Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
Technology (3rd edition)
Pursuant to the Civil Code of Armenia, an electronic communication service provider shall not be liable for the content of electronic documents transferred by third persons through its information system, as well as for obligations arising between third persons as a result of the transfer, unless otherwise provided for by law or the contract concluded with the service provider. However, electronic communication service providers shall be liable where, without having the authority to do so or acting beyond their authority, they have:
- transferred an electronic document in the name of another person;
- selected, in the name of another person, a receiver of an electronic document;
- selected and made changes to an electronic document of another person.
An operator of a website or an electronic application serving as a platform for third persons to conclude and implement contracts (electronic trading platform operator) shall not be liable for obligations arising from contracts concluded between third persons, unless otherwise provided for by law or by the contract concluded between the electronic trading platform operator and the third person. This rule is not applicable in cases where the electronic trading platform operator has operated the electronic trading platform in violation of the requirements of the law.
An electronic trading platform operator shall not be obliged to monitor the lawfulness of the content submitted by the users of the platform and its conformity with the legislation of the Republic of Armenia, except for the cases when the electronic trading platform operator knew or should have known that the content submitted by the users was manifestly unlawful, manifestly unreliable or manifestly contradicting the legislation of the Republic of Armenia.
An electronic trading platform operator shall show the mandatory information on sellers (performers of works, service providers) as prescribed by law and save it throughout the entire time the seller (performer of works, service provider) is registered on the platform and at least one year after the end of said registration, unless a longer term is provided for by law or the contract concluded with the electronic trading platform operator.
There is no regulation in place to restrict or guide the use of cloud-based services.
The Cyber Crimes Law, which was recently enacted, provides for certain obligations on the service providers regarding data storage. This may extend to cover cloud-based services.
Further, certain sectors may either prohibit or restrict storage of information through cloud-based services, including the Central Bank of Egypt which, we understand, requires banks to obtain pre-approval for storing any information outside of Egypt.
There is no single law that regulates cloud-based services; however, certain provisions from various legal acts do specifically apply.
In terms of personal data, cloud-based services can generally be considered as data processors; therefore the conditions and obligations stipulated in the General Data Protection Regulation need to be followed. For example, the processing must be governed by a contract with a controller or other legal act. The processor must also comply with the rules concerning the security of processing. As the servers hosting the data for cloud-based services could be located anywhere, data controllers and processors must also be diligent and comply with the regulation regarding data transfer to third countries. The potential fines for violating the obligations are provided by the Personal Data Protection Act (Isikuandmete kaitse seadus). There is a guide from the Estonian Data Protection Inspectorate regarding cloud-based services and data protection; however, it precedes the GDPR and is based on prior regulation.
The Estonian Financial Supervision and Resolution Authority has issued guides for the subjects of financial supervision regarding the outsourcing of activities and requirements for the organisation of IT and information security which also touch upon cloud-based services. Companies are required to maintain adequate control over information containing customer data. Information systems must, at a minimum, be separated in a logically secure way from the information systems of a service provider’s other clients.
Cloud-based services are also qualified as digital service providers in the Cybersecurity Act (Küberturvalisuse seadus), which mandates the service provider to notify the Estonian Information System Authority in cases of cyber incidents. The Information System Authority also exercises state supervision over cloud-based services that are established in Estonia, belong to a group whose parent company is established in Estonia or have a representative in Estonia.
Cloud-based services as information storage services are regulated in the Information Society Services Act (Infoühiskonna teenuse seadus). Information storage services have restricted liability, provided they have no actual knowledge of the contents of the information and, upon obtaining knowledge of illegal activity or information on their service, act expeditiously to remove or disable access to the information. Services are not obligated to monitor the information they store or actively seek facts or circumstances indicating illegal activity.
Most, if not all, cloud-based services involve the processing and/or transfer of personal data within the meaning of the RGPD. Consequently, the clients of such services should be considered as ‘data controllers’ and must assume full responsibility to comply with the associated obligations from the beginning to the end of the processing (including those described in Questions 9 and 10), despite any belief that delegating their IT activities to cloud service providers should exempt them therefrom.
