Nº 1 2013 > Cover story
Data protection and privacy in the cloud
Whose cloud is it anyway?
An individual may choose to give away or trade personal data in the cloud, but it should be an informed choice. One task of an effective regulator (whether for information and communication technologies — ICT — or for data protection) is to facilitate the education of consumers on the risks to privacy and to their personal data when using cloud services. Can policy-makers, regulators and business work together to promote cloud literacy?
What if an individual has knowingly provided personal data, and no longer expects the information to remain private? Should policy-makers step in to protect such personal data?
Questions such as these are raised in ITU’s latest report Trends in Telecommunication Reform 2013 in a chapter entitled “The Cloud: Data Protection and Privacy — Whose cloud is it anyway?”, authored by Stephanie Liston, Senior Counsel, Charles Russell LLP. The chapter discusses cloud services and their economic and social benefits, current privacy and data protection regulation as applied to cloud services, and the effectiveness of current regulation and enforcement to preserve privacy. It goes on to recommend the development of a fit-for-purpose regulatory model that balances commercial needs and opportunities, technological reality and a citizen’s reasonable expectation of privacy in an international digital ecosystem. This article is adapted from that chapter.
How to strike a balance?
The financial benefits that cloud services offer to governments, businesses, citizens and consumers must be balanced against the risks that such services may pose to an individual’s privacy or personal data.
Yet there is increasing confusion as to who has the duty to protect personal data.
Freely putting personal information in the cloud has perhaps desensitized individuals to the idea of private information. Do consumers know how these data might be used or understand the possible risks to data security? What is the intrinsic value of personal data, which are being referred to as “the new oil” from a commercial perspective? And should consumers have an economic right to benefit from trading these data?
To answer the questions of privacy and data protection that arise in the cloud, individual attitudes need to be explored and taken into account. After all, whose personal data are we trying to protect?
According to the 2011 Special Eurobarometer survey on individual attitudes to privacy, 74 per cent of respondents considered online disclosure of information an increasing part of daily life. A majority expressed concerns over the recording of their behaviour via mobile phones, payment cards and mobile Internet, but 58 per cent saw no alternative to disclosure of personal information if they wanted to obtain products and services.
Consumer groups tend to take a more active role than individual consumers in trying to protect personal information. Promoting cloud literacy is key to ensuring that consumers understand the real value of personal information.
Trends in Telecommunication Reform 2013 reviews existing privacy and data protection frameworks in the European Union (EU), as well as from a diverse group of countries representing the developed and developing world. Many countries that have adopted or are considering the adoption of data protection regulation have followed the European model, so the review treats Europe in the greatest depth. The European model also usefully illustrates the problems presented to business and the economy by the lack of clear and consistent laws implemented seamlessly across international borders.
At a regional level, the European Union Data Protection Directive (more simply referred to as the European Directive) was enacted in 1995. Under the European Directive, data protection obligations are generally imposed upon data controllers, while data processors are subject only to specified security requirements. But differing definitions used in different European countries, along with the blurred categorization of a cloud service provider as a controller or processor, lead to ambiguity.
The client is often responsible for the full burden of data protection obligations and compliance, despite having little control over the actions of the provider or movement of the data. Cloud clients are required to exercise due diligence with respect to choosing a provider who offers sufficient guarantees of reliability, competence and security safeguards to be compliant with relevant laws.
What about the transborder flow of data?
Under the European Directive, personal data must not be transferred to countries outside the European Economic Area that are judged to have inadequate personal data protection measures. Amazon, for example, has created a European Cloud to provide customers with confidence that data will not cross borders in breach of the Directive. The United States Safe Harbor Scheme is also accepted as adequate for the purposes of transferring certain personal data, subject to some notable exceptions and to specific due diligence.
Data in a cloud service, however, typically have no single fixed location, and providers are unlikely to operate only in specified countries. The customer may not be able to ascertain the real-time location of data that are being processed or stored. Regulators face the same problem, which renders restrictions on transborder data flows difficult to enforce.
If transfers need to be made to countries outside those that have “adequate” laws, standard contractual clauses may be required. These clauses contain non-negotiable provisions that set out transfer and security measures deemed adequate under the European Directive.
International businesses can adopt binding corporate rules for the regular transfer of data throughout their corporate networks.
Accountability is key to ensuring compliance and thus audit rights are becoming increasingly important to clients. However, the granting of these rights presents a practical problem for providers who use shared infrastructure for their clients. Granting access may itself compromise the confidentiality and security of data belonging to other clients.
What laws apply in the cloud?
There is no universally binding privacy legislation covering all countries of the world. Of the 89 countries that have adopted privacy or data protection laws, many regulate international data flows as a mechanism for protecting individual privacy and enforcing national policies.
The European Union’s e‑Privacy Directive targets public communication network providers and states that personal data should only be accessed by authorized personnel for legally authorized purposes, and that stored or transmitted personal data should be protected against accidental or unlawful destruction, accidental loss or alteration, and against unauthorized or unlawful storage, processing, access or disclosure. Personal data are defined broadly as “any information relating to an identified or identifiable natural person”.
On 25 January 2012, the European Commission published its proposed changes to the EU Data Protection Directive in an attempt to harmonize the current “fragmented and outdated” data protection legislative framework. Proposed changes include the following:
- National regulatory authorities will have the power to take action against organizations in other Member States in certain circumstances and may issue fines of up to EUR 1 million or 2 per cent of a company’s annual turnover in some cases.
- The definition of personal data will be expanded to cover any information relating to a data subject, and the regulations will require an individual’s explicit consent to allow data capture.
- The regulations will apply beyond the EU, to include non-EU entities that process personal data relating to EU citizens.
- Organizations will be required to report data breaches without undue delay and, if feasible, within 24 hours of becoming aware of the breach.
- Data controllers will be required to carry out data protection impact assessments, appoint data protection officers and inform third parties of any breaches.
- Individuals will be given a new “right to be forgotten” under certain circumstances and will no longer be required to pay to access their data.
- International data transfers will be subject to a more detailed regulatory framework requiring safeguards to be put in place and authorities to undertake prior checks, while the derogations available to data controllers will be more restrictive.
The controversial nature of the proposed reforms has, however, provoked lobbying and debate. This could mean long delays before implementation.
Meanwhile, in the United Kingdom, for example, the courts have narrowed the meaning of personal data, stating that the data must be biographical in a significant sense, and must focus on the individual, rather than on some other person or transaction or event.
In France, the amended Data Processing, Data Files and Individual Liberties Act is regulated by the proactive National Commission on Computers and Liberties. The Commission has published guidance on the legal processing of personal data, imposing notification and cooperation requirements on data controllers, as well as requirements to keep personal data secure and, in certain circumstances, to obtain the Commission’s approval prior to processing.
In Germany, personal data are to be obtained directly from the data subject unless required by law for a genuine business purpose or if disproportionate effort would be required and there are no indications that the data subject’s interests would be affected. Further, the Federal Data Protection Act puts particular emphasis on designing data protection systems to process as little personal data as possible, for example by making the data subject anonymous or by using pseudonyms.
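The German emphasis on pseudonymization is the one point in this survey that is a technique rather than a rule, and it is worth seeing what a pseudonym must and must not allow. The following example is added here and is not taken from the ITU report or from any national guidance; the records, field names and key are constructed for illustration. It contrasts an unkeyed hash of an e-mail address, which a third party can reverse simply by hashing guesses, with a keyed hash (HMAC-SHA-256) under a secret held apart from the dataset, and it drops the fields the downstream analysis does not need, in the spirit of processing as little personal data as possible.

```python
"""
Pseudonymizing a direct identifier and minimizing a record set.

Added example (not from the ITU report). Shows that an unkeyed hash of an
identifier is not a usable pseudonym, because anyone holding candidate
identifiers can recompute and match it, whereas an HMAC under a secret key
preserves linkability within the dataset while making re-identification
depend on the key. All sample data below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.org", "name": "Alice", "plan": "pro", "logins": 14},
    {"email": "bob@example.org", "name": "Bob", "plan": "free", "logins": 2},
    {"email": "Alice@Example.org", "name": "Alice", "plan": "pro", "logins": 9},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the normalized identifier.

    Deterministic, so records about the same person still link up, but
    anyone who can guess candidate identifiers can recompute it and match.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 of the normalized identifier under a secret key.

    Same linkability as naive_hash, but recomputing it requires the key,
    which is stored and access-controlled separately from the dataset.
    """
    return hmac.new(key, identifier.strip().lower().encode(),
                    hashlib.sha256).hexdigest()


def new_pseudonym_key() -> bytes:
    """Fresh 256-bit key; kept apart from the data it pseudonymizes."""
    return secrets.token_bytes(32)


def pseudonymize(records: Iterable[dict], key: bytes,
                 id_field: str = "email",
                 keep: Iterable[str] = ("plan", "logins")) -> List[dict]:
    """Replace the direct identifier with a keyed pseudonym and keep only
    the fields the downstream purpose needs (data minimization)."""
    keep = tuple(keep)
    out = []
    for rec in records:
        minimized = {"subject_id": pseudonym(rec[id_field], key)}
        minimized.update({f: rec[f] for f in keep if f in rec})
        out.append(minimized)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Try to recover an identifier from its hash by hashing guesses.

    Succeeds against naive_hash; fails against pseudonym() unless the
    attacker also holds the key used to compute fn.
    """
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymize(RECORDS, key):
        print(row)
    guesses = ["carol@example.org", "alice@example.org", "bob@example.org"]
    print("naive hash reversed to:",
          dictionary_attack(naive_hash("alice@example.org"), guesses, naive_hash))
    print("keyed pseudonym reversed to:",
          dictionary_attack(pseudonym("alice@example.org", key), guesses, naive_hash))
```

The two Alice records still share one `subject_id`, so analysis that needs to count a returning user keeps working, while the name and e-mail address never leave the original system. Note the caveat a regulator would raise: whoever holds the key can re-identify every record, so this is pseudonymization, not anonymization, and the pseudonymized set should still be treated as personal data wherever the key exists.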
In the United States, legislation changed dramatically following the terrorist attacks of 11 September 2001 with the introduction of the US Patriot Act. The Act permits the sharing of personal data of anybody suspected of involvement with terrorism or money laundering activities. This has resulted in the possibility of broad access to — and sharing of — personal information.
The right to privacy has been recognized by the US Supreme Court based on the US Constitution, despite there being no such explicit constitutional right. Many states have privacy protections within their own constitutions. Only California has extended the protection of data from government interference into an obligation on the private sector.
In Canada, the Canadian Charter of Rights and Freedoms contains a right “to be secure from unreasonable search or seizure”, which the courts have extended to protect an individual’s “reasonable expectation of privacy”. Recent case law from the Court of Appeal in Ontario has also introduced a common law tort of invasion of privacy (“intrusion upon seclusion”). Canadian laws do not restrict international transfers of personal data, but any transfer remains the responsibility of the disclosing party.
Brazil has yet to implement specific data protection legislation although its Constitution does set out fundamental rights to both privacy and secrecy of correspondence. The Civil Code also provides that an individual may request relief from any threat to personality rights, and that the private life of an individual is inviolable. There are also broad protections within the Consumer Protection Code. These include consumer rights of access and correction to any recorded personal data.
South Africa has no specific data protection legislation, but a right to privacy is set out within its Constitution. There are also relevant personal information provisions contained within the Consumer Protection Act 2008 and the Electronic Communications and Transactions Act 2002. Compliance with the latter is voluntary and any adherence must be recorded in an agreement with the data subject. A new Protection of Personal Information Bill has been tabled in the South African Parliament.
Saudi Arabia has no specific data protection legislation, although a right to privacy is established in a number of its laws. In particular, Saudi Arabia’s Basic Law of Governance sets out the overriding principle that all correspondence and communications between parties should be kept strictly confidential and should not be disclosed.
If no legislation is applicable, the courts will apply sharia (Islamic law). The sharia principles establish a tort claim for damages for the wrongful disclosure of a person’s personal information where that disclosure results in loss or harm to the individual.
The United Arab Emirates does not have any specific data protection legislation, although a right to privacy is set out within its Constitution and in various laws. The Constitution states that an individual enjoys “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law.” In addition, the Penal Code establishes certain rights of privacy and the protection of personal data.
There is no specific constitutional right to privacy in India, although the Supreme Court has established that privacy should be included within the right to life and personal liberty. The collection and processing of personal data is regulated under the Information Technology Act 2000, which states that companies must maintain reasonable security practices while processing personal data, and that if obtained under a contract, such data must not be disclosed in breach of that contract without the data subject’s consent.
As a member of Asia-Pacific Economic Cooperation (APEC), Japan subscribes to APEC’s approach to privacy. The Act on Protection of Personal Information regulates the collection and use of personal data in Japan. Any form of data handling is covered, but the Act applies only to situations involving the personal information of 5000 or more individuals. The Act imposes common obligations of consent, security and providing information, alongside additional requirements to supervise employees and third parties who handle the personal data.
Recommendations for best practice
Is the current patchwork of regulation fit for purpose in the cloud? The short answer is no. National regulation with respect to privacy and data protection was established 20 to 30 years ago and did not foresee the advent of a global digital ecosystem. Existing regulations are now outdated.
To address the challenges raised by the cloud ecosystem, Trends in Telecommunication Reform 2013 recommends steps that can be taken by policy-makers and regulators, some of which are highlighted here.
Facilitate cloud literacy: Regulators should assist consumers to make informed choices about what personal information they put in the cloud by enhancing their understanding of the commercial value and potential use of their data. Citizens need to know to whom to complain if their information is misused.
Develop expertise: Policy-makers and regulators should keep up to date with technical and social developments in the cloud, and with the views of all stakeholders, so as to be in a position to establish and enforce relevant laws.
Adopt laws that are fit for purpose: International and national policy-makers should work together to develop efficient, effective, proportionate and enforceable laws to protect the individual’s reasonable expectation of privacy. Responsibility should also be devolved to stakeholders to develop self-regulation.
Review existing laws: Policy-makers internationally should review existing laws to facilitate the national and international use of cloud services. The development of common standards and interoperability requirements will facilitate transborder information flows with appropriate security and privacy protections.
These recommendations were embraced by the 12th Global Symposium for Regulators (GSR‑12) as part of the best practice guidelines on regulatory approaches to foster access to digital opportunities through cloud services (see www.itu.int/en/ITU-D/Regulatory-Market/Pages/bestpractices.aspx).
All articles about the “cloud” are extracts adapted from the upcoming Trends in Telecommunication Reform 2013, prepared and produced by the Regulatory and Market Environment Division of ITU’s Telecommunication Development Bureau (BDT).