Cloud technologies and personal data
Today, cloud technologies are no longer considered something new and extraordinary. Having appeared in 2006, cloud computing has penetrated into various IT fields, it being reflected in the changes in the approaches to organizing and conducting business. Owing to their flexibility and mobility, and having no prototypes in the world, cloud services and technologies began to grow in demand on the market. Let’s take, for example, the increase in investment by businesses in cloud infrastructure and services, which, according to expert projections, will reach an unprecedented amount by 2019 - 312 billion dollars – and will continue to grow annually by 15%.
In the most general sense, a cloud service refers to an automated means of providing computing power, including software, remotely via the internet at the client’s request. Cloud services, the best known today being Amazon, Alphabet, Microsoft and IBM SoftLayer, include the following features: the possibility of providing universal access to the internet, self-service, keeping track of the data used, the possibility of combining resources. As A.I. Savelyev aptly notes, at the moment a number of existing organizations use “cloud” technologies in their infrastructure, and users usually get modern digital services from the “cloud”. Mobility, affordability and the possibility of reducing IT-infrastructure costs are definitely strong advantages of cloud technologies.
In the technical, as well as in the legal field, there is still no clear definition of the cloud service and cloud computing concepts. At the same time, the draft law “On amendments to certain legislative acts of the Russian Federation regarding the use of cloud computing” is going to introduce the concept of “cloud computing services”, which is defined as follows “services related to computing power (including providing hardware and a software license) for processing and storing the information of the consumer of cloud services using hardware that interacts through information and telecommunication networks”.
Taking into account the forecast of the Ministry of Communications and Mass Media of the Russian Federation (Minkomsvyaz), according to which the use of cloud services in the corporate sphere in Russia will be widespread by 2018, especially among small and medium-sized, and that the global market of cloud computing may reach 240 billion dollars by 2020, questions of a technical and legal nature arise. Often the cloud stores or cloud servers process sensitive information, for example, a trade secret, confidential information, physician-patient privilege and personal data. For quite some time now personal data have been referred to as “the new oil” or “the new currency” in the digital world, as this information is very valuable to companies and businesses as a whole. Lately, personal data has garnered the attention of not only businesses but the regulatory authorities as well. Using cloud services to process sensitive information, including personal data, raises many additional questions. Hence, for example, it is not very clear which regulations should be applied if the provider of a cloud service is registered on the territory of a foreign state and whether or not localization regulations can be applied to him? How does a cloud service provider secure the data? How should access to processed personal data by the staff of a cloud provider be classified under the legislation on personal data, will it be considered as a data transfer or a processing request? Some of the questions mentioned will be examined below.
Personal data processor
Under the Law on Personal Data, an entity providing “cloud” services is a processor, although, at the moment, the term has not been codified by law. Article 6, part 3, of the Law on Personal Data only specifies an entity that processes personal data at the operator’s request. It should be noted that the State Duma of the Russian Federation has passed in first reading the draft of Federal Law No. 416052-6 “On amendments to the Federal Law on Personal Data” and Article 28.3 of the Code of Administrative Offenses of the Russian Federation” (hereinafter – Draft Law). This Draft Law, in particular, introduces the concept of “processor” and defines it as “an entity that processes personal data at the operator’s request”.
The difference between an operator and a processor lies in the purpose of data processing. A processor processes personal data with the sole purpose of fulfilling the terms of the contract signed with the operator (and to have the latter satisfy the contractual terms in return). Also, a processor does not interact directly with the subject of personal data and does not receive his/her consent to process data (this has been clearly enshrined in the effective revision of Article 6, part 4, of the Law on Personal Data, as well as in the Draft Law).
To recruit a processor, the operator has to send a processing request, for example, under a “cloud” service contract. The request should contain a list of actions (operations) with personal data to be performed by the processor, the purpose of processing, indicate that the processor’s obligation is to keep information confidential and secure, and specify the requirements to the protection of personal data.
An important condition for recruiting a processor, including a provider of a “cloud” service, is obtaining consent from the subject of personal data. This requirement is specified in Article 6, part 3, of the Law on Personal Data. The requirements as to form of consent have not been established by the legislation. Article 9, part 1, of the Law on Personal Data only specifies that the subject’s consent may be obtained in any form confirming its receipt. Thus, the operator may receive consent from the subject in electronic form, if the latter can be confirmed.
It is always the operator, and not the processor, that is held liable before the subject of personal data. The processor is held liable before the operator.
