“Clouds Come Floating into my Life…”
Clouds come floating into my life, no longer to carry rain or usher storm, but to add color to my sunset sky.
Rabindranath Tagore, Stray Birds
Cloud computing, along with Big Data, social media, and mobility, is one of the current megatrends that will drive huge changes to the business ecosystem in the next decade. Surveys carried out in recent years unanimously confirm that organisations across the globe are moving rapidly and continuously towards the cloud. For instance, the 2016 IDG’s Enterprise Cloud Computing Survey revealed that 90% of all organizations today either have applications running in the cloud or are planning to use cloud applications in the next year. Furthermore, the worldwide public cloud services market is projected to grow 18% in 2017 to a total of USD 246.8 billion, according to Gartner, Inc., another research firm. It has already become an increasingly mainstream thing not only for large companies, but also for small to medium-sized companies, to develop and then implement their strategies on migration to the cloud.
To date, there are multiple cloud computing models used by companies to meet their business needs, including public, private, community and hybrid, delivering platform, infrastructure or software as a service. However, all these models intrinsically imply that the cloud computing services are rendered via the data centres often located outside of the state where the cloud customer is established. Ultimately, it is fair to say that cloud computing services have broken traditional geographical boundaries and are based on efficient cross-border flow of data. Given the fact that the laws and regulations governing a particular jurisdiction vary substantially, this brings on manifold jurisdictional concerns and complexities impacting cloud service providers (CSPs) and cloud customers. As a result, companies moving to the cloud are becoming increasingly concerned with data security, privacy and access control issues.
On a general note, Ukraine has not yet enacted any sector-specific regulations governing cloud computing. The only legal act defining the term “cloud computing” is the Law of Ukraine On Public Procurements. This definition mirrors the proposal of the U.S. National Institute of Standards and Technology to define cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. That said, data protection and other legal issues deriving from the use of cloud computing services are governed by general rules envisaged by the Law of Ukraine On Personal Data Protection (PDP Law), the Law of Ukraine On Protection of Information in Information and Telecommunication Systems (Information Systems Law), etc. The Draft Law On Amendments to Certain Laws of Ukraine Regarding Processing of Information in Systems Using the Technology of Cloud Computing (Draft Law), embodying rules on cloud computing, was prepared for its second reading back in November 2016 but still remains on the shelves of the Ukrainian Parliament.
The Information Systems Law lays down the legal framework for protection of information in information and telecommunication systems. Specifically, the owners of such systems are in charge of ensuring protection of information. The procedure and conditions for protection of information, as well as its processing, are to be set out in an agreement between the owner of a system and the owner of information. In addition, the procedure for access to the information, the list of users and their rights shall be determined by the information owner. Conceivably, the CSPs operating data centres or other automated means physically located on the territory of Ukraine would qualify as owners of information systems subject to the mentioned statutory requirements.
It should be noted that there are serious concerns as to which data protection laws should apply to the processing of data using various cloud computing models. By its nature, cloud computing means that the data processed in the cloud may flow across many jurisdictions with no practical possibility of identifying its location, who processes it, or how it is processed at a particular moment. This creates uncertainties and potential conflicts as to whether those responsible for data processing under data protection laws are in a position to effectively assume their responsibility when the processing occurs in the cloud. Practically, it may be argued that Ukrainian law should apply when the data subject is a Ukrainian resident, when the data controller is established under Ukrainian law and processes personal data in the context of its activities in Ukraine, or when the processing of personal data occurs via the use of equipment situated on the territory of Ukraine. However, given the absence of any guidance in Ukrainian law, the issue of whether Ukrainian data protection law applies should be resolved on a case-by-case basis.
Ukrainian law does not provide for legal instruments allowing the export of data protection legislation if the cloud customer is established in Ukraine while the CSP is located in the EU. However, it may be argued that, since the Ukrainian PDP Law was adopted in the course of harmonization of the national and the EU data protection regime set out, inter alia, by the Data Protection Directive 95/46/EC, the same practical application and enforcement principles should also work in Ukraine.
Besides, on 25 May 2018, the EU General Data Protection Regulation (GDPR) will supersede the current 95/46/EC Directive and all local laws relating to it. The GDPR is accompanied by the Privacy Shield Framework, which replaces the Safe Harbour Framework enacted to regulate EU — US transatlantic data flows. One of the key novelties is that the GDPR will apply not only to all EU member states but will also have extraterritorial jurisdiction over companies headquartered outside the EU that process the personal data of EU residents. Thus, the GDPR may reach Ukrainian companies where their processing activities are related to offering goods or services to EU data subjects or to monitoring their behaviour (e.g., tracking online activity) within the EU. In other words, Ukrainian companies interacting in some way with personal data of EU residents may become directly subject to the GDPR.