When qualifying as ‘data processors,’ cloud service providers must comply with a series of specific obligations also set forth in the RGPD, including, in particular: to process data only in accordance with documented instructions from their clients; to take all measures required to ensure a level of security appropriate to the risks incurred by the data and data subjects; and to provide information as necessary (including through audits) to demonstrate that they comply with their obligations.
Where the cloud service provider plays a role in defining the ways and means and, possibly, the purposes of the data processing, the provider may appear to be jointly liable with its client towards the persons concerned (‘data subjects’). This is why the RGPD requires ‘data controllers’ and ‘data processors’ (or ‘joint data controllers’) to specifically define, in their agreements, the allocation of their obligations and responsibilities regarding personal data processing.
In order to help clarify such situations, efforts are being made to nurture the development of codes of conduct (such as by software end user groups), standards (for instance, “SecNumCloud,” a set of reference requirements initiated by a government agency, ANSSI), as well as certifications.
Aside from general texts, sector-specific regulations may apply, such as in regard to the national health data system (SNDS) intended for health professionals and organizations (Act n°2016-41 of 26 January 2016), or to the outsourcing of IT activities through cloud-based services (for example, guidelines issued by the CNIL or, in the bank and insurance sector, the Autorité de Contrôle Prudentiel et de Résolution (ACPR)).
From another perspective, cloud-based services are addressed through regulations aiming at the security of information systems and data, both on the supply and demand side. Thus, since the transposition in 2018 of directive 2016/1148 of 6 July 2016 (NIS - network and information security), cloud services providers must identify the risks that threaten the security of the networks and information systems and must take the necessary and proportionate measures to monitor them, in order to reduce their impact to a minimum and to guarantee the continuity of their services. They must declare to the national information systems security agency (ANSSI) all significant incidents affecting networks and information systems necessary for the provision of their services in the European Union.
On the side of customers and pursuant to the same texts, the entities that may be declared as offering essential services to the functioning of society or the economy and whose continuity could be seriously affected by incidents affecting the networks and information systems they use must also define appropriate measures to prevent such incidents or to limit their impact, in order to ensure the continuity of the essential services they provide.
Pursuant to the National Defense Code, further steps may be required from the entities which operate establishments or use installations and works, the unavailability of which could significantly reduce the war or economic potential, security or survivability of the nation. In particular, these Operators of Vital Importance (OIV) must declare the critical information systems (SIIV) they operate.
Cloud-based services are specifically listed in the Catalog within the category of Internet resource collaborative (IRC) services, itself a sub-category of Internet data centre (IDC) VATS activities. Cloud-based service providers should obtain the corresponding license from the MIIT pursuant to the Telecoms Regulations. Another set of major obligations applicable to cloud-based service providers consists of rules concerning the collection and use of personal information (see above, Questions 15 and 16), and it is likely that at least some major cloud-based service providers could be deemed CIIOs under the PRC Cybersecurity Law and thus be subject to additional obligations.
Cloud services are in principle permitted in Israel; however, the use of cloud-based services is subject to the provisions of the Privacy Law (and the regulations enacted thereunder) (to the extent data contained in the cloud is considered personal data), to specific guidelines issued by the PPA in relation to the use of outsourcing services for processing of personal data (directive 2/2011) and to specific guidelines pertaining to the use of cloud services in specific sectors, mainly in the public sector and in the banking, health and financial sectors.
The above-mentioned sector-specific guidelines set out various rules and principles in relation to the use of cloud-based services (whether with respect to personal or non-personal data). These include, inter alia:
- Corporate governance requirements;
- Risk management;
- Prior approvals from the applicable regulator for the use of cloud-based services with respect to certain operations;
- Engagement with third party cloud service providers, including the obligation to maintain audit and control measures over the activity of the service provider;
- Mandatory security standards to be implemented by the cloud-based service provider;
- Mandatory provisions to be included in tenders for the provision of cloud-based services to public bodies.
