Aug 11,2012 / News / Legal Brief

In our last article on contracting in the cloud (Legal Brief, May 2011), we explained what cloud computing is, the risks and benefits to cloud computing, security and data privacy issues and considerations to be taken into account when considering using public cloud services.

In this article we look at:

  • Considerations when negotiating contracts with public and private cloud providers
    a comparison of public cloud and private cloud agreements
  • Considerations for cross border data transfer including looking at the impact of
    international developments in data protection laws.

CONTRACTS WITH PUBLIC CLOUD AND PRIVATE CLOUD PROVIDERS1

What is the difference between a public cloud and a private cloud?

  • A public cloud2 is where infrastructure is shared by many subscribers and use is via the Internet.
  • A private cloud is where infrastructure is accessible by a single customer and access may
    be via the Internet, a dedicated network or VPN.

PUBLIC CLOUD CONTRACT VERSUS PRIVATE CLOUD CONTRACT

Topic Public Private
The Contract Customer has little or no control over the provider’s terms and conditions, policies, features and functions.Standard terms, conditions and policies made available on the providers website. “Take it or leave it” approach.Requires customer to undertake a thorough audit of various cloud providers, including a review of their terms, security and privacy policies, service levels, disaster recovery and termination policies.Once audit is complete, customer will be in a better position to choose its cloud provider/s, taking into account factors such as the purpose for which the cloud will be used and what type of data will be held in the cloud. Customer has greater ability to negotiate the agreement, including terms pertaining to data privacy and security and to impose own requirements for certain features and functionalities.
Data protection/privacy Provider’s data protection policy usually made available on the providers website. “Take it or leave it” approach.Consider what the provider can do with personal data placed in the cloud and whether the cloud provider can move personal information to another jurisdiction which may have lesser data protection laws (certain jurisdictions provide greater regulatory protection for personal information than others).If the cloud customer is a responsible party3(“Responsible Party”) in terms of the Protection of Personal Information Bill (“POPI”)4 and is using the cloud service to outsource its data processing obligations, the Responsible Party must ensure that the terms and conditions and privacy policy comply with Sections 19 to 21 of POPI5. Customer can impose its own data protection requirements.Prescribe what the Provider can and cannot do with the data, place restriction on data transfer.If the cloud customer is a Responsible Party and is using the cloud service to outsource its data processing obligations, the Responsible Party must ensure that the terms and conditions and privacy policy comply with Sections 19 to 21 of POPI6.
Confidentiality Usually no undertakings given by the provider. To be included in the Agreement.
Liability for breach Highly unlikely that provider will assume any liability. Provider to assume liability for data breach, data loss and data restoration as well for other damages suffered by the customer due to acts or omissions of the Provider.Provider to be liable for indirect damages arising from data breach where such breach is due to the provider’s gross negligence and recklessness.7
Security Security policy made available on the providers website. “Take it or leave it” approach.If the cloud customer is a Responsible Party and is using the cloud service to outsource its data processing obligations, the Responsible Party must ensure that the legal terms and security policy comply with Sections 19 to 21 of POPI [see above].Investigate and ask for information of past security breaches as well as details of the breach such as the circumstances of the breach and how many/what records were compromised.Accept provider’s accreditations and certifications. Ask for the provider’s security policy and procedures.Impose own requirements around security. Include requirements for proper firewalls, employee security, password protection, server protection etc.If the cloud customer is a Responsible Party and is using the cloud service to outsource its data processing obligations, the Responsible Party must ensure that the legal terms and security policy comply with Sections 19 to 21 of POPI [see above].Customer must reserve the right to regularly audit provider’s security processes.Cloud provider to notify customer of past and future security breaches as well as full details of the breach such as the circumstances of the breach and how many/what records were compromised.

Customer entitled to impose its requirements in respect of security certifications of is obtained by the provider.

