Are there any restrictions applicable to cloud-based services?

Technology

United States

There are no data security restrictions that apply only to cloud-based platforms. Regulated businesses and other entities that use cloud platforms to store or process personal information must secure the information on the cloud platform in a manner that satisfies generally applicable regulations.

Malta

There are no restrictions or specific legislation in respect of cloud-based services. However, local authorities follow closely the developments and initiatives taken at EU level especially the EU Commission Strategy for Unleashing the Potential of Cloud Computing in Europe, the EU Parliament resolution and the EU Commission Staff Working Document.

Norway

Norwegian law imposes several restrictions on the provision and use of cloud-based services.

Cloud-based services that process personal data are governed by the Personal Data Act, cf. question 7 for further information. A common issue with cloud-based services is their conformity with the rules and regulations on the transfer of personal data to another country, cf. question 8 on the restrictions pertaining to such transfers.

Where an administrative body utilises cloud-based services in its internal administrative work or to communicate with private individuals or other administrative bodies, the Regulation on Electronic Communication with and in the Government Administration of 25 June 2004 no. 988 provides certain rules on security. Of interest to an administrative body’s use of cloud-based services, the Regulation prescribes requirements pertaining to risk assessment, access control, and the safeguarding of confidential information.

Furthermore, the Norwegian National Archive has stated that Act no. 126 on Archives of 4 December 1992 Section 9 letter b prohibits the transfer or storage of the archive databases or security copies thereof by cloud providers who store the material in another country, without prior consent from the Norwegian National Archive.

Act no. 73 of 19 November 2004 relating to Bookkeeping (the Bookkeeping Act) Section 13 second paragraph prescribes that as a main rule, accounting materials must be stored within Norway. Exceptions are provided for the permanent storage of such materials in Denmark, Finland, Sweden or Iceland. Where entities are subject to the rules for the financial management of administrative bodies, the storage of accounting materials outside of Norway is strictly prohibited.

Turkey

There aren’t any specific restrictions applicable to cloud-based services; however, if the server of the cloud service provider is located outside of Turkey, this is accepted as an international transfer and the restrictions mentioned in Question 9 would apply.

China

Key restrictions applicable to cloud-based service providers are the rules in telecommunication laws and cyber security laws. Cloud-based services, as a type of VATS, are categorized under Internet Digital Center (IDC) and subcategorized as Internet Resource Collaboration Service (IRCS) in the Catalogue of Telecommunications Business (2015 Revision). To engage in cloud-based services, entities should obtain an IRCS license from MIIT. Qualified cloud-based service providers shall meet the requirements on operation funding, professional personnel, reputation and capability, registered capital, etc. according to the Administrative Measures for the Licensing of Telecommunication Business Operations (2017 Revision). Cloud-based services are not open to foreign investors, except that Hong Kong or Macao service providers may secure the IDC/IRCS license through joint ventures in accordance with CEPA.

Pursuant to the Cyber Security Law, cloud-based service providers shall duly perform their duties to protect network security. If the facilities used in providing cloud-based services are categorized as CII, the personal information collected and generated by cloud-based service providers while operating their business in China may have to be stored in China, and a security assessment has to be carried out if the personal information needs to be transferred abroad.

Mexico

Regarding the use of cloud-based services, the Regulations to the Mexican Data Protection Law establish certain specific requirements for the processing of personal data by cloud computing services.

The cloud-based service provider must comply with the following requirements in order for the data controller to be able to use such services: (i) it shall have policies to protect personal data similar to the ones established in the Mexican Data Protection Laws; (ii) subcontracting must be disclosed to the relevant data controller; (iii) it will not be allowed to acquire title over the information processed in the cloud; and (iv) the personal data processed has to be preserved as confidential information.

