Are there any restrictions applicable to cloud-based services?

Technology (second edition)

Indonesia Small Flag Indonesia

A possible restriction imposed on cloud-based services is data onshoring (i.e., having a local data centre and disaster recovery centre). This requirement is contained in Government Regulation No. 82 of 2012 regarding the Provision of Electronic Systems and Transactions (October 15, 2012) (“GR 82/2012”) and its implementing regulation on electronic system providers that provide a public service. The MOCI further elaborates that “public service” shall mean any activity in the fulfilment of services for the public. The MOCI does not refer to any particular regulation as the legal definition of “public service.” The plain understanding of “public service” makes it unlikely that the data-onshoring requirement would be imposed on cloud-based services. In practice, however, all electronic service providers are obliged by the institution issuing their license to establish a data centre in Indonesia.

In addition, the MOCI is currently undertaking a public information campaign regarding content monitoring, as regulated under MOCI Regulation No. 19 of 2014 regarding the Handling of Websites with Negative Content (“MOCI Reg 19/2014”). The handling of such websites with negative content involves blocking the sites to prohibit any access by the public. Pursuant to Articles 7 and 8 of MOCI Reg 19/2014, only two types of entities are required to conduct content monitoring, i.e. Internet Access Service Providers and Site-Blocking Service Providers. Therefore, the determining factor in whether a provider must monitor content is whether the provider is classified as either an Internet Access Service Provider or a Site-Blocking Service Provider. However, MOCI Reg 19/2014 does not provide a clear definition of either type of provider.

Other than data-onshoring and content-filtering, Indonesian law provides various guidelines on such matters as registration, hardware, software (which is only pertinent for an electronic system provider for public service, aside from the general obligation to ensure the secrecy of the source code of the software used), expert workforce, electronic system management procedures, security measures, electronic system feasibility certificate, and supervision.

The Netherlands Small Flag The Netherlands

There are no specific 'Cloud laws', indeed a recent study for the European Commission ( found that in general, no specific "cloud laws" exist in the 28 investigated countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.

For example, in the financial services sector, the Dutch central bank De Nederlandsche Bank (DNB) has stated that financial institutions can make use of cloud-based services without falling foul of regulatory obligations. The published guidance ( stipulates a number of requirements (such as reporting and auditing obligations).

Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.

Brazil Small Flag Brazil

Cloud services remain broadly unregulated in Brazil, although subject to existing laws regarding data privacy, the consumer protection and contract law. Certain restrictions or requirement may apply to the use of cloud-based services by government and, in the financial sector, specific requirements shall be observed in the contracting of cloud-based processing and storage services by financial institutions.

Luxembourg Small Flag Luxembourg

There are no specific 'Cloud laws' in Luxembourg, and that applies to many European countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies.

The May 2017 Circular 17/654 of the Luxembourg supervisory authority of the financial sector (CSSF – Commission de Surveillance du Secteur Financier) deals with the use of cloud services by financial institutions. It addresses the obligations which have to be met when financial institutions use or rely on a cloud computing infrastructure. An entity needs to obtain prior approval by the CSSF to be able to lawfully outsource any material IT infrastructure. However, if the IT infrastructure is outsourced to a Luxembourg based Professional of the Financial Sector (PFS), a prior notification to the CSSF is sufficient.

Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.

Romania Small Flag Romania

Cloud-based services are of significant importance in light of data protection law, since the data stored in the cloud moves freely between different jurisdictions. The data protection legislation does not provide per se restrictions applicable to cloud-based services. However such restrictions are implied from data protection rules and principles.

One of the data protection principles provides that data must be safeguarded and not transferred to third countries unless adequate safeguards are in place. For this reason, data controllers are legally required to conclude agreements when contracting with cloud service providers with a view to store data in the cloud. When storing personal data in the cloud the data controller must ascertain that the location of the data is known. This is of utmost importance, since the data may be stored on servers located in another country that may or may not provide an adequate level of protection as required under Romanian law.

In other words, the data controller must ensure that the agreement concluded with the cloud service provider is in line with data protection rules. Throughout this agreement the data controller must make sure that he will not be in breach of any rules with regard to processing and transfer of personal data.

The provisions of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”) related to cloud computing services will be applicable in Romania after its transposition into national legislation. A draft law concerning cyber security in Romania is under legislative procedure.

