
Contracting in the cloud

By Tammy Bortz, Director

LEGAL BRIEF | MAY 2011

The use of cloud services is inevitable, especially as more and more organisations look for ways to cut costs and improve efficiencies. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings is recommended to mitigate the risks inherent in the use of cloud services.

Cloud computing is not new, but businesses in South Africa have only recently started to consider cloud-based services. As with any new method of providing technology services, customers are wary of using it until they fully understand its application and risks.

So, what is cloud computing?
In essence, cloud computing is not new technology, but rather a new way of delivering computing services "on demand", whereby users can turn the services on and off, and scale up or down, depending on need. Without knowing it, many people may already be using cloud services. For example, Gmail or Google Apps are virtual services, i.e. services that are hosted in the cloud.

Benefits and risks
The numerous benefits of using cloud services, such as cost-effectiveness, scalability and resilience, are recognised. Yet many organisations are still cautious about cloud computing, the main concerns being security, data privacy, loss of control over critical business functions and data, and service interruption.

Another concern is that in South Africa there are currently no guidelines, codes of conduct or standards for cloud computing. Internationally, a number of organisations have issued guidelines and codes of conduct from which guidance can be taken. Examples include the Cloud Industry Forum (www.cloudindustryforum.org), the Cloud Security Alliance (www.cloudsecurityalliance.org) and the European Network and Information Security Agency (www.enisa.europa.eu).

The selection of a cloud provider, and any subsequent contract that is concluded, must be approached in the same way as other technology-related decisions are made by an organisation. With most public cloud offerings, contracts are not negotiable, so the focus should be on evaluating the contract and the provider. A careful assessment of the various cloud providers, including their security, privacy and redundancy policies and their service level agreements, must be undertaken.
Security
Security is one of the most critical issues, especially where the cloud is used for business-critical services and sensitive and personal data is put into the cloud.

At a minimum, before selecting a cloud provider, one should conduct an audit of the cloud provider's security policies and processes so as to understand both its logical and its physical security controls. Those controls must be such that the security and integrity of personal data held in the cloud is maintained. If a cloud provider will not allow an audit, a report on the cloud provider's security processes and procedures by an independent auditor should be requested. Also consider what certifications (if any) the provider holds.

Also ask whether the cloud provider has experienced any security breaches and, if so, require full details of those breaches as well as what the cloud provider is doing to avoid further breaches.

Privacy and the impact of the PPI Bill
Data protection and privacy are the most commonly raised risks when considering placing sensitive and personal data in the cloud.

A cloud provider should have a comprehensive privacy policy setting out how it deals with personal information. Many jurisdictions have legislation aimed at protecting personal information which imposes obligations on "data processors" or "data controllers" regarding the protection of personal information under their control. The most notable example is the UK Data Protection Act. Cloud providers situated in the UK must adhere to this legislation, which imposes obligations around the manner in which personal and sensitive data is used and how such data may be transmitted.

South Africa currently does not have such legislation, although it has been in the pipeline for many years in the form of the Protection of Personal Information Bill B9 of 2009 (as read with the proposed amendments in the Working Draft issued on 24 February 2011) (PPI Bill). Its promulgation is imminent. Although still a Bill, certain provisions of the PPI Bill will be relevant both for local cloud providers and for organisations that are considering using cloud services, whether locally or offshore.

In terms of the PPI Bill, any person who in any way processes personal information of third parties (a "responsible party" in the PPI Bill) and any person who, as part of their business operations, processes personal information on behalf of third parties in terms of a contract or mandate (an "operator" in terms of the PPI Bill) will be bound by the PPI Bill. "Processing" is widely defined and includes any operation (including by automatic means) concerning personal information, including collection, storage, use, and dissemination by means of transmission and distribution.

For example, Principle 2 of the eight Information Protection Principles which form the core of the PPI Bill requires that, subject to certain exemptions, the consent of the person to whom the personal information relates (the "data subject" in the PPI Bill) is required for the purposes of processing. Thus, before personal information is transferred to a cloud, the responsible party must establish whether the consent of the data subject is required for such transfer.