Pursuant to the PDP Law, data subjects must be informed who processes their data, for what purpose and where their data is located. In the context of the PDP Law, cloud customers would in most cases qualify as data controllers and the CSPs would be deemed data processors. The potential pitfall of deploying cloud computing, where shared systems and infrastructures interact dynamically, is that the cloud customers or even the CSPs may lack control over personal data. Consequently, the CSPs’ obligations and responsibilities stemming from data protection legislation should be set out clearly in an agreement with the cloud customer and not dispersed throughout the chain of outsourcing or subcontracting, in order to ensure effective control over, and allocate clear responsibility for, processing activities.
Ukrainian law expressly requires a written agreement between a data controller and data processor, although it is silent as to the specific terms and conditions pertaining to personal data protection that should be reflected in such agreement except for the scope of data and purpose of data processing. There are no guidelines as to the requirements for a cloud computing services agreement with CSPs either. The Draft Law tries to handle this issue and specifies a detailed checklist of terms and conditions for such contract which include, among others, (i) obligations of CSPs to take measures against unauthorised access to information in the system, (ii) breach reporting procedure, (iii) terms and procedures for access of customers to the platform, infrastructure and applications, (iv) procedure for erasing information, etc.
In practical terms, CSPs offer standard-form terms and conditions, which are often one-sided in their favour. Thus, their customers often face difficulties in negotiating the contractual terms for using cloud services. The 2012 Sopot Memorandum prepared by the International Working Group on Data Protection in Telecommunications lays down a set of practical recommendations for agreements with CSPs to address this situation. Notably, it is recommended that such an agreement provide for (i) a complete list of information in advance about all physical locations in which, throughout the duration of the agreement, data may be stored or processed by the CSP and/or its subcontractors, (ii) a prohibition on transferring data to locations other than the physical locations listed in the contract, (iii) an obligation of the CSP not to use the controller’s data for the CSP’s own purposes, etc.
Processing of personal data in different geographic locations has a direct impact on potential threats and risks that data subjects (cloud customers) may face. The PDP Law does not restrict personal data transfers to a foreign recipient if the relevant foreign country ensures an adequate level of personal data protection. The PDP Law recognizes EU member states as well as signatories to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), as countries with an adequate level of personal data protection. No other countries have so far been afforded such status under Ukrainian law.
By contrast, transfers of personal data to third countries which do not offer an adequate level of data protection require specific safeguards. Notably, the PDP Law permits transfer of personal data to these third countries provided that (i) the data subject has explicitly consented to such transfer (in a written or electronic form); (ii) there is a need to enter into a contract or perform a contract between data controller and the data subject; (iii) vital interests of the data subject require protection; (iv) public interest requires protection, or there is a need to ascertain, perform or secure a legal claim; (v) data controller guarantees privacy of personal and family life of the data subject (although no further details are provided as to how such guarantee should be issued and implemented).
Apart from personal data, cloud customers normally use the cloud for storage of confidential information and other sensitive business data. Therefore, concerns regarding guarantees ensuring protection of information stored in the cloud from unauthorized access by third parties, including Government agencies, are becoming very pertinent for any cloud customer. The risk always remains that personal data and other information stored or processed via the cloud may become subject to requests from law-enforcement agencies of Ukraine or a foreign state.
It is well known that the move to cloud by Ukrainian business in the recent years has been driven by the acute problem of seizure of servers or other equipment by law-enforcement agencies. The cloud, allowing storage and processing of data abroad, is often perceived as a more reliable and secure instrument.
In fact, Ukrainian law does not provide for the legal possibility for Ukrainian law-enforcement agencies to directly liaise with the CSPs seeking to compel them to disclose data stored in another country. However, Ukrainian criminal procedure law provides for various legal mechanisms enabling the competent Ukrainian authorities (e.g., the Ministry of Justice of Ukraine, Prosecutor-General’s Office of Ukraine) to approach Government authorities in other countries seeking legal assistance within criminal proceedings. In addition, Ukraine has been a party to the Convention on Cybercrime since 2005, which also sets out basic rules on mutual legal assistance for the purpose of collection of evidence in electronic form (i.e. evidence generated by or stored on a computer system) for use in criminal proceedings.
Interestingly, in 2015 — 2016, Ukrainian local courts issued several orders requiring Facebook Inc. to provide temporary access to its facilities in the UK so that Ukrainian law-enforcement officers could access Facebook servers located in the UK and copy the requested electronic data. Remarkably, this request to provide electronic data was delivered directly to a foreign legal entity without being submitted through the competent Government authorities of Ukraine or the UK as intermediaries.
On the other hand, it is not only Ukrainian law-enforcement agencies, but also foreign complainants and Governments, that may be afforded access to personal data and other sensitive information in the cloud, since such data is subject to the disclosure rules applicable within the jurisdiction where the data centres are physically located. Thus, a diligent and thorough review of contractual terms, as well as attention to the jurisdictions where the servers and data centres will be located, should be a “must” for any cloud customer.