Indemnity against third party claims Unlikely that any are given by the provider. Provider to indemnify customer for claims arising from data breach or loss.
Cross Border Data Transfer Usually provider can transfer data to any jurisdiction where the provider has infrastructure. Provider cannot move data from one jurisdiction to another without the customers consent.
Service Levels Usually none given by the Provider. Require service levels around response and resolution times, escalation.
Back up/Redundancy Disaster Recovery and Redundancy policy if any will be made available on the providers website although providers usually silent on this. Impose own requirements in respect of Disaster Recovery and and Redundancy. Ensure comprehensive plan is in place.
Termination Usually no termination assistance given. Impose that provider provide termination assistance, including the manner and format in which customer data is returned/recovered.

CROSS BORDER DATA TRANSFER

One of the main concerns facing third parties who wish to use public cloud services is whether the personal data of its customers can be transferred to a cloud situate outside of South Africa8,and if so, can the customer be sure that such data is sufficiently protected in such offshore jurisdiction.

With regard to the transfer of personal data, two components need to be considered:

  • Can personal data be transferred outside of South Africa?
  • Can personal data be transferred back to South Africa?

TRANSFER OUT

A cloud customer will need to consider if there are legal obstacles to sending a customer’s personal information offshore. Contracts with customers will need to be considered and at comment law, consent of the data owner to such transfer may be required.

Once the Protection of Personal Information Bill (POPI) becomes law, personal data cannot be transferred outside of South Africa unless certain conditions are in place9. These include that the data subject has consented to the transfer.

TRANSFER IN

Once the data has been transferred out, there may then be legal obstacles to bringing a customer’s personal information back to South Africa. There are certain jurisdictions, most notably the United Kingdom, that have very strict laws regarding the transfer of personal information to jurisdictions which do not have in place data protection laws which will provide the same or “adequate” protection as that provided by UK legislation.

Until POPI becomes law, South Africa is recognised as a jurisdiction which is lacking in data protection laws and there have been instances where the EU Data Protection Commissioner has refused to allow the transfer of personal information back to South Africa.

There are other steps that a South African company can take to ensure that there will be no legal obstacles to the transfer of personal data back into South Africa. For example, with regard to the transfer from the UK to South Africa, such prohibition can be overcome through the use of binding corporate rules (BCRs):

“BCRs are legally enforceable rules which ensure that a high level of protection is applied to personal data throughout a corporate group. Once a set of BCRs have been approved by the relevant national data protection authorities, the BCRs will ensure that adequate safeguards are in place so that the data subject’s rights will not be prejudiced as a result of the transfers made between members of the corporate group to countries outside the European Union (EEA) which do not have an adequate level of protection10“.

CONCLUSION

The use of cloud services is a reality, especially as more and more organisations are looking for ways to cut costs and improve efficiencies. Legal concerns around using cloud service can be mitigated by being aware of the steps that can be taken to mitigate such risks.

  1. Other types of clouds include hybrid clouds and community clouds.
  2. Some well know public cloud providers are Microsoft and Google.
  3. POPI defines a “responsible party” as a public or private body or any other person which alone or in conjunction with others, determines the purpose of and means for processing personal information.
  4. Eighth Working Draft, dated 13 August 2012.
  5. These sections set out the security measures that must be taken by a responsible party so as to ensure the integrity and security of personal information processed by it and what security measures must be taken by a responsible party when it outsources such processing to an operator (which for the purposes of this article would be the cloud provider).
  6. These sections set out the security measures that must be taken by a responsible party so as to ensure the integrity and security of personal information processed by it and what security measures must be taken by a responsible party when it outsources such processing to an operator (which for the purposes of this article would be the cloud provider).
  7. See Clark Street Wine and Spirits v. Emporos Systems Corporation 754 F. Supp. 2d 474, 481-82 (E.D.N.Y. 2010) where the New York court awarded damages for liability for gross negligence and recklessness.
  8. Almost all public clouds are situated outside of South Africa in jurisdictions such as the UK, USA, Ireland, Australia.
  9. Refer Section 71 of POPI.
  10. https://uk.practicallaw.com/1-519-9981?q=binding+corporate+rules