Cloud Computing / July 2015
Data users using cloud services should address the following issues:
• Cloud providers should disclose to data users the locations/jurisdictions where the data will be stored
so that this information may be made known to data subjects. At the same time, data users need to
consider their personal data privacy responsibilities with regard to such storage arrangements. For
example, personal data that is stored in another jurisdiction is subject to the laws of that jurisdiction,
and access by law enforcement agencies to the data in that jurisdiction may not have the same
safeguards as in Hong Kong. Restrictions on data access as stated in a contract between data users
and cloud providers cannot override the law of that jurisdiction.
• Data users should choose cloud providers that would allow them to choose/specify locations/jurisdictions
where there is adequate legal/regulatory privacy protection for personal data (e.g. the
regulatory regime is substantially similar to that of Hong Kong and there is judicial oversight over law
enforcement agencies against arbitrary data access).
II. Loose outsourcing arrangements
Cloud providers may engage their own sub-contractors. These sub-contractors may further engage their
own sub-contractors in order to achieve the speed and acquire the capacity necessary to meet customers’
fluctuating computing demands. Such engagements may often be based on loosely formed contracts or
informal agreements.
Data users using cloud services should be sensitised to such arrangements and ensure that data protection
requirements are still effectively complied with by such sub-contractors.
Data users using cloud services should address the following issue:
• Data users need to ascertain the sub-contracting arrangements of cloud providers. If there is a
sub-contracting arrangement, data users should obtain formal contractual assurance from the cloud
provider that the same level of protection (both technical and administrative) and compliance controls
(monitoring and remedial actions) are equally applicable to their sub-contractors.
III. Standard services and contracts
Some cloud providers operate their business in a “quick turnover” and “thin margin” manner so that they
offer only a small number of services to their customers with standard contract terms.
When dealing with cloud providers that offer only standard services and contract terms, data users must
carefully evaluate whether the services and the contract terms meet all security and personal data privacy
protection standards they require. If there is a gap between what is being offered and what is required by
data users, the gap must be addressed.
Data users using cloud services should address the following issue:
• If the standard security level or the personal data protection commitment by the cloud provider fails
to meet customer requirements, data users should ask for customised service/contract terms that
meet such requirements. Data users who fail to address the gap will bear the risks of data breach and
misuse, and will be subject to regulatory scrutiny should such breach or misuse occur.