Firstly, the IDPA, in 2012, issued specific guidelines on cloud computing, providing a set of recommendations for private and public entities in order to assess the related risks and verify the implementation of the relevant fulfilments. Specifically, it contains: a description of the main types of cloud systems, an overview of the regulatory framework on data protection (with a focus on the roles of data controller and data processor, the transfer of data outside the EU, the adoption of specific security measures and the exercise of data subjects’ rights), and an indication of the criteria for assessing the costs and benefits of adopting cloud technologies.
Secondly, useful tools for the proper management of data confidentiality and security in the cloud environment are represented by: (i) the ISO/IEC 27018:2019 standard and (ii) the recommendations issued by ENISA in the document “Cloud Computing. Benefits, risks and recommendations for information security”.
Specifically, the ISO/IEC 27018 standard provides precise instructions, guidelines and controls for the processing of personal data in the cloud through public networks (e.g. on the data subject’s consent, purposes of processing, data minimisation, restriction on use, storage and disclosure, transparency, accountability, etc.).
ENISA’s recommendations, in addition, include technical measures to mitigate the risk of unauthorised disclosure of data (e.g. defining the host and network controls, ensuring that adequate backup policies and procedures are in place, etc.).
In Japan, there are no specific laws that directly prohibit, restrict or otherwise govern cloud-based services. Where the data being placed in the cloud is personal information/data, use of cloud-based services may be considered as constituting the provision of personal data to third parties under the APPI, which requires the prior consent of the relevant individual (subject to certain exemptions depending on whether such third parties are located in or outside of Japan) (see questions 9 and 10). However, the guidelines published by the Committee provide that the use of cloud services to store personal data does not constitute the provision of personal data to cloud service providers under the APPI as long as it is ensured by contract or otherwise that the cloud service providers are properly restricted from accessing the personal data stored in the cloud.
Aside from the personal data protection regulations, provision or use of cloud-based services may be subject to other restrictions depending on the nature of the services or the stored data, including consumer protection regulations and sector-specific guidelines in medical and financial sectors.
There is currently no legislation specific to cloud-based services in Malaysia, and such services may be subject to other legislation depending on the services provided, in particular:
(a) cloud-based service providers which provide or intend to provide cloud-based services would need to determine whether the cloud-based services would fall under any of the licensing requirements of the CMA. The different types of licences prescribed under the CMA are addressed in Question 1.2, and licensing requirements would vary between different cloud-based service providers. The MCMC in October 2018 registered a technical code on Information and Network Security – Cloud Service Provider Selection (“CSPS Code”), which seeks to set out the requirements for network interoperability and the promotion of safety of network facilities by specifying the requirements for selecting cloud service providers for organisations, ensuring that all security requirements are taken into account based on an assessment of the current environment and objectives. While compliance with the CSPS Code is not in itself mandatory, the MCMC is empowered to direct a person or a class of persons to comply with the CSPS Code. Failure to comply with such directions by the MCMC may result in a fine of up to RM200,000 being imposed;
(b) financial institutions which intend to use data services or cloud services providers outside of Malaysia to deliver cloud services are required to seek approval from BNM in accordance with BNM’s Policy Document on Outsourcing (which came into force on 1 January 2019) and BNM’s Guidelines on Data Management and Management Information System Framework for Development Financial Institutions; and
(c) cloud-based service providers would fall under the purview of the PDPA as “data users - a person who either alone or jointly or in common with other persons processes any personal data, or has control over or authorises the processing of any personal data” as the act of “processing” has been defined in the PDPA to include “storing of personal data”. Cloud-based service providers storing personal data using cloud-based services would have to ensure that they comply with the provisions of the PDPA.
No specific restrictions apply.
New Zealand has not enacted any cloud-specific legislation. However, general laws will nonetheless apply (for example, the Privacy Act).
There is no law that specifically regulates cloud-based services in German law. But the data protection laws mentioned above set the legal framework to be complied with.
There is a guide for cloud computing (current version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.
