Posted on 15-Jan-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Charles Mok, Legislative Councillor (Information Technology)
Data privacy & compliance considerations on using cloud services
Benefits of moving to public cloud
• Flexibility
• Disaster recovery
• Reliability
• Cut costs
• Scalability for expansion
• Performance
Cross-border data operations
• Dispersed data storage in multiple jurisdictions through cloud
• Outsourced data processing procedures to contractors around the world
Are these your concerns on using cloud services?
How to know the location at any point in time, its security, and who will have access?
What laws must I follow when engaging a cloud service provider to store personal data in a cloud server that is accessible outside Hong Kong?
How can my company achieve regulatory compliance with the data protection regulations in my jurisdiction?
Challenges to privacy in cloud computing
• Location of data and blurred division of responsibilities
• Complexity of risk assessment in a cloud environment
• Emergence of new business models and their implications for consumer privacy
• Data sovereignty and retention requirements
Implications on data protection and privacy
Security
• Is the data protected from theft, leakage, spying or attacks?
• What is the level of control and protection?
Residency
• Where is the data stored? Is it geographically dispersed?
• What to do with data in transit and data held outside the territory?
Privacy
• Who can see personally identifiable information (PII)?
• Storing, transferring, locating and protecting PII
Challenges of cloud and security
• Maintaining ownership and control of data
• Information on third-party services and distributed infrastructure
• Delivering resiliency, availability and flexibility of cloud services
Data protection law in HK: DPP3 of PDPO
By virtue of Data Protection Principle 3 under the Ordinance, personal data can be transferred outside Hong Kong only if the purpose of the transfer of personal data is the same as or directly related to the original purpose of collecting the data, or with the consent of the data subject.
Hong Kong: Section 33 of the Personal Data (Privacy) Ordinance
• prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met.
• Data users who, without reasonable excuse, contravene Section 33 commit an offence under Section 64A of the Ordinance which carries a fine of up to HK$10,000.
• The Commissioner may also issue enforcement notices
• Section 33 is the only provision in the PDPO that has not been brought into operation since 1995
What are the legal requirements of Section 33?
Section 33 prohibits the transfer of personal data to places outside Hong Kong unless 1 of the following 6 conditions is met:
• Destination of transfer is included in the “white list” specified by the Commissioner
• Destination of transfer has a data protection law comparable to the PDPO
• Data subject’s consent in writing to the transfer
• Avoidance or mitigation of adverse action against the data subject (proof required)
• An exemption under Part VIII from DPP3 (purpose) applies
• All reasonable precautions have been taken and all due diligence exercised against mishandling
Who is required to comply with Section 33?
Data User: a person who either alone or jointly or in common with other persons controls the collection, holding, processing or use of the data.
…what does that mean?
A person who is merely transmitting data on behalf of another and not for any of his own purposes is not a data user in relation to that data.
What types of transfers are subject to s.33?
(i) transfers of personal data from Hong Kong to a place outside Hong Kong
(ii) transfers of personal data between two other jurisdictions where the transfer is controlled by a Hong Kong data user
…when data users "consciously" engage outside parties to handle personal data and the process involves data transfer outside Hong Kong.
Voluntary compliance
Status to-date
• Business Impact Assessment by government to assess the compliance measures required of data users
• Reviewing of “White List” jurisdictions
• Consider setting a commencement date?
Still a long way to go...
• Policies and laws should evolve with cloud computing technology
• Is HK’s legal framework relevant and adequate?
• Multi-stakeholder approach in policy-making
• Maintaining standard and reliability - importance of testing & certification of cloud service providers