Spain Small Flag Spain

The Spanish legislation does not foresee specific restrictions or limitations for cloud-based services. However, where the use of cloud-based services entails the processing of personal data, the requirements of the data protection legislation will have to be complied with. In general terms, the GDPR will require companies using such services to:

  • Certify that when processed in the could-based platform, the personal data is processed in accordance with the data protection principles set out in the GDPR.
  • Ensure that the use of such services complies with the requirements laid down by the GDPR for international data transfers (especially relating to where the cloud service provider is located, or where data is hosted in countries that are located outside the EEA).
  • Ensure that the relationship with the service provider is regulated under a written agreement that provides the mandatory provisions required by Article 28 of the GDPR, which sets out the requirements for the relationship between data controllers and data processors.
  • Guarantee that the affected data subjects can exercise the rights recognised under the GDPR for the data stored in the cloud.
  • Guarantee that the cloud-based service is subject to appropriate technical and security measures that prevent personal data from being lost, altered or accessed by unauthorised personnel.

India Small Flag India

There are no laws exclusively regulating cloud-based services in India.

That said, sectoral regulators have from time to time indicated cyber-security measures which touch upon the dos and dont’s while utilising cloud based services. For instance, the Insurance Regulatory and Development Authority of India (IRDAI) provides guidelines on service level agreements, access control mechanisms and data security measures to be used while engaging cloud-based service providers.

Turkey Small Flag Turkey

Although there is no omnibus legislation on cloud-based services several sector specific legislations include data localization requirements (i.e. certain data of the entities must be kept within the borders of the Turkey) which might hinder the use of cloud services by the actors in their corresponding sectors. The following examples can be given for such requirements:

  • Financial Sector:
    • Article 11/4 of the Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital
    • Article 5/2 of the Communiqué on the Principles to be Considered by Information Exchange, Clearing and Settlement Institutions for the Management of the Information Systems and Audit of the Work Flows and the Information Systems
    • Article 16 of the Communiqué on the Management and Supervision of the Information Systems of Payment Institutions and Electronic Money Institutions.
    • Article 23 of the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions.
  • Fiscal Records:
    • Article 6 of the Tax Procedural Law General Communique numbered 397
    • Article 9(h) of the Tax Procedural Law General Communique numbered 433.
    • General Communique on the E-Ledger numbered 1.
  • Capital Markets:
    • Article 26/1 of the Communiqué on Information System Management
    • Article 50/7 of the Communiqué on the Principles of Establishment and Activities of the Investment Firms No. III-39.1

In addition to above, processing (including storing) of personal data is subjected to requirements under Law on Protection of Personal Data. Please refer to our answer under the question regarding “transfer of personal data overseas”.

Sweden Small Flag Sweden

Typically, a cloud service provider will qualify as a data processor according to the GDPR. In order for the processing of the data processing to be compliant with the GDPR there has to be a written contract between the data controller and the data processor. This contract is supposed to make sure that the data processor protects the personal data with all technical and organisational measures necessary to ensure the protection of the rights of the data subjects.

Switzerland Small Flag Switzerland

There are no restrictions specifically applicable to cloud services. In general, personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure its protection against unauthorised access, its availability and its integrity. Further, the use of cloud services constitutes an outsourced processing service if the personal data is not encrypted during its storage in the cloud and, in case the servers of the cloud are located outside Switzerland and the personal data is not encrypted during its transfer and storage, an international transfer of personal data (see Question 8). FDPIC has issued a non-binding guide outlining the general risks and data protection requirements of using cloud services ( Specific rules may apply in regulated markets (e.g. Circular 2018/3 relating to outsourcing issued by the Swiss Financial Market Supervisory Authority (FINMA) applies to banks and securities dealers organised under Swiss law, including Swiss branches of foreign banks and securities dealers subject to FINMA supervision).

China Small Flag China

Key restrictions applicable to cloud-based services providers are the rules in telecommunication laws and cyber security laws. Cloud-based services, as a type of VATS, is categorized in Internet Digital Center (IDC) and subcategorized as Internet Resource Collaboration Service (IRCS) of the Catalogue of Telecommunications Business (2015 Revision). To engage in Cloud-based services, entities should obtain IRCS license from MIIT. Qualified cloud-based service providers shall meet the requirements in operation funding, professional personnel, reputation and capability, registered capital and etc. according to the Administrative Measures for the Licensing of Telecommunication Business Operations (2017 Revision). Cloud-based service is not open to foreign investors, except that Hong Kong or Macao service provider may secure the IDC/IRCS license through joint ventures in accordance with CEPA.