Furthermore, it is also established that the cloud computing service provider must have mechanisms to: (i) notify changes of its applicable privacy notices and of its T&C; (ii) allow the data controller to limit the processing of personal data; (iii) establish and maintain proper security measures to protect the personal data; (iv) delete the personal data once the services are terminated; and (v) prevent unauthorized access to the personal data, or if properly requested by a competent authority, notify such circumstance to the data controller.

United Kingdom

There are no specific 'Cloud laws'; indeed, a recent study for the European Commission (http://ec.europa.eu/justice/contract/cloud-computing/studies-data/index_en.htm) found that in general, no specific "cloud laws" exist in the 28 investigated countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.

For example, in the financial services sector, the Financial Conduct Authority (FCA) has stated that financial services companies operating in the UK can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf) is not binding, but the FCA said it expects firms to take note of it and use it to inform their systems and controls on outsourcing.

Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.

Romania

Cloud-based services are of significant importance in light of data protection law, since the data stored in the cloud moves freely between different jurisdictions. The data protection legislation does not provide per se restrictions applicable to cloud-based services. However, such restrictions are implied by data protection rules and principles.

One of the data protection principles provides that data must be safeguarded and not transferred to third countries unless adequate safeguards are in place. For this reason, data controllers are legally required to conclude agreements when contracting with cloud service providers with a view to storing data in the cloud. When storing personal data in the cloud, the data controller must ascertain that the location of the data is known. This is of utmost importance, since the data may be stored on servers located in another country that may or may not provide an adequate level of protection as required under Romanian law.

In other words, the data controller must ensure that the agreement concluded with the cloud service provider is in line with data protection rules. Throughout this agreement the data controller must make sure that he will not be in breach of any rules with regard to processing and transfer of personal data.

Italy

There are no laws in Italy specifically aimed at regulating cloud-computing services, although legislation targeting internet service providers and telecommunications providers may be applicable depending on the service offered. However, it is worth underlining that:

  1. with Regulation n. 285 of 17 December 2013 the Bank of Italy has set forth certain requirements for banks which intend to be provided with cloud computing services. According to such regulation (which is binding for Italian banks), should a bank resort to cloud computing services, the relevant cloud computing agreement shall, inter alia, provide for the supplier’s obligation to (i) inform the bank of the data centres’ locations; (ii) isolate and separate the bank’s data from the data of the supplier’s other customers; (iii) guarantee that the service levels will be met also in case of emergency or in case of dispute among the supplier’s customers over the use of the supplier’s resources; (iv) ensure that any access to or modification of the data is duly tracked, also for supervisory purposes; and (v) grant the bank a right of audit, which shall be appropriate in consideration of the criticality of the outsourced activities and the architecture of the supplier’s services; and

  2. the Italian Digital Agency (“Agid”, formerly “DigitPA”) has published some recommendations and proposals on cloud computing in the public sector, which however are not binding.

The Netherlands

There are no specific 'Cloud laws'; indeed, a recent study for the European Commission (http://ec.europa.eu/justice/contract/cloud-computing/studies-data/index_en.htm) found that in general, no specific "cloud laws" exist in the 28 investigated countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.

For example, in the financial services sector, the Dutch central bank De Nederlandsche Bank (DNB) has stated that financial institutions can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (http://www.toezicht.dnb.nl/binaries/50-224828.pdf) stipulates a number of requirements (such as reporting and auditing obligations).

Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.

Brazil

Cloud services remain broadly unregulated in Brazil, although they are subject to existing laws regarding data privacy, consumer protection and contract law. Certain restrictions or requirements may apply to the use of cloud-based services by government.

Indonesia

A possible restriction imposed on cloud-based services is data-onshoring (i.e., having a local data centre and disaster recovery centre). This requirement is contained in Government Regulation No. 82 of 2012 regarding Provision of Electronic Systems and Transactions (October 15, 2012) (“GR 82/2012”) and its implementing regulation on electronic system providers that conduct a “public service.” “Public service” is defined as “an activity or series of activities in the fulfilment of the need for services in accordance with laws and regulations for every citizen and resident toward the goods, services, and/or the administrative services provided by the public service provider.”

