Cloud computing service
Background
Due to the pandemic, cloud services have become an immediate priority for individuals, students, businesses, government institutions, and other organizations for a myriad of purposes, such as communication, information, entertainment, education, business/trading, payment, meetings and collaboration. Cloud computing therefore plays a significant role in keeping the world’s economy, including Indonesia’s, connected and productive. There is no doubt that cloud services have become an immediate priority.
Relevant Regulations
The following are some IT regulations which are relevant to cloud computing:
(1) Regulations on Electronic Information and Electronic Transactions, which are stipulated under Law No. 11 Year 2008 as amended by Law No. 19/2016 dated 25 November 2016 (“IT Laws”), Government Regulation No. 71/2019 on the Operation of the Electronic Systems and Transactions [“GR 71/2019”], and Minister of Communication and Information Regulation No. 5 Year 2020 on the Electronic System Provider in Private Sector [“MOCI 5/2020”].
(2) Regulations related to personal data protection, which are set out in Minister of Communication and Information Regulation No. 20 Year 2016 on personal data protection in the electronic system.
Cloud Computing
- MOCI 5/2020 defines the cloud computing service as a model of delivering broad and easy network access, based on demand/request, to a pool of computing resources configured together with server networks, storage, applications and services that can be rapidly provided with minimal management or interaction services.
Hence, based on the above definition, the cloud computing service is basically an internet-based computing and data storage service.
- Articles 12 and 42 of MOCI 5/2020 set out the cloud activities, namely: (a) to establish and implement rules on (i) the terms and conditions of the service to users/customers, (ii) the obligations and rights of the provider concerning the operation of the service, and (iii) the responsibilities of users if they keep/store their electronic information/documents in the cloud; and (b) to open its electronic system and/or electronic data to law enforcement in cases of terrorism, child pornography, human trafficking, organized crime and/or other life-threatening emergency situations.
The Cloud Computing Provider
A cloud computing provider is regarded as a Private Electronic System Provider (“Private ESP”) that provides, organizes, manages and/or operates cloud computing services.
Under MOCI 5/2020, Private ESPs encompass individuals, business entities and communities that own a portal, site, or application that provides, manages and/or operates, among other things:
(i) Trading of goods/services transactions, (ii) Financial transactions, (iii) Paid digital content, or (iv) Communication services, such as voice call, video call, email, and chatting through digital platform or social media.
In general, the obligations of a Private ESP under MOCI 5/2020 are to register its electronic system with MOCI, to take down prohibited/illegal electronic information/documents, and to open access to its electronic system to law enforcement.
Since a cloud provider is regarded as an ESP, the general obligations of an ESP under the IT Laws and GR 71/2019 also apply to cloud providers. The following are some of the general obligations of an ESP:
(i) to manage and operate the Electronic System in a reliable and secure way, and to be accountable for its operation; (ii) to meet minimum standards in operating Electronic Systems; (iii) to register its electronic system with MOCI; (iv) to apply data protection measures; (v) to secure its electronic system infrastructure/components from interruption, failure and loss; and (vi) to maintain audit records of the service activities.
The Cloud Computing Service Models
In general, based on applicable practice, cloud computing services fall into 3 categories/models of service: infrastructure, platform and software. They are called IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service).
These models each have their own characteristics in terms of scope of activities, delivery mode, limitations, and accordingly also risks.
In practice, each of the cloud service models above has created and determined roles and responsibilities for the provider and for its customers/users, among others as follows:
- Under the IaaS model, the cloud provider provides and manages IT infrastructure services for customers (data storage, servers, and networking) through the web, and the cloud users can manage their own data storage, servers and networking virtually through the web without having to physically manage them on site.
- Under the PaaS model, the cloud provider provides and manages an IT platform for customers, and the customers can develop, run, and manage their own custom application code/software without maintaining the cloud infrastructure.
- Under SaaS, the cloud provider provides customers with a software license for the cloud system, which the customer accesses via a web browser over an internet connection and which is centrally hosted, owned and managed by the cloud provider.
Data Protection
Data protection and data privacy have become a major issue in the cloud computing environment because, under the applicable regulations, particularly Article 21 of GR 71/2019, data centers can now be located in other countries, and data can be stored on different machines and storage devices, including servers, PCs, and mobile devices.
Hence both the cloud computing provider and its customers have their own responsibility to protect the data, including personal data.
The cloud computing provider, as the ESP that provides IaaS, PaaS, and/or SaaS, is responsible for its electronic system/cloud infrastructure and is also responsible for protecting personal data as required under the IT Laws and their implementing regulations mentioned above. Among other things, it must: (i) limit the collected data, which must be specific and relevant to the objective of the service; (ii) get prior consent from the data subject for collecting, processing, analyzing and transferring the data; (iii) determine the subject who has the right to access, revise and delete their data; and (iv) notify the data subject if the data protection fails.
Given the above, and based on ownership and the service provided, it is reasonable for the agreement between cloud provider and customer to determine and stipulate that:
- under the IaaS model, the provider is responsible for the security of the physical infrastructure (data centers) and other hardware that powers the infrastructure, including the networks, and the customers are responsible for protecting and securing their applications and data.
- under PaaS, the provider, as the platform provider, is responsible for securing the operation of the underlying infrastructure, the overall operating system and the data storage, and the customer, as the user that develops and operates its own application, including the data hosted on the platform, is responsible for securing such development and operation and the security of the data hosted thereon.
- under SaaS, the provider, which provides the software and manages the data stored thereon by the customer, is responsible for securing such software and for data protection, and the customer, who can access and store its own data thereon, is responsible for securing its own data.
Disclaimer: This article is intended as general information only and does not constitute legal advice. We accept no responsibility for any loss that may arise from reliance on this information. Please contact us if you need full legal advice.