In terms of Principle 7 (Security Safeguards), the responsible party (i.e. the cloud customer) is obliged to secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

In order to give effect to this, the responsible party must take reasonable measures to:
- identify all reasonably foreseeable internal and external threats to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In addition, the responsible party must ensure that the operator (i.e. the cloud provider) establishes and maintains the security measures set out above. Cloud providers in turn must, subject to certain exemptions in the PPI Bill, process personal information only with the knowledge or authorisation of the responsible party, and must treat personal information which comes to their knowledge as confidential. Further, processing by a cloud provider on behalf of a responsible party must be governed by a written agreement, which must include an obligation on the cloud provider to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

In light of the above, a responsible party will need to consider whether the security and privacy policies and procedures of a cloud provider are such that the responsible party, in transferring personal data to that cloud provider, is able to comply with the obligations imposed on it in terms of the PPI Bill.

Additional considerations

Service interruptions and outages
There have recently been a number of highly publicised outages at cloud providers, a notable example being the interruption to service experienced by users of Amazon's Elastic Compute Cloud. In this regard, it is important to consider the cloud provider's service level agreement to understand its guarantees around availability, response and resolution times. Not all clouds are equipped for all purposes, and when assessing cloud offerings an organisation's service requirements must be measured against the service levels offered.

Cross-border data flow
Where the cloud provider is an offshore entity, the transfer of services may involve transferring personal data offshore. In this regard, an important consideration is whether the jurisdiction in which the cloud provider is situated has laws that protect personal information. Certain cloud providers now give customers the option to request that data not be transferred outside the jurisdiction in which it was originally placed, unless the receiving jurisdiction has in place the same or substantially similar levels of data protection and security as the first jurisdiction.

The PPI Bill will impact on cross-border data flows when it becomes law. Section 69 of the PPI Bill prohibits the transfer of personal information about a data subject to a foreign entity unless, for example, the recipient of the information (the offshore cloud provider) is subject to a law or agreement which effectively upholds principles for the reasonable processing of information that are substantially similar to the information protection principles set out in the PPI Bill, or the data subject consents to the transfer.

Termination and termination support
Another important consideration when choosing a cloud provider is what happens when the arrangement with the cloud provider terminates. Does the cloud provider offer any termination assistance around the return of data? Given that there are currently no standard data formats or procedures for data portability, the manner and format in which data will be returned must be understood and agreed upfront.

Conclusion
The use of cloud services is inevitable, especially as more and more organisations look for ways to cut costs and improve efficiencies. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings will go a long way in mitigating the risks inherent in the use of cloud services.
About the Author

Tammy Bortz
Title: Director
Office: Cape Town
Direct line: +27 (0)21 405 5171
Fax: +27 (0)86 511 1343
Switchboard: +27 (0)21 405 5100
Email: tbortz@werksmans.com

Tammy Bortz is a director of Werksmans Attorneys. Tammy is a commercial lawyer who specialises in information technology
(IT) law. Her expertise extends to drafting and negotiating all types of IT and e-commerce agreements; preparing internet /
website usage terms and conditions and internal usage policies and procedures; drafting e-commerce and IT related legal opinions;
and advising on regulatory compliance with numerous pieces of legislation. She has represented technology vendors and their
customers and therefore has an excellent understanding of both perspectives. In addition, Tammy regularly presents in-house
training courses on basic contract law, contract service levels and risk management. She has a BA LLB from the University of the
Witwatersrand.


THE CORPORATE & COMMERCIAL LAW FIRM

JOHANNESBURG +27 (0)11 535 8000 CAPE TOWN +27 (0)21 405 5100
www.werksmans.com

About Werksmans Attorneys

Established in the early 1900s, Werksmans Attorneys is a leading South African corporate and commercial law firm serving multinationals,
listed companies, financial institutions, entrepreneurs and government.
Operating in Gauteng and the Western Cape, and connected to an extensive African network through Lex Africa*, the firm’s reputation is built
on the combined experience of Werksmans and Jan S. de Villiers, which merged in 2009.
With a formidable track record in mergers and acquisitions, banking and finance, and commercial litigation and dispute resolution, the firm is
distinguished by the people, clients and work that it attracts and retains.
Werksmans’ more than 170 lawyers are a powerful team of independent-minded individuals who share a common service ethos. The firm’s
success is built on a solid foundation of insightful and innovative deal structuring and legal advice; a keen ability to understand business and
economic imperatives; and a strong focus on achieving the best legal outcome for clients.
* In 1993, Werksmans co-founded the Lex Africa legal network, which now has member firms in 30 African countries.

Nothing in this publication should be construed as legal advice from any lawyer or this firm. Werksmans’
legal briefs should be seen as general summaries of developments or principles of interest that may not apply
directly to specific circumstances. Professional advice should therefore be sought before any action is taken.