The plain understanding of “public service” makes it unlikely that the data-onshoring requirement would be imposed on cloud-based services. However, in practice, all local electronic service providers are obliged by the institution issuing their license to establish a data centre in Indonesia.

Other than data-onshoring, Indonesian law provides various guidelines on such matters as registration, hardware, software (which is only pertinent for an electronic system provider for public service, aside from the general obligation to ensure the secrecy of the source code of the software used), expert workforce, electronic system management procedures, security measures, electronic system feasibility certificate, and supervision.

India

Cloud-based services are covered under the definition of “application services” as part of the terms and conditions issued by DoT for the registration of OSPs. Any entity that seeks to obtain registration as an OSP from the DoT must be a company registered under the (Indian) Companies Act, 1956 or Companies Act, 2013. Further, an OSP does not have the option to switch to telecom services. Since one of the purposes of cloud-based services is the storage of information and the provision of services relating thereto, cloud-based services would fall under the purview of the IT Act. Contracts between a cloud services provider and the client/user of such services form the primary basis for providing cloud-based services. The IT Act provides for penalties for breach of data protection laws as specified in the response to Question 9 above. Further, if a provider of cloud-based services, in the course of performing a contract, discloses an individual’s sensitive personal data or information without such individual’s consent, then such service provider may be liable for penalties as specified in the response to Question 9 above. Further, as specified in the response to Question 8 above, transfer of sensitive personal data or information is permitted only to an entity which ensures the same level of protection for such information, as discussed in the response to Question 7 above.

Israel

Generally, Israeli law does not specifically address cloud-based services.

If a data-owner uses outsourcing services of cloud-service providers for the processing of personal data, it will be subject to the Databases Registrar Guidelines 2/2011 on Use of Outsourcing Services to Process Personal Information. Such guidelines require, among other things, that a background check be carried out on the service provider, and that certain provisions be included in the agreement between the data-controller and the service provider (such as audit, inspection, training for employees, confidentiality obligations, guarantees (such as professional liability insurance), deletion of information upon termination of the agreement and ensuring that data-subjects' rights are fully and duly maintained). Further, if the use of cloud-based services requires the transfer of data overseas, such transfer will be governed by the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 (as described in Section 9 above).

In addition, the Banking Supervision Department of the Bank of Israel has issued a directive on risk management in a cloud environment. Such directive applies to the banking industry when using cloud-based services, and is in the process of being replaced by a new directive (a draft has been published). It is also worth noting that the Commissioner of the Capital Market, Insurance and Savings at the Israeli Ministry of Finance has issued directives for cyber-risk management of financial institutional entities (such as insurance companies and pension funds), which among other things refer to the use of cloud-based services.

Singapore

Although there is presently no legislation specifically regulating cloud-based services in Singapore, cloud-based services may be subject to other general legislation depending on the scope and nature of the service. Examples of such applicable legislation are:

(a) The PDPA will apply to the handling and storage of personal data using cloud-based services. An organisation intending to adopt cloud-based services and transfer its customer data to a cloud server located outside Singapore should comply with the transfer obligations under the PDPA as discussed above. The Guide to Securing Personal Data in Electronic Medium issued by the PDPC also sets out certain recommendations for an organisation to adopt when engaging cloud-based services to manage personal data.

(b) Cloud-based services offered to consumers in Singapore will also be subject to consumer protection laws such as the Consumer Protection (Fair Trading) Act (Chapter 52A) and the Unfair Contract Terms Act (Chapter 396).

(c) For regulated financial institutions in Singapore, the Guidelines on Outsourcing Risk Management issued by the Monetary Authority of Singapore (“MAS”) set out certain controls and measures for a financial institution to take note of when engaging in cloud-based outsourcing arrangements.