Pursuant to the Cyber Security Law, cloud-based services providers shall duly perform their duties to protect the network security. If the facilities in providing cloud-based services are categorized as CII, the personal information collected and generated by cloud-based services providers during operating their business in China may have to be stored in China, and security assessment have to be carried out if the personal information needs to be transferred abroad.

Mexico Small Flag Mexico

Pursuant to the Regulations to the Privacy Act, Data controllers may only hire cloud-based data processing services if the relevant vendor:

i. Operates under data protection policies in compliance with the principles provided under the Data Protection Legal Framework;

ii. Provides information about subcontracted processing services;

iii. Does not claim ownership of the personal data subject to processing;

iv. Guarantees the confidentiality of the personal data;

v. Has in place mechanisms to disclose any amendments to privacy policies;

vi. Allows data controller to limit the purposes of the processing of personal data;

vii. Keeps adequate security measures for the protection of the personal data;

viii. Guarantees to supress the personal data once the services has been provided;

ix. Prevents access to the personal data by unauthorised users.

Malaysia Small Flag Malaysia

There is currently no legislation specific to cloud-based services in Malaysia and such services may be subject to other legislation depending on the services provided, in particular:

(a) cloud-based service providers which provide or intend to provide cloud-based services would need to determine whether the cloud-based services would fall under any of the licensing requirements of the CMA. The different types of licences prescribed under the CMA are addressed in Question 1 and licensing requirements would vary from different cloud-based service providers; and

(b) cloud-based service providers would fall under the purview of the PDPA as “data users - a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data” as the act of “processing” has been defined in the PDPA to include “storing of personal data”. Cloud-based service providers storing personal data using cloud-based services would have to ensure that they comply with the provisions of the PDPA.

France Small Flag France

Most, if not all, cloud-based services involve the processing and/or transfer of personal data within the meaning of the GDPR. Consequently, the clients of such services should be considered as ‘data controllers’ and must assume full responsibility to comply with the associated obligations from the beginning to the end of the processing (including those described in Questions 7 and 8), even although they might still believe that delegating their IT activities to cloud service providers should exempt them therefrom.

When qualifying as ‘data processors,’ cloud service providers must comply with a series of specific obligations also set forth in the GDPR, including, in particular:

  • to process data only in accordance with documented instructions from their clients;
  • to take all measures required to ensure a level of security appropriate to the risks incurred by the data and data subjects;
  • and to provide information as necessary (including through audits) to demonstrate that they comply with their obligations.

Where cloud-based services include standard services governed by adhesion contracts, i.e., the service provider plays a role in defining the ways and means and, possibly, the purposes of the data processing, the service provider could appear to be jointly liable with its client towards the persons concerned (‘data subjects’). This is why the GDPR requires ‘data controllers’ and ‘data processors’ to specifically define, in their agreements, the allocation of their obligations and responsibilities regarding personal data processing..

In order to help clarify such situations, efforts are being made to nurture the development of codes of conduct (such as by software end user groups), standards (for instance, SecNumCloud initiated by a government agency, ANSSI), as well as certifications.

Aside from general texts, sector-specific regulations applicable to the outsourcing of IT activities may apply to cloud based services insofar as they form a subset of outsourcing services. Recommendations or guidelines specific to cloud based services have also been issued by regulatory authorities such as the Autorité de Contrôle Prudentiel et de Résolution (ACPR), in the bank and insurance sector, and the CNIL.

Germany Small Flag Germany

There is no law that general prohibits cloud-based services in German law. But the data protection laws mentioned above set the legal framework to be complied with.

There is a guide for cloud computing (actual version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.

Moreover there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG) . Cloud computing often qualifies as “outsourcing” in this respect. Similar specifications are found in the Stock Exchange Act (BörsG) and the Securities Trading Act (WpHG) . Also for the insurance sector, special restrictions exist, e.g. section 32 Insurance Supervision Act (VAG) , according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. For usage of social data in clouds exist restrictions regulated in section 80 SGB X revised in the course of the GDPR and for taxation the restrictions are regulated in section 146 (2, 2a) tax code (AO) . According to this section books and otherwise required records shall be kept within the scope of AO, therefore in national territory.

