Cloud Computing update

Cliffe Dekker Hofmeyr offers an appraisal on the Working Paper on Cloud Computing – Privacy and Data Issues, recently published by International Working Group on Data Protection in Telecommunications. Although the guidelines detailed in the Working Paper are not mandatory, it appears that the intended approach to data protection in the cloud is one of uniformity, with a view to ultimately developing best practice based processing of personal information. It would be interesting to understand to what extent S ATrade Hub  and Microsoft, in conjunction with the Customs of Namibia and Botswana, considered any such guideline in regard to their cloud computing initiative on the Trans-Kalahari Corridor?

The recommendations under the Working Paper highlight some of the risks and complexities associated with cloud computing. The overreaching nature of the Working Paper will serve to ensure that there is no lowering of general data protection standards for processing personal data in the cloud. The Working Paper specifically advocates the following general recommendations:

  • Carrying out privacy impact and risk assessments prior to embarking on cloud computing projects.
  • Development of practices by cloud service providers to ensure greater transparency, security and accountability regarding information on potential data breaches; and also more balanced contractual clauses to promote data portability and data control by cloud users.
  • Research, third-party certification, standardisation, privacy by design technologies and other related schemes in order to achieve a desired level of trust in cloud computing.
  • Legislative reassessment of the adequacy of existing legal frameworks allowing cross border transfer of personal information and consideration of additional privacy safeguards.
  • Accounting for independent audit trails with regards to the location of the personal information. Continuity in the provision of information by data controllers to privacy and data protection authorities. These recommendations are aligned to the general principles set out in the European Union and Safe Harbor data privacy frameworks.

The Working Paper also provides more specific recommendations, on ‘best practice’, ‘controllers’, ‘cloud service providers’ and ‘auditing’. These specific recommendations contemplate the implementation of technical measures that can be used to determine the exact physical location where personal information is held and stored, with an audit trail specifying any copying and/or deletion of personal information. In addition, the Working Paper includes a suggestion for encryption of all personal information (both at rest and in transit) and also recommends the conclusion of agreements between data controllers and cloud service providers to expressly designate and limit the physical locations where personal information will be processed. The Working Paper specifically provides that the cloud service provider should not be entitled to use personal information in the cloud for its own purposes.

It is likely that significant steps will need to be taken by cloud service providers in order to comply with the recommendations under the Working Paper and/or applicable data protection laws, which may potentially require substantial financial resources, including for procuring and implementing the appropriate technology required to give effect to the recommendations and/or laws.

In the South African context, the principles under the current draft of the Protection of Personal Information Bill(PPI) (in particular, the provisions which relate to the conditions for lawful processing of personal information and transborder information flows) can be aligned to the recommendations under the Working Paper. The real test for cloud service providers and their customers will however be in the practical implementation of the principles under PPI. Many of the recommendations under the Working Paper will serve to provide guidance in this respect, particularly in the measures which need to be implemented to maintain a level of transparency in the supply chain of personal information in the cloud. Source: www.cliffedekkerhofmeyr.com

RELATED ARTICLES

TKC Pilot – linking regional Customs systems through the “Cloud”

FTW Online recently published an update on recent developments occurring along the Trans-Kalahari Corridor (TKC). It suggests that customs systems throughout the SADC region could soon be talking to each other through the Internet, if the pilot project between Namibia and Botswana is successful. During July 2011, the Southern African Trade Hub unveiled a plan to initiate a pilot programme to link the ASYCUDA systems of Namibia and Botswana via Microsoft’s Cloud Computing technology. Both Microsoft and USAID are partners in this initiative seeking to enable the two customs systems to communicate with each other through a secure portal. View the keynote presentation at the 2011 World Customs Organization IT Conference and Exhibition – Seattle, Ranga Munyaradzi (SATH) and Namibian Customs Commissioner, Bevan Simataa, were invited on-stage to elaborate on this initiative – click here!

According to Oscar Muyatwa, executive director of the Trans-Kalahari Corridor Secretariat, the initiative holds the prospect of opening up African opportunities in the United States for exports, as it is being supported by USAID as part of the African Growth and Opportunities Act (AGOA). Both Namibian and Botswana Customs officials are to be trained in Cape Town over the next few months. The TKC Secretariat believe this initiative will bring about its vision of a ‘automated corridor’. Further ahead the TKCs envisages the establishment of One Stop Border Posts (OSBPs) to reduce border dwell and transit times. Muyatwa says ‘The ‘cloud’ will maintain vast volumes of transit data that will assist future planning along the corridor as well as revenue and budgeting forecasts’. Source: FTW Online.

Comment: lest there be any confusion amongst Customs users, traders and carriers, the concept of cloud computing in the Customs sphere is very ‘clouded’ at this point. What needs to be considered is the ‘ownership’, rights to ‘access’ and ‘integrity of use’ of such information. Furthermore, as this is a first-of-its-kind initiative (in Africa at least); it would be highly recommended that the participants and developers ‘share’ details of the approach with other SACU members in order to better understand the programme. Up to this point it is very unclear how the developer has gone about the integration of customs information, for instance, since ‘users’ have not been fully involved in the scope, proof-of-concept or design of the system. 

Related articles