Cloud compliance is about complying with the laws and regulations that apply to using the cloud. Most organisations are moving to the cloud because there are good business reasons to do so. The law does not prevent the adoption of cloud. It does have however have a significant impact. When moving to the cloud it is important to know in which countries your data will be processed, what laws will apply, what impact they will have, and then follow a risk-based approach to comply with them. It can be hard because there are many different kinds of laws, like data protection laws, data localization laws and data sovereignty laws. You also need to consider interception laws or access to information laws, which may enable Governments or others to access your data in the cloud. In addition, the laws of many different countries might apply. It is also important to know what security measures the law requires you to put in place.
Does data protection law stop you using the cloud?
The short answer is no. Data protection laws, such as the POPI Act and the GDPR, do not stop you from using the cloud. There is often a section preventing the transfer of personal information from one country to another (transborder information flows) but there are always many exceptions that you can rely on to transfer data across borders. Here are some examples of when you can transfer data across a border. You can transfer the data if:
- the country to which the data is being transferred has a law that provides an adequate level of protection,
- the data subject consents to the transfer,
- there is a binding agreement or corporate rules with a third party that provides an adequate level of protection that is sufficiently similar to the conditions for lawful processing,
- the transfer is necessary for the performance of a contract or pre-contractual measures between the data subject and the responsible party, or
- the transfer is for the benefit of the data subject and it isn’t reasonably practicable to get the data subject’s consent and even if it were the data subject would probably consent.
Data localization laws
Data localisation and data sovereignty are important concepts to understand for cloud compliance. Data localisation should not be confused with data sovereignty (discussed below). Laws in different countries relating to these concepts may mean that your cloud implementation needs to be adjusted. Data localization law requires that personal data be processed in a particular territory rather than with a cloud provider. For example, there is a law in Russia which requires that the personal information of Russian citizens is only stored on servers in Russia.
It is also important to look out for data localisation clauses in RFPs because they can be tender conditions. So, in terms of cloud compliance, you need to make sure that you understand the effect of data localisation on your data.
Data sovereignty is where the laws of a particular country apply to data for one reason or another (for example, because the data is hosted in that country or the data relates tot he citizens of a country). It is the ability of a country to impose their own laws on data hosted in the cloud. The reasons behind a country’s decision to enact data sovereignty laws varies from wanting local law enforcement to have easier access to data that’s necessary for their investigations, to wanting local organisations to have some advantages over foreign organisations, or just wanting to provide more protection to the country’s citizens.
What data sovereignty means for cloud compliance is that data stored in the cloud can be subject to the jurisdiction of more than one country which can be problematic. Article 3 of the GDPR dealing with territorial scope is a good example of data sovereignty. Data sovereignty also means that if you are not in a position to comply with the applicable laws, you may expose yourself to a number of legal risks, including fines for non-compliance.
Interception or access to information laws
Any law that enables a third party to access your data in the cloud is obviously a concern. An important case that has an impact on the cloud is the Microsoft Ireland case. In this case, Microsoft challenged a search and seizure warrant issued by the US Department of Justice for emails stored on a server in Ireland. The warrant was issued in terms of a US statute. The Second Circuit Court sided with Microsoft and held that the warrant was issued in the US and could not be executed in Ireland. The outcome of this case does provide some clarity for cloud compliance. However, it is only guidance. The reasoning of the court was largely based the statute under which the warrant was issued rather than the broader issue of cloud hosting and access to information.
Actions you can take:
- Empower your organisation with knowledge on complying with the laws that apply to the cloud by asking us to do a private one hour workshop on cloud compliance.
- Make your event a success by asking us to present on cloud compliance. We have presented on this topic many times before.
- Know what laws apply to your use of the cloud by asking us to identify the applicable laws (including data localization law and data sovereignty laws). We can provide you with a report on the laws in many countries, including in Africa.
- Determine the impact of those laws by asking our advice.
- Obtain legal certainty by asking us to draft a legal opinion on a particular issue (for example, can we store these records in the cloud outside the country, or can we transfer data to Ireland).
- Know what security the law requires you to put in place by attending one of our Data Protection and Information Security Law workshop.
- Empower yourself to manage governance, risk and compliance regards the cloud by attending our IT GRC workshop.
- Audit your organisation for cloud compliance by having us conduct a legal compliance audit.
- Find out more about cloud contracts.