France

Most if not all cloud-based services involve the processing of personal data in the sense of the 1978 Act and the GDPR (see Question 7). Until the GDPR comes into effect (May 2018), the clients of such services will remain ‘data controllers’ and must assume full responsibility to comply with the associated obligations (including those described in Questions 7 and 8), even where they delegate IT activities to cloud service providers (e.g. SaaS, PaaS, etc.).

Since 2012, however, the CNIL has recognized the possibility that cloud service providers be considered jointly liable, as “co-data controllers,” when they offer standard services under adhesion contracts and will not take instructions from, or allow audits by, their customers. This situation is now fully addressed by the GDPR. Consequently, clients are required to define specifically how their obligations and responsibilities regarding personal data processing will be shared with their cloud service providers. These agreements between co-controllers must be made available ‘in essence’ to the concerned data subjects.

Furthermore, where the cloud service provider remains considered as acting on behalf of its client, as a sub-contractor or data ‘processor,’ it must comply with a series of specific obligations, including, for instance, to ensure that its employees and other persons authorized to process the personal data will be legally committed to confidentiality. A number of such requirements must be inserted into the service agreement with its client.

Beyond legal obligations, efforts are being made to nurture the development of codes of conduct, standards (for instance, SecNumCloud, initiated by a government agency, ANSSI) as well as certifications. The French CPCE even defines the contents of an ‘electronic vault service,’ a cloud variety that offers the storage of electronic data or documents with full traceability and integrity, for which an administrative certification is proposed with a view to raising confidence among would-be customers.

Aside from general texts, sector-specific guidance is also provided by various regulatory authorities such as in the bank and insurance sector, with the ACPR (Autorité de Contrôle Prudentiel et de Résolution), or the health sector, with the ASIP Santé (Agence Française de la Santé Numérique). For example, the ACPR encourages the firms it controls to take appropriate risk management measures along best practices that the agency described in an analysis issued in July 2013.

Germany

There is no law in Germany that generally prohibits cloud-based services. But the data protection laws mentioned above set the legal framework to be complied with.

There is a guide for cloud computing (current version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.

Moreover, there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG). Cloud computing often qualifies as “outsourcing” in this respect. Similar specifications are found in the Stock Exchange Act (BörsG) and the Securities Trading Act (WpHG). Also for the insurance sector, special restrictions exist, e.g. section 32 Insurance Supervision Act (VAG), according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. Restrictions on the use of social data in clouds are regulated in section 80 SGB X, and for taxation the restrictions are regulated in section 146 (2, 2a) tax code (AO). According to this section, books and other required records shall be kept within the scope of the AO, therefore in national territory. Furthermore, some professionals who are subject to professional secrecy face restrictions with regard to cloud-based services too. For example, doctors, lawyers, tax advisors and persons working in life and health insurance have a statutory duty of professional secrecy, and unauthorized disclosure is considered a criminal offence pursuant to section 203 German criminal code (StGB). However, a reform of this law is about to pass the German parliament which will make the usage of cloud computing legally possible also for these professions, provided proper contractual safeguards as regards data secrecy are in place.

Switzerland

There are no restrictions specifically applicable to cloud services. In general, personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure its protection against unauthorised access, its availability and its integrity. Further, the use of cloud services constitutes an outsourced processing service if the personal data is not encrypted during its storage in the cloud and, in case the servers of the cloud are located outside Switzerland and the personal data is not encrypted during its transfer and storage, an international transfer of personal data (see Question 8). FDPIC has issued a non-binding guide outlining the general risks and data protection requirements of using cloud services (www.edoeb.admin.ch/datenschutz/00626/00876/01203/index.html?lang=en). Specific rules may apply in regulated markets (e.g. Circular 2008/7 relating to outsourcing issued by the Swiss Financial Market Supervisory Authority (FINMA) applies to banks and securities dealers organised under Swiss law, including Swiss branches of foreign banks and securities dealers subject to FINMA supervision).

Ecuador

There is no legal restriction applicable to cloud-based services, since there is no specific legislation in Ecuador that regulates the matter.

Updated: October 10, 2017