THE CLOUD IS HEAVY WITH DATA: OF CLOUD COMPUTING AND DATA PROTECTION

Effective data security has raised the question of data storage. In recent times, the question of data localisation has been debated across different fora. The European Court has given a judgement which has cast doubt on the concept of data transfer. Many companies with foreign cloud computing and data storage have argued against the propriety of such. The location of a multinational's data centre depends on several factors, and with the GDPR in mind many companies now decide to locate their data centres in Europe. In the last couple of weeks, several talks have been held between the US, Europe and some top US-based multinationals on privacy shields and the movement of data between the two continents.

The issue of saving in the cloud will lead many to question whether data localisation is possible. Many have pointed out that it is costly to save data locally, so it will be hard not to save data in the cloud. Many issues can also arise from saving in the cloud. Are we talking about data localisation in the sense of not using foreign cloud providers, or will we prevent our companies from using foreign cloud service providers? How many companies can even afford local cloud providers? Do we even have local cloud providers in countries like Nigeria? Do cloud providers like AWS or Google have local data centres in Africa as they do in some parts of Europe? If they don’t, any concept of data localisation is a practical impossibility as far as Nigerian data protection application is concerned. However, there is a procedure for the transfer of data abroad, and storing data in a cloud located in a foreign country is an example. The Nigerian Data Protection Regulation provides that before such transfer is conducted there should be permission received from the Attorney General of the Federal Republic of Nigeria. In Europe, after Schrems II, it is now important to conduct a data transfer impact assessment before transferring data out of the EEA.

Many companies in Nigeria still save their data in clouds owned by Google, AWS or others. From the standpoint of data security, it appears that most cloud providers don’t hold liability for what happens to your data in their cloud. In research conducted by Queen Mary University, as recorded in a Cloud Computing Law textbook edited by Christopher Millard, it was discovered that most cloud providers find a way to reduce any liability arising from data loss on their platform. If data theft or loss occurs in the cloud for any reason, the terms of service of the cloud contract have reduced the liability of the cloud provider for any loss, and so the client is at a great loss without compensation. In the same textbook, the researchers found that the concepts of data retention and data deletion after the termination of a cloud computing agreement seem not to be clear, as some cloud providers may still have your data in their data vault years after the data retention period has expired. Indemnities are also one of the issues, as cloud providers in their terms of service always state that customers have agreed to indemnify them against any case or fine that may arise due to any loss to the data of any third party the customer interacts with.

Now that it is necessary to secure the data of your customers in the light of different data protection laws, there are issues you must check before agreeing to the terms of service of any cloud provider. Of course, there are other things to look at apart from the terms of service. You may want to consider the data security and compliance issues that may relate to your business, especially if you are in the financial sector. Let's take a look at the key things to look for in the cloud service terms of service first:

1. Indemnity and Limitation of Liability Clause: It is important that you know if the cloud provider is indemnifying itself against any consequential damage. Most cloud service providers often reduce the liability they hold in case of consequential damage to your data. So it is important that you pay attention to what the clause says and negotiate a favourable position.

2. Availability of Service and Speed of Performance: One of the most important clauses in cloud terms of service is the service provision clause, which deals with the availability of the cloud service. Pay attention to what time will be excluded from availability of service, for example for emergency work or force majeure events. What percentage of availability can the cloud service provider guarantee to provide?

3. Audit Rights: You may be required by your regulator to carry out an audit on the cloud service provider; if your agreement does not make provision for this, it will be devastating. Negotiate a fair audit right that will even allow independent auditors to check the CSP when required or ordered by investors or regulators.

4. Disaster Recovery: Pay attention to what the Cloud Service Provider seeks to do in case of disaster. How will data be recovered in case of an unforeseen disaster? Outline the plan in case of a prolonged disaster.

5. Remedies: Sometimes remedies may be limited by the cloud service provider. A remedy may not necessarily mean payment of monetary reward; it may consist of repairs, credits on the next invoice or other possible remedies. Hardly will any cloud service provider assure refunds. However, the customer can request the cloud service provider to conduct a root cause analysis on the situation to discover where the liability arises from and look for how to negotiate compensation.

