Cloud Computing / July 2015

Data users using cloud services should address the following issues:

• Cloud providers should disclose to data users the locations/jurisdictions where the data will be stored so that this information may be made known to data subjects. At the same time, data users need to consider their personal data privacy responsibilities with regard to such storage arrangements. For example, personal data that is stored in another jurisdiction is subject to the laws of that jurisdiction, and access by law enforcement agencies to the data in that jurisdiction may not have the same safeguards as in Hong Kong. Restrictions on data access as stated in a contract between data users and cloud providers cannot override the law of that jurisdiction.

• Data users should choose cloud providers that would allow them to choose/specify locations/jurisdictions where there is adequate legal/regulatory privacy protection for personal data (e.g. the regulatory regime is substantially similar to that of Hong Kong and there is judicial oversight over law enforcement agencies against arbitrary data access).

II. Loose outsourcing arrangements

Cloud providers may engage their own sub-contractors. These sub-contractors may further engage their own sub-contractors in order to achieve the speed and acquire the capacity necessary to meet customers’ fluctuating computing demands. Such engagements may often be based on loosely formed contracts or informal agreements.

Data users using cloud services should be sensitised to such arrangements and ensure that data protection requirements are still effectively complied with by such sub-contractors.

Data users using cloud services should address the following issue:

• Data users need to ascertain the sub-contracting arrangements of cloud providers. If there is a sub-contracting arrangement, data users should obtain formal contractual assurance from the cloud provider that the same level of protection (both technical and administrative) and compliance controls (monitoring and remedial actions) are equally applicable to their sub-contractors.

III. Standard services and contracts

Some cloud providers operate their business in a “quick turnover” and “thin margin” manner so that they offer only a small number of services to their customers with standard contract terms.

When dealing with cloud providers that offer only standard services and contract terms, data users must carefully evaluate whether the services and the contract terms meet all security and personal data privacy protection standards they require. If there is a gap between what is being offered and what is required by data users, the gap must be addressed.

Data users using cloud services should address the following issue:

• If the standard security level or the personal data protection commitment by the cloud provider fails to meet customer requirements, data users should ask for customised service/contract terms that meet such requirements. Data users who fail to address the gap will bear the risks of data breach and misuse, and will be subject to regulatory scrutiny should such breach or misuse occur.