Data Privacy and Security Considerations for the Smart Banking Era
Cloud computing has become part and parcel of businesses’ daily operations, from real-time processing and managing user inputs to data storage. A much talked-about example is Alibaba Cloud technology’s success in processing up to USD 1 billion of gross merchandise volume in 68 seconds with zero downtime during the double-11 online shopping campaign. Indeed, more and more financial institutions are considering, or are in fact using, cloud computing as the underpinning technology in digitalising their banking services to keep up with the public’s expectations for online banking.
The Office of the Privacy Commissioner for Personal Data (PCPD) generally defines “cloud computing” as “a pool of on-demand, shared and configurable computing resources that can be rapidly provided to customers with minimal management efforts or service provider interaction”. Inevitably, cloud computing will be used to process personal data, which is defined under the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”) as any data that relates directly or indirectly to a living individual, from which it is practicable to identify such an individual and in a form in which access to or processing of the data is practicable.
Pursuant to Section 65(2) of the PDPO, “any act done … by a person as agent for another person with the authority … of that other person shall be treated … as done or engaged in by that other person as well as by him.” To put it simply, data users are ultimately accountable for any data breach committed by their cloud providers or any outsourced data processors.
Principles in using cloud computing in handling personal data under the PDPO
The legal risks associated with the use of cloud computing mainly relate to (i) the loss of, and/or (ii) the lack of control over, the use, retention, erasure and security of personal data entrusted to cloud providers.
In general, the six data protection principles (the DPPs) set forth in the PDPO provide basic guidance to data users on the treatment of personal data collected, some of which are more significant as far as the engagement of cloud providers or any outsourced data processors is concerned.
Apart from the above general guidance, certain unique characteristics of cloud computing may affect how financial institutions devise their personal data handling policies:
(i) Rapid transborder data flow
Often for security reasons and for speed efficiencies, cloud data centres are located across multiple jurisdictions. In such cases, personal data would likely flow from one jurisdiction to another according to the cloud provider’s algorithms. Section 33 of the PDPO imposes restrictions against the transfer of personal data outside of Hong Kong. While there is no statutory definition of “transfer” of personal data, the PCPD has referred to the passing of personal data to data processors outside Hong Kong, and the sharing of personal data of employees/customers with affiliated companies worldwide by storing the data in a centralised database, as transfers of personal data outside Hong Kong. Although this section has not come into effect yet, the PCPD has repeatedly stressed the importance for data users of adopting good practices that are compliant with Section 33 of the PDPO. Accordingly, financial institutions should have full knowledge of the locations of the cloud data centres, and it would also be ideal if financial institutions were allowed to choose the specific location(s). It is also important to enter into enforceable contracts with any data processors which ensure that personal data transferred from the financial institutions are given protection equivalent to that provided for by the PDPO.
(ii) Service and deployment models
Some data users may be at higher risk when engaging cloud providers who also provide cloud deployment models. Some arrangements for the usage of such services would also involve cloud service providers gaining more control over the data that is stored on the cloud. In order to adequately protect the personal information collected by financial institutions, it is of paramount importance for financial institutions to understand and ascertain the scope of usage and to negotiate the necessary controls by way of contracts.
(iii) Data protection laws in other jurisdictions
On a related note, data users should be aware of foreign regulations that have extraterritorial effect, such as Europe’s General Data Protection Regulation (GDPR), as it seeks to regulate companies outside Europe which collect personal data of European citizens. It is important to note that the GDPR generally has much stricter interpretations and regulations on how personal data may be collected and handled.
Security considerations on cloud services
With regard to licensed institutions, the Securities and Futures Commission (SFC) issued a circular (the SFC circular) on 31 October 2019 regarding the use of external electronic data storage to keep regulatory records. It emphasises that licensed institutions should remain in full compliance with the existing regulatory requirements and ensure the SFC’s access to those regulatory records as required for legal proceedings initiated by the SFC or the Department of Justice. The regulatory records should provide detailed and complete audit trail information in a legible form. The licensed institutions should also designate at least two individual experts to be the Managers-In-Charge of Core Functions (MICs) in Hong Kong who are authorised to access all of the regulatory records kept with an external electronic data storage provider (EDSP) at any time. The MICs will become the main contact persons to provide all necessary assistance to the SFC when it accesses the regulatory records.
Prior approval must be obtained for the selection of premises used by the EDSP under Section 130 of the Securities and Futures Ordinance (the “SFO”). Licensed institutions should also keep the SFC notified of their transitional arrangements with the EDSP where appropriate. In a nutshell, the licensed institutions shall:
(i) implement effective policies and procedures for the proper management and control of the risk of customers’ data and business-related information being exposed;
(ii) conduct initial due diligence on the EDSP;
(iii) maintain a comprehensive information security policy to prevent any unauthorised disclosure; and
(iv) follow an exit strategy to terminate the external data storage.
