07 Jan Cloud Computing Services in the Philippines
Cloud Computing Services in the Philippines and Data Privacy
Every day, we see the impact of the digital age on traditional industries and businesses. For example, the print industry (i.e. newspapers, magazines, books) is struggling to compete with their electronic counterparts. Either they beat the digital form, or they join it. Last April 2018, we saw Summit Media, a prominent publisher of lifestyle magazines such as Cosmopolitan Philippines, Preview, PEP (YES! Magazine), Topgear, FHM, and Town and Country, completed its shift from print to digital[1].
This shift to the digital platform requires a presence in the cloud. Cloud computing is the “use of hardware and software to deliver a service over a network (typically the Internet). With cloud computing, users can access files and use applications from any device that can access the Internet[2].” This is different from accessing files and applications on a computer’s hard drive because it would only be accessible through the computer’s storage.
There are several types of cloud computing, depending on its purpose, which include: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Disaster Recovery as a Service (DRaaS). IaaS provides hardware and software components to support businesses, which include hardware, storage, servers and data center space or network components[3]. IaaS allows “automated administrative tasks, dynamic scaling, platform virtualization, and internet connectivity[4].” It essentially works as the server of the enterprise without it having to invest in infrastructure.
PaaS “provides a platform and environment to allow developers to build applications and services over the internet[5].” It allows app or web developers to develop their own applications and services using the PaaS providers’ virtualized servers and associated services such as source code control and tracking, versioning, and testing[6]. Examples of these would be websites or apps that teach one how to build their own app or website.
SaaS delivers software and applications to users through the internet[7]. It is the equivalent of buying a CD or DVD of a software and application and downloading and installing it in one’s computer. Now, through SaaS, one can merely download it through internet. DRaaS is not usually identified as a type of cloud computing, but it one of the most common things users encounter. It allows users to restore backups saved on the cloud in case of a system failure[8].
Despite the different types of cloud computing available in the market, it is evident that it is beneficial to its users. It is cost-effective, flexible, and adaptable to the needs of the users. It “democratizes access to technology” by allowing users to pay for what they only need. It protects loss of data through disaster recovery mechanisms and provides software and security updates. Lastly, it serves as an avenue for collaboration between employees and users[9].
One of the biggest IaaS providers is Amazon Web Services (AWS), a subsidiary of Amazon.com, which offers IT infrastructure services to businesses for cloud computing. Based on a study conducted by Synergy Research, a research facility that covers market intelligence and analytics for the networking and telecoms industry[10], since AWS’ launch in 2006 until 2016, it is considered to be the most successful IaaS company, beating Microsoft, IBM, and Google combined[11]. Some of its clients include Netflix, NASA, Slack, Samsung, Airbnb, General Electric, Spotify, Time, Inc., Unilever, US Department of State, USDA Food and Nutrition Service, and UK Ministry of Justice[12].
Last May 2016, AWS entered the Philippine market and [13] has been catering to Coins.Ph, Globe Telecom, Jollibee, Max’s Group, Meralco, Robinsons Retail Holdings and Unionbank[14]. Given the amount of data these companies and AWS handle, one may wonder on the safety of their data. Is our data privacy laws, rules, and regulations sufficient to protect one’s data?
Under AWS’ contract with its customers, it has a “Shared Responsibility Model” for security, wherein Amazon ensures the security OF the cloud while the customers are responsible for the security IN the cloud[15]. On the one hand, AWS would be “responsible for protecting the infrastructure that runs all of the services offered in its cloud, including the hardware, software, networking, and facilities that run AWS Cloud services[16].” It would ensure that its servers where data is stored, where it is managed and processed, are secure. On the other hand, the customers have to provide system updates and patches of their OS and configure the network and firewall on all AWS services. They are responsible for the manner the data is controlled, accessed, and used.
Under the Data Privacy Act (“DPA”) of 2012, the customers would be the personal information controller (“PIC”) while AWS would be the personal information processor (“PIP”), as defined by Section 3(h) and (i), respectively.
Amazon discussed in a White Paper that it will not fall under the ambit of the DPA because it is the customer who has the control over the manner on how the data will be used and that AWS “only uses customer content to provide the AWS services selected by each customer to that customer…[17]”
However Section 4 of the DPA provides that the “Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines x x x.” Rule I, Section 3(o) of DPA’s Implementing Rules and Regulations (“IRR”) defines processing as “any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.”
This is bolstered by Section 14 wherein it covers instances when PICs would subcontract the processing of personal information to a third party such as the PIP. The PICs have to install the “proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. It also imposed the obligation on PIPs to comply with DPA and all other applicable laws.
