A case for adoption of cloud services and related legal framework
Over the last few years, technology has advanced tremendously and cloud computing is regarded as one of the most significant innovations of the IT industry that provides potential opportunities for public and private business entities. The phrase "cloud computing" was coined as an umbrella term to describe a category of sophisticated on-demand computing services. It denotes a model in which a computing infrastructure is viewed as a "cloud," from which businesses and individuals access applications from anywhere in the world. Cloud computing allows participants in blockchain transactions to remotely record information in decentralised ledgers and subsequently access them. In 2018, analysts predicted that more than half of enterprises worldwide would have adopted cloud computing and that cloud applications would continue to radically change the way enterprises compete for customers. Most countries are increasingly adopting cloud-based solutions. For developing countries like Bangladesh, this technology aims to provide clients with a cost-effective and convenient means to manage a huge amount of IT resources.
Though cloud technology has not been established in Bangladesh yet, giant cloud service providers like AWS (Amazon Web Services), Azure, Google Cloud Services and Oracle are working actively with their partner companies in Bangladesh to spread their cloud services. Recently, Sook Hoon Cheah, the president of Microsoft Southeast Asia New Markets, remarked during the Microsoft Cloud Innovation Summit on "Transforming Bangladesh with Cloud" held in Dhaka that, "Microsoft is targeting to get huge business through its cloud solution segment in Bangladesh, especially from the private sector, as the country has been advancing digitally for the last few years." Sonia Bashir Kabir, former managing director of Microsoft Bangladesh, said that "we are seeing huge business prospects in Bangladesh as there are 16 crore people in the country and they are generating huge data." She further added: "As there are restrictions from the government of Bangladesh on hosting government data outside of the country, Microsoft is concentrating only on the private sector." (The Daily Star)
However, there are certain issues that discourage organisations from adopting cloud technology in Bangladesh. Firstly, people do not have a clear idea about this new technology. Secondly, there is no legislation that directly and specifically prohibits, restricts or governs cloud technology. However, the Government of Bangladesh Information Security Manual (GoBISM)-2016, made by the Bangladesh Computer Council under the ICT Ministry, has provided some guidelines and recommendations for government agencies to adopt cloud computing. Though private organisations are encouraged to use this manual, following it has not been made mandatory for all sectors.
Thirdly, cloud technologies by nature operate across national boundaries, and in this solution personal data needs to be hosted outside of the country, which is not permitted by the laws of the land. According to section 12 of the Bank Companies Act, 1991, a bank cannot remove its records and documents relating to its business from its office to a place outside Bangladesh without the prior permission of Bangladesh Bank. It is not clear whether such a restriction applies to hosting data in a cloud service. Besides, private organisations other than banks do not fall under the ambit of such a restriction. Fourthly, since Bangladesh has no comprehensive data privacy laws, personal data may be disclosed by a cloud provider in unauthorised ways. Moreover, large-scale national and international cyber-security attacks are also common.
For the adoption of cloud service, a prior condition is to have a strong data privacy regulation in the country. Around the world, many of the data protection laws are now being updated to meet new international standards; for example, the European Union adopted the "General Data Protection Regulation (GDPR)" in 2018 with the aim of protecting all EU citizens from privacy and data breaches in today's data-driven world. The APEC Cross-Border Privacy Rules (CBPRs) System, developed by the 21 economies of the Asia-Pacific Economic Cooperation (APEC) forum, provides a mechanism for governments and business stakeholders to safeguard the free flow of data while protecting the privacy rights of individuals.
The Software Alliance, also known as BSA, which ranks countries' preparedness for the adoption of cloud computing services, has released the "BSA Global Cloud Computing Scorecard in 2018" putting additional emphasis on the policy areas that matter most to cloud computing, such as privacy laws that protect data without unnecessarily restricting its movement across borders. Most of the countries in the Scorecard have data protection frameworks in place and have established independent privacy commissioners. Unfortunately, privacy laws are still absent or insufficient in several countries. Brazil and Thailand have no comprehensive laws in place, while laws in China, India, Indonesia, and Vietnam remain very limited. Canada and Mexico score highest in the privacy section.
In order to meet the standard of the 21st-century global economy and to take advantage of the cloud service, our policymakers should provide a legal and regulatory framework for adoption of cloud technology, including specific guidelines for users' data privacy, without imposing unnecessary restrictions. Comprehensive cybercrime legislation as well as an up-to-date cyber-security strategy are also required. Such policy or regulation should comprise the provision of data encryption, data backup, recovery and archiving, data privacy, data portability and harmonisation of international rules, establishment of necessary IT infrastructure, and risk assessment. Restrictive policies that create actual or potential trade barriers will inhibit or slow the evolution of cloud computing. Cloud services should not be used unless a comprehensive risk assessment is undertaken by the user. Cloud service providers shall ensure that all controls have been properly implemented before the user uses the cloud service and that the data stored in the cloud will not be used or disclosed by a cloud provider in unauthorised ways. The success of cloud computing depends on the users' faith that their information will not be used or disclosed in unexpected ways.
Mazharul Islam is a corporate legal practitioner.