Moreover, there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG). Cloud computing often qualifies as “outsourcing” in this respect. The German financial supervisory authority BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) summarized the legal requirements for cloud usage by financial services institutions in a whitepaper dated 8 November 2018 (Merkblatt – Orientierungshilfe zu Auslagerungen an Cloud-Anbieter). Similar specifications are found in the Stock Exchange Act (BörsG) and the Securities Trading Act (WpHG). Special restrictions also exist for the insurance sector, e.g. section 32 Insurance Supervision Act (VAG), according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. Restrictions on the use of social data in clouds are regulated in section 80 SGB X, revised in the course of the GDPR, and for taxation the restrictions are regulated in section 146 (2, 2a) Tax Code (AO). According to this section, books and otherwise required records shall be kept within the scope of the AO, and therefore in national territory.
Up to 2017, some professionals who are subject to professional secrecy had to face restrictions with regard to cloud-based services. For example, doctors, lawyers, tax advisors and persons working in life and health insurance have a statutory duty of professional secrecy, and unauthorized disclosure is considered a criminal offence pursuant to section 203 German Criminal Code (StGB). But a recent legislative amendment of section 203 StGB also provides these professionals the opportunity to use e.g. cloud services and external service providers, because pursuant to section 203 (3) StGB it is no longer a problem to pass on the information to involved persons as long as this is necessary for the person’s activity and provided that proper contractual safeguards as regards data secrecy are in place.
There is no explicit regulatory guideline or restriction on the operation of cloud-based services. However, the regulatory challenge may come from the requirement to locate data centres in Indonesia as stipulated in Government Regulation No. 82 of 2012 on Electronic Information and Transaction (“GR 82/2012”).
GR 82/2012 stipulates that if an ESP provides a “public service”, the ESP has the obligation to locate its data centre and disaster recovery centre in Indonesia. Nevertheless, the scope of the definition of ESP for public service or ESP for non-public service in the private sector remains vague to date.
If the term “public service” is interpreted in a very broad way, the obligation to locate data centres and disaster recovery centres in Indonesia will apply to many companies within and outside Indonesia. Consequently, it will prevent these companies from using services that rely on data centres in multiple countries, such as cloud-based services.
Cloud-based services are of significant importance in light of data protection law, since the data stored in the cloud moves freely between different jurisdictions. The data protection legislation does not provide per se restrictions applicable to cloud-based services. However, such restrictions are implied from data protection rules and principles. One of the data protection principles provides that data must be safeguarded and not transferred to third countries unless adequate safeguards are in place. For this reason, data controllers are legally required to conclude agreements when contracting with cloud service providers with a view to storing data in the cloud. When storing personal data in the cloud the data controller must ascertain that the location of the data is known. This is of utmost importance, since the data may be stored on servers located in another country that may or may not provide an adequate level of protection as required under Romanian law. In other words, the data controller must ensure that the agreement concluded with the cloud service provider is in line with data protection rules. Through this agreement the data controller must make sure that it will not be in breach of any rules with regard to processing and transfer of personal data.
For transfer of non-personal data, the applicable legislation is Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union, which entered into force on May 28, 2019. The Regulation ensures that organisations are able to store and process non-personal data anywhere in the European Union. Access to data by competent authorities may not be refused on the basis that the data are processed in another Member State.
The Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”) has been transposed in Romanian legislation through Law no. 363/2018 on ensuring a high common level of security of networks and information systems.
Also, when Regulation (EU) 2019/881 of the Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (“Cybersecurity Act”) is enacted, it will be directly applicable in Romania.
The Act on the Development of Cloud Computing and Protection of Its Users (“Cloud Computing Act”) is Korea’s general law applicable to cloud-based services.
If electronic computer systems, equipment, and/or facilities are expressly required under another statute for some type of authorisation, licensing, permission, registration, or any similar action, the relevant electronic computer systems, equipment, and/or facilities are to be viewed as including cloud computing services. As such, in principle, the use of cloud computing services is permitted.
However, such provision does not apply if (i) the use of cloud computing services is explicitly prohibited under the relevant statute, or (ii) the relevant statute requires the installation of physical partitions between lines or facilities, thereby effectively restricting the use of cloud computing services.