In the IRR, the treatment of PICs and PIPs are the same in that they have similar duties and obligations. This means that AWS has to comply with the rights of the data subject[18], right to data portability[19], obligation to secure personal information[20], and the principle of accountability[21]. In its obligation to secure personal information, Rule VI, Section 25 of the DPA’s IRR requires that PICs and PIPs “implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.” They must ensure that any natural person acting under their authority and who has access to personal data only processes it upon their instructions or as required by law[22]. Both must designate compliance officers and implement data protection policies that provide for organization, physical, and technical security measures[23].
In implementing physical security measures[24], PICs and PIPs must be able to monitor and limit access to the room where the processing occurs and the duties of those individuals involved in the processing must be clearly defined. It must also implement measures for the transfer, removal, disposal, and reuse of electronic media to ensure protection of the data and measures that prevent mechanical destruction of files.
Meanwhile, in implementing technical security measures[25], PICs and PIPs must implement measures to protect their computer network against accidental, unlawful or unauthorized usage or interference, which will affect data integrity, to ensure and maintain the confidentiality, integrity, availability and resilience of their processing systems, to regularly monitor for security breaches, and be able to restore the availability and access to personal data, to encrypt personal data during storage and while in transit.
AWS may not be liable for a data breach of the end users of AWS’s customers, given the Shared Responsibility Model because it is the duty of AWS’s customers to secure the data itself. However, AWS may be subject to liability if or when its customers use AWS services for processing as a third party, under the DPA. AWS may also be liable for data breach when its servers are attacked since it has the contractual and legal obligation to ensure that the servers where customers’ data are stored is secure.
[1] CNN Philippines Staff. “Summit Media bids goodbye to print magazines, goes full digital.” April 12, 2018, Accessed December 20, 2018. http://cnnphilippines.com/business/2018/04/12/summit-magazine-stops-print-magazines-digital.html
[2] Lenovo.com. “What is Cloud Computing?” Accessed December 20, 2018. https://www.lenovo.com/ph/en/faqs/laptop-faqs/what-is-cloud-computing/
[3] Techopedia.com. “Infrastructure as a Service (IaaS).” Accessed on December 20, 2018. https://www.techopedia.com/definition/141/infrastructure-as-a-service-iaas
[4] Id.
[5] Interoute.com. “What is PAAS?” Accessed on December 20, 2018. https://www.interoute.com/what-paas
[6]Technopedia.com. “Platform as a Service (PaaS).” Accessed December 20, 2018. https://www.techopedia.com/definition/147/platform-as-a-service-paas
[7]IBM.com. “Defining IaaS, PaaS and SaaS.” Accessed on December 20, 2018. https://www.ibm.com/cloud/learn/iaas-paas-saas
[8]Technopedia.com. “Disaster Recovery as a Service (DRaaS).” Accessed on December 20, 2018. https://www.techopedia.com/definition/29773/disaster-recovery-as-a-service-draas
[9]Microsoft Philippines PR Team. “Cloud Computing to Grow in ASEAN: PH cloud to grow with security and data privacy.” October 16, 2017, Accessed on December 21, 2018. https://news.microsoft.com/en-ph/2017/10/16/cloud-computing-grow-asean-ph-cloud-grow-security-data-privacy/
[10] Synergy Research Group. “About Us.” Accessed on December 21, 2018. https://www.srgresearch.com/about
[11] Miller, Ron. “How AWS came to be.” 2016, Accessed on December 21, 2018. https://techcrunch.com/2016/07/02/andy-jassys-brief-history-of-the-genesis-of-aws/
[12] Wootton, Benjamin. “Who’s Using Amazon Web Services?” January 26, 2017, Accessed on December 21, 2018. https://www.contino.io/insights/whos-using-aws
[13] Estopace, Eden. “Amazon Web Services sets up Philippine office.” May 15, 2016, Accessed on December 21, 2018. https://www.philstar.com/business/technology/2016/05/15/1583487/amazon-web-services-sets-philippine-office
[14] ABS-CBN News. “Amazon cloud unit holds ‘first in the world’ workshop in PH.” June 5, 2018, Accessed on Accessed on December 21, 2018. https://news.abs-cbn.com/business/06/05/18/amazon-cloud-unit-holds-first-in-the-world-workshop-in-ph
[15] Amazon Web Services, Inc. “Using AWS in the Context of Philippines Privacy Considerations.” May 2018, Accessed on December 21, 2018. https://d1.awsstatic.com/whitepapers/compliance/Using_AWS_in_the_context_of_Philippines_Privacy_Considerations.pdf
[16] Stevens, Mark. “Who is ultimately responsible for data security in the cloud?” June 28, 2018, Accessed on December 21, 2018 https://www.scmagazineuk.com/ultimately-responsible-data-security-cloud/article/1486729
[17] Id, note 15.
[18] Rep. Act No. 10173 (2012), Sec. 16.
[19] Id.
[20] Id.
[21] Id.
[22] Implementing Rules and Regulations of Rep. Act No. 10173 (2012), Rule Vi, Section 25.
[23] Id.
[24] Id.
[25] Id.
