Clouds Come Floating Into My Life
December, 2017 - Julia Semeniy, Oksana Legka
To date, there are multiple cloud computing models used by companies to meet their business needs, including public, private, community and hybrid clouds, delivering platform, infrastructure or software as a service. However, all these models intrinsically imply that the cloud computing services are rendered via data centres often located outside the state where the cloud customer is established. Ultimately, it is fair to say that cloud computing services have broken traditional geographical boundaries and are based on the efficient cross-border flow of data. Given that the laws and regulations governing a particular jurisdiction vary substantially, this brings about manifold jurisdictional concerns and complexities affecting cloud service providers (CSPs) and cloud customers. As a result, companies moving to the cloud are becoming increasingly concerned with data security, privacy and access control issues.
On a general note, Ukraine has not yet enacted any sector-specific regulations governing cloud computing. The only legal act defining the term "cloud computing" is the Law of Ukraine "On Public Procurements". This definition mirrors the proposal of the U.S. National Institute of Standards and Technology, which defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. That said, the data protection and other legal issues arising from the use of cloud computing services are governed by the general rules laid down in the Law of Ukraine "On Personal Data Protection" (PDP Law), the Law of Ukraine "On Protection of Information in Information and Telecommunication Systems" (Information Systems Law), etc. The draft law "On Amendments to Certain Laws of Ukraine Regarding Processing of Information in Systems Using the Technology of Cloud Computing" (Draft Law), which embodies rules on cloud computing and was prepared for its second reading back in November 2016, still remains on the shelves of the Ukrainian Parliament.
The Information Systems Law lays down the legal framework for the protection of information in information and telecommunication systems. Specifically, the owners of such systems are responsible for ensuring the protection of information. The procedure and conditions for the protection of information, as well as for its processing, are to be set forth in an agreement between the owner of the system and the owner of the information. In addition, the procedure for access to the information, the list of users and their rights shall be determined by the information owner. Conceivably, CSPs operating data centres or other automated means physically located on the territory of Ukraine would qualify as owners of information systems subject to the statutory requirements mentioned above.
It should be noted that there are serious concerns as to which data protection laws should apply to the processing of data using the various cloud computing models. By its nature, cloud computing means that data processed in the cloud may flow across many jurisdictions with no practical possibility of identifying its location, or who processes it and how, at a particular moment. This creates uncertainty and potential conflicts as to whether those responsible for data processing under data protection laws are in a position to effectively assume their responsibility when the processing occurs in the cloud. Practically, it may be argued that Ukrainian law should apply when the data subject is a Ukrainian resident, when the data controller is established under Ukrainian law and processes personal data in the context of its activities in Ukraine, or when the processing of personal data occurs via equipment situated on the territory of Ukraine. However, given the absence of any guidance in Ukrainian law, the question of whether Ukrainian data protection law applies should be resolved on a case-by-case basis.
Ukrainian law does not provide legal instruments that would allow its data protection legislation to be "exported", i.e. applied extraterritorially, where the cloud customer is established in Ukraine while the CSP is located in the EU. However, it may be argued that, since the Ukrainian PDP Law was adopted in the course of harmonising the national regime with the EU data protection regime set forth, inter alia, by the Data Protection Directive 95/46/EC, the same practical application and enforcement principles should also work in Ukraine.
In addition, on 25 May 2018 the EU General Data Protection Regulation (GDPR) will supersede the current Directive 95/46/EC and all local laws implementing it. The GDPR is accompanied by the Privacy Shield Framework, which replaces the Safe Harbour Framework enacted to regulate EU – US transatlantic data flows. One of the key novelties is that the GDPR will apply not only to all EU member states but will also have extraterritorial jurisdiction over companies headquartered outside the EU that process the personal data of EU residents. Thus, the GDPR may reach Ukrainian companies where their processing activities relate to offering goods or services to EU data subjects or to monitoring their behaviour (e.g., tracking online activity) within the EU. In other words, Ukrainian companies interacting in some way with the personal data of EU residents may become directly subject to the GDPR.
Pursuant to the PDP Law, data subjects must be informed who processes their data, for what purposes and where their data is located. In the context of the PDP Law, cloud customers would in most cases qualify as data controllers and CSPs would be deemed data processors. The potential pitfall of deploying cloud computing, where shared systems and infrastructures interact dynamically, is that the cloud customers, or even the CSPs, may lack control over personal data. Consequently, the CSPs' obligations and responsibilities stemming from data protection legislation should be set out clearly in an agreement with the cloud customer and not dispersed throughout the chain of outsourcing or subcontracting, in order to ensure effective control over, and allocate clear responsibility for, processing activities.