Applicability of the localization requirement to cloud services
Pursuant to Article 18, part 5, of the Law on Personal Data, when collecting personal data, including using the information and telecommunication network called the internet, data operators shall ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of the citizens of the Russian Federation using databases located within the territory of the Russian Federation.
Naturally, this raises the question of whether or not the data localization requirement can be applied to “cloud” service providers on the territory of the Russian Federation.
To answer this question, one should look at the wording of part 5, Article 18, of the Law on Personal Data. It talks about the collection of personal data, including using the internet. The term “collection” has not been defined in the Law on Personal Data. According to the explanation given by the Ministry of Communications and Mass Media of the Russian Federation “collection” is to be understood as follows: a targeted process where the operator obtains personal data either directly from the subject of personal data or through third parties recruited specifically for this purpose.
If there is no collection, then there is no obligation to localize. Thus, a provider of “cloud” services is not obligated to localize his databases if he is not collecting personal data. Data is usually collected by the operator. He, on the other hand, is obligated to localize his databases. Subsequent transfer to a “cloud” provider may be effected to foreign servers.
Contract with a provider of “cloud” services
For have one’s relationship with the provider regulated, one must sign a contract with him. The contract should specify:
(1) the obligation of the provider to adhere to the principles and rules of processing personal data stipulated by the Law on Personal Data;
(2) list of actions (operations) with personal data to be performed by the provider;
(3) the purpose of processing personal data;
(4) the obligation of the processor to keep information confidential and secure;
(5) requirements to the protection of personal data in accordance with Article 19 of the Law on Personal Data.
In this article our aim is not to describe in detail the content of the contractual requirements stated above. However, we consider it necessary to provide examples of other provisions which we also recommend introducing to the contract with a provider.
Other than mandatory provisions, we recommend specifying the following in the contract with a provider:
(1) actions with personal data (transfer to the operator, destruction) undertaken when a contract is terminated;
(2) processing of personal data directly by the provider or by recruiting third parties;
(3) order and time period for notifying the operator about inquiries submitted by the subjects of personal data, the authorities to the processer as to appropriate processing of personal data, as well as regarding security threats;
(4) reimbursement of the costs incurred by the operator when the provider violates the terms of processing of personal data.
In addition, we recommend specifying in the contract that the provider is not collecting personal data on account of the localization requirement examined above.
Recommendations to companies when using cloud technologies
Based on the above, a number of recommendations can be given to both, data processors and operators.
Recommendations to data processors:
- Process personal data for the purposes initially discussed and agreed upon with the cloud customer or with the operator under the processing contract.
- Ensure compliance with all the legislative requirements on personal data within the operator – processor interaction. Specific rights, obligations and guarantees can be specified in the personal data processing contract between the operator and processor, which we recommend signing.
- We recommend developing an action plan for deleting personal data from the cloud immediately upon the personal data subject’s request, which, in its turn, will require, first of all, an organized data storage system.
- If cloud services are provided under a processing contract, specify the possibility of recruiting subcontractors or other third parties for the processing of personal data and/or their storage and discuss these terms with the subject of personal data or the operator who has recruited the processor. In addition, when working with subcontractors, specify the same scope of obligations in the contract as in the personal data processing contract or any other contract with a provider of cloud services.
Recommendations to data operators
- In your contract with the provider of a cloud service list in detail the requirements to the protection of personal data in accordance with Article 19 of the Law on Personal Data and the provider’s (processor’s) liability if the terms of processing of personal data are violated.
- When collecting personal data for the first time, use servers located in Russia to comply with the localization requirements.
- Obtaining consent from the subject of personal data to recruit a processor under a processing contract.
- In the personal data processing request indicate that the processor’s obligation is to keep information confidential and secure when processing personal data.
These recommendations will enable you to organize the interaction between a data operator and a data processor in the most effective way and take into account the interests of the subject of personal data when processing personal data using cloud services.
 Gartner (August 26th, 2015) Forecast Analysis: Public Cloud Services, Worldwide, 2Q15 Update.
 According to the explanation provided by the National Institute of Standards and Technology USA a cloud service is an information technology concept that enables network access to a shared pool of configurable computing resources. For details see: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Ref....
 A.I. Savelyev. “The legal nature of “cloud” services: freedom of contract, copyright law and high technologies”//Civil Law Review. 2015. V.5. No. 5//Available at Legal Reference System “ConsultantPlus”.