The Korean regulator’s position is that the use of cloud computing services qualifies as the outsourcing of the processing of personal information. Therefore, (while there may be some difference in interpretation if the Korean regulator’s position is followed) using cloud-based services to process personal information will require compliance with the regulations on the outsourcing of the processing of personal information.
The Spanish legislation does not foresee specific restrictions or limitations for cloud-based services. However, where the use of cloud-based services entails the processing of personal data, the requirements of the data protection legislation will have to be complied with. In general terms, the GDPR will require companies using such services to:
- Certify that when processed in the cloud-based platform, the personal data are processed in accordance with the data protection principles set out in the GDPR.
- Ensure that the use of such services complies with the requirements laid down by the GDPR for international data transfers (especially relating to where the cloud service provider is located, or where data are hosted in countries that are located outside the EEA).
- Ensure that the relationship with the service provider is regulated under a written agreement that provides the mandatory provisions required by Article 28 of the GDPR, which sets out the requirements for the relationship between data controllers and data processors.
- Guarantee that the affected data subjects can exercise the rights recognised under the GDPR for the data stored in the cloud.
- Guarantee that the cloud-based service is subject to appropriate technical and security measures that prevent personal data from being lost, altered or accessed by unauthorised personnel.
Typically, a cloud service provider will qualify as a data processor according to the GDPR. In order for the data processing to be compliant with the GDPR there has to be a written contract between the data controller and the data processor. This contract is supposed to make sure that the data processor protects the personal data with all technical and organisational measures necessary to ensure the protection of the rights of the data subjects.
There are no statutes specifically drafted for regulation of "cloud-based services". To provide a cloud-based service in Taiwan, the service provider shall comply with all relevant laws in Taiwan, including the PDPA, consumer protection laws, etc. Meanwhile, please note that financial institutions, such as banks or insurance companies, are subject to strict regulations of the Financial Supervisory Commission, and they are not free to adopt cloud-based solution technology. As such, providing cloud-based services to financial institutions will be subject to strict regulation and approval requirements.
Yes. Although there is no particular law or regulation dedicated and specific to cloud-based services, various pieces of legislation and regulatory frameworks are applicable to cloud-based services to a certain extent.
For example, in the guidelines published by the Turkish Data Protection Authority (DPA) regarding technical and administrative measures which should be taken by the data controllers, there are references made to cloud-based services and guidelines on erasure of personal data from cloud-based services.
Legislative documents overseen by the Capital Markets Board of Turkey also refer to cloud-based services. For example, Regulation on Operation, Working and Supervision of Data Storage Organizations prohibits storage of certain data on cloud-based services. On the other hand, secondary legislation under the supervision of Banking Regulation and Supervision Agency permits use of cloud-based services for storage of payment information provided that certain precautionary measures are taken.
Most recently, Presidential Circular on Information and Communication Security Measures prohibited storage of data pertaining to public institutions and organizations on cloud services. An exception has been made to the storage of such data on the private systems of public institutions and services provided by local service providers who are under the control of public institutions.
There are currently no specific 'Cloud laws' in the UK, but the direction of travel in the EU is towards a harmonised 'certification' scheme, although this stops short of full-blown regulation. A recent study found that ISO 27001 was still the most commonly-adopted certification scheme among the most prominent Cloud Service Providers (CSPs).
In addition, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.
For example, in the financial services sector, the Financial Conduct Authority (FCA) has stated that financial services companies operating in the UK can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf) is not binding, but the FCA said it expects firms to take note of it and use it to inform their systems and controls on outsourcing.
Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 10 and 11 above will apply.
Data protection statutes are not directed at specific technologies. Therefore, there are no regulations that apply only to cloud providers. Sectoral guidelines on cloud computing have been issued, such as the Federal Financial Institutions Examination Council's IT Examination Handbook, which addresses financial institutions' information security policies when using outsourced cloud computing services.
There are no specific cloud laws in Australia. The Privacy Act is principles-based, rather than prescriptive or proscriptive with respect to specific technologies and how they relate to the collection and handling of personal information. Given the nature of cloud-based services, organisations should be particularly wary of the obligations they may have under APP 8 (discussed at question 9) and APP 11 (discussed at question 15).