Following the amendment to the Electronic Transactions Act, B.E. 2544 (2001) in April 2019 authorizing the Electronic Transaction Committee to issue a notification for compliance with the Act or for the benefit of promoting or supporting electronic transactions, the Notification of the Electronic Transaction Committee re: Guideline on Using Cloud Service, B.E. 2562 (2019) (“Cloud Guideline”) was recently issued and became effective on 12 June 2019. The Cloud Guideline prescribes a guideline on the use of cloud services by electronic transactions service providers.
Key summary of the Cloud Guideline
1. Definitions
I.“Cloud Service” means a processing service using mutual computer resources via networks conveniently upon demand, which have the following formats:
- Infrastructure as a Service: IaaS;
- Platform as a Service: PaaS;
- Software as a Service: SaaS;
- Combination of two or more of the above services; or
- Other services as to be prescribed.
II.“Service Provider” means a cloud service provider.
III.“User” means an electronic transaction service provider using cloud service
2. Key considerations for the use of cloud service
The Cloud Guideline prescribes several considerations for the Users around the use of cloud services, whether or not from third-party Service Providers, including:
I. Policy and practice guideline of the organization
Starting from the internal policy and guideline related to cloud platforms, the Users must consider internal policy and practice guideline of the Service Providers related to operation process, physical protection measures, and technical protection measures.
II. Efficiency of the provision of the cloud service
To ensure the efficient provision of the cloud service, the Users must consider the service level agreement in the aspects of availability, response time, capacity, supporting service, and contract terminating process.
III. Security
The Users must consider IT security in the service level agreement related to reliability, authentication and approval, encryption, reporting, security incident management, logging and monitoring, audit and verification, vulnerability management, and good governance.
IV. Data management
In relation to data management on the cloud platform, the Users must consider a service level agreement related to data classification, data back-up and data recovery, lifecycle of data, and data transfer.
V. Personal data protection
For the purpose of personal data protection, the Users must consider a service level agreement related to a code of conduct in accordance with the international standards for personal data protection, objectives identification, necessity, transparency and notification, responsibility for the data, data location, and facilitation in data access.
The Cloud Guideline does not provide a specific scope for ‘electronic transactions service providers’ nor penalties for non-compliance. Thus, it is unclear to whom the Cloud Guideline will apply, to what extent the Cloud Guideline will be applied and enforced, and whether there will be any penalties for non-compliance. Nevertheless, from now on, most public organizations and some private companies using cloud services will likely implement this Cloud Guideline as a minimum standard when choosing and using a cloud service.
