Open secrets

Will data privacy laws impact cloud computing?

By Stergios Saltas, MD of Striata SA.
Johannesburg, 20 Jul 2016

The imminent Protection of Personal Information Act (POPI) and the Cybercrimes and Cybersecurity Bill (CAC) will have an impact on how South African companies store and use data. If, as Gartner predicts, the use of cloud computing will be as common in 2020 as the use of the Internet is now, companies must understand how to leverage this new way of accessing resources, without falling foul of data privacy laws.

The lack of clarity regarding these laws and how they will affect companies should not stop businesses from investigating cloud computing, as the benefits in terms of cost reduction, backup, redundancy and scalability are immense. However, it is essential to be aware of the challenges.

For vendors that provide cloud computing, and the companies that use those services, the question of data sovereignty - data being subject to the laws of the country in which it resides - is increasingly in the spotlight. For data related to South African people or entities, POPI allows for cloud computing providers to host data in countries that have equal or better data privacy laws.

Of more concern to cloud providers and users, however, is the CAC Bill. Currently in its second draft, and still expected to go through Parliament this year, the Bill gives government powers to deem certain data 'critical information' and the system it is housed on 'national critical information infrastructure'. Simply put, anything the minister of state security thinks could damage SA, its people, or its economy if lost or stolen could be declared critical information or infrastructure.

Public property

Once information or infrastructure is declared critical, it becomes subject to a number of obligations that will need to be met. These will be determined by the minister and published as regulations. They will govern things like how the information/infrastructure is accessed, where information is stored and archived, and the security measures required to protect it.

These regulations could possibly oblige companies to house critical infrastructure or data inside the country where it is accessible to the relevant state authorities, and inaccessible to foreign governments. While the detail of these obligations is yet unknown, the implications could be massive for companies leveraging cloud computing for data processing or storage.

Companies likely to be impacted (deemed electronic communications service providers in the legislation) include banks, insurers, telcos and healthcare providers; effectively, any company that stores or processes potentially 'critical' data about South Africans.

Maintaining boundaries

Data stored inside SA's borders is subject to South African law, whereas data stored outside is subject to the laws of that jurisdiction. This becomes important when governments want access to data relating to their citizens that is not housed within their own territory.

The current dispute between the US government and Microsoft illustrates the point - the US government is trying to compel Microsoft to give it access to Hotmail e-mails hosted on Microsoft's servers in Ireland. The case has gone to court and will have significant consequences if the government gets its way.

Specifically, a ruling in favour of the US government will create a precedent in which a state entity can legally demand access to data that resides outside of its jurisdiction. Consequently, this could create scenarios that infringe on people's right to data privacy, and diminish the trust they place in the organisations that house their data.

This ruling would also have a significant impact on the cloud computing industry, already experiencing a loss of faith by consumers thanks to several high-profile data breaches. The Dropbox breach in 2012 saw customer e-mail addresses stolen from a hacked Dropbox employee account. The iCloud hack in 2014 saw almost 500 private pictures of various celebrities posted on 4chan (and then shared via other sites). Also in 2014, an Amazon Web Services (AWS) customer, Code Spaces, was hacked and subsequently went out of business after attackers deleted all of the information it had stored on AWS.

For an industry looking to assure customers it can be trusted with their data, a legal compulsion to share said data will further erode that trust. Unfortunately, until POPI is fully enacted and the CAC is passed through Parliament and signed into law, the obligations of South African companies that own or process data in the cloud remain unclear.