CLOUD COMPUTING
A) Cloud Computing Services in the Philippines
Articles by Disini & Disini Law Office
Cloud Computing Services in the Philippines and Data Privacy
Every day, we see the impact of the digital age on traditional industries and businesses. For example, the
print industry (i.e. newspapers, magazines, books) is struggling to compete with its electronic
counterparts. Either they beat the digital form, or they join it. In April 2018, we saw Summit Media, a
prominent publisher of lifestyle magazines such as Cosmopolitan Philippines, Preview, PEP (YES!
Magazine), Topgear, FHM, and Town and Country, complete its shift from print to digital[1].
This shift to the digital platform requires a presence in the cloud. Cloud computing is the “use of hardware
and software to deliver a service over a network (typically the Internet). With cloud computing, users can
access files and use applications from any device that can access the Internet[2].” This differs from
accessing files and applications on a computer’s hard drive, which are accessible only through that
computer’s storage.
There are several types of cloud computing, depending on their purpose, which include: Infrastructure as a
Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Disaster Recovery as a Service
(DRaaS). IaaS provides hardware and software components to support businesses, which include
hardware, storage, servers and data center space or network components[3]. IaaS allows “automated
administrative tasks, dynamic scaling, platform virtualization, and internet connectivity[4].” It essentially
works as the server of the enterprise without it having to invest in infrastructure.
PaaS “provides a platform and environment to allow developers to build applications and services over the
internet[5].” It allows app or web developers to develop their own applications and services using the PaaS
providers’ virtualized servers and associated services such as source code control and tracking, versioning,
and testing[6]. Examples of these would be websites or apps that teach one how to build their own app or
website.
SaaS delivers software and applications to users through the internet[7]. It is the equivalent of buying a CD
or DVD of a piece of software or an application and downloading and installing it on one’s computer. Now,
through SaaS, one can merely download it through the internet. DRaaS is not usually identified as a type of
cloud computing, but it is one of the most common things users encounter. It allows users to restore backups
saved on the cloud in case of a system failure[8].
Whatever the type of cloud computing available in the market, it is evident that cloud computing is
beneficial to its users. It is cost-effective, flexible, and adaptable to the needs of the users. It “democratizes
access to technology” by allowing users to pay only for what they need. It protects against loss of data
through disaster recovery mechanisms and provides software and security updates. Lastly, it serves as an
avenue for collaboration between employees and users[9].
One of the biggest IaaS providers is Amazon Web Services (AWS), a subsidiary of Amazon.com, which offers
IT infrastructure services to businesses for cloud computing. Based on a study conducted by Synergy
Research, a research facility that covers market intelligence and analytics for the networking and telecoms
industry[10], AWS is considered to be the most successful IaaS company from its launch in 2006 until 2016,
beating Microsoft, IBM, and Google combined[11]. Some of its clients include Netflix, NASA,
Slack, Samsung, Airbnb, General Electric, Spotify, Time, Inc., Unilever, US Department of State, USDA Food
and Nutrition Service, and UK Ministry of Justice[12].
In May 2016, Amazon Web Services (AWS) entered the Philippine market[13] and has been catering to
Coins.Ph, Globe Telecom, Jollibee, Max’s Group, Meralco, Robinsons Retail Holdings and Unionbank[14].
Given the amount of data these companies and AWS handle, one may wonder about the safety of their data.
Are our data privacy laws, rules, and regulations sufficient to protect one’s data?
Under Amazon Web Services (AWS)’s contract with its customers, it has a “Shared Responsibility Model”
for security, wherein Amazon ensures the security OF the cloud while the customers are responsible for
the security IN the cloud[15]. On the one hand, AWS would be “responsible for protecting the
infrastructure that runs all of the services offered in its cloud, including the hardware, software,
networking, and facilities that run AWS Cloud services[16].” It would ensure that its servers where data is
stored, where it is managed and processed, are secure. On the other hand, the customers have to provide
system updates and patches of their OS and configure the network and firewall on all AWS services. They
are responsible for the manner in which the data is controlled, accessed, and used.
Under the Data Privacy Act (“DPA”) of 2012, the customers would be the Personal Information Controller
(“PIC”) while AWS would be the Personal Information Processor (“PIP”), as defined by Section 3(h) and (i),
respectively.
Amazon stated in a White Paper that it will not fall under the ambit of the DPA because it is the
customer who has control over how the data will be used and that AWS “only uses
customer content to provide the AWS services selected by each customer to that customer…[17]”.
However, Section 4 of the DPA provides that the “Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal information processing including
those personal information controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch
or agency in the Philippines x x x.” Rule I, Section 3(o) of DPA’s Implementing Rules and Regulations (“IRR”)
defines processing as “any operation or any set of operations performed upon personal data including, but
not limited to, the collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed
through automated means, or manual processing, if the personal data are contained or are intended to be
contained in a filing system.”
This is bolstered by Section 14, which covers instances when PICs (Customers) subcontract the
processing of personal information to a third party such as the PIP (Cloud Provider). The PICs have to ensure
that “proper safeguards are in place to ensure the confidentiality of the personal information processed,
prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and
other laws for processing of personal information.” It also imposes the obligation on PIPs to comply with
the DPA and all other applicable laws.
