On-premises data solutions are great if you have a steady demand for processing, a highly capable and otherwise incentivised IT team, and a regulatory or commercial zeal for keeping everything close. But most organisations do not fall within this bracket. They may wish to commoditise their IT; they may have fluctuating demands for processing power (either owing to development projects, having a penchant for mergers and acquisitions, or simply through the vicissitudes of the business cycle), or they may acknowledge that their in-house IT team does not have a sufficient track record in security management. So there are a variety of reasons why organisations are moving to the Cloud.
Software asset management
Simply moving your server from on-premises to a cloud service provider's data centre can cause all sorts of mischief. Software vendors are often astute to check where their software is being run, on which type of computer, and whether data belonging to those other than the licensee are running on the same machine. They will also demand the right to access the server at a time to suit them. Compliance with such a shopping list can cause headaches not only for the operating enterprise, but also for the Cloud services vendor. If the Cloud vendor is providing their own equipment, then they will almost certainly have to make special arrangements. The Cloud vendor will probably balk at signing up to allow an audit right for the benefit of a third-party software licensor. The last thing they want is to get drawn into a spat concerning overuse of software, over which they have no effective control, and no commercial interest.
Inevitably, the categories of data to be moved Cloudwards are broadening, beyond simply analytical data and back office accounting, to include customer and employee personal data.
It is here that the gears really start to grind. Irrespective of the interests of regulators (other than data regulators) – about which, more below – moving personal data off-premises can entail all sorts of hurdles. If the data remains, for all purposes, in Hong Kong* this limits the scope for argument to: whether the Cloud vendor will touch the data (even if only theoretically as a result of support, maintenance and remediation); whether the security protocols are adequate, and (possibly) whether there is a change or enlargement of the processing to be undertaken in the Cloud environment. If any of these triggers is met, questions will be raised as to whether the original consent to processing obtained from individual data subjects requires enlarging.
Very often, however, the Cloud service provider will be locating its servers outside Hong Kong. Equally often, perhaps, the operating enterprise will be wishing to move data (including personal data) to the Cloud from more than one jurisdiction. To reap the benefits of Cloud use, this will inevitably mean that there will be some off-shoring of data. Despite section 33 of the Personal Data (Privacy) Ordinance (Cap. 486) ("Section 33"), which is the main provision of Hong Kong's data laws which relates to cross-border data transfer, not yet having been brought into force, the Office of the Privacy Commissioner for Personal Data, Hong Kong has issued guidance which recommends compliance with the tenets of Section 33. Furthermore, it is anticipated that Section 33 may be brought into force shortly, so planning for compliance with it is sensible. Essentially, the exporting data user will need to check whether the data laws of the receiving jurisdiction offer at least an equivalent level of protection to personal data within its borders as pertains to such data in Hong Kong (an exercise which can be fraught with difficulty), or obtain contractual assurances as to equivalence of treatment by the Cloud provider. If neither of these is practicable, individual consents to the offshoring should be obtained from the data subjects.
SFC Circular – Use of external electronic data storage providers ("EDSPs")
For corporations licensed by the Securities and Futures Commission ("SFC"), the SFC issued a new circular on 31 October 2019 ("Circular") setting out the regulatory requirements when using EDSPs. EDSPs include public and private cloud services providers, as well as external providers of data storage at conventional data centres or other forms of virtual storage. The Circular relates to records or documents required to be maintained by licensed corporations under the securities and futures legislative framework, and the anti-money laundering regime ("Records") in an online environment.
Unless the licensed corporation keeps the Records simultaneously at its approved premises in Hong Kong (which would likely remove much of the benefit of using the Cloud services in the first place), the licensed corporation needs to comply with the Circular.
If the Records are to be stored in Hong Kong exclusively with an EDSP, the EDSP must either be incorporated in Hong Kong or registered as a non-Hong Kong company. If the EDSP is offshore, it must provide an undertaking (substantially equivalent to that in a prescribed form) ("Undertaking") to provide Records and assistance as may be required by the SFC. In a similar vein, the licensed corporation is also required to issue a notice (substantially equivalent to that in a prescribed form) to the EDSP authorising the EDSP to provide the Records of the licensed corporation to the SFC. The rationale behind the Undertaking and Notice is to empower the SFC to obtain prompt access to records in carrying out its supervisory functions. In the case of the Undertaking, the EDSP consents to assisting the SFC in exercising its statutory powers even though the EDSP is an offshore entity, and the SFC's powers would not extend extra-territorially.
There are also requirements on licensed corporations to conduct due diligence on the EDSPs, and to ensure that an audit trail exists regarding any access to the Records whilst at the EDSP. Licensed corporations need to designate two "Managers-In-Charge" ("MICs") in Hong Kong to be responsible for accessing the Records.
The Circular seeks to modernise the SFC's approach and guidance on data retention, which previously had not specifically contemplated exclusive use of cloud service providers.
Despite this, the Circular, and in particular the Undertaking required from EDSPs, are quite onerous. The time for compliance with SFC demands for assistance will be short, and the Department of Justice may also be involved in the process. It remains to be seen whether all major offshore Cloud services providers are prepared to provide these Undertakings.
Based on our engagement with the SFC to date, the SFC is taking a pragmatic and reasonable approach to compliance, but does expect a focused and prompt response to the Circular by all licensed corporations.
The Cloud services providers, of course, are well aware of the regulatory burden associated with take-up of their services. Although they may make light of it on occasion, it is surely continuing to act as a brake on Cloud adoption for mainstream customer and employee data storage. These problems, whilst representing a significant compliance burden, do not seem to be outweighing enterprises' interest in adopting Cloud services. In the meantime, compliance teams keep on expanding.
Rocketing into the Cloud – what to do?
Licensed or not, there are some common themes for transition to Cloud services, including:
- Strong due diligence – know your Cloud provider and what services they are providing. Do they match your needs and any regulatory requirements? No question is too silly to ask.
- Good contracts – these can generally be negotiated, even if presented as standard forms. Consider also if you need the Undertaking, if you are a licensed corporation – if so, you should build that into your contract. Open API agreements tend to need their own bespoke terms as well, particularly if you are (or are contracting with) an "authorized institution" regulated by the Hong Kong Monetary Authority.
- Data protection compliance – Cloud presents some excellent opportunities for efficient record management, as well as more advanced functions such as big data analytics. But the data protection rules must not be overlooked – for example, do you have the necessary consents to leverage group-wide data to analyse patterns and create new business development opportunities or risk management tools?
- Stakeholder engagement – Your Board, regulators and customers are three examples of stakeholders who need to understand that you are deploying Cloud solutions. Be prepared to explain the arrangements in clear and simple terms, with a concomitant explanation of risks.
Please contact us anytime about your Cloud arrangements.
*Any reference to "Hong Kong" or "Hong Kong SAR" shall be construed as a reference to "Hong Kong Special Administrative Region of the People's Republic of China".