Why cloud computing providers must comply with data protection principles
Thursday, January 20, 2022

The introduction of cloud computing and virtualization was a major turning point in the history of the technology industry. Rather than creating and managing their own IT infrastructure and paying for servers, power, real estate and so on, businesses can rent computing resources from cloud service providers.

By renting cloud services, companies pay only for what they use, such as computing resources and disk space. It is basically a virtual space.

While cloud computing creates new opportunities, certain standards and regulations must be applied to ensure data privacy/security. Cloud computing allows businesses to have the flexibility and efficiency to meet new and growing demands. It provides the infrastructure, software, and platforms necessary for success in today’s business landscape, no matter where they’re needed.

As in many countries, cloud computing services are available in Rwanda. Rwanda has embraced information and communication technology, which is a central engine driving the country’s transformation to a knowledge-based economy.

Development of cloud computing technologies, however, requires a regulatory framework. For instance, in the USA, there are laws that impose responsibilities on both cloud computing tenants and providers.

Regardless of the importance of these technologies, there is a need to consider the legal issues, especially those related to the data that digital service providers may collect, store and process.

In Rwanda, for example, the National Data Centre [AOS] primarily hosts government data. The centre, among other things, provides cloud computing services for the government and some companies. Such provision is in the context of ensuring data sovereignty. With the rise of cloud computing, many countries have passed various laws around the control and storage of data, all of which reflect measures of data sovereignty.

However, this article focuses on companies registered in Rwanda that have contracted with outside companies which provide cloud computing services, namely Amazon Web Services, Microsoft Azure, Oracle Cloud, Google Cloud Platform, et cetera.

Of course, companies registered in Rwanda are not obliged to contract with the national data centre. One question is: do the parties [to a given contract] adhere to data protection principles, given that these digital service providers would host Rwandan subjects’ data outside the country? Another related question: is there oversight of the data collected, stored and processed by [foreign] cloud computing providers?

Recently, Rwanda enacted a law on data protection and privacy [Law No. 058/2021 relating to the protection of personal data and privacy], published on 15 October 2021 in the Rwanda Official Gazette. However, under Article 67 of this law, enforcement would come in two years’ time from the date of its publication.

Nonetheless, the parties ought to adhere to the data protection and privacy principles applicable in Rwanda. Companies registered in Rwanda must ensure that the contracting parties [digital service providers] are committed to compliance.

Rwanda, a signatory to the AU Convention on Cyber security and Personal Data Protection, enforces its provisions. In particular, Article 14 (6, a) of the Convention states: “The data controller shall not transfer personal data to a non-Member State of the African Union unless such a State ensures an adequate level of protection of the privacy, freedoms and fundamental rights of persons whose data are being or are likely to be processed.”

Alternatively, the parties to cloud services may adopt the ‘Standard Terms of Service’ or the standard contractual clauses for cloud computing services in accordance with the relevant provisions of the AU Convention on Cyber security and Personal Data Protection.

Data controllers or processors [registered companies in Rwanda] may transfer personal data to cloud computing providers in a third country only if they provide appropriate safeguards, and if enforceable data subject rights and effective legal remedies for data subjects are available.

Providers of cloud computing services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services.

These security measures should ensure a level of security of network and information systems appropriate to the risk posed. All of these requirements can be met with a robust cyber resilience posture that combines information security and business continuity best practice.

Equally, cloud computing service providers must set out standards for specific control objectives, controls and guidelines to help organisations involved in cloud computing protect personal data in public clouds.

Drawing from the EU Commission’s standard contractual clauses for the transfer of personal data to third countries in the light of the General Data Protection Regulation, Rwanda’s registered companies and cloud computing service providers must sign up to standard contractual clauses in accordance with the data protection principles applicable in Rwanda.

These standard contractual clauses must accommodate provisions on the protection of natural persons with regard to the processing of personal data to be transferred to a third country where the contracting cloud computing service providers are located. And, in case of breach of the contractual clauses, they should impose liability on the cloud computing service providers.

The writer is a certified data protection and privacy expert.