In the IRR, the treatment of PICs and PIPs is the same in that they have similar duties and obligations.
This means that AWS has to comply with the rights of the data subject[18], right to data portability[19],
obligation to secure personal information[20], and the principle of accountability[21]. In its obligation to
secure personal information, Rule VI, Section 25 of the DPA’s IRR requires that PICs and PIPs “implement
reasonable and appropriate organizational, physical, and technical security measures for the protection of
personal data.” They must ensure that any natural person acting under their authority and who has access
to personal data only processes it upon their instructions or as required by law[22]. Both must designate
compliance officers and implement data protection policies that provide for organizational, physical, and
technical security measures[23].
In implementing physical security measures[24], PICs and PIPs must be able to monitor and limit access to
the room where the processing occurs and the duties of those individuals involved in the processing must
be clearly defined. They must also implement measures for the transfer, removal, disposal, and reuse of
electronic media to ensure protection of the data and measures that prevent mechanical destruction of
files.
Meanwhile, in implementing technical security measures[25], PICs and PIPs must implement measures to
protect their computer network against accidental, unlawful or unauthorized usage or interference, which
will affect data integrity; to ensure and maintain the confidentiality, integrity, availability and resilience of
their processing systems; to regularly monitor for security breaches; to be able to restore the availability
of and access to personal data; and to encrypt personal data during storage and while in transit.
AWS may not be liable for a data breach of the end users of AWS’s customers, given the Shared
Responsibility Model because it is the duty of AWS’s customers to secure the data itself. However, AWS
may be subject to liability if or when its customers use AWS services for processing as a third party, under
the DPA. AWS may also be liable for a data breach when its servers are attacked, since it has the contractual
and legal obligation to ensure that the servers where customers’ data are stored are secure.
B) Cloud Computing in the Philippines
CLOUD COMPUTING is expected to account for 13% of the Philippine information technology services
market by 2020, a report by BMI Research showed.
“Driven by the digitization of government agencies and SMEs, datacenter demand in the Philippines has
been growing strongly over the past few years. We forecast cloud computing spending to grow at an
average annual rate of 31.7% over the five-year period to 2020, reaching P14.9 billion,” BMI Research said
in an industry trend analysis report released on Monday.
“By then, we believe cloud computing will account for 13.3% of the Philippines’ IT services market, more
than double its 6.1% contribution in 2015.”
However, BMI Research, the research arm of the Fitch Group, said the local data center industry, which
would meet the boost in IT service demand, is still “relatively small” and its infrastructure availability “pales
in comparison to other Asian markets.”
“Datacenter operators have to rely on a close partnership with either PLDT or Globe Telecom for
connectivity; the two dominant telcos have the upper hand to limit competitors’ scale and capitalize on
rising demand for IT services themselves.”
The research firm specifically cited PLDT for its P10-billion investment in its datacenter business over the
next two years, placing it “in a prime position to fulfill enterprises’ rising IT service demands.”
Despite the industry’s improvements, the Philippines still lags behind other countries in the Asia Pacific in
terms of cloud adoption.
Citing data from Asia Cloud Computing Association’s Cloud Readiness Index (CRI) 2016, it said that the
Philippines ranked ninth out of 14 Asia Pacific countries surveyed, while scoring the poorest in the same
index in terms of broadband quality.
However, BMI noted a “possible liberalization” of the telco industry, citing the promise of the government
to establish a national broadband network, “which could open the market to smaller players.”
“We see one key upside to the development of the Philippines’ broadband market over the longer-term in
possible reform of the telecoms sector headed by the new Duterte administration,” it added.
In his first State of the Nation Address, President Rodrigo R. Duterte said that he would task the newly
established Department of Information and Communications Technology with the development of a
National Broadband Plan for the Philippines.
“Mr. Duterte’s leadership could see the revival of the construction of a national broadband network, a plan
that had been abandoned in 2008 due to a corruption scandal,” BMI said, referring to the National
Broadband Network deal with China’s Zhong Xing Telecommunications (ZTE) Corp.
“A second attempt at constructing a national broadband network, if successful, will only yield results after
our five-year forecast period. Until then, we believe operators will be the primary beneficiaries of growing
cloud service demand through their advantageous ability of bundling services with connectivity.”
Hastings Holdings, Inc., a unit of PLDT Beneficial Trust Fund subsidiary MediaQuest Holdings, Inc., has a
stake in BusinessWorld through the Philippine Star Group, which it controls.
C) Department Circular: Cloud First Policy - Cloud Computing for Government Agencies
Data that can be migrated to GovCloud or the public cloud will need to meet security requirements for
accreditation and be verified by internationally recognized security assurance frameworks. Accepted
international security assurance controls include ISO/IEC 27001, Service Organization Controls Report
(SOC) 1 and 2, and the Payment Card Industry Data Security Standard (PCI DSS). Data will be encrypted
using industry-tested and accepted standards and algorithms, such as AES (128 bits and higher), TDES
(minimum double-length keys), RSA (1024 bits or higher), ECC (160 bits or higher), and ElGamal (1024 bits
or higher). (11.3)
The table below outlines the baseline (i.e. required) and optional (i.e. agency discretion applied) security
controls that will be applied to classified government data, which accredited CSPs and GovCloud must have
met to be permitted to host classified government data.