It should also be mentioned in passing that the International Organization for Standardization has various standards regarding cloud services, including the code of practice for information security controls for cloud services (ISO/IEC 27017:2015).
Outsourcing restrictions for the banking industry
The Hong Kong Monetary Authority (HKMA) issued Supervisory Policy Manual modules on Outsourcing and on General Principles for Technology Risk Management on 28 December 2001 and 24 June 2003 respectively. This guidance was issued a long time ago, but it is still relevant given that most users use third-party cloud providers instead of building their own cloud services.
The Manual states clearly that financial institutions should be aware of their legal obligations to meet the minimum authorisation criteria under the Banking Ordinance in relation to their outsourcing plans. The Board of Directors and management of the financial institutions should retain ultimate accountability for any outsourced activity. They should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of operational, legal and reputation risks) and that all the risks identified have been addressed before launch. All such requirements shall no doubt be taken into account when deploying cloud services.
Regarding the outsourcing agreement, the contractual liability and obligations of the service provider should be clearly set out and the terms should be reviewed regularly. Financial institutions should ensure that the proposed outsourcing arrangement complies with the statutory requirements of the PDPO and protects the integrity and confidentiality of customers’ information.
IP ownership and licensing related issues
Some cloud services can be customised at the customers’ specific request, including but not limited to new workflow, algorithm, database and interface design. Such tailored features are protected by copyright, but questions always arise as to their copyright ownership. Customised features will generally be regarded as commissioned work and, pursuant to the Copyright Ordinance (Cap. 528), copyright ownership of such work shall be determined by the agreement between the parties; in the absence of an agreement, the commissioning party shall at least have an exclusive licence to exploit the commissioned work for all purposes that could reasonably have been contemplated at the time the work was commissioned. However, with copyright ownership of the new customised features vested in the cloud service providers and such licence arguably limited to the normal deployment of cloud services, financial institutions would be unlikely to be able to simply “copy and paste” the code of such customised features to or for use in another cloud product if they subsequently want to change to a new cloud service provider.
Further, it is also interesting to consider whether certain types of creation on the cloud would be protected by IP rights, and if so, who owns these IP rights.
For example, when personal data is stored on the cloud, metadata may be generated from the pooling of enormous volumes of personal data, which may serve as an excellent database for the data users in understanding the demographics and preferences of their clients. As it is created by the cloud service providers, or by the systems created by them, it may be argued that the IP rights to such work belong to the cloud service providers. Yet on the other side of the argument, it also contains personal data of the data subjects, which should be confidential and the ownership of which should be vested in the subjects themselves. Such disputes over IP ownership are so common that they should not be neglected.
The ideal way to resolve the dilemma is to have IP assignment clauses in the service agreements between the financial institutions and the cloud service providers, or in the terms and conditions of the relevant financial services to be agreed by the customers. When it comes to cloud data storage, a clear distinction should usually be made between the cloud service provider’s right to store and process the data and the ownership of any intellectual property rights that are retained by the users. In short, it is advisable for the parties to set out clearly the ownership rights within the terms and conditions of the agreement whenever possible.
How to choose a cloud provider?
It is essential to choose providers whose services have met certain ISO standards for cloud security and who are cooperative in providing contractual safeguards to the data users. Further, according to the SFC circular, an EDSP should be a company incorporated in Hong Kong or a foreign company that operates and provides data storage at a data centre located in Hong Kong. Otherwise, for EDSPs outside the definition above, the licensed institution must have an undertaking in place signed by the EDSP agreeing to provide regulatory records and assistance as may be requested under Hong Kong laws or regulations. The licensed institutions should ensure that all of their regulatory records kept with a reliable and suitable EDSP can be fully accessed by the SFC and reproduced in a legible format under Section 130 of the SFO. In addition, the licensed institutions should engage a cloud service provider that is familiar with their services and potential exposure to cyber threats, is serious about information confidentiality, integrity and recoverability, and has devised and implemented suitable information security controls. The HKMA guideline also reiterates the importance of performing appropriate due diligence in evaluating and choosing a cloud service provider.
While outsourcing data processing and storage to cloud providers (or other data processors) often provides a convenient and cost-effective solution to data management, financial institutions should be reminded that outsourcing data management and storage does not absolve them (in their role as data users) from their liability and responsibility for the collection, handling and storage of personal data under the PDPO and the SFO. They should familiarise themselves with the guidelines laid out by the relevant regulators and authorities, be clear about IP and data ownership, and remain prudent when choosing a cloud service provider so as to ensure that personal data security will not be jeopardised.
This article was published in the January – February 2020 issue of Banking Today, the official bi-monthly journal of the Hong Kong Institute of Bankers.
Authors: Alan Chiu, Managing Partner; Charles To, Partner
Date: 9 March 2020