Legal update: Cloud computing in Hong Kong

DLA Piper's Louise Crawford (left) and Edward ChattertonThe Hong Kong Privacy Commissioner for Personal Data (PCPD) recently published an information leaflet outlining the application of the Personal Data (Privacy) Ordinance (the PDPO) for data users looking to engage cloud providers. The information leaflet outlines the data protection principles (DPPs) which apply in the context of cloud services, and highlights the particular characteristics of cloud computing that give rise to risks from a privacy perspective.

What is cloud computing?

While there is no universally accepted definition of cloud computing, the PCPD refers to it as "a pool of on-demand, shared and configurable computing resources that can be rapidly provided to customers with minimal management efforts or service provider interaction." In essence, it involves the storing and processing of data on computers in multiple locations, which are accessed over the internet. This differs from outsourcing which usually involves the customer's infrastructure being managed by a third party, and is also a departure from traditional software licensing or purchase of "on-premises" hardware.

The main benefit of cloud computing is that customers can avoid making the significant investment in IT infrastructure which would otherwise be needed in order to host large volumes of data. All they need is an internet connection, and this permits them to access their data from anywhere in the world. Cloud computing may also enable organizations to exploit other technologies that can give them a competitive advantage, such as big data analytics, which would otherwise be unmanageable given the magnitude and diversity of data involved.

Why does cloud computing engage data privacy law?

Cloud solutions can be used to process all kinds of data, but where that data is "personal data" (that is, it can be used to ascertain the identity of an individual), then the PDPO applies, and the interests of the following parties are engaged:
Data User -- The entity or organization that controls the collection and use of the personal data, and that chooses to adopt cloud services as part of its data management strategy.
Data Subject -- Any individual whose personal data is being processed via the cloud services, e.g. an organization's customer or employee.
Data Processor -- The entity that provides cloud services.

"Under the Hong Kong law (and indeed in many other legal systems), responsibility to comply with privacy law rests with the data user, regardless of the action or inaction taken by the data processor."
-- Edward Chatterton and Louise Crawford, DLA Piper Hong Kong

Under the Hong Kong law (and indeed in many other legal systems), responsibility to comply with privacy law rests with the data user, regardless of the action or inaction taken by the data processor. Accordingly, when engaging a cloud service provider, the data user should be mindful that responsibility for any breach of the PDPO lies with the data user, even if the breach is caused by the cloud service provider.

As a corollary of this, data users should select their cloud providers carefully, impose robust obligations upon them in relation to processing personal data, and obtain contractual indemnities in relation to any breaches. Taking these steps is not only important from a risk management perspective, but it also meets a statutory obligation under the PDPO: when engaging data processors, data users are required to use "contractual or other means" to ensure that:

(i) personal data is not retained by the data processor for longer than is necessary (sometimes referred to as the "Retention Requirement"). This requires the data processor to comply with the data user's retention policy and to return (or destroy) personal data in its possession upon termination of the services; and

(ii) personal data is protected against unauthorized or accidental access, processing, erasure, loss or use (sometimes referred to as the "Security Requirement"). The security measures necessary to meet the Security Requirement are not prescribed, however measures such as encryption, anti-virus software, firewalls and physical security measures are considered best practice. The PCPD makes reference to the ISO 27018 Code of practice for personally identifiable information (PII) protection in public clouds acting as PII processors, which provides specific guidance for cloud providers, and may assist data users in selecting their cloud provider. However, as the PCPD makes clear, compliance with this standard is neither mandated by law, nor guaranteed to achieve compliance with the law.