Cloud database is the system where the data is stored by means of the hardware (such as computers, storage units, etc.) through the system located in a remote place from the computer that generates the data. Those data become available for the re-access of the user from the place where the data is stored over the internet, regardless of device and location. Technological developments related to cloud computing are occurring much faster abroad and the companies providing the service are mainly based abroad. Because of that, people or companies that receive cloud database services receive these services through hardware systems located abroad. Nevertheless, it can be said that important technical innovations have been provided in this field and the legal infrastructure has started to be established In Turkey. In this article, the legal dimension of cloud computing technology and its legal regulations are discussed.
II. CONCEPTS ON CLOUD COMPUTING SYSTEMS
Before going to the legal examination of cloud computing systems, it will be useful to briefly explain the types of the system in order to better understand the technical dimension of cloud computing. In this context, it is possible to mention about three types of cloud computing systems.
- Public cloud environments are cloud systems operated by a cloud service provider that provides a cloud-based platform, infrastructure, application, or storage services as a third party. In the public cloud, all hardware, software and other supporting infrastructure belongs to and managed by the cloud provider.
- Private cloud environments, as the name implies, are used exclusively by a single institution or organization. These environments may be physically located at the center of the institution or organization using the service, or a third-party service provider's location can be used.
- Hybrid cloud environments are cloud environments that are created by combining private and public cloud environments. It provides easier management of various information, software, applications and other data on different cloud services.
It will be more informative to mention about the service items offered to the user by the cloud service provider through the above-mentioned cloud computing systems. In this context, three types of services can be mentioned.
- Infrastructure Service (IaaS) is a type of service where basic computing resources such as processor, storage, network resource are provided by the service provider to the users. In this system, the user does not have full control over the infrastructure but has an authority at operating level.
- Platform Service (PaaS) is a type of service that is provided complementary services and the necessary technological infrastructure with a platform where the user can develop and run their own application. The applications and services which are developed by users can be managed independently, while everything else is managed by the cloud service provider.
- Software Service (SaaS) is a type of service where the software application kept on the server by the service provider is made available to more than one institution or organization.
III. LEGAL DIMENSION OF CLOUD COMPUTING SYSTEMS
The parties of the cloud computing system explained in detail above or the services and the service method which are used in these systems shall be known in order to understand legal aspect of cloud computing systems that are the subject of this article. The legal dimension of cloud computing shall be examined multilaterally. On one hand there is a contractual relation between user and service provider; on the other hand, the data stored in the cloud system have legally importance with respect to The Law on The Protection of Personal Data ("KVKK") numbered 6698.
Furthermore, it shall be taken into consideration that special regulation which came into force in field of banking and capital markets related to cloud computing systems.
1. Legal Dimension of the Relationship Between Service Provider and User
When the contractual relationship established between the user and the service provider regarding cloud computing systems are examined, classification of such contracts as service contracts due to their characteristics will be a very general qualification. There is fundamentally a service provided by service provider to the users but keeping and saving of data that belong to users also is a part of the contractual relation.
Contracts related to cloud computing systems also contains similarities with safekeeping contract which is regulated in the article 561 of Turkish Law of Obligation ("TBK") numbered 6098. However, describing these types of contracts as merely safekeeping (contract of mandate) contracts does not fully provide the content of the contract. Safekeeping contract include the physical storage of a movable property, not being used by the safekeeper, and returning it in accordance with the terms of the TBK. However, data storage is quite different from condition of keeping movable properties.
In context of the reasons that are indicated above, it can be said that the contract regarding the cloud system services made between the user and the service provider is an atypical contract. In the arrangement of these contracts, data storage process and the unique features of cloud computing should be taken into consideration. Additionally; the service to be provided to the user, details of the rights and obligations of the parties, the privacy clauses and protection of personal data should be evaluated within this framework.
2. Interpretation of Cloud Computing Systems in Terms of KVKK
It is obvious that the provisions of KVKK are of great importance in terms of the legal legislation of cloud computing systems. Some points of cloud computing such as data logging, keeping and protecting personal data or data transfer brings obligation of data officer regarding KVKK. Cloud storage service provider and its user are responsible for assessing whether the security measures taken by the cloud storage service provider are sufficient and appropriate in accordance with the decision and precedent review of Personal Data Protection Authority("Authority").
In this context, it is recommended by the Authority to know in detail what the personal data stored in the cloud are, to back up data, to ensure synchronization and to perform two-step authentication control for remote access if this personal data is required. During the storage and use of personal data in cloud systems as a means of data protection, it is recommended to encrypt with cryptographic methods, sending them in cloud environments with crypts and using separate encryption keys where possible for personal data. In particular, it is recommended to use encryption keys separately for each cloud solution1
3. Special Regulations Regarding Cloud Computing Systems
The principles regarding the legal dimension of cloud computing systems are determined by special legislation regulations beside of the basic legal dimensions aforementioned above.
In terms of banking legislation, the Guideline on the Information Systems and Electronic Banking Services of Banks ("Guideline") was issued by the Banking Regulation and Supervision Board ("BRSA"). The enforcement date of the Regulation has been determined as 1 July 2020.Within the scope of the Guideline, regulations have been made regarding the use of private and public cloud services to enable banks to avoid the risks while benefiting from the cloud service model.
Another legislation are Information System Management Citation and Information System Independent Audit Citation which were put into force by Capital Markets Board ("CMB"). The citations include requirements of cloud computing system for companies which are under audition of CMB. If the data called the primary or secondary systems will be uploaded to the cloud database by these companies, the data storage center (hardware which are physical equipment that stores data) of the selected cloud database must be available in Turkey. For instance, if there is desire to use cloud computing for e-mail services, the data center of this cloud computing services should be available in Turkey.
Cloud computing systems, which bring practical solutions to many problems encountered in business and business world, continue to develop rapidly. Besides the advantages of cloud computing services, there are some critical points to pay more attention such as possibility of personal data leaks.
In addition to general legislation, legal regulations in special fields such as banking or capital markets are mentioned. It is important to comply with the rules and procedures that is related to cloud computing systems.
All regulation that are explained above are still new and in the initial phase. Because of that, cloud computer systems still need some detailed legislations. For all those reasons, it is clearly seen that the highest importance should be given for this area to prevent failures and legal mistakes.
1. Personal Data Security Guide (Technical and Administrative Measures), Personal Data Protection Authority, p.22,2018
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.