Why Cloud Computing Providers Must Comply with Data Protection Principles | The new times

The introduction of cloud computing and virtualization was a major turning point in the history of the technology industry. Rather than creating and managing their own IT infrastructure and paying for servers, electricity and real estate, etc., cloud computing allows companies to rent IT resources from cloud service providers.

By renting cloud services, companies only pay for what they use, such as computing resources and disk space. It is essentially a virtual space.

As cloud computing creates new opportunities, certain standards and regulations must be applied to ensure data privacy/security. Cloud computing allows businesses to have the flexibility and efficiency to meet new and growing demands. It provides the infrastructure, software and platforms needed to succeed in today’s business landscape, wherever they are needed.

As in many countries, cloud computing services are available in Rwanda. Rwanda has embraced information and communication technologies, which are a central driver in driving the country’s transformation towards a knowledge-based economy.

The development of cloud computing technologies, however, requires a regulatory framework. For example, in the United States, there are laws that impose responsibilities on tenants and cloud computing providers.

Regardless of the significance of these technologies, legal issues need to be considered, particularly those related to the data that digital service providers may collect, store and process.

In Rwanda, for example, the National Data Center [AOS] primarily hosts government data. The center provides, among other things, cloud computing services for the government and some companies. Such a provision is part of the guarantee of data sovereignty. With the rise of cloud computing, many countries have enacted various data control and storage laws, all of which reflect data sovereignty measures.

However, the scope of this article is for companies registered in Rwanda that have entered into contracts with outside companies that provide cloud computing services, i.e. Amazon Web Services, Microsoft Azure, Oracle Cloud, Google Cloud Platform, etc. .

Of course, it is not compulsory that companies registered in Rwanda have to contract with the national data center. One question is: do the parties [to a given contract] comply with data protection principles given that these digital service providers would host the data of Rwandan subjects outside the country? Another related question: is there any control over the data collected, stored and processed by [foreign] cloud computing providers?

Recently, Rwanda enacted a Data Protection and Privacy Law [Law No. 058/2021] on the protection of personal data and privacy], published, on October 15, 2021, in the Official Gazette of Rwanda. However, under the terms of Article 67 of this law, the execution would take place within a period of two years from the date of its publication.

Nevertheless, the parties must adhere to the principles of data protection and confidentiality applicable in Rwanda. To companies registered in Rwanda, they must ensure that the contracting parties [digital service providers] undertake to comply.

Rwanda, a signatory to the AU Convention on Cyber ​​Security and Personal Data Protection, applies the provisions of the AU Convention on Cyber ​​Security and Personal Data Protection. In particular, Article 14 (6, a) of the Convention states: “The controller may only transfer personal data to a non-member State of the African Union if that State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of the persons whose data are or are subject to processing. ”

Alternatively, parties to cloud services may adopt “General Terms and Conditions of Service” or Standard Contractual Clauses for Cloud Computing Service in accordance with the relevant provisions of the AU Convention on Cyber ​​Security and Personal Data Protection.

Controllers or processors [registered companies in Rwanda] may transfer personal data to cloud computing providers in a third country only if they provide appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available.

Providers of cloud computing services such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) must take technical and organizational measures appropriate and proportionate to manage the risks posed to the security of the network and information systems they use in connection with the provision of services.

These security measures must guarantee a level of network and information system security appropriate to the risk incurred. All of these requirements can be met with a strong cyber resilience posture that combines best practices in information security and business continuity.

Similarly, cloud service providers should establish standards for specific control objectives, controls, and guidelines to help organizations involved in cloud computing protect personal data in public clouds.

Relying on the European Commission’s Standard Contractual Clauses for the Transfer of Personal Data to Third Countries in light of the General Data Protection Regulation, companies registered in Rwanda and cloud computing service providers must sign standard contractual clauses in accordance with the data protection principles applicable in Rwanda.

These standard contractual clauses must contain provisions relating to the protection of natural persons with regard to the processing of personal data to be transferred to a third country where the contracting cloud computing service providers are located. And, in case of violation of the contractual clauses, it should engage the responsibility of the providers of cloud computing services.

The author is a certified data protection and privacy expert.

Sherry J. Basler