6. Data Security and Incidents: Pay attention to the level of data security afforded by the services. What shall be done in case of a data incident, how will it be notified (the timeframe for notification must be stated), and how much will be mitigated and controlled? Look at what security responsibilities fall on the customer and what liabilities arise from failure on the customer’s part.

7. Termination: What will happen after the cloud service has come to an end? How will the services be terminated? On what grounds will the termination be based? Is there any situation or action from a customer that will force the CSP to terminate the cloud service agreement? Such must be clearly stated. Data retention issues after termination should also be looked into. What about the position of the CSP on data porting or movement of data to another CSP after termination?

8. Data Protection Clause: The data protection clause may include important issues such as data localisation, third party data access, data export, data deletion, data subject requests etc. (Some experts have advised that a separate data protection agreement be executed by parties in a cloud computing deal.) With the recent debate on data localisation, be sure that the cloud service provider has a data centre in a territory closer to you or within the jurisdiction of the data protection regulation regulating you. Will the data stored in the data centre within the jurisdiction be open to access from outside the jurisdiction? If so, it implies data is being transferred outside the jurisdiction. Also, pay attention to the permitted or restricted data transfers as provided by the terms of service. Be sure whether the information shared will be shared with a third party. How will you handle any customer data subject request? If, after data erasure by the data collector, the data processor (in this case the cloud provider) still holds on to the data of the data subject, what will be done, and how long will such data be retained? On data deletion, the UK Information Commissioner’s Office noted in its guidance on deleting data from computers, laptops, and other devices that popular means of securely deleting data, such as using overwriting software, may not be achieved easily in the cloud and that customers need to discuss with their provider what service they offer to delete data.

The text on Cloud Computing Law edited by Christopher Millard raised an important observation on data backup plans as part of cloud service agreements or terms of service. It is observed thus:

“Many providers, including AWS, do not include backup as part of their standard services, though in some instances it can be purchased as a separate service: if customers pay extra, the provider undertakes to make backups and assumes liability for backup integrity and data loss. In any event, customers may need to consider the extent to which force majeure provisions apply generally. The marked increase in cyberattacks by nation-states and their proxies may raise questions as to which events will be considered force majeure events on the basis that they could constitute acts of war and/or terrorism... Providers such as AWS stress that cloud involves shared responsibility. Both customers and providers have responsibility for data integrity, backup, and security, and allocation of responsibilities and risks needs careful consideration. Customers generally have more control with IaaS/PaaS than with SaaS. Our interviewees who were more technically aware, such as technology businesses or integrators, tended to recognize the need for their own backup strategy, rather than expecting providers’ basic services to include backup. An integrator using cloud to provide SaaS services to its own customers implemented its own disaster recovery procedures, backing up or ‘failing over’ to the same or separate data centres or another provider, depending on end users’ risk tolerance.”

The foregoing finding reveals that it is necessary for the parties to discuss the data backup plan, to be sure whether separate payments will be made for it or to look for an alternative. Many experts have advised that data should be backed up at a site outside the original location and that such a backup should be placed offline locally to allow accessibility and availability where there is an internet shutdown or downtime.

In conclusion, it is important that you pay attention to the security facilities of the CSP before seeking to negotiate a cloud service agreement or terms of service. Well-conducted due diligence must be carried out on the potential CSP on several issues ranging from security, legal, commercial and others. Experts have advised that, aside from your cloud terms of service, it may be necessary to have a non-disclosure agreement to ensure confidentiality of your information, as most CSPs don’t assure confidentiality of your data. Dealing with data transfer issues is a big headache for CSPs and their customers, so it is important for a company wishing to take on a potential CSP to stay safe by considering the location of the CSP’s data centre. The Cloud is now heavy with data but it may rain fine if care is not taken.

"Your cloud service provider is going to give you a contract and that contract will have certain security and privacy provisions in it. And you need to make sure how you’re using the cloud is consistent with your contractual language. And a lot of those cloud providers are going to be pushing the liability onto the user, the organization that is using that surface. You need to make sure you’ve shored up those liabilities and try to buffer that. And part of that is going to be your cyber liability insurance. If you’re using the cloud, insurance is going to look at you a little differently than if you’re using an on-prem." — Rebecca Rakoski, Managing Partner, XPAN Law Group
