Storing Data In The Cloud
One aspect of cloud service that is seldom considered is the sovereignty of a country over the data that is stored in that country as part of a cloud service. Most organisations sign up for cloud services without seriously considering the implications of their data residing in various jurisdictions. They seldom ask the cloud provider where their data is stored and who exactly would be providing the storage service. The cloud provider that the organisation signs up with may not necessarily be the party providing the storage service, as such service could be outsourced to another party who is able to provide the service at a location where the cost is cheaper.
In the not-too-distant past when cloud service was still a novelty, most organisations would store their data in local servers, and even if they outsourced the back-up and storage of their data to a third party, they would know exactly where their data was located as most third party storage providers had their own dedicated servers. However, with cloud computing, the location of an organisation’s data and the jurisdiction over the data stored in that location might not be revealed to the organisation.
With cloud storage, issues concerning the security and storage of data in the cloud become real and organisations need to address these issues before migrating their data to the cloud.
Cloud computing refers to the sharing or storage by users of their infrastructure or content on remote servers that are accessible online. This can be in the form of infrastructure (IaaS), platform (PaaS) or software (SaaS). In a cloud structure, the cloud servers provide computation, software, data access and storage resources without requiring the users to know the location and other details of the computing infrastructure itself, as the cloud service can be accessed wherever there is access to the Internet.
A. Jurisdictional Issues
One consequence of such a structure is that cloud providers may site their servers in multiple jurisdictions and transmit data from one location to another, subjecting the data to the laws of each jurisdiction through which it might pass. They may also decide to transfer data from one data centre to another for cost-saving reasons, and each data centre may be located in a different jurisdiction, each with its own laws governing the collection, possession and transfer of data. This may result in the data being transferred to an undesirable jurisdiction where the data could be subject to unacceptable controls or legal obligations (e.g. the data protection laws of that jurisdiction). This exposes the data to data sovereignty risk.
B. Data Sovereignty
“Data sovereignty” refers to a country’s laws that have control over data residing in the country’s jurisdiction. The data laws of a country could restrict cross-border transfer of data. They could also impose legal requirements that may conflict with those of the user’s own country. The data laws having jurisdiction over data may change as the data is transferred across borders. Different legal obligations regarding privacy, data security and data transfer may apply if the data is hosted in different countries or is controlled by different cloud providers.
Unfortunately, there is no uniform worldwide standard in the laws governing data protection. Differences in the laws of the countries where the data are stored and where the third party storage provider is based can create complex compliance issues.
Take the case of Singapore: any organisation that stores its data outside of Singapore must take reasonable steps to confirm that the recipient provides a standard of protection that is comparable to the protection under the Personal Data Protection Act 2012 of Singapore (“PDPA”). Unless an exemption applies, an organisation which fails to do so would be liable for breach of its transfer of data obligation under s 26(1) of the PDPA.
However, some regulators, especially those regulating banks and financial institutions, and some government agencies, such as defence contractors, may require that data be hosted exclusively in Singapore in order to maintain physical jurisdiction over the data, particularly if most of the data generated and processed by these organisations are sensitive in nature. These organisations would then have to engage cloud providers that will host the data exclusively in Singapore.
To address potential data sovereignty issues, organisations can begin the process by analysing the various technical, legal and business issues in turn. They should conduct a detailed analysis of: (a) the legal and other constraints on their various activities and digital assets; and (b) the application of particular provisions of applicable laws in relevant jurisdictions.
Organisations should also be cautious about the nature of the data to be transferred, the potential interests of the organisations regarding the data and the increased need to fully understand the characteristics of the foreign legal environment. They should develop a policy or strengthen their existing data protection policy to deal with the jurisdictional issues arising from storing data in the cloud.
Before engaging a cloud provider, organisations should conduct due diligence on the cloud provider. In this connection, they should inquire into its financial condition, infrastructure, data centre locations, security procedures, disaster recovery plans and insurance coverage. They should also evaluate the relative risks inherent in the cloud environment and implement effective mechanisms to prevent and mitigate harm to their business.
Some organisations are adopting a hybrid policy where they contract with different cloud service providers that maintain local data centres and comply with the local legal requirements of the country in which the service provider operates. In developing a cloud data location and control policy, the organisation should consider:
- What statutes, codes, standards or rules of practice is the organisation obliged to comply with?
- What jurisdictions can affect the data, either through its location or the entities that control the data?
- Is there any particular data which must be or ought to be kept under its control (especially if it is regulated by an organisation) and within the jurisdiction in which it is located?
- How should it respond to such requirements?
The policy should take into account the organisation’s risk profile, technical infrastructure and operational conditions. It should be able to analyse the situations where the organisation is required by the laws of Singapore to retain the data in Singapore or under the control of an entity governed by the laws of Singapore.
If an organisation does not have in-house capability to analyse and develop such a policy, it should consult data storage and information management professionals to provide practical advice on this matter.
For further information, please contact:
Jonathan Kok, Partner, RHTLaw Taylor Wessing