Cloud computing and data privacy

Although the technologies of cloud computing have blurred international borders from a technological standpoint, and the ‘cloud effect’ on commerce has been impressive, there has been a global backlash against the unbridled use of individuals’ personal data. It has helped create greater divisions between nations from the legal and regulatory perspectives. Whether because of political fallout from the NSA-Snowden controversy or consternation over corporate data collection practices, political events have been catalysts for more stringent data-privacy laws.

An overview of cloud computing

Cloud computing has eliminated the need for a business in the global marketplace to purchase, install and maintain its own computer hardware and software infrastructure. The “Cloud” has eliminated the need for a business to be tethered to a brick and mortar geostationary physical address.

Defining cloud computing

Cloud computing involves more than simply storing data on remote servers.
It took years of work, input from government and industry, and 16 drafts before the US National Institute of Standards and Technology (NIST), in October 2011, defined cloud computing as:

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST noted that its model included five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service; and three service models: SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service); and four deployment models: private cloud, community cloud, public cloud, and hybrid cloud.

Deployment models

The NIST defines a public cloud as a cloud infrastructure for use by the general public that may be owned, managed and operated by business, academic or government organizations or some combination of them existing on the premises of a cloud provider.
General public in the context of public cloud computing means that tenants of the public cloud provider – often businesses rather than individuals – share the public cloud infrastructure.
A public cloud datacenter may host the data of various unrelated businesses, such as medical offices, real estate companies and law firms, with their only connection being that they share a cloud provider. Citing cost savings, scalability and flexibility as reasons for their choice, many businesses use public clouds as the method of deployment.
The private cloud is a cloud infrastructure provisioned for exclusive use by a single organization that is owned, managed and operated by that organization, a third party, or a combination of them, which exists on- or off-premises. Private cloud has become an increasingly popular choice for organizations in heavily regulated industries, those desiring managed services, and other organizations most affected by certain legal and regulatory issues.
The hybrid cloud is an integrated approach that may combine the use of public and private cloud infrastructures. The key feature is that hybrid clouds allow organizations to have unique, distinct infrastructures bound together by standard or proprietary technology enabling data and application portability, often with managed services, interoperating to deliver seamless business functions.

Geographical expansion of cloud computing

North America has been the traditional center of cloud computing and remains the home of the most datacenters in the world. The Asia-Pacific region now houses the second-largest number of datacenters in the world, followed by Europe, the Middle East and Africa, and Latin America.
The European cloud market is becoming more localized due in large part to Europe’s strong data-privacy protections.

Current issues in data privacy cloud compliance

Five of the current data privacy issues of concern to American business are the Microsoft Dublin warrant controversy, international e-discovery and e-disclosure, the US-EU Safe Harbor Framework, the pending EU General Data Protection Regulation, and the expansion of data-privacy laws around the world.

The Microsoft Dublin warrant controversy

In December 2013, a US Magistrate Judge issued a criminal search warrant to US government prosecutors in a narcotics trafficking case authorizing them to search and seize email content and other information stored on servers at a Microsoft datacenter in Dublin, Ireland. Microsoft asked the court to invalidate the search warrant, arguing that US courts were not authorized to issue warrants beyond the borders of the US.
The legal issues in the case are complex and involve the Stored Communications Act (SCA), part of the Electronic Communications Privacy Act of 1986 (ECPA), and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the USA PATRIOT Act).
The prosecutors argue that it matters not where the data is stored, but who controls the data, in this case, Microsoft, a company based in the US and subject to a US search warrant. So far, the US courts have sided with prosecutors, but the Microsoft appeals are still pending.
If the US appellate courts and eventually the US Supreme Court affirm the lower court decision, US prosecutors may try to execute search warrants around the world. Various US companies and organizations that are not parties to the case including AOL, Apple, AT&T, eBay, Hewlett-Packard, the National Association of Manufacturers, the National Newspaper Association and the US Chamber of Commerce, have filed amicus curiae (friend-of-the-court) briefs supporting the Microsoft position.
The national origin and legal status of the cloud vendors a business uses may subject that business to claims from national governments associated with the vendors. Many national governments, not just the United States, claim the right to search data in criminal and national security investigations. Such claims don’t stop at national borders.