Ukrainian law expressly requires a written agreement between the data controller and the data processor, but is silent as to the specific terms and conditions pertaining to personal data protection that should be reflected in such an agreement, except for the scope of the data and the purpose of data processing. Nor are there any guidelines as to the requirements for a cloud computing services agreement with a CSP. The Draft Law tries to handle this issue and specifies a detailed checklist of terms and conditions for such a contract, which include, among others, (i) obligations of the CSP to take measures against unauthorised access to information in the system, (ii) a breach reporting procedure, (iii) terms and procedures for customer access to the platform, (iv) infrastructure and applications, (v) a procedure for erasing information, etc.
In practice, CSPs offer standard-form terms and conditions, which are often one-sided in their favour. Thus, their customers often face difficulties in negotiating the contractual terms of use of the cloud services. The 2012 Sopot Memorandum prepared by the International Working Group on Data Protection in Telecommunications lays down a set of practical recommendations for agreements with CSPs to address this situation. Notably, it is recommended that such an agreement provide for (i) a complete list of information, supplied in advance, about all physical locations in which, throughout the duration of the agreement, data may be stored or processed by the CSP and/or its subcontractors, (ii) a prohibition on transferring data to locations other than the physical locations listed in the contract, (iii) an obligation on the CSP not to use the controller's data for the CSP's own purposes, etc.
The processing of personal data in different geographic locations directly affects the potential threats and risks that data subjects (cloud customers) may face. The PDP Law does not restrict personal data transfers to a foreign recipient if the relevant foreign country ensures an adequate level of personal data protection. The PDP Law recognises the EU member states, as well as signatories to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), as countries with an adequate level of personal data protection. No other countries have been afforded such status under Ukrainian law so far.
By contrast, transfers of personal data to third countries which do not offer an adequate level of data protection require specific safeguards. Notably, the PDP Law permits the transfer of personal data to such third countries provided that (i) the data subject has explicitly consented to the transfer (in written or electronic form); (ii) there is a need to enter into or perform a contract between the data controller and the data subject; (iii) the vital interests of the data subject require protection; (iv) the public interest requires protection, or there is a need to ascertain, perform or secure a legal claim; or (v) the data controller guarantees the privacy of the personal and family life of the data subject (although no further details are provided as to how such a guarantee should be issued and implemented).
Apart from personal data, cloud customers normally use the cloud to store confidential information and other business-sensitive data. Therefore, concerns regarding guarantees that information stored in the cloud is protected from unauthorised access by third parties, including governmental agencies, are becoming very pertinent for any cloud customer. There always remains a risk that personal data and other information stored or processed via the cloud may become subject to requests from the law enforcement agencies of Ukraine or of a foreign state.
It is well known that the move to the cloud by Ukrainian businesses in recent years has been driven by the acute problem of the seizure of servers and other equipment by law enforcement agencies. The cloud, which allows data to be stored and processed abroad, is often perceived as a more reliable and secure instrument.
Indeed, Ukrainian law does not provide a legal possibility for Ukrainian law enforcement agencies to liaise directly with CSPs in order to compel them to disclose data stored in another country. However, Ukrainian criminal procedure law provides various legal mechanisms enabling the Ukrainian competent authorities (e.g., the Ministry of Justice of Ukraine, the General Prosecutor's Office of Ukraine) to approach governmental authorities in other countries for legal assistance within criminal proceedings. In addition, since 2005 Ukraine has been a party to the Convention on Cybercrime, which also sets forth basic rules on mutual legal assistance for the purpose of collecting evidence in electronic form (i.e. evidence generated by or stored on a computer system) for use in criminal proceedings.
Interestingly, in 2015 − 2016, Ukrainian local courts issued several orders requiring Facebook Inc. to provide temporary access to its facilities in the UK so that Ukrainian law enforcement officers could access the Facebook servers located in the UK and copy the requested electronic data. Remarkably, these requests for electronic data were delivered directly to a foreign legal entity, without being submitted through the competent governmental authorities of Ukraine or the UK as intermediaries.
On the other hand, not only Ukrainian law enforcement agencies, but also foreign complainants and governments, may be afforded access to personal data and other sensitive information in the cloud, which is subject to the disclosure rules applicable in the jurisdiction where the data centres are physically located. Thus, a diligent and thorough review of the contractual terms, as well as attention to the jurisdictions where the servers and data centres will be located, should be a "must" for any cloud customer.