario, it is much easier for the customer to insist that all data is encrypted before it leaves their device or that of the end user. But in an SaaS cloud, this is harder to achieve because the provider might need access to the data to carry out the necessary processing.

Mobile access
The ability to access data from any location is a benefit of cloud computing, but the customer needs to ensure end user accounts have sufficient controls, like a username and password system, in place. If a personal data breach occurs because of a lack of security (for example, a key-logging malware infection captures the end user's username and password), then the customer would still be accountable.

Provider access
There should be a clear policy in place to specify the circumstances in which the provider may access the personal data it processes, as greater access increases the risk of unauthorised disclosure.

Multi-tenancy environment
The customer might find that their data is being processed on the same systems as other customers' data. The contract should therefore require the provider to protect against the possibility of one customer gaining access to another's personal data, or the activities of one customer affecting those of another.

Reliability and resilience
The customer should think about the consequences of a provider suffering a major fault that takes the data offline. For example, it might be appropriate for the customer to store a copy of their data in an alternative location to minimise the impact of an outage.

Staff training
The customer might need to give their staff training on new data protection and security risks and measures. For example, staff might need to be made aware that certain sensitive information should not be uploaded to the cloud.
Kitemark
The ICO supports the use of an industry recognised standard or kitemark to help assure customers of providers' security levels. However, no kitemark system is in place yet.

Prompt breach notification
The provider should be contractually obliged to tell the customer promptly about any personal data security breach and to help them deal with it. To be able to properly assess the risks, the customer needs to know exactly how the cloud service is provided, including in relation to subcontractors, something that many providers are reluctant to divulge.

Selecting which data to move to the cloud

Some data is too sensitive to move to the cloud, because of, for example, the danger of unauthorised access. So it might not be appropriate for a customer to move all their data or use the same type of cloud service for all their data. For example, it might be appropriate for a school to store online educational resources in the cloud, but not personal data like attendance figures or exam results.

Choosing a provider

Customers have to choose a provider that guarantees the physical, technical and organisational security measures they have in place. One of the most effective ways to assess these security measures would be to inspect the provider's premises. However, the ICO recognises that this is unlikely to be practically possible, especially in the case of a public multi-tenant cloud. An independent security audit is therefore a good alternative. A sufficiently detailed assessment will help the customer find out if the provider's security is appropriate, and, in turn, help them comply with their data protection obligations. The customer should be aware that audits based on certification standards like SAS 70 / SSAE 16 Type II might not cover all the aspects sufficiently and can only form part of the assessment. The customer could also ask the provider to complete a security assessment questionnaire. Ideally, the provider would warrant their answers.
Monitoring the provider's ongoing compliance

Customers also have to take reasonable steps to make sure their provider continues to have adequate security measures in place and that they keep them up to date, where necessary. The ICO Guidance says that the provider should be able to give the customer regular updates showing this. The customer could also continue to have independent security audits carried out.

Data retention and deletion

Data retention and deletion issues may be more complex in cloud computing, as the provider is likely to have multiple copies of data stored in multiple locations, potentially including backup tapes or other media not directly related to the cloud. Customers have to make sure their provider is obliged and able to delete all copies of personal data within a timescale that is in line with their own schedule and return personal data in a usable format.

Data subject rights

Customers have to make sure people can still exercise their data rights, for example, their right to access their personal data and to object to their personal data being processed for certain purposes. Customers must make sure their provider will act in these circumstances.

Subcontracting

Where cloud services are layered, for example, if one party provides the software and another the cloud platform, customers need to make sure they know about the parties involved, the subcontracted elements, the geographical locations involved and the applicable security. A customer should get assurances from their provider that any subcontractors likely to be involved in the processing of their data will have the same security obligations as the provider themselves.

Exporting data

The DPA prevents personal data being transferred outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Transfers within the EEA are permitted on the same basis as transfers within the UK.
A customer needs to find out where their provider and any subcontractors may process their personal data (this includes access for support purposes). If the personal data may be transferred outside the EEA, the customer should bear the following in mind.

- Certain countries are white listed by the EU Commission, and personal data can be transferred to these countries on the same basis as transfers within the UK.

- If the transfer is to the US, and the US recipient has signed up to the US Department of Commerce Safe Harbor scheme, personal data can be transferred on the same basis as transfers within the UK.

- The provider might have adopted EU Processor Binding Corporate Rules, which will have been pre-approved by EU data protection authorities as providing adequate safeguards for export outside the EEA. In these circumstances, the customer will not have to take any further steps to make the transfer legal.

- If none of the exemptions above apply, the customer will probably have to enter into an agreement with their provider, and potentially any subcontractors, containing a set of EU approved model clauses, to meet the adequacy requirements. Alternatively, the customer could carry out their own adequacy assessment (the ICO has produced guidance on how to do this). Although the customer might find this is more time consuming and offers less certainty than the model clauses route, it might be the only option if their provider won't agree to enter into model clauses with them.

Interestingly, the ICO Guidance says that if an IaaS provider operates a number of data centres, including in Asia, adequacy will be met if:
- the provider gives appropriate assurances that no single data centre is likely to contain a complete and intelligible copy of the customer's data
- the provider states the location of each of its data centres
- the customer's data will stay within the provider's own network of data centres
- independent assessments of security will be regularly carried out.
This example implies that the customer might not need to enter into model clauses with their provider, presumably because the data would be unintelligible in all non-EEA jurisdictions and therefore the customer could conclude that the data was adequately protected (although it's still personal data because the provider has the means to reassemble it). However, we believe the safest route to ensure compliance is to enter into these model clauses.

Requests from foreign law enforcement agencies

One area of concern with data being held in multiple jurisdictions is foreign law enforcement agencies making cloud services providers give them access to personal data. However, the ICO Guidance says that if a provider were to comply with a request for information from a foreign law enforcement agency, the ICO would be unlikely to take regulatory action against either the provider or the customer. This is as long as the customer has taken appropriate steps to ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud. These steps are likely to include telling the individuals that their data might be stored abroad where it would be subject to regulatory scrutiny.

Written contract

The customer has to have a written contract in place with their provider, setting out the rights and obligations of each party, including an obligation on the provider to comply with the necessary data protection requirements. It would obviously be negligent to not have this contract in place.

Rules for financial services businesses

Businesses regulated by the Financial Services Authority in the UK (or its successors, the Prudential Regulatory Body or Financial Conduct Authority) need to comply with certain specific outsourcing requirements, depending on the sector they operate in and the extent of the outsourcing.

Banks, building societies and investment firms must follow the rules on general outsourcing requirements set out in section 8.1 of the FSA Handbook's Senior Management Arrangements, Systems and Controls. While most of these requirements are similar to those imposed by the DPA and the ICO Guidance, some are less flexible. In particular, if the function being outsourced is critical or important to the business's compliance with its obligations under the regulatory system or the soundness or continuity of its relevant services and activities (which has been interpreted as including the provision of data storage and ongoing, day-to-day software and systems management), then the rules are mandatory and require the cloud services provider to cooperate with the FSA, and allow the regulated business, its auditors and the FSA to have access to the data, as well as to their business premises. Because these obligations stem from EU legislation, the FSA has to date been inflexible in its interpretation of the requirements. The two specific requirements above are often impossible for providers to agree to in multi-tenancy cloud arrangements and where data is distributed through a subcontracted stack of suppliers.

If the function being outsourced isn't critical or important to the business, the regulated business has to take these requirements into account in a manner that is proportionate to the nature, scale and complexity of the function being outsourced. Broadly, similar rules apply to insurers. Here it might be enough to rely on independent auditors, but the area is difficult to call and bright lines haven't been established yet.

Similar types of restrictions apply to solicitors through the Solicitors Regulation Authority Code of Conduct, although the need to be able to enter premises is more ambiguous.
Europe

France

The French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), launched a public consultation at the end of 2011 to clarify the applicable legal framework, and, on 25 June 2012, issued the following recommendations for French companies wanting to use cloud computing (go to [URL] for more details).

Clearly identify the data and processing that will be entrusted to the provider

The obligations in terms of security and privacy may vary, depending on the type of data the customer entrusts to the cloud services provider. The CNIL recommends that the customer, as data controller, clearly identifies and distinguishes the type of data, for example personal data, sensitive data, strategic data for the company, or data used in business applications, so they can determine the minimum conditions for the transfer of data.

Define the requirements for technical and legal security

The customer, as data controller, has to ensure the security and privacy of data in the cloud. They must make sure confidential data isn't made available to third parties, especially in a public cloud, and that personal data is kept secure and confidential. Indeed, according to article 34 of the French data protection law no. 78-17, as modified, the data controller "shall take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorised third parties".

However, in practice, the customer generally delegates data security to the provider. Article 35 of the same law states that the processor "shall offer adequate guarantees to ensure the implementation of the security and confidentiality measures mentioned in Article 34. This requirement shall not exempt the data controller from his obligation to supervise the observance of such measures." So the customer remains responsible for making sure the provider takes adequate measures.
To work out whether a cloud computing solution is suitable for their requirements and whether their data will have adequate protection, the customer should look at the legal issues (such as specific regulations regarding the location of the data), the practical issues (such as availability of the service and reversibility) and the technical issues (such as interoperability).

Carry out a risk analysis to identify the security level required

The customer should assess the security and privacy risks for the data that will be hosted in the cloud. They can then tell their provider what measures need to be taken and can also include specific provisions in the contract. Based on the guidelines of the European Network and Information Security Agency, the CNIL highlights the following risks as the most significant in cloud computing:
- loss of governance in the area of processing
- technological dependency on the provider
- flaws in the isolation of the data
- judicial requisitions
- flaws in the subcontracting chain
- ineffective or non-secure destruction of the data or an excessive retention period
- issues with management of access rights for the individuals whose data is held
- unavailability of the service
- shutdown of the service or the takeover of the provider by a third party
- non-compliance with regulations on things like international transfers.

Work out which cloud computing model is needed for the planned processing

The customer should look at the strengths and weaknesses of the different cloud computing models available. They will then understand better the particular risks of each solution and be able to guarantee better protection of the data.

Choose a provider offering sufficient guarantees

When considering a potential provider, the CNIL says the customer should first determine the provider's legal status.
56 Cloud computing One risk of cloud computing is the uncertainty about who can be held liable for the processing of personal data. It is generally presumed that the customer is the data controller and the provider is the processor. However, if the customer uses a public cloud, the provider defines the operation and purposes of the online application accessible to various customers. Depending on the type of service subscribed to, it can be hard to determine the respective roles of the parties. This is particularly true with some PaaS and SaaS public clouds, where the customer can t give their provider instructions or check the efficiency of the provider s security and privacy settings. In these situations the provider could be considered a joint data controller. To mitigate the risk in cases of joint liability, the CNIL recommends that the contract clearly sets out the liability of each party. The customer could then transfer part of the risk to the provider. The CNIL suggests that: the customer should be responsible for making notifications to the CNIL and giving information to the individuals whose data is held the customer and the provider should be jointly responsible for the security and privacy of the data the customer, with the support of the provider, should make sure the individuals whose data is held can exercise their rights to access, correct, alter, update or remove the data. Whatever the potential provider s legal status turns out to be, the CNIL says the customer should then make sure the provider can guarantee the implementation of security and privacy measures. The CNIL recommends that the contract clearly assigns security roles and responsibilities to each party. In summary, the CNIL says the contract should describe: processing compliance (on issues such as the protection of personal data, recipients, subcontracting) 56 Norton Rose Fulbright 2013
- guarantees given (on issues such as the data retention period, destruction and/or return of the data at the end of the service, and the possibility of audit by the customer)
- location and transfers (with an indication of the countries hosting the data and an assurance of adequate protection abroad)
- formalities with the CNIL
- security and privacy (such as certifications, traceability, continuity of service and SLAs).

The CNIL suggests model contractual clauses in the appendix to its recommendations. The transfer of data outside the EU is a real concern for customers using cloud computing. In its model clauses, to ensure an adequate level of protection, the CNIL recommends clearly indicating the countries hosting the servers and using the EU standard contractual clauses or binding corporate rules. The CNIL says that if these essential terms are not included in the contract, customers won't be able to fulfil their legal obligations as data controllers. Customers should therefore avoid providers who don't offer these guarantees and refuse to negotiate.

Review the internal security policies

The use of cloud computing might affect the customer's own internal security policies and introduce related risks, such as the use of mobile devices or the authentication of users. The customer might therefore need to reconsider and adapt their policies.

Monitor changes over time

The CNIL recommends updating the risk analysis regularly, especially when legislation changes or new services become available.
Germany

Data protection compliance

German data protection law imposes several obligations on companies that transfer personal data to the cloud. To help companies comply, several organisations, such as the Federal Office for Information Security (BSI) 45 and BITKOM (the Federal Association for Information Technology, Telecommunications and New Media) 46, have published guidelines. The most important publications are the Resolution of the 82nd Conference of the Data Protection Commissioners of the Federation and of the Länder on the design and use of cloud computing in conformity with data protection law 47 and the more detailed Guidelines Cloud Computing issued by the Working Parties Technology and Media of the Conference of the Data Protection Commissioners of the Federation and of the Länder 48. These opinions and guidelines give a comprehensive overview of the obligations.

Written and specific agreement on commissioned data processing

If a data controller transfers personal data to the cloud, this data processing activity may qualify either as a transfer of data under Sec. 3 (4) no. 3 Bundesdatenschutzgesetz (BDSG, the Federal Data Protection Act) 49 or as commissioned data processing under Sec. 11 BDSG. In the vast majority of cases, a customer using cloud services only commissions the cloud services provider to carry out pure data handling and related services, so these services qualify as commissioned data processing under Sec. 11 BDSG. If the provider acts as a data processor, the customer remains the data controller and is responsible for complying with the data protection rules while the data is processed in the cloud. Under Sec. 11 para. 2 BDSG the customer has to have a written agreement on the commissioned data processing in place with the provider.

45 SecurityRecommendationsCloudComputingProviders.pdf?blob=publicationfile
46 (only available in German)
(only available in German)
49 An informal English translation of the BDSG is available here: idfv pdf?blob=publicationfile
The law also states certain minimum requirements for the content of a data processing agreement. Among other things it must contain:
- the subject and duration of the work to be carried out
- the extent, type and purpose of the intended collection, processing or use of data
- the type of data and the category of data subjects
- the technical and organisational measures to be taken under Sec. 9 BDSG.

This turns out to be a problem for cloud computing, because providers generally deal with a large number of customers and offer them standardised services without individual arrangements and adjustments. It is therefore almost impossible for a customer to agree terms with a provider that meet all the requirements of Sec. 11 para. 2 BDSG, especially as providers rarely grant the data controller or the competent data protection authority the right to monitor the data processing (in other words, access to the data processing facilities), or grant the data controller the right to instruct the provider, as required by Sec. 11 (2) BDSG. Not complying with the requirements of Sec. 11 BDSG can constitute an administrative offence punishable by a fine.

However, the German data protection authorities recognise these special circumstances of cloud computing and have provided the following guidance on how to deal with the issues.

Transparent information

Under Sec. 11 para. 2 s. 1 BDSG, the customer should choose the data processor carefully, paying special attention to the suitability of the technical and organisational measures applied.
To be able to choose a reliable, trustworthy and competent provider, the data protection authorities recommend that the customer obtains at the very least the following:
- open, transparent and detailed information about the technical, organisational and legal framework conditions of the services offered, including security concepts
- transparent, detailed and clear contractual regulation of the cloud-supported data processing, especially in relation to the location of data processing, notification of any change in location, portability and interoperability
- the implementation of security and privacy measures on the part of both provider and customer.
Instructions from the customer

Sec. 11 para. 2 s. 2 no. 9 BDSG requires the data controller to specify the extent of their authority to issue instructions to the processor. Because cloud service agreements are standardised, it is generally not possible for the provider to grant the customer a specific right to issue instructions. However, the data protection authorities have acknowledged that it is sufficient for the provider to offer the customer a choice of resources, locations and levels of security. If the provider doesn't offer these alternatives, we recommend that the customer defines the service to be provided very precisely.

Monitoring and audit rights

A big problem for data protection compliance in cloud computing is the customer's right to monitor the provider's data processing activities. But the data protection authorities have stated that the customer can fulfil their obligation to monitor the provider and check ongoing compliance with data protection legislation if the provider sends them audit or certification reports issued by a trusted third party. These reports must be detailed: the provider can't just hand over a certificate or a summary of the results. They have to contain information on all aspects relevant to assessing the provider's compliance with data protection legislation. Reports based on US or banking-oriented audit standards such as SAS 70 Type II, SSAE 16 Type II or ISAE 3402 might not be sufficient, because they won't necessarily cover all aspects relevant to German data protection legislation; these reports attest only to the control objectives the provider itself chose to have audited, so the customer should check the report's scope against their own obligations rather than rely on the report's existence.

Co-operation with data protection authorities

According to some German data protection authorities, the customer must also contractually require the provider to co-operate with the relevant data protection authority, so that the authority can monitor the customer's compliance with data protection legislation at the provider's premises.
We don't think this contractual obligation is necessary, because the provider has to co-operate with the data protection authority under statutory rules anyway.

Subcontracting

German data protection law requires a data processor's right to subcontract to be addressed in the data processing agreement. However, the German data protection authorities recommend not granting a cloud services provider this right, as it would lead to a lack of transparency and control on the part of the customer. If the provider does insist on subcontracting, the data protection authorities require the provider to identify all its subcontractors. Furthermore, the subcontractor itself has to give the customer all the information they need to comply with their statutory obligations. Of course, the provider's audit or certification report may include an audit of the subcontractor's own data processing activity.

Using cloud services outside the EU or EEA

Transferring personal data to a cloud outside the EU or EEA doesn't qualify as commissioned data processing in the legal sense, because this privilege is restricted to data processing activities within the EU or EEA. If the individual whose data is held hasn't consented to the transfer of their data to the cloud, the data protection authorities say the transfer would only be permissible under German data protection law if it is necessary to safeguard the legitimate interests of the controller and there is no reason to assume that the data subject has an overriding legitimate interest in ruling out the processing or use. Whether these conditions are met has to be decided case by case. If the customer and the provider have agreed to use the EU Model Clauses for Data Processors established in Third Countries (the Model Clauses) adopted by the European Commission 50, the transfer is likely to be allowed under Sec. 28 BDSG.

Special categories of personal data, such as information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sexual matters, must not be transferred to a cloud outside the EU or EEA if the individual concerned has not consented. Some German data protection authorities go further and say that no transfer to clouds outside the EU or EEA is ever necessary, because there will always be plenty of cloud services available within the EU or EEA.
Adequate safeguards

If personal data is transferred to a recipient outside the EU or EEA, the transfer itself must be permitted, either by consent or on a statutory basis, and the recipient's country must offer adequate safeguards under Sec. 4b and 4c BDSG. If the European Commission has not issued an adequacy decision for the particular country, the customer and the provider need to put in place an agreement that gives the data an adequate level of protection. This is usually done with an agreement containing the Model Clauses. Because the German data protection authorities say that the obligations set out in the Model Clauses don't go far enough to satisfy national statutory requirements, the customer and the provider are recommended to agree the extra safeguards required under Sec. 11 BDSG (on issues such as the type and duration of the work carried out), or to address these issues in annexes to the Model Clauses 51. That said, many providers aren't willing to sign the Model Clauses and the Sec. 11 BDSG amendments, because of the standardised services they offer.

If the cloud is located in the US, an adequate level of protection might follow from the provider's participation in the Safe Harbour scheme 52. But again, the German data protection authorities say that participation on its own doesn't establish an adequate level of protection: the customer also needs to check that the US provider actually complies with the Safe Harbour principles. Accordingly, the customer has to at least verify, and keep on record, that the Safe Harbour certificate is valid, was issued under the Safe Harbour scheme and covers the kind of data that will be transferred to the US provider. Furthermore, the customer must check that the US provider has committed to co-operating with the competent European data protection authorities, complies with all its information requirements under the Safe Harbour scheme, and has committed to providing the information necessary to answer enquiries from the individuals whose data is held.

51 (only available in German)
52 A list of the participating companies can be found here:
Italy

Cloud computing is still rarely used in Italy, so specific data protection legislation in this area is minimal. From an Italian point of view, new rules for cloud computing are expected once the European Commission's much-awaited General Data Protection Regulation is issued in 2014. In the meantime, Italy's data protection authority (the Garante per la Protezione dei Dati Personali) has published a cloud computing-specific leaflet aimed at businesses and public bodies that analyses the most significant legal, economic and technological issues. This section draws on that leaflet.

Main points

Under Italian Legislative Decree 196/2003 (the Italian Data Protection Code), a company or public body that wants to transfer personal data to the cloud is the data controller (titolare), while the cloud services provider (fornitore) it selects is the data processor (responsabile); the individual the data relates to is the data subject (interessato). The act of moving and/or handling personal data is referred to as processing (trattamento).

As the data controller, the customer has a duty to check how any personal data uploaded to the cloud is used and stored. The customer has the power to control the provider's conduct and needs to check that the provider complies with the instructions they both negotiate and set down in a service level agreement. As a result, the customer is liable for any wrongdoing the provider commits, unless the provider is in breach of the service level agreement.

Handling the risks associated with cloud computing

There are essentially three main risks associated with cloud computing: security, privacy and service continuity. These risks are more easily contained if all the data collected and stored is kept in one country, because then there are no jurisdictional issues. Complications arise when data is transferred from one country to another, especially to a country outside the EU.
EU data protection legislation, in fact, prohibits personal data being transferred if the level of security and privacy offered in the country of transit and/or destination isn't equivalent to that in the country of origin. Transferring data from one EU member state to another therefore doesn't pose particular problems, as EU legislation guarantees the same level of protection throughout the EU. However, if the customer transfers data to a country outside the EU, they need to assess the level of protection, especially if they are using a public cloud (the risks are much lower with a private or hybrid cloud). This assessment isn't necessary if a recognised data protection scheme is in place, such as the bilateral EU-US Safe Harbor scheme.

After assessing the risks, the customer needs to identify the technical and organisational measures they can adopt to minimise the risk of data being destroyed, lost (including by accident), changed, accessed by unauthorised people, or processed illegally or in a way that is incompatible with the purposes for which it was collected. One way of minimising the risks and avoiding liability is to negotiate and execute a service level agreement.

Duty to communicate data breaches

Although the Italian Data Protection Code is due to be amended when the General Data Protection Regulation comes in during 2014, there is already legislation, both EU and domestic, that applies to cloud computing services in Italy. For example, EU Directive 2009/136 requires telephone companies and internet providers to notify national authorities and, in certain circumstances, end users of any security breach that involves the destruction, loss or unwanted disclosure of personal data processed as part of the service. If a data breach is notified to end users, each user has the right to have their data blocked, deleted or anonymised. If a data breach happens in Italy, the provider involved must notify the Garante immediately, and their customers and, if necessary, end users within three days of the breach. If the provider can show that they have security measures and systems in place to minimise the risks associated with collecting, storing and processing data, they might not have to notify end users.
The following sanctions are in place:
- 25,000 to …,000 euro for failing to notify the Garante; and/or
- 150 to 1,000 euro per end user for failing to notify end users; and/or
- 20,000 to …,000 euro for failing to keep a detailed, up-to-date record of all the breaches suffered (outlining the circumstances, the consequences and the measures adopted to prevent further breaches of the kind suffered).
The service level agreement

As legislation governing cloud computing is minimal, cloud services providers currently enjoy greater bargaining power when negotiating service level agreements. The customer, as the data controller, is responsible for how data is processed and stored, so it is crucial that they negotiate and agree stringent contractual terms with their provider, together with solid monitoring and recovery mechanisms. Because valuable information might be out of the customer's direct control, and no system is flawless, disputes can arise. However, the data controller and the individual whose data is held will always have the right to check the data held, stored or processed.

Another thing to consider in the event of a dispute is jurisdiction. The location of the data directly affects the applicable law, as do national rules on data processing, storage and security. Knowing these things beforehand will make the customer/provider relationship more transparent and prevent unforeseen extra costs resulting from the customer's limited control over their data.

Questions for the customer to think about

The Garante has come up with some questions for potential cloud customers to think about before they choose a provider and draft a service level agreement:
- What sort of data have you collected and stored? Which data, and how much of it, do you intend to outsource? What are the risks and consequences if the data is outsourced?
- Will data be transferred to a country in or outside the EU?
- If you are a small company or a small public body, will joining forces with others with the same needs strengthen your bargaining power?
- Who is actually providing the service you are about to purchase? Is it a company or a group of companies? If the chain is especially long or complex, who will have access to what data?
- Is the provider reliable? Do they have the experience, staff and facilities necessary to process your data?
- Do their cloud services use open formats and standards that will make changing provider, if ever necessary, easier (so-called data portability)?
- Does the provider rely on proprietary technology that makes it difficult to change provider or move data between different cloud-based systems? Can data be exported easily?
- In which country is the data ultimately kept? Can you rely only on servers located in Italy or in EU countries? Will you be able to keep track of the physical location of your data?
- Will the data you move to the cloud be available and accessible whenever you need it?
- What security measures does the provider supply to keep data confidential (look for encryption if your data is sensitive)? Are there safeguards in place if a competitor uses the same services as you?
- If your internet connection or the cloud service goes down, can you continue working outside the cloud? How long will it take to restore connectivity or the service? Is there a disaster recovery plan in place?
- Can data in the cloud get lost or be destroyed? What obligations and liability does the provider have if your data is lost or disclosed to unauthorised people?
- What mechanisms are there for withdrawing from the service? If a data breach occurs or data is lost, can the provider pay damages quickly?
- What happens to your data when the contract expires? For how long, and in what manner, is data kept?

On the encryption question, the practical check is who holds the keys: if the provider holds them, encryption protects against theft or careless disposal of storage media, not against the provider itself or against a legal demand served on the provider.
[Map: Sectoral and omnibus privacy and data protection laws, as of December. Legend:
- Omnibus coverage: countries that have a single law, or multiple laws, that together give comprehensive privacy or data protection coverage.
- Sectoral coverage: countries that have sectoral privacy or data protection laws, for example for the public sector, financial sector or telecommunications sector.
- None: countries that do not have privacy or data protection laws, but may have some coverage in their constitution or other laws.
Source: Norton Rose Fulbright]
What are the practical deployment and operational issues?

Customers can come up against hidden or unforeseen problems when they deploy a public cloud computing platform. This section looks at some of these issues.

Costs

How, and how much, the customer uses the cloud will have a substantial impact on costs. Using a public cloud to run an entire suite of software will be much more costly than using it for specific workloads or just to handle busy periods. Cloud services providers use a variety of charging models, but some kind of pay-per-use mechanism is common. This might be a simple charge per physical or virtual server, or a more complex charge per CPU core, gigabyte of RAM or gigabyte of storage used, depending on the nature of the provider's cloud platform. Any increase in the scope of the customer's cloud deployment is therefore likely to push costs up. Costs can also rise because of price increase provisions in the provider's terms and conditions or, in the case of international providers, exchange rate fluctuations. Once the customer has signed the contract, they will have little control over these factors, so they should make sure their initial cost/benefit analysis has taken them into account.

Scalability

It is important to understand the limitations of the particular public cloud platform used. The scalable nature of a public cloud doesn't necessarily mean that any application deployed in that cloud will automatically scale up at times of peak demand. Depending on the provider's systems for administering their public cloud, applications might have to ask for more capacity rather than expect it automatically. For example, Amazon Web Services charges for compute on a per-instance basis, so additional instances have to be requested, whether by the application itself or by a scaling policy the customer sets up; an instance does not simply grow to absorb extra load.
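To make that last point concrete, here is an added example (not code from the guide, and not any provider's SDK) of the kind of control loop an application or its operator has to run in order to obtain capacity: it watches measured utilisation and explicitly asks for more or fewer instances, inside a floor chosen for availability and a ceiling chosen for cost. The provider call is stubbed as a hypothetical `set_capacity` callable, the thresholds are assumed, and the utilisation trace is constructed.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ScalingPolicy:
    """Bounds and thresholds the customer chooses; the provider does not pick these."""
    min_instances: int = 2         # availability floor: never run fewer than this
    max_instances: int = 10        # cost ceiling: the bill cannot grow past this many instances
    target_cpu: float = 0.60       # utilisation we try to return to after a change
    scale_out_above: float = 0.75  # request more capacity above this average utilisation
    scale_in_below: float = 0.35   # release capacity below this average utilisation
    cooldown_ticks: int = 2        # wait this many ticks after a change before changing again


@dataclass
class ScalingController:
    policy: ScalingPolicy
    instances: int
    set_capacity: Callable[[int], None]    # hypothetical provider API: request N instances
    ticks_since_change: int = 10**6        # start "cold" so the first decision is not blocked
    history: List[Tuple[int, int, float]] = field(default_factory=list)

    def desired(self, avg_cpu: float) -> int:
        """Instance count that would bring utilisation back to target, clamped to policy bounds."""
        if self.policy.scale_in_below <= avg_cpu <= self.policy.scale_out_above:
            return self.instances                    # inside the dead band: leave it alone
        raw = self.instances * avg_cpu / self.policy.target_cpu
        wanted = math.ceil(round(raw, 6))            # round first so 3.0000000004 is not treated as 4
        return max(self.policy.min_instances, min(self.policy.max_instances, wanted))

    def tick(self, avg_cpu: float) -> int:
        """One interval: measure, decide, and (maybe) request capacity. Returns the running count."""
        self.ticks_since_change += 1
        target = self.desired(avg_cpu)
        if target != self.instances and self.ticks_since_change >= self.policy.cooldown_ticks:
            self.set_capacity(target)                # the explicit request: nothing happens without it
            self.history.append((self.instances, target, avg_cpu))
            self.instances = target
            self.ticks_since_change = 0
        return self.instances


def run_simulation(load: List[float], policy: Optional[ScalingPolicy] = None, start: int = 2):
    """Drive the controller over a utilisation trace; returns (instances per tick, requests made)."""
    policy = policy or ScalingPolicy()
    requests: List[int] = []
    ctrl = ScalingController(policy, start, requests.append)
    counts = [ctrl.tick(cpu) for cpu in load]
    return counts, requests


if __name__ == "__main__":
    # Constructed trace: a spike, a plateau, then the load falls away.
    trace = [0.5, 0.9, 0.95, 0.95, 0.6, 0.2, 0.2, 0.2]
    counts, requests = run_simulation(trace)
    print("instances per tick:", counts)     # [2, 3, 3, 5, 5, 2, 2, 2]
    print("capacity requests :", requests)   # [3, 5, 2]
```

Two things in the trace are worth noticing. The controller only ever changes capacity through `set_capacity`; if that call is never made (no scaling policy, or an application that cannot measure itself), the instance count stays where it started no matter how high utilisation climbs. And the `max_instances` ceiling is what ties the scalability discussion back to the cost discussion above: without it, a load spike (or an attacker generating one) scales the bill as readily as the service.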
Where a public cloud can't automatically increase or decrease capacity based on specified criteria, the customer might have to carry out significant redevelopment of their existing applications to take advantage of the scalability on offer. In particular, legacy applications written for a single fixed server are unlikely to run well in a virtualised cloud environment. If the customer wants to take full advantage of a public cloud platform, they should deploy scalable applications that measure and report their own performance in real time, and can request increased or decreased cloud computing resources as and when needed.

Availability and performance

A large-scale public cloud generally offers higher levels of availability because of infrastructure redundancy and cross-site load balancing. However, even the biggest cloud platforms are still vulnerable to the occasional catastrophic failure. The problem can be made worse if the provider's standard terms and conditions aren't responsive to the needs of business customers.

The raw performance of a public cloud platform is somewhat harder to measure than availability. Performance and throughput can be unpredictable and sometimes beyond the control of both the provider and the customer, particularly where the provider itself uses third party suppliers. As a result, providers are often reluctant to accept much performance-related responsibility and will typically try to limit their obligations under any application-level performance standard. The customer also increasingly relies on sufficient internet bandwidth being available to reach their public cloud platform; with overseas-based servers, latency adds to this. It is important for the customer to get the right service levels for their business.
Some providers are only prepared to offer limited service levels, so the customer might need to focus only on the main performance criteria. It can sometimes be difficult to determine whether service levels have been met in a public cloud, so an objective measurement of performance will be needed: agree in the contract who measures, from where, how often and what counts as downtime, otherwise the provider's own dashboard becomes the only evidence. And, as mentioned before, sanctions should be available if the service levels aren't met. Where possible, the customer should also try to make sure the provider can't blame third party suppliers to avoid those sanctions.
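As an added illustration of the "objective measurement" point (this is example code, not the guide's, and the SLA terms in it are assumptions), the script below scores a constructed one-minute probe log against a hypothetical availability clause and shows how two common contract terms, a maintenance-window exclusion and a third-party-supplier exclusion, move the same raw data from a clear breach to a figure the provider could defend. The log format, the 2-second latency cut-off, the 99.9% target and the maintenance window are all assumed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed one-minute probe log: timestamp, result, latency in ms (or -), cause tag.
# Not real data; ten minutes are enough to show the arithmetic.
SAMPLE_LOG = """\
2013-03-01T00:00Z OK   140  -
2013-03-01T00:01Z OK   150  -
2013-03-01T00:02Z FAIL -    provider
2013-03-01T00:03Z FAIL -    provider
2013-03-01T00:04Z OK   130  -
2013-03-01T00:05Z FAIL -    third_party
2013-03-01T00:06Z FAIL -    third_party
2013-03-01T00:07Z OK   135  -
2013-03-01T00:08Z SLOW 2600 provider
2013-03-01T00:09Z OK   145  -
"""

LINE = re.compile(r"^(\S+)\s+(OK|FAIL|SLOW)\s+(\d+|-)\s+(\S+)$")
Sample = Tuple[datetime, str, Optional[int], str]

# Hypothetical announced maintenance window covering minutes 02 and 03 of the log.
MAINTENANCE_WINDOW = ((datetime(2013, 3, 1, 0, 2), datetime(2013, 3, 1, 0, 4)),)


@dataclass(frozen=True)
class SlaTerms:
    """Hypothetical SLA clause; every value here is an assumption for the example."""
    target_pct: float = 99.9
    max_latency_ms: int = 2000                 # a response slower than this counts as unavailable
    exclude_third_party: bool = False          # the weak clause: provider may blame its suppliers
    maintenance: Tuple[Tuple[datetime, datetime], ...] = ()   # windows the contract lets the provider exclude


def parse_log(text: str) -> List[Sample]:
    """Parse probe lines; reject malformed lines rather than silently counting them as 'up'."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed probe line: {raw!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%MZ")
        latency = None if m.group(3) == "-" else int(m.group(3))
        samples.append((ts, m.group(2), latency, m.group(4)))
    return samples


def sla_report(text: str, terms: SlaTerms) -> Dict[str, object]:
    """Availability over the measured minutes, with unavailable minutes broken down by cause."""
    measured = 0
    by_cause: Dict[str, int] = {}
    for ts, status, latency, cause in parse_log(text):
        if any(start <= ts < end for start, end in terms.maintenance):
            continue                                   # excluded from numerator and denominator alike
        measured += 1
        down = status != "OK" or (latency is not None and latency > terms.max_latency_ms)
        if not down:
            continue
        if terms.exclude_third_party and cause == "third_party":
            continue                                   # the clause hands this minute back to the provider
        by_cause[cause] = by_cause.get(cause, 0) + 1
    down_minutes = sum(by_cause.values())
    pct = round(100.0 * (measured - down_minutes) / measured, 3) if measured else 100.0
    return {"measured_minutes": measured, "unavailable_minutes": down_minutes,
            "by_cause": by_cause, "availability_pct": pct, "met": pct >= terms.target_pct}


if __name__ == "__main__":
    variants = [
        ("no exclusions", SlaTerms()),
        ("third-party excluded", SlaTerms(exclude_third_party=True)),
        ("maintenance excluded", SlaTerms(maintenance=MAINTENANCE_WINDOW)),
        ("both excluded", SlaTerms(exclude_third_party=True, maintenance=MAINTENANCE_WINDOW)),
    ]
    for label, terms in variants:
        print(f"{label:22s}", sla_report(SAMPLE_LOG, terms))
```

The `by_cause` breakdown is what to take into the negotiation: once a contract lets the provider exclude third-party causes, every outage of unclear origin tends to be attributed to a supplier, which is why the guide recommends closing that route. The same ten minutes score 50% with no exclusions, 70% once third-party minutes are written off, and 87.5% once a maintenance window is excluded as well; only the first number reflects what the customer's users experienced.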
What are the taxation issues?

Taxation is just one of the many important issues that both providers and customers of cloud computing need to understand. The key to determining the taxation implications of entering into a Cloud arrangement is the terms of the written agreement between the cloud provider and the customer. Those implications affect the revenue derived, and the payments made, under the agreement. In many cases the Cloud provider and/or the Cloud itself is not located in the customer's country, so both the customer's domestic tax and international tax implications need to be considered.

The analysis of the taxation issues is often complex, for a variety of reasons:
- there is no standard form of Cloud agreement, although there are common types such as Software as a Service, Platform as a Service and Infrastructure as a Service; the parties will need to identify what is actually being provided (for example, the agreement may provide for a licence or use-right for software, the provision of services, the provision of hardware, or a combination of these)
- whether the Cloud is public, hybrid or private may affect the characterisation
- the location of what is provided under the Cloud agreement matters
- tax laws have not kept up with the rapid pace at which technology such as Cloud has advanced.

The key direct taxation issues to consider in respect of any Cloud agreement include:
- the characterisation of the revenue derived
- the source (i.e. the country) of the revenue derived
- which country has the right to tax the revenue derived, including the impact of any relevant double tax treaties
- whether the customer is required to withhold tax from payments it makes to the Cloud provider.

In addition, if multinational groups are restructuring their business to include a Cloud, further direct taxation issues such as transfer pricing and the potential application of the controlled foreign corporation rules may also be relevant.

A Cloud agreement may also give rise to a liability to pay indirect taxes in the customer's country, such as value-added taxes. For example, in Australia the value-added tax is known as GST. GST is a consumption-based tax, imposed at the current rate of 10 per cent on supplies of goods, services and intangibles that are connected with Australia. The characterisation of what is provided under the Cloud agreement is key to determining whether there is a supply connected with Australia. For example, a supply of services is generally connected with Australia when the services are performed in Australia. As a practical matter, however, it will be difficult to determine where the services are performed if the customer does not know where the Cloud servers are located. Conversely, if the servers are located outside Australia, there is a question as to whether the supply is connected with Australia at all. The liability to pay GST is generally imposed on the supplier. However, there are provisions that reverse-charge GST to an Australian customer where the supply is a cross-border supply of intangibles (for example services and intellectual property) by an overseas supplier. Apart from the liability to pay GST, an overseas Cloud provider may also need to consider whether it has to register for Australian GST.
Cloud computing and the USA PATRIOT Act

One worry people have when considering cloud computing, especially with many providers being based in the US, is the impact of the USA PATRIOT Act (the Act). It is worth noting that the full name of the Act is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. The name doesn't suggest that it was intended to give the US government access to an individual's data unless it relates to terrorism and espionage activities. It doesn't provide a general right to access data held in the US; it expanded existing rights of access. It is clear, however, that the Act has made it easier for the US government to access data. We know from experience that, despite all good intentions, governments will use their powers for activities other than those originally intended.

The most concerning feature of the Act is that access to data is available using informal national security letters, which:
- are issued by the relevant agency and not by a court, unlike subpoenas
- usually come with a gag order requiring the recipient not to disclose the fact that data has been requested
- are subject to only very limited rights of judicial review.

National security letters do have a significant limitation in that they may only be issued where the information sought is relevant to an authorised investigation to protect against international terrorism or clandestine intelligence activities. However, press reports indicate that the FBI has interpreted this widely and that the letters are being used for data mining purposes.

There is a commonly held misconception that the Act applies only to US companies or to data held in the US. This isn't the case. If a non-US company has a presence in the US, the US government can use the Act to seek access to its data, even if that data is held outside the US. So for anyone concerned about the impact of the Act, it should be noted that it can apply even if data is held onshore.
It is not unusual for countries to have wide-ranging investigatory powers. Most countries can investigate organisations carrying out business locally, although in most cases subpoenas or court orders are required to access information. Many countries also have longstanding relationships, by treaty or less formal arrangements, that allow investigative co-operation between international law enforcement agencies.

One issue to consider is the application of local privacy laws. Some jurisdictions don't allow (or propose not to allow) personal information to be transferred to a jurisdiction that gives law enforcement agencies access to information without a court order. Because national security letters can be issued without a court order, they might fall foul of these laws.

In any case, the practicalities of obtaining information from a cloud services provider under the Act need to be considered. It would be difficult for an agency to know whether the provider holds any data about a particular individual, and the agency would probably prefer other, easier ways to get the information. In any event, if the agency really needed the data, it would probably have had the right to access it anyway, onshore in the US and in some cases offshore. The main change resulting from the Act is ease of access. The risk for foreign companies is reduced security of their data and a breach of local privacy laws. This needs to be balanced against the significant benefits of cloud computing.
Cloud computing and government take-up

Data sovereignty is the biggest issue stopping governments from adopting cloud computing. In fact, it is now a major trade issue and one of the hotly debated topics in the Trans-Pacific Partnership Agreement (a trade agreement being negotiated between the US and eight Pacific countries, including Australia and Singapore). This is just the start: the free flow of data across national borders will soon become a significant World Trade Organisation issue. This chapter looks at what governments around the world are doing in relation to cloud computing.

North America

The United States of America

The US federal government has implemented a "Cloud First" policy that encourages government agencies to switch over to cloud-based technology. The Department of Homeland Security is developing two separate clouds: an internal private cloud for sensitive data, and a public cloud for non-sensitive data. The Departments of Defense, Agriculture, Energy and Interior are early adopters of the technology, with cloud-based systems already in use. Some smaller government bodies, like the Los Angeles City Council and the City of Pittsburgh, have started moving to externally based clouds for certain processes.

The main motivation for the US government was to bring down the US$600 million or so spent on technology in the past decade. The government departments or agencies that have disclosed who their providers are all use US-based companies like Google and Microsoft.
Europe

The UK

The UK is developing an internal, onshore cloud computing system which has been dubbed the "G-Cloud". The development and implementation period is expected to span 10 years and will therefore come to an end in The government has committed to invest £60 million and aims to have an initial service up and running in 12 to 24 months.

France

The Directorate of Legal and Administrative Information has awarded a three-year contract to Accenture to design, build and deliver an internal, onshore cloud computing system.

Azerbaijan

The Azerbaijani National Academy of Sciences, a state-owned organisation, has implemented cloud-based computing software.

Spain

The Catalan government is the largest public sector user of cloud computing technology in Spain. It uses both Microsoft and local provider eyeOS for services like storage.

Africa

South Africa

The State Information and Technology Agency is developing an internal, onshore cloud computing system and plans to release it to the government some time this year. While the government has publicly voiced its support for a switch to cloud-based technology, like many other governments, it has also voiced concerns about the security of data held in the cloud.

Ghana

The University of Ghana, which is publicly funded by the Ghanaian government, is looking to implement cloud-based technology in conjunction with Hewlett Packard.
Asia Pacific

Japan

The Japanese government, through the Ministry of Internal Affairs, is looking to have an onshore private cloud developed and implemented by It has been tentatively named the "Kasumigaseki Cloud", which roughly translates as "gate of fog".

Singapore

The Singapore government, through the Infocomm Development Authority, has called for tenders on an internal cloud computing system that will cover all governmental agencies and entities. They plan to have the system fully up and running by

India

Several Indian states have started constructing local private data centres through which government cloud technology will be provided. The Jammu and Kashmir, Gujarat, Andhra Pradesh and Karnataka state governments have already adopted cloud-based technology services, and the federal government is actively encouraging the other states to invest in the technology (through investments of more than US$270 million in infrastructure).

South Korea

The Korean government is investing 610 billion Won (around US$500 million) in cloud computing. Three quarters of that investment will be used to develop private onshore data centres for government use. The remainder will be used to help stimulate private sector cloud computing development and use.

China

The Chinese government singled out cloud technology in its most recent Five Year Plan. This is likely to be an onshore private cloud. Reports estimate that the Chinese government has invested around US$150 million in developing the technology so far. The Dongying local government, together with IBM, is already using cloud technology to help economic development in the region.
Australia

Through a local data centre located in Sydney, the Victorian Department of Human Services has been using Oracle's cloud technology as part of its management system for the Black Saturday bushfire victims.

In addition, the Australian Government Department of Finance and Deregulation, through the Australian Government Information Management Office, has released a paper addressing the implementation of cloud computing technology by the Australian Government, and its potential benefits and risks.

The Australian Government Department of Broadband, Communications and the Digital Economy has released a National Cloud Computing Strategy. The Strategy identifies ways that the government and the private sector can work together to promote the adoption of cloud computing. This includes changes to the government procurement policy to ensure that government agencies consider utilising cloud services in their IT procurements.

The Queensland government has similarly announced a "cloud first" approach to IT services, a move that should result in savings of up to $17 million annually.

New Zealand

The New Zealand government has awarded a NZ$30 million contract to Sydney-based Datacom to build a private data centre in Hamilton. This will extend existing cloud infrastructure to Auckland, Wellington and Christchurch. Datacom predicts that a standalone service will be available within 90 days of development starting. The cloud development programme for the Department of Internal Affairs is estimated to cost between NZ$50 million and NZ$250 million over the next 10 years.
There is also talk of developing a cloud computing and security code of practice to govern the industry.
Government cloud investment and deployment by country

Country        Investment                                                   Deployment
US             Segregated by department, potentially up to US$20 billion    Current
UK             £60 million
South Africa   Unknown                                                      2012
Japan          Unknown                                                      2015
France         Unknown                                                      2012
Singapore      Unknown                                                      2015
Ghana          Unknown                                                      Current
India          Rs13,780,000,000 = US$270,000,000                            Current
South Korea    600 billion Won = US$500 million, up to US$2 billion         2014
China          US$150 million
Australia      Unknown                                                      Current
Azerbaijan     Unknown                                                      Current
New Zealand    NZ$50 million                                                2012
Spain          Unknown                                                      Current
Cloud computing and the financial services industry

In Australia, most of the country's major financial institutions have taken up, or at least considered, some aspect of cloud computing as a means of driving down their costs. In fact, the CIO of a large Australian bank publicly proclaimed, in no uncertain terms:53

"I will never let any organisation that I work for get locked into proprietary hardware or software again. I'll never tell my teams in the business that it will be weeks to get them hardware provision. I'll never pay upfront for any infrastructure and certainly would never pay for any, or rent any, infrastructure that I would never use. I will never implement an internal solution for a common problem that I could procure on subscription across the web."

In Germany, Deutsche Bank has been developing internal cloud computing capabilities since about In the US, Morgan Stanley was one of the first banks to use Salesforce.com's hosted CRM software, back in In Spain, Banco Bilbao Vizcaya Argentaria (BBVA) is moving its employees from Microsoft Outlook to Google Apps, with the intention that employees will have access to both systems by the end of The bank is expecting to save money on software licences and to make communication and collaboration between employees easier. The contract is Google's biggest enterprise contract to date. BBVA plans to use Google applications like Gmail, Chat, Calendar, Docs, Video Conferencing and other collaboration tools to achieve a cultural change across the 26 countries where it has offices. The increasing mobility of the bank's workforce was a big factor in deciding to go with Google's public cloud service, with staff now using many more smartphones, tablets, laptops, computers and other devices remotely or on the move.

53 See footnote

Regulatory response

Australia

Although there are no specific prudential regulations for cloud computing, the Australian Prudential Regulation Authority (APRA) has indicated it will be watching the industry closely. APRA has emphasised the need for proper risk and governance processes for all outsourcing and offshoring arrangements, including cloud computing. Key prudential concerns that should be addressed relate to the potential compromise of:
• a financial institution's ability to continue operations and meet core obligations following a loss of cloud computing services
• confidentiality and integrity of sensitive (eg, customer) data/information
• compliance with legislative and prudential requirements.

APRA has indicated that the principles in the following materials are pertinent to cloud computing:
• APRA Prudential Standard CPS 231 Outsourcing
• APRA Prudential Standard CPS 232 Business Continuity
• APRA Prudential Practice Guide PPG 234 Management of security risk in information and information technology.

USA

The Federal Financial Institutions Examination Council (FFIEC, incorporating agencies such as the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency) considers cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.58 The FFIEC recently issued a joint statement to financial institutions warning that if they contemplate or use a cloud computing model, in which all or part of the service is outsourced, they will have to consider the fundamentals of risk and risk management defined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet. Furthermore, in its statement, the FFIEC identified the following potential issues related to cloud computing:
• data classification
• data segregation
• recoverability.

Canada

The Office of the Superintendent of Financial Institutions Canada (OSFI) has issued Guideline No B-10: Outsourcing of Business Activities, Functions and Processes (Guideline). This applies to all Federally Regulated Entities (FREs) that enter into cloud and other outsourcing arrangements. Under this Guideline, FREs are expected to:
• evaluate the risks associated with all existing and proposed outsourcing arrangements
• develop a process for determining the materiality of arrangements
• implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements
• ensure that the board of directors, chief agent or principal officer receives information sufficient to enable them to discharge their duties under this Guideline
• refrain from outsourcing certain business activities to the external auditor.

58 See
Contacts

If you would like further information, please contact:

Asia
Gigi Cheah
Norton Rose Fulbright (Asia) LLP, Singapore
Tel

Australia
Nick Abrahams
Norton Rose Fulbright Australia, Sydney
Tel +61 (0)

Richard Lewis
Norton Rose Fulbright Australia, Melbourne
Tel +61 (0)

Michael Park
Norton Rose Fulbright Australia, Melbourne
Tel +61 (0)

Keith Redenbach
Norton Rose Fulbright Australia, Sydney
Tel +61 (0)

Canada
Jacques Lemieux
Norton Rose Fulbright Canada LLP, Montréal
Tel

Harry Ludwig
Norton Rose Fulbright Canada LLP, Calgary
Tel

Tony Morris
Norton Rose Fulbright Canada LLP, Calgary
Tel

Robert L Percival
Norton Rose Fulbright Canada LLP, Toronto
Tel

Marc A Tremblay
Norton Rose Fulbright Canada LLP, Montréal
Tel

France
Marc d'Haultfoeuille
Norton Rose Fulbright LLP, Paris
Tel +33 (0)

Germany
Flemming Moos
Norton Rose Fulbright (Germany) LLP, Hamburg
Tel +49 (0)

Jamie Nowak
Norton Rose Fulbright LLP, Munich
Tel +49 (0)

Italy
Paolo Grondona
Norton Rose Fulbright Studio Legale, Milan
Tel

Middle East
Dino Wilkinson
Norton Rose Fulbright (Middle East) LLP, Abu Dhabi
Tel +971 (0)

South Africa
Rohan Isaacs
Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Johannesburg
Tel +27 (0)

Bradley Scop
Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Johannesburg
Tel +27 (0)

Glenn Stein
Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc), Johannesburg
Tel +27 (0)

United Kingdom
Marcus Evans
Norton Rose Fulbright LLP, London
Tel +44 (0)

Sean Murphy
Norton Rose Fulbright LLP, London
Tel +44 (0)

Mike Rebeiro
Norton Rose Fulbright LLP, London
Tel +44 (0)
Norton Rose Fulbright

Norton Rose Fulbright is a global legal practice. We provide the world's pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members ("the Norton Rose Fulbright members") of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients. This publication was produced prior to June 3, 2013 when Fulbright & Jaworski LLP became a member of Norton Rose Fulbright Verein.

References to "Norton Rose Fulbright", "the law firm" and "legal practice" are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together "Norton Rose Fulbright entity/entities").
Save that exclusively for the purposes of compliance with US bar rules, where Robert Harrell will be responsible for the content of this publication, no individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a "partner") accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.

The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.

Norton Rose Fulbright LLP NRF /13 (UK) Extracts may be copied provided their source is acknowledged.
Law around the world
nortonrosefulbright.com
How to Choose a Cloud Backup Service Provider
How to Choose a Cloud Backup Service Provider Why Should You Protect Your Data? Sooner or later - by mischief, misfortune or mistake - Odds are you will experience a data loss. Hardware failure, accidental
{Moving to the cloud}
{Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have
NSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4 2.1
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged
Checklist for a Watertight Cloud Computing Contract
Checklist for a Watertight Cloud Computing Contract Companies of all industries are recognizing the need and benefit of moving some if not all of their IT infrastructure to a Cloud whether public or private.
GUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
Secure Enterprise Mobility Management. Cloud-Based Enterprise Mobility Management. White Paper: soti.net
Secure Enterprise Mobility Management White Paper: Cloud-Based Enterprise Mobility Management soti.net Background Facing a business environment of constant change and increasing complexity, enterprises
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged
Information Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
LEGAL ISSUES IN CLOUD COMPUTING
LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
Information Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
Retention & Disposition in the Cloud Do you really have control?
InterPARES Trust Retention & Disposition in the Cloud Do you really have control? Franks Patricia, San Jose State University, San Jose, USA and Alan Doyle, University of British Columbia, Canada October
Documentation for data centre migrations
Documentation for data centre migrations Data centre migrations are part of the normal life cycle of a typical enterprise. As organisations expand, many reach a point where maintaining multiple, distributed
GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS.
GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS. Cloud computing is as much a paradigm shift in data center and IT management as it is a culmination of IT s capacity to drive business
Legal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