International e-discovery and e-disclosure

As international business has become more common, so has international litigation, making discovery in legal proceedings a major source of international data transfers. Cloud computing has made these data transfers easier from a technological standpoint, but such quick and easy transfers can create compliance challenges.
The process of e-discovery in the US and e-disclosure in the UK results in large volumes of data being transferred internationally. The US legal system gives litigants and lawyers extensive access to evidence, a practice at odds with traditions in other nations, most notably the member states of the European Union. Their civil-law tradition has judges collect evidence in an inquisitorial system, unlike the juries receiving evidence in the common-law courts of the UK and the nations that have adopted its English common-law system, such as Australia, Canada, most of India, Ireland, Hong Kong, Singapore and most of the US. Any business using cloud technology must consider the differences between e-discovery in the United States and evidence procedures in the rest of the world.
European nations have enacted “blocking statutes” which provide penalties for transferring documents for use in foreign proceedings unless the transfer complies with the provisions of the Convention on the Taking of Evidence Abroad in Civil and Commercial Matters, known commonly as The Hague Evidence Convention.
The French blocking statute of 1980, Law 80-538, provides criminal penalties, including imprisonment, for parties transferring documents or information relating to commercial, economic, financial, industrial or technical matters outside France without complying with the provisions of The Hague Evidence Convention.
When it comes to international e-discovery and e-disclosure every attorney must be aware of these conflicting laws.

The US-EU Safe Harbor Framework

Under the 1995 EU Data Protection Directive, known formally as Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, which became effective in 1998, data can be transferred outside the EU only to nations that meet adequate data-privacy requirements under EU law. The US does not meet such standards, but data transfers can be made under an agreement known as the US-EU Safe Harbor Framework.
There are actually two Safe Harbor Framework agreements: one between the US and the EU and another between the US and Switzerland. They are administered on the US side by the US Department of Commerce.
Approved in 2000, the US-EU Safe Harbor Framework allows data transfers by binding the 28 member states to the EU Commission’s finding of data-protection ‘adequacy’ based on a company’s certification under the Safe Harbor Framework.
Individual companies can obtain EU certification to transfer data even though the US itself does not meet European data-protection requirements and about 3,200 companies have obtained Safe Harbor certification. Under the current system, compliance is based on self-certification.
However, a 2014 European Parliament resolution called for suspension of the Safe Harbor Framework. In 2015, the High Court of Ireland said, “There is, perhaps, much to be said for the argument that the Safe Harbor regime has been overtaken by events. The Snowden revelations may be thought to have exposed gaping holes in the contemporary US data protection practice.”
The Safe Harbor Framework is at risk and without Safe Harbor, cloud data transfers are in jeopardy.

The EU General Data Protection Regulation (GDPR)

The European Union is considering a General Data Protection Regulation (GDPR), which would replace the current EU Data Protection Directive. The distinction between “directives” and “regulations” under EU law is significant.
An EU regulation is a binding legislative act that must be applied in its entirety throughout the 28 member states in the EU. An EU directive is a legislative act establishing EU policies that are implemented through laws passed by the member states themselves.
The EU Court of Justice anticipated the GDPR in May with its “right to be forgotten” decision in Google Spain SL v Agencia Española de Protección de Datos, holding that a right to be forgotten existed and that individuals have the right to ask for personal information to be removed from the Internet.
The GDPR is a critical data-privacy-compliance issue for any organization involved in cloud data transfers involving the EU member states: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. Together with Iceland, Liechtenstein and Norway, these states make up the European Economic Area (EEA).
Although the idea behind the GDPR is to harmonize the laws of the member states to make data protection – and thus commerce – easier throughout Europe, organizations need to be aware of how it will affect their cloud strategies. There is the threat of substantial fines up to €100m or 5% of a company’s annual revenue.

Expansion of data privacy laws around the world

Comprehensive data-privacy laws are nothing new in many nations around the world, but laws such as the USA PATRIOT Act and developments such as the NSA-Snowden controversy have led to new legislation with data-privacy provisions, such as Brazil’s Marco Civil da Internet.

Cloud computing requires due diligence

The expansion of data-privacy laws around the world presents significant challenges to international trade and finance demanding due diligence.
Law and politics can become as important as technology and business considerations in the deployment of cloud computing. Organizations must know at all times where their data is housed and how it is maintained. International data-privacy laws should be a primary consideration in the selection of cloud providers and datacenter locations.
Attorneys representing clients who use the Cloud must have at least a basic familiarity with international data-privacy laws and the regulations of the jurisdiction where the data is housed.

Secure your data

Data breaches will continue to occur and data-breach laws exist in jurisdictions around the globe. A breach often has nothing to do with hackers; inadvertent data breaches are an important part of data security. Securing data is critical.
Cloud computing programs should include service-level agreements that have provisions for data-breach protection and data location along with provisions for retrieval of data.