Up to now, some professionals which are subject to professional secrecy had to face restrictions with regard to cloud-based services. For example doctors, lawyers, tax advisors and persons working in life and health insurance have a statutory duty of professional secrecy, and in case of unauthorized disclosure, this is considered a criminal offence pursuant to section 203 German criminal code (StGB) . But a recent legislative amendment of section 203 StGB also provides these professionals the opportunity to use e.g. Cloud-Services and external service providers, because pursuant to section 203 (3) StGB it is no longer a problem to pass on the information to involved persons as long as this is necessary for the using of the person’s activity and provided that proper contractual safeguards as regards data secrecy are in place.

Singapore Small Flag Singapore

Although there is presently no legislation specifically regulating cloud-based services in Singapore, cloud-based services may be subject to other general legislation depending on the scope and nature of the service. Examples of such applicable legislation are:

(a) The PDPA will apply to the handling and storage of personal data using cloud-based services. An organisation intending to adopt cloud-based services and transfer its customer data to a cloud server located outside Singapore should comply with the transfer obligations under the PDPA as discussed above. The Guide to Securing Personal Data in Electronic Medium issued by the PDPC also sets out certain recommendations for an organisation to adopt when engaging cloud-based services to manage personal data.

(b) Cloud-based services offered to consumers in Singapore will also be subject to consumer protection laws such as the Consumer Protection (Fair Trading) Act (Chapter 52A) and the Unfair Contract Terms Act (Chapter 396).

(c) For regulated financial institutions in Singapore, the Guidelines on Outsourcing Risk Management issued by the Monetary Authority of Singapore (“MAS”) sets out certain controls and measures for a financial institution to take note of when engaging in cloud-based outsourcing arrangements.

Australia Small Flag Australia

There are no specific cloud laws in Australia. The Privacy Act is principles-based, rather that pre or proscriptive with respect to specific technologies and how they relate to the collection and handling of personal information. Given the nature of cloud-based services, organisations should be particularly wary of the obligations they may have under APP 8 (discussed at question 9) and APP 11 (discussed at question 15).

United States Small Flag United States

Data protection statutes are not directed at specific technologies. Therefore, there are no regulations that apply only to cloud providers.

Japan Small Flag Japan

In Japan, there are no specific laws that directly prohibit, restrict or otherwise govern cloud-based services. Where the data being placed in the cloud is personal information/data, use of cloud-based services may be considered as constituting the provision of personal data to third-parties under the APPI, which requires the prior consent of the relevant individual (subject to certain exemptions depending on whether such third-parties are located in or outside of Japan) (see questions 8 and 9). However, the guidelines published by the Committee provide that the use of cloud services to store personal data does not constitute the provision of personal data to cloud service providers under the APPI as long as it is ensured by contract or otherwise that the cloud service providers are properly restricted from accessing the personal data stored in the cloud.

Aside from the personal data protection regulations, provision or use of cloud-based services may be subject to other restrictions depending on the nature of the services or the stored data, including consumer protection regulations and sector-specific guidelines in medical and financial sectors.

Poland Small Flag Poland

There are certain statutory restrictions applicable to cloud-based services. They result in limitations or conditions to be met, which apply to the commissioning of cloud-based services. They concern in particular the financial sector, as well as the processing of classified information, i.e. information relevant to national security.

The Banking Act of 29 August 1997 obligates the financial institution that outsources the processing of its confidential banking data, both to the cloud or conventionally, to meet the statutory requirements which may include e.g. obtaining a permission from the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego – KNF) and filing a specification of technical and organisational measures undertaken to adequately protect confidential banking data. The KNF has published its recommendations on the use of cloud-based services by entities subject to its supervision – they include planning, risk assessment, verification of the cloud provider’s reliability (based on applicable certification), etc.

Furthermore, the conditions on processing classified information in any type of information system provided for in the Act of 5 August 2010 on the Protection of Classified Information make it practically impossible to process classified information in a public cloud, because the level of actual surveillance that can be exerted over the processing of data in a public cloud is not sufficient.

Updated: February 7, 2019