Chapter 10: Cloud Computing Borders – National and International Deployment 244 – Cloud Computing: Assessing the Risks

CHAPTER 10: CLOUD COMPUTING BORDERS – NATIONAL AND INTERNATIONAL DEPLOYMENT

Notwithstanding its benefits, Cloud Computing can introduce a number of legal and international challenges for your organisation.

From an international legal perspective, the key difference between traditional IT outsourcing and Cloud Computing is where the data resides, is processed and is stored. Data can be (and almost always is) stored in various locations, data centres and different jurisdictions all over the world and across multiple platforms. This can result in multiple copies of data being stored and processed in different locations.

The Cloud revolutionises the term ‘outsourcing’ and introduces numerous implications for outsourced data handling, contract terms and conditions, intellectual property rights and insurance coverage. These are some of the most commonly encountered issues for those new to outsourcing and Cloud Computing. There are numerous other elements that should be assessed and addressed with the help of qualified and experienced Cloud Computing legal experts.

We are by no means claiming to be legal experts; the primary objective of this chapter is to illustrate and communicate some of the many legal aspects associated with Cloud Computing.

As with all elements of Cloud Computing, if in any doubt regarding organisational requirements, obligations and legal rights, contact a legal professional who specialises in Cloud Computing (or outsourcing agreements) to assist in the due diligence review of Cloud provider contracts and agreements.

Regardless of organisation type, business objectives, drivers, business sectors or mission, the following points should be assessed and understood.

Data location

Where data is at any given time dictates which laws and legislation govern it. This also extends to the terms and conditions of the contract, and affects any disputes, settlements and privacy laws in the locations and jurisdictions involved.

Assumption is the worst possible mistake when determining data location.

Keep in mind that even though data may be housed within your legal jurisdiction, the contract and service level agreement (SLA) might be from an international parent company located in a different geographical location, thereby falling under different laws.

In all contracts, SLAs and associated agreements, including those on data protection and privacy, it is imperative to establish the exact locations and jurisdictions involved, as uncertainty here can prevent or hinder the application and enforcement of the contractual terms.

Legislation and regulatory (including privacy)

Each jurisdiction provides stringent rules on defence, health, and financial services related information, which directly impact on Cloud Computing. Stringent regulatory provisions and restrictions concerning the transfer of certain types of data across borders and export or trade restrictions may impact on where data in the Cloud can be stored and who can store it or on the transfer itself of the data and applications to and from the Cloud.

Data protection and data privacy

Data protection and privacy is, without doubt, one of the largest headaches for multinational corporations based across several countries, continents and different jurisdictions. Data protection and privacy regulations often vary greatly depending on the country in question, irrespective of partner relationships. An example of this would be that certain EU Member States’ data protection laws contradict the EU data privacy acts. France and Germany are renowned for legislation that does not comply with other European data protection rules.

In contrast to the United States (discussed later in this chapter), in Europe privacy is a human right.

Data retention

An often overlooked and less considered aspect of Cloud Computing is how long the data is held for. Why does it matter? There are various legal and regulatory reasons, depending on the nature of the organisation, industry and jurisdictions that require organisations to retain data for specific periods of time.

Unfortunately, most organisations do not specify this in Cloud contracts, SLAs and contract negotiations, resulting in legal and regulatory requirements not being fulfilled prior to migration.

Data types should be listed, understood and defined in accordance with relevant retention periods.

Retaining information indefinitely, for unspecified time periods, is not good practice, and eventually can come back to haunt organisations.

EU Data Protection/Privacy

Under recently revised and updated EU data protection acts, the following provide key aspects for companies to consider:

These directives were required to be implemented into local laws on 25 May 2011. The following European States are all required to comply with the EU Data Protection and Privacy Directive as per requirements outlined for all 27 Member States: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.

Additionally, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland have been approved as their data protection and privacy principles satisfy those of the EU. Canada has received approval for certain types of personal data, but as yet has not obtained full acceptance from the EU.

EU Data Protection Directive 95/46/EC

The EU Data Protection Directive 95/46/EC outlines the requirements and guidelines for all organisations collecting personal information from data subjects.

The EU Directive on Data Protection of 1995 mandated that each EU nation create and pass a national privacy law and establish a Data Protection Authority. The function of this Data Protection Authority is to protect citizens’ privacy and investigate breaches or failures to do so.

The EU Data Protection Directive focuses on personal information, which is categorised as ‘any information relating to an identified or identifiable natural person’, known as the ‘data subject’. A data subject is a living and identifiable person who can be identified (directly or indirectly) by reference to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

While this might be somewhat vague and subjective, the spirit of the EU Data Protection Directive looks to encompass any significant pieces of information that could link that information to a living identifiable individual.

The ‘data controller’ refers to a legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations. The data controller is typically the person who collects the information from the data subject.

A ‘data processor’ refers to a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller. In today’s world many organisations will utilise outside agencies or contractors to conduct activities on their behalf – for instance, marketing, support and related activities.

These agencies and third parties are data processors, as they are processing information on data subjects on behalf of the data controller.

It is important to note that while the data processor may be in possession of the information, it remains the ultimate responsibility of the data controller to adhere to the key principles and guidelines of the EU Data Protection Directive throughout the life cycle of the information or data.

EU Data Protection Requirements

Under the EU Data Protection Directive 95/46/EC, all data controllers collecting personal information are required to ensure the following guidelines and principles are adhered to at all times (slight variations may occur depending on local laws and regulations):

  • Obtain and process the information fairly.
  • Keep it only for one or more specified and lawful purposes.
  • Process it only in ways compatible with the purposes for which it was given initially.
  • Keep it safe and secure.
  • Keep it accurate and up to date.
  • Ensure that it is adequate, relevant and not excessive.
  • Retain it no longer than is necessary for the specified purpose or purposes.
  • Data subjects should be allowed to access their data and make corrections to any inaccurate data.

An important article in the Directive is: ‘It shall remain the responsibility of the data controller to ensure that the above mentioned items are complied with.’

Failure to adhere to these clauses can be met with significant financial penalties, imprisonment (which is rare in the majority of cases, with only a handful of convictions leading to imprisonment) and the prevention of future data collection and processing. Depending on the countries themselves, the enforcement tends to be wide and varied.

For instance, in the United Kingdom the fines imposed by the Information Commissioner’s Office can be up to £500,000, subject to the findings of an investigation (this number was increased in 2010 following a large number of high-profile data breaches and losses of personal information). For most organisations, this is a significant penalty to pay for non-compliance or a data breach that could have been prevented.

Separately, while instances of imprisonment are rare, recent cases in the United Kingdom have shown that those in ‘positions of power’ who knowingly breach the Data Protection Act will face significant actions.

In April 2011, Karen Howie, a 34-year-old police constable from Scotland, breached the Data Protection Act when she took details of an investigation from police computers and passed them onto her partner, who used the details to warn a suspect. Howie subsequently received a 27-month sentence for the disclosure of these details.

Duty to report breaches

In recent amendments to EC requirements, the Directive 2009/136/EC of The European Parliament and of The Council of 25 November 2009 includes:

amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on co-operation between national authorities responsible for the enforcement of consumer protection laws.

Article 2 (2) (4) (c) adds a requirement to notify security breaches to ‘national authority’ and to those affected by this vulnerability, at least if the flaw is ‘likely to affect negatively’ their personal data.

While these changes require notification of security breaches to the relevant national authority, many organisations continue not to do so. Most breaches are currently reported ‘voluntarily’ by organisations that communicate and co-ordinate with the relevant authorities, before contacting the individuals concerned.

Recent reporting trends

Depending on the size, structure and nature of organisations who find themselves in the unenviable position of having suffered a data protection breach, a somewhat worrying trend has begun to emerge.

Recently, a number of organisations have informed customers of data breaches or data loss by letter, email or press releases. These materials often highlight very standard methods of protection applied to the devices or data affected, such as passwords, in an attempt to reassure those affected of the data’s security.

Any information security practitioner worth their professional credentials would seriously challenge these statements. Password protection can often be bypassed or cracked within minutes, either by an experienced, IT-savvy person or by a number of freeware and low-cost applications.

Password protection and other standard methods of security are no longer effective against current threats and targeted cyberattacks. Cybercriminals and malicious hackers are becoming highly successful at compromising and exploiting traditional methods of security to obtain commercially valuable and sensitive information.

Recent events are examples of why organisations should be proactive and forthcoming in the event of data breaches. Sony, Citigroup and a number of other headline grabbers in 2011 have left a lot to be desired, especially in the manner and means by which they chose to postpone, deny and refute claims that their relevant standards, processes and procedures had ultimately failed, leaving 100 million+ individuals to possibly pay for their mistakes.

Should your organisation fall victim to any of these attacks, or, indeed, experience data breaches, leaks of information, data corruption or similar issues, it is often discovered that openness, honesty and transparency can go a long way when dealing with those who have been affected!

European Privacy Directive 2002/58/EC

Confidentiality requirements

The European Privacy Directive 2002/58/EC was designed and introduced to address the emergence of mobile devices and the processing of personal data in the electronic communications sector. While not as widely known and acknowledged as the European Data Protection Act, the Privacy Directive plays an important role in outlining the requirements for privacy, security and the governance of services for publicly available electronic communications.

Aside from defining the security requirements (without explicitly stating levels of security) the Privacy Directive focuses on the important aspect of confidentiality.

For those familiar with information security and the three core pillars on which it is founded (confidentiality, integrity and availability), this should be commonplace. However, never underestimating the requirement to ensure confidentiality will go a long way towards staying compliant with the Privacy and Data Protection Directives.

The Confidentiality of Communications section in the Directive places emphasis on the European Member States to ensure that the following aspects of communications and related traffic data over public communications and publicly available systems are adhered to.

The following actions are prohibited, and are required to be enforced through national legislation:

  • listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users of the relevant services, without the explicit consent of the users concerned.

These actions are not permitted, except in the case where the organisation is legally authorised to do so, and then this must be in accordance with relevant laws and directives of that jurisdiction or country.

Measuring compliance against these prohibited actions might prove a challenge for any organisation.

Current EU data protection and privacy challenges

Technology

With technology evolving and being replaced at such a rapid rate, it is understandable that the law and policy makers are going to be playing ‘catch up’. As changes in national laws and legislations can take years to complete, and then additional time to transfer into practice, regulations and laws will, for the foreseeable future, be lagging behind.

With current financial pressures being felt throughout the EU and worldwide, efforts are understandably focused on economic recovery and ensuring long-term viability. These times should be when the EU states are boosting their efforts to ensure legislation and relevant laws are brought up to speed and in line with other technology-leading nations (Ireland, Malta, Denmark, Sweden, Switzerland, and the United Kingdom), which have ensured such laws exist in an effort to protect citizens and personnel.

Many of these nations (particularly Ireland) are promoting themselves as excellent places to do business and provide technology-related services. Ireland alone has had significant investment (in the billions of euros/dollars) from companies, such as Dell, Microsoft, Google, Salesforce, EMC, Oracle and a number of other Cloud Computing providers. Many other EU nations are attracting significant investments along with Ireland.

In order for these investments (and further investment) from other multinationals to continue, many of these nations’ governments have placed particular emphasis on ensuring relevant laws and legislations are met.

The focus on data protection and data privacy, for organisations and citizens alike, has never been greater than at present. Until such time that a uniform approach is taken by all nations and parties involved to implement practices according to the required regulations and requirements, the Internet and Cloud Computing will continue to pose numerous challenges and headaches.

Cookies

Recent developments and changes to the EU Privacy and Electronic Communications Directive now require the 27 Member States to pass into law rules regarding websites, and specifically the log data collected about the visitors to the sites.

This law has caused a fair amount of debate and criticism from certain circles; however, it is not all bad. The law came into effect on 26 May 2011, and requires website owners to obtain consent from site visitors to put a cookie on their computer. For those website owners out there, approximately 90% of websites in use today currently utilise cookies to log traffic to their websites. These include Google Analytics™, WordPress Blogs and WordPress plugins along with other website development tools and platforms.

There are a number of different cookies currently used by developers, including session, persistent, secure, third-party cookies and others depending on the requirements of the relevant website.

Cookies are short text files placed on the user’s computer and used to collect and communicate information between the target website and the device accessing that website. Cookies play an important function for those websites requiring login for user activity (authentication), for the identification of a user and for e-commerce-related sites, such as shopping carts, booking of flights, tickets and anything similar, to track the state of a transaction.

Cookies can also collect information about users, such as geographical location, pages accessed, time spent on each page and functions performed (depending on which type of cookie is being used).

This level of information can provide invaluable information for those website owners to ensure the website performs and functions in accordance with the user requirements and focuses on user demands.

However, cookies are commonly targeted by spyware and by attempts to track user activities online; the attacks involved range from cross-site scripting and session hijacking to outright theft of cookies.

It is now illegal for websites to collect this information, under various EU and US privacy and data protection laws, without obtaining consent from their users. The viewpoint from the EU on this is that the majority of website users are unaware of this, and as such are not giving their consent for this information to be collected, thus breaching the Directive.

The use of cookies on a website without the user’s consent constitutes the access and collection of personal information without the consent of the user – a violation of the Data Protection Directive and the site user’s privacy.

However, cookies are not being banned or required to be removed from websites. The EU Directive requires the website owner to inform and notify users of the cookies being used and ask for their permission to collect the relevant information. For experienced organisations, a simple pop-up or checkbox informing users of this requirement will suffice and allow the use of cookies to continue; for those who do not incorporate this or suitable other mechanisms, some issues may be encountered further down the line.
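Cookie handling as described in the preceding paragraphs (the cookie types in use, their exposure to script-based theft, and the requirement to notify users and obtain consent before collecting analytics data), as an added example; this is not code from the book. It builds Set-Cookie header values with the Secure and HttpOnly attributes, keeps session cookies distinct from persistent ones by the presence of Max-Age, and issues non-essential (analytics) cookies only once the visitor’s consent has been recorded. The cookie names, the COOKIE_POLICY table and the thirty-day lifetime are constructed for illustration; SameSite is a standard cookie attribute not mentioned in the text, included because browsers use it to limit the cookie being sent on cross-site requests.

```javascript
// Added example (not from the book): Set-Cookie construction and consent gating.
// Cookie names, purposes and lifetimes below are constructed for illustration.

// Policy table: which cookies are strictly needed to deliver what the visitor
// asked for (login session, shopping cart) and which only measure site usage.
const COOKIE_POLICY = {
  sid:       { essential: true,  purpose: 'authentication session', persistent: false },
  cart:      { essential: true,  purpose: 'shopping cart state',    persistent: true  },
  analytics: { essential: false, purpose: 'site usage statistics',  persistent: true  },
};

const THIRTY_DAYS = 30 * 24 * 60 * 60; // Max-Age (seconds) for persistent cookies

// Build one Set-Cookie header value. A "session" cookie carries no Max-Age and
// is discarded when the browser closes; a "persistent" cookie carries Max-Age.
// Secure (sent over HTTPS only) and HttpOnly (not readable by page script, which
// blunts cookie theft via cross-site scripting) are on unless explicitly disabled;
// SameSite=Lax stops the cookie riding along on most cross-site requests.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value contains forbidden characters');
  const parts = [`${name}=${value}`];
  if (opts.persistent) parts.push(`Max-Age=${opts.maxAge ?? THIRTY_DAYS}`);
  parts.push(`Path=${opts.path ?? '/'}`);
  if (opts.secure !== false) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  parts.push(`SameSite=${opts.sameSite ?? 'Lax'}`);
  return parts.join('; ');
}

// Decide which cookies a response may set. `consent` is what the site recorded
// from its notice/pop-up; non-essential cookies are dropped until the visitor
// has opted in, while essential ones are always allowed. Cookies with no
// declared purpose are rejected outright, so nothing undocumented gets set.
function cookiesForResponse(requested, consent) {
  const headers = [];
  const dropped = [];
  for (const [name, value] of Object.entries(requested)) {
    const policy = COOKIE_POLICY[name];
    if (!policy) throw new Error(`no declared purpose for cookie "${name}"`);
    if (!policy.essential && !consent.nonEssential) {
      dropped.push(name);
      continue;
    }
    headers.push(buildSetCookie(name, value, { persistent: policy.persistent }));
  }
  return { headers, dropped };
}

// Lines a consent notice can show: every declared cookie with its purpose, so
// the notice given to users is generated from the same table that enforces it.
function consentNotice() {
  return Object.entries(COOKIE_POLICY).map(
    ([name, p]) => `${name}: ${p.purpose} (${p.essential ? 'essential' : 'requires consent'})`
  );
}

// Stand-alone run with constructed values.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(consentNotice().join('\n'));
  console.log(cookiesForResponse({ sid: 'abc123', analytics: 'v1' }, { nonEssential: false }));
  console.log(cookiesForResponse({ sid: 'abc123', analytics: 'v1' }, { nonEssential: true }));
}
```

Keeping the purpose declaration and the enforcement in one table means the notice shown to visitors cannot drift from what the server actually sets; a cookie that nobody has documented a purpose for is refused rather than quietly issued.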

At present, the United Kingdom Information Commissioner’s Office (Data Protection Office) has granted a 12-month period (as of 26 May 2011) for UK organisations to comply with the Directive; however, this is not applicable to all EU nations.

A good reference for those looking to publish a statement or pop-up to notify their users of this change and obtain permission can be found at the Information Commissioner’s Office website (www.ico.gov.uk).

Where to next for EU data protection?

On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules. These proposed changes strengthen online privacy rights and boost Europe’s digital economy. The Commission has now published its draft proposals to replace the general Data Protection Directive 95/46/EC with a more detailed Regulation that would apply directly throughout the EU.

The changes put forward in the document are done so with the intention of having EU data protection law apply in a uniform way across the Member States (with a single set of rules for all to play by).

Most notable of these proposed changes is the general requirement to report serious data breaches as soon as possible to the national supervisory authority (if possible within 24 hours).

Other changes include the requirement on companies employing over 250 people (and certain other organisations) to appoint a data protection officer.

Notably for multinational organisations, they will only have to deal with a single national data protection authority in the EU country where they have their main establishment (a one-stop shop).

At present these are only at a draft proposal stage, and are yet to be confirmed or signed into law. The draft proposed changes can be found at the following link: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

United States data protection and privacy

The United States (in contrast to the EU) seems to take a more ‘relaxed’ approach to data protection and privacy, particularly regarding universal legislation for data protection across the United States.

At present, there is no comprehensive data protection legislation across the United States, merely a segregated patchwork combination of legislation, regulatory requirements and self-regulation to govern concepts of data protection.

Interestingly, the word ‘privacy’ does not appear anywhere in the US Constitution, while it is referenced in parts within the Bill of Rights, such as the Fourth Amendment.

While this might come as a bit of a surprise to some, there are quite a number of valid reasons why a single framework does not exist. This may be a culture thing more than anything else.

Let’s face it, Americans have become accustomed to being subjected to a prying government that insists on monitoring anything it desires or deems to be in ‘the interests of the country’ or the greater good. Most US employees surrender any rights to privacy when entering the workplace and, subsequently, their use of corporate assets or company property is subject to monitoring and audit (something that would not be tolerated in certain parts of Europe).

In some parts of the United States, there are laws focusing on data protection: the State of California passed a law in 2003 (Data Breach Notification Law) that requires companies to notify consumers when personal information has been lost, stolen or compromised.

There are a number of other similar laws in other states that look to incorporate data protection and privacy; however, none of these are universal or adopted in majority fashion, leading to segregated and fractured data protection and privacy practices.

While no single framework exists to protect US citizens’ privacy and personal information, a number of the acts and regulations that are focused on specific sectors or industries do look to incorporate such principles, albeit not their sole or primary focus.

These include (but are not limited to) the following.

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The HIPAA Privacy Rule is the first comprehensive Federal protection for the privacy of personal health information. The HIPAA Privacy Rule was enacted and endorsed by the US Congress in 1996, and is also known as the Standard for Privacy of Individually Identifiable Health Information. HIPAA provided the first nationally recognisable regulations for the use and/or disclosure of an individual’s health information.

The HIPAA Privacy Rule defines how entities are permitted to process, use, or store personally identifiable health information or the PHI (Personal Health Information).

Note that HIPAA is only relevant for health-related information.

PHI is classified as any information which contains (or lists) information linked specifically to an individual, including health status, medical conditions, ailments, disabilities, provision of health care or payment for health care.

Entities required to adhere to the HIPAA Privacy Rule are referred to as ‘covered entities’, and include the likes of health care clearinghouses, health insurers, medical service providers and organisations providing health care plans for employees.

The HIPAA Privacy Rule focuses on providing the following:

  • giving patients control over the use of their health information;
  • providing clearly stated rules for the use and/or disclosure of health records by relevant entities;
  • establishing nationally applicable standards that healthcare providers are required to adhere to and comply with;
  • limiting the use of PHI, and minimising opportunities of inappropriate disclosure;
  • investigating compliance-related issues and ensuring violations are met with civil or criminal penalties.

Under HIPAA, a covered entity may disclose PHI to facilitate treatment, payment or health care operations, or if the covered entity has obtained specific authorisation from the individual themselves. When information is disclosed by the covered entity, best effort is required to only make available or disclose the minimum amount of information needed to fulfil its specified purpose.

As of 23 September 2009, all covered entities are required to notify patients of any security breaches involving their medical information. The Breach Notification Requirements are only concerned with the unauthorised acquisition, access, use or disclosure of unsecured PHI (an example of this would be a lost or stolen unencrypted laptop containing PHI).

United States Patriot Act

The US Patriot Act (342 pages, 15 statutes) was passed into law by Congress on 26 October 2001 following the terrorist attacks of 11 September 2001 (an extremely quick turnaround for such a substantial Act). The Patriot Act gives federal officials greater authority and ability to track, intercept and analyse communications for law enforcement and intelligence uses.

Aside from the national security focus, the Patriot Act also provides the Secretary of the Treasury with additional powers to address and combat corruption involving money laundering and related activities.

The Patriot Act looks to protect the United States borders from terrorists and those who target national security with the view of causing harm to US citizens. It created new crimes, new penalties and new procedural efficiencies for use against domestic and international terrorists (again all done in a space of under two months).

While many critics and privacy professionals state the Patriot Act goes too far in exposing sensitive and personal information that may not be relevant, others, such as the Department of Justice, hold reservations that the Act does not go far enough in assisting them to adequately protect the well-being and security of the United States and its people.

The following points in the Patriot Act are most relevant in terms of data privacy and Cloud Computing (other elements, such as money laundering, are not discussed, in order to maintain the focus of this publication).

Criminal investigations: tracking and gathering communications

The Federal Communications Privacy Law (separate from the Patriot Act; included for completeness) was developed to outline the measures and mechanisms for protecting the confidentiality of private telephone, face-to-face and technology communications. However, it does enable relevant authorities to identify and intercept ‘criminal communications’ for security purposes.

The privacy law gives authorities a specifically defined scope for electronic surveillance, and states that these are to be used as a last resort in serious criminal cases (many industry professionals question whether this is the case). This includes, but is not limited to:

  • permitting trap and trace for electronic communications (most notably e-mails);
  • authorising nationwide execution of court orders for pen registers (a device that captures dialling, routing, addressing or signalling information), trap and trace devices, and access to stored e-mail or communication records;
  • treating stored voice-mail like stored e-mail (rather than like telephone conversations, whether live or not);
  • permitting authorities to intercept communications to and from a trespasser within a computer system (with the permission of the system’s owner, i.e. telecom provider or similar);
  • adding terrorist and computer-related crimes to the predicate offence list;
  • promoting co-operation and communication between various law enforcement and foreign intelligence investigators;
  • establishing a claim against the United States for certain communications privacy violations by government personnel and employees.

Foreign intelligence investigations

The Patriot Act has also reduced some of the restrictions (previously many) on foreign intelligence gathering within the United States, thus affording the US intelligence and related law enforcement agencies access to vast amounts of information discovered, recorded and logged during criminal and other subsequent investigations.

While the following may not be immediately apparent due to the unknown levels of official/unofficial Cloud usage amongst foreign agencies, diplomats and personnel (whether organisational or personal Cloud usage), it incorporates the following:

  • permits ‘roving’ surveillance;
  • allows application for a Foreign Intelligence Surveillance Act (FISA) surveillance or search order, when gathering foreign intelligence is a significant reason for the application;
  • authorises pen register and trap-and-trace device orders for e-mail, as well as telephone conversations;
  • sanctions court-ordered access to any tangible item, rather than only business records held;
  • expands the prohibition against FISA orders based solely on a US citizen’s exercise of their First Amendment rights.

At the time of printing, the Patriot Act has caused some privacy concerns in the European Union, discouraging a move to the Cloud.

Who is subject to the Patriot Act?

All US citizens, personnel residing within the US and US-based or US-owned organisations are subject to the Patriot Act. This means they are allowed to be monitored and tracked by the FBI and CIA should they be suspected or be thought to pose a threat to the United States and its borders.

But that’s not it! This might come as a shock to some, but any European (or other non-US) owned data that is stored, processed or handled by a US-owned subsidiary or corporation is subject to the Patriot Act. Any US-owned organisation that touches data on your behalf will make you subject to the Patriot Act. To put it in context, Microsoft, Google, Amazon and all the other large Cloud providers are US-owned organisations, and by using these organisations (any use), you are subject to the Patriot Act unless otherwise specifically stated.

There are some Cloud providers that are specifically designing Clouds and measures to address these concerns from European and other international locations.

With no changes to the Patriot Act currently proposed (the Act was due to expire in 2005 and was extended, with Barack Obama subsequently extending it once more on 26 May 2011), it seems as if the Patriot Act is here to stay for some time. For any organisation looking to understand which regulations it may be subject to, the Patriot Act is most definitely an important consideration.

APEC Privacy Framework

In addition to the much publicised and hotly debated EU vs. US data protection/privacy laws and practices, we have the Asia Pacific Economic Cooperation (APEC) Privacy Framework. The APEC Privacy Framework aims to promote a ‘flexible approach’ to information privacy protection across the 21 APEC member economies – of which the USA is one.

The key ‘spirit’ of the Framework is to avoid the creation and introduction of unnecessary or hindering barriers to information flows.

While APEC member countries are predominantly focused on partnership for trade and economic reasons, the Framework looks to enable the flow of information between these nations in support of those same aims. The following nations are all part of the APEC member programme: Australia, Brunei, Canada, Chile, China, Hong Kong (not a country, part of China), Indonesia, Japan, South Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, Philippines, Russia, Singapore, Taiwan, Thailand, United States of America and Vietnam.

While the APEC Framework was created to provide clear guidance and direction on privacy issues to organisations within APEC economies, it does so by highlighting what are termed ‘reasonable expectations’ for privacy.

The APEC Framework outlines nine key principles:

  • Preventing harm  This principle looks to prevent harm to individuals arising from the misuse of their personal information.
  • Notice  This principle looks to ensure that data collection principles are clear and transparent as to what data is being collected and for what purpose it is used. Notice also requires individuals to be notified of any disclosures to other personnel or organisations (i.e. data transfers or sharing with a third party or separate entity).
  • Collection limitations  This principle outlines requirements for information collection to be done by lawful and fair means (i.e. whenever possible, providing notice of the collection and obtaining consent from the individual).
  • Uses of personal information  Personal information collected should only be used to satisfy the purpose for which it was originally collected, or other compatible purposes. Use for other purposes is permitted only if one of the following requirements is satisfied:
    – consent has been obtained from the individual whose personal information is collected;
    – the use is necessary to provide a service or product specifically requested by the individual; or
    – the use is by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.

  • Choice  Where possible, individuals should be provided with clear and easily understandable choices in relation to the collection, use and disclosure of their personal information.
  • Integrity of personal information  Personal information should be accurate, complete and kept up to date for the purposes for which it is used.
  • Security safeguards  Appropriate security safeguards or measures should be utilised to protect information against risks such as loss or unauthorised access, destruction, use, modification or disclosure, among others. Levels of security should be proportional to the likelihood (what are the chances of the risk being exploited or realised?) and severity (how could this impact on the individual or organisation?) of harm, including the sensitivity of the information (health records, financial information, other). Best practice would dictate that these safeguards be subject to periodic review to keep in line with any changes.
  • Access and correction  This principle stipulates specific conditions of access and correction of information by the individual. It includes obtaining a copy of the information requested, and having the information rectified, completed, amended or deleted (where relevant).
  • Accountability  This principle ensures that the information controller is accountable for complying with the aforementioned principles, from the collection of information through to the end of its life cycle.

International privacy at a glance (USA/EU/APEC)

Is it really the Europeans leading the USA and APEC in terms of privacy? For many privacy and data protection purists, this is the belief. While many professionals and businesses are quick to defend and utilise European privacy as a ‘streamlined or uniform approach’, it is worth noting that a single ‘European Privacy Law’ does not exist, and the EU Privacy Directive is merely a list of principles that European nations should abide by.

Ultimately, the European Privacy Directive acts predominantly as a guideline or standard for European nations to follow, but not necessarily as an ‘all encompassing’ rule or set of requirements. Add to this the complication that each of these nations has its own national laws, with local agencies interpreting and enforcing those laws.

Currently, there are major variations from country to country, depending on their culture, legacies and history with transparency and privacy.

Depending on who you speak to, some are in favour of the approach taken by US multinational entities, others in favour of UK-based firms, and others preferring the German organisations’ approach.

Privacy is ultimately a human right in some jurisdictions, with it being considered a privilege in others.

Privacy and data protection are just some of the regulations and frameworks that make up a plethora of compliance and regulatory headaches for those looking to make the move to Cloud Computing, and with no current solution in sight.

Guidelines for success

No silver bullet currently exists to simplify and deal with the challenges faced by those organisations looking to adopt and utilise Cloud Computing effectively. In line with relevant laws, regulations and requirements, the following points should be reviewed and explored as a starting point wherever possible:

  • Consider the possible implications for processing/exporting of data to certain geographic locations or territories.
  • Take all reasonable and appropriate steps to ensure that trans-border flows of personal data (including transit through other countries) are uninterrupted and secure.
  • Where possible, restrict the flow of data to countries and locations whose rules contradict or violate the data protection/privacy regulations in your own location. There are a number of locations in which no legislation or requirements exist for the protection of personal data/information.
  • Be aware of, and understand the implications of, government or international relations becoming strained. There is significant risk in storing, transmitting or processing data in a location or jurisdiction that is currently experiencing tension, strained relations or military action with your government or nation.
  • Avoid complications and the creation of a mesh of various restrictions, policies, practices and frameworks that becomes an inhibitor for the organisation itself. Be conscious, realistic and pragmatic in your approach to developing a fit-for-purpose workaround or solution that supports the overall business objectives.

In summary

This chapter was a high-level overview to illustrate some of the many challenges organisations will face relating to privacy and data protection from an international perspective. There are a number of substantial publications that cover the various areas and elements discussed in this chapter in far more detail.

If you are unsure of the effect these elements of international Cloud Computing may have on your organisation, we would advise and encourage further research and engagement with suitably qualified and experienced professionals specialising in these areas.

Additional resources

European Data Protection Directive

ec.europa.eu/justice/policies/privacy/index_en.htm

www.dataprotection.ie/

www.ico.gov.uk

United States Patriot Act

www.justice.gov/archive/ll/highlights.htm

epic.org/privacy/terrorism/hr3162.html

HIPAA

www.hhs.gov/ocr/privacy/

APEC Privacy Framework

apec.org/About-Us/About-APEC/Fact-Sheets/APECPrivacy-Framework.aspx