Banking and Finance Bulletin
April 2015

Data sovereignty over data in the cloud

Jonathan Kok
Storing Data in the Cloud
One aspect of cloud services that is seldom considered is the sovereignty of a country
over the data that is stored in that country as part of a cloud service. Most
organisations sign up for cloud services without seriously considering the
implications of their data residing in various jurisdictions. They seldom ask the cloud
provider where their data is stored and who exactly provides the storage
service. The cloud provider that the organisation signs up with is not necessarily
the party providing the storage service, as that service may be outsourced to
another party that can provide it from a location where the cost is lower.
In the not-too-distant past when cloud service was still a novelty, most
organisations would store their data in local servers, and even if they outsourced
the back-up and storage of their data to a third party, they would know exactly
where their data was located as most third party storage providers had their own
dedicated servers. However, with cloud computing, the location of an organisation’s
data and the jurisdiction over the data stored in that location might not be revealed
to the organisation.
With cloud storage, issues concerning the security and storage of data in the cloud
become real and organisations need to address these issues before migrating their
data to the cloud.
Cloud computing refers to users sharing or storing their infrastructure or
content on remote servers that are accessible online. This can take the form of
infrastructure as a service (IaaS), platform as a service (PaaS) or software as a
service (SaaS). In a cloud structure, the cloud servers provide computation, software,
data access and storage resources without requiring users to know the location and
other details of the computing infrastructure itself, as the cloud service can be
accessed from anywhere with Internet access.
Note: This article is only intended for general reading. Under no circumstances is it to be relied
upon in substitution for specific advice on any issue(s) that may arise relating to its subject matter.
Asia > Middle East > Europe
International Capabilities Delivered Locally
Page 1
Problems Arising
A. Jurisdictional Issues
One consequence of such a structure is that cloud providers may site their
servers in multiple jurisdictions and thereby transmit data from one location to
another, subjecting the data to the laws of each jurisdiction through which it
passes. They may also decide to transfer data from one data centre to another for
cost-saving reasons, and each data centre may be located in a different jurisdiction,
each with its own laws governing the collection, possession and transfer of data.
This may result in the data being transferred to an undesirable jurisdiction where
the data could be subject to unacceptable controls or legal obligations (e.g. the data
protection laws of that jurisdiction). This exposes the data to data sovereignty
risk.
B. Data Sovereignty
“Data sovereignty” refers to a country’s laws that have control over data residing in
the country’s jurisdiction. The data laws of a country could restrict cross-border
transfer of data. It could also impose legal requirements that may conflict with
those of the user’s own country. The data laws having jurisdiction over data may
change as the data is transferred across borders. Different legal obligations
regarding privacy, data security and transfer obligations may apply if the data is
hosted in different countries or is controlled by different cloud providers.
Unfortunately, there is no uniform worldwide standard in the laws governing data
protection. Differences in the laws of the countries where the data are stored and
where the third party storage provider is based can create complex compliance
issues.
Taking the case of Singapore: Any organisation that stores its data outside of
Singapore must take reasonable steps to confirm that the recipient provides a
standard of protection that is comparable to the protection under the Personal Data
Protection Act 2012 of Singapore (“PDPA”). Unless an exemption applies, an
organisation which fails to do so would be liable for breach of its transfer of data
obligation under s 26(1) of the PDPA.
However, some regulators, especially those regulating banks and financial
institutions, and some government agencies, such as defence contractors, may
require that data be hosted exclusively in Singapore in order to maintain physical
jurisdiction over the data, particularly if most of the data generated and processed
by these organisations are sensitive in nature. These organisations would then have
to engage cloud providers that will host the data exclusively in Singapore.
Recommendations
To address potential data sovereignty issues, organisations can begin the process by
analysing the various technical, legal and business issues in turn. They should
conduct a detailed analysis of: (a) the legal and other constraints on their various
activities and digital assets; and (b) the application of particular provisions of
applicable laws in the relevant jurisdictions.
Organisations should also be cautious about the nature of the data to be
transferred, the potential interests of the organisations regarding the data and the
increased need to fully understand the characteristics of the foreign legal
environment. They should develop a policy or strengthen their existing data
protection policy to deal with the jurisdictional issues arising from storing data in
the cloud.
Before engaging a cloud provider, organisations should conduct due diligence on
the cloud provider. In this connection, they should inquire into its financial
condition, infrastructure, data centre locations, security procedures, disaster
recovery plans and insurance coverage. They should also evaluate the relative risks
inherent in the cloud environment and implement effective mechanisms to prevent
and mitigate harm to their business.
Some organisations are adopting a hybrid policy where they contract with different
cloud service providers that maintain local data centres and comply with the local
legal requirements of the country in which the service provider operates.
In developing a cloud data location and control policy, the organisation should
consider:
> What statutes, codes and standards or rules of practice the organisation is obliged to comply with?
> What jurisdictions can affect the data, either through its location or the entities that control the data?
> Whether there is any particular data which must be or ought to be kept under its control (especially if it is regulated by an organisation) and within the jurisdiction in which it is located?
> How should it respond to such requirements?
The policy should take into account the organisation’s risk profile, technical
infrastructure and operational conditions. It should be able to analyse the situations
where the organisation is required by the laws of Singapore to retain the data in
Singapore or under the control of an entity governed by the laws of Singapore.
If an organisation does not have in-house capability to analyse and develop such a
policy, it should consult data storage and information management professionals to
provide practical advice on this matter.
For more information, please contact:
Jonathan Kok
Head, Intellectual Property & Technology
(65) 6381 6980
[email protected]
© RHTLaw Taylor Wessing LLP 2015
This publication is intended for general information and to highlight issues. While we endeavour to ensure its accuracy and completeness, we do not represent nor
warrant its accuracy and completeness and are not liable for any loss or damage arising from any reliance thereon. It is not intended to apply to specific circumstances or to constitute legal advice.
RHTLaw Taylor Wessing LLP (UEN No. T11LL0786A) is registered in Singapore under the Limited Liability Partnerships Act (Chapter 163A) with limited liability.
RHTLaw Taylor Wessing LLP is a Singapore law practice registered as a limited liability law partnership in Singapore (“The LLP”). It is a member of Taylor
Wessing, a group which comprises a number of member firms which are separate legal entities and separately registered law practices in particular jurisdictions.
The LLP is solely a Singapore law practice and is not an affiliate, branch or subsidiary of any of the other member firms of the Taylor Wessing group. A list of all
Partners and their professional qualifications may be inspected at our main office at Six Battery Road #10-01, Singapore 049909.