Organisations need to be familiar with cloud compliance if they use cloud computing services. Cloud compliance is associated with data protection law and organisations should be aware of how these two elements interact. What is cloud compliance? How does cloud compliance relate to data protection? Can you continue to use the cloud and comply with data protection law?

Does data protection law stop you using the cloud?

Cloud compliance is an important subset of legal compliance. Cloud compliance is all about incorporating data protection elements whilst continuing to allow you to use the cloud effectively. Data protection laws, such as POPI and the GDPR, do not stop you from using the cloud. Data protection laws classify people and organisations as operators and responsible parties or data controllers and processors (in Europe). They have different titles in different countries but they perform the same functions.

The responsible party or data controller determines the purpose and manner of processing of personal information. Operators or processors are organisations who process personal information for a responsible party under a contract or mandate. So, cloud providers are usually operators. It is the responsible party that must ensure that the manner of processing is secure and legally compliant by using cloud contracts. This is a key step in cloud compliance. Essentially, the responsible party will enter into a contract with the cloud provider requiring them to process personal information at the standard required by the data protection law.

From a cloud compliance perspective, cloud providers must only process personal information with the knowledge and authorisation of the responsible party. Additionally, the data subject can consent to have their personal information stored by the cloud provider.

Cloud compliance and data transfer under POPI

In terms of POPI, a responsible party may not transfer personal information to a foreign country unless one of the following exceptions applies:

  • the data subject consents to the transfer;
  • there is a binding agreement or corporate rules with a third party that provides an adequate level of protection that is sufficiently similar to the conditions for lawful processing;
  • the transfer is necessary for the performance of a contract or pre-contractual measures between the data subject and the responsible party; or
  • the transfer is for the benefit of the data subject and it isn’t reasonably practicable to get the data subject’s consent and, even if it were, the data subject would probably consent.

Data sovereignty versus data localisation

Data localisation and data sovereignty are important concepts to understand for cloud compliance. Laws in different countries relating to these concepts may mean that your cloud compliance strategy needs to be adjusted.

Data localisation refers to a legal concept where the data protection law requires that personal data is processed in a particular territory rather than with a cloud provider. For example, there is a law in Russia which requires that the personal information of Russian citizens is only stored on servers in Russia. It is important to look out for data localisation clauses because they can be tender conditions. South Africa does not have any specific data localisation laws.

Data localisation should not be confused with data sovereignty. Data sovereignty means that, because data is stored in a certain country, the laws of that country apply to that data. The Safe Harbor Agreement was declared invalid because it overrode data localisation laws and in so doing infringed on the individual right to privacy. What data sovereignty means for cloud compliance is that data stored in the cloud is subject to the jurisdiction of more than one country, which can be problematic.

The impact of the Microsoft Ireland decision

An important case about data localisation was the Microsoft Ireland case. In this case, Microsoft challenged a search and seizure warrant issued by the Department of Justice for emails stored on a server in Ireland. The warrant was issued in terms of a US statute. The Second Circuit Court sided with Microsoft and held that the warrant was issued in the US and could not be executed in Ireland.

The outcome of this case does provide some clarity for cloud compliance because it provided guidance on data localisation and the cloud. However, it is only guidance. The reasoning of the court was largely based on the statute under which the warrant was issued rather than the broader issue of cloud hosting and data localisation. So, in terms of cloud compliance, you need to make sure that you understand the effect of data localisation on your cloud-hosted data.

Actions you can take

  • Resolve your cloud compliance concerns by getting us to draft an opinion on cloud compliance.
  • Find out about the impact of information security law on cloud compliance by attending one of our workshops.
  • Ensure you manage data localisation and sovereignty with cloud compliance by getting our data protection laws of Africa or for your jurisdiction.
  • Audit your organisation for cloud compliance by having us conduct a legal compliance audit.