Cloud computing is one of the most important trends in information management today.  However, though cloud computing promises many new benefits, it also presents its fair share of new risks. 


Is cloud computing “bad or risky” for data privacy?

Is personal data more “secure and protected” in the cloud? Or less?

The impact of cloud computing on data privacy is a complex and sometimes controversial topic. There are a number of misperceptions about data privacy that are inhibiting cloud adoption in many parts of the world.

These questions have been addressed at length by Dr. Lothar Determann, data privacy expert, legal scholar and partner at Baker and McKenzie, LLP.

Myth 1: Cloud Computing Presents Fundamentally New and Unique Challenges for Data Privacy and Security Compliance
We have been entrusting personal data with specialized IT and other service providers for a long time. For example, much of our personal data is already in the hands of telecom providers. And what about company HR data that is managed by application service providers?

The very purpose of the Internet is to share data across geographies, devices and connections. The Internet itself introduced a far greater challenge to data privacy and security than does the cloud. Fortunately, the Internet also sparked new policies, processes and tools to manage data privacy and security that can be applied to the cloud.

Myth 2: Cloud Computing Involves More Data Sharing, Which Is Inherently Bad for Privacy
Data has long been shared across geographic boundaries for use in local transactions. The cloud simply changes the way that data is shared. Consider how HR data is distributed in a multi-national company.

But the cloud does create a greater need to distinguish between the legal obligations of data processors (cloud service providers) and data controllers (cloud consumers) in meeting regulatory compliance. In a cloud services model, while providers must act in the interests of consumers, it is the consumers who are held liable for maintaining compliance overall.

Myth 3: Cloud Computing Is Bad for Data Security
Data security in the cloud depends on three factors: strong internal IT governance, reliable cloud service providers and strong security measures deployed by both. Because service performance is a huge determinant of a vendor’s success, reliable cloud service providers have a built-in incentive to offer better data security than a customer’s own data center.

Myth 4: Cloud Computing Causes Additional Issues Under Privacy Law Because Data Is Transmitted Internationally
Any company using the Internet has already been transmitting data internationally, for example by emailing documents between offices or in relationships with subsidiaries, customers and suppliers in other jurisdictions. Therefore, issues regarding cross-border data transfer are not new. International policies and practices to address these issues are already in place.

But while cloud services can be delivered globally, data privacy laws are largely national. Therefore, when cloud services providers use sub-processors outside their borders, compliance will entail consideration of data privacy laws in multiple countries.

Myth 5: Record Keeping Laws Require Data to Stay Local
It used to be that certain types of tax and financial records, for example, were required by law to stay in country. But this does not preclude transferring such data into the cloud as long as originals or back-up copies are also kept locally.

Myth 6: Contractual Clauses Are Unnecessary If the Service Provider Is Safe Harbor-Certified
Even if cloud service providers are certified under the principles of Safe Harbor, they must meet three additional legal requirements before transferring data across international borders. Those requirements include a) user consent or permission by contract or statute, b) business justification of transfer and c) “proof of adequacy” in meeting EU standards for data privacy protection.

Myth 7: Data Privacy & Security Law Compliance Is the Provider’s Responsibility
The cloud consumer, not the cloud service provider, is responsible for compliance in a service relationship. This entails legal data gathering, consent and notifications and the like. The service provider’s compliance duties include following customer instructions and preventing unauthorized access. Finally, customer and service provider must agree on levels of security for certain data types, division of responsibilities and more.

Myth 8: Cloud Service Providers Cannot Cede Control to Their Customers
Cloud consumers and service providers must maintain clearly distinct roles and responsibilities to ensure that legal compliance obligations are properly met. If a cloud service provider assumes too much control over data tasks, like what to upload, transfer, delete or process, then cloud consumers could violate statutory prohibitions and privacy policy commitments. While service providers assume significant IT systems ownership, cloud consumers must always remain in charge of the data. And service providers must disclose data storage locations, processing practices and use of subcontractors.

Myth 9: Vendor Has and Should Accept Unlimited Liability for Data Security Breaches
Data protection laws do not divide commercial liabilities between service providers and consumers in the event of a data breach. Risk allocations and liability limits are handled in the cloud services contract. They should be based on levels of contribution to the breach, resultant harm, unmet contractual obligations, security policies and applicable law. While the services provider would be held liable for customer infractions like uploaded viruses and illegally copied files, those liabilities are shifted back to the customer in the contract.

Myth 10: Customer Must Have the Right to Access the Provider’s Data Centers and Systems for Audit Purposes
Cloud consumers cannot audit a service provider’s compliance measures unless the right to do so is explicitly called out in the contract. Service provider reluctance to permit individual audits often stems from the security risk to other customers’ data of allowing customers into the data center. Audits can also be expensive and disruptive to operations.

In particular, concerns regarding data privacy and security are proving to be a barrier to the broader uptake of cloud computing services.

What are the risks?

In November 2012, the Commonwealth government released a “Better Practice Guide” to help Commonwealth agencies address legal issues that typically arise in cloud computing arrangements.  The Guide highlights privacy and security as two of the key risks associated with cloud computing.  In particular, the Guide indicates that:

Foreign government access

Depending on where they are based, cloud computing service providers may be subject to local laws that give foreign authorities rights to access and use their stored data.

For example, the US Patriot Act is designed to give the US government access to information that may help prevent terrorist attacks on their soil.  The Act includes provisions that require telecommunications carriers to turn over records and data concerning individual customers if asked to do so by the government.  These provisions do not require the government to get a court order, so in effect the Act allows the government to access that information on demand and without any opportunity for objection or public scrutiny. 

Customers who are concerned about this level of government intervention may be reluctant to entrust their information to cloud service providers who may store that information in jurisdictions that are subject to these types of laws.

Issues particular to regulated industries

Companies that operate in certain regulated industries need to be cognisant of rules that limit their ability to offshore their operations.  For example, the Australian banking and insurance sectors are subject to regulation by the Australian Prudential Regulation Authority (“APRA”), which has rules that require regulated institutions to consult with APRA (including by providing APRA with a comprehensive risk assessment) before outsourcing “material business activities”.

In November 2010, APRA issued an open letter to regulated industries warning that in APRA’s view “regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or offshoring elements in them.  As a consequence, the initiatives are not being subjected to the usual rigour of existing outsourcing and risk management frameworks, and the board and senior management are not fully informed and engaged.”

Based on this warning, it is clearly important for organisations that are subject to regulatory oversight to test the waters with their regulator before proceeding with cloud computing service solutions.

How should customers respond?

Before proceeding with any cloud computing arrangement, customers should assess whether it is appropriate for the data in question to be transferred into the cloud.  For certain types of data, the customer may decide that the potential benefits of cloud computing do not outweigh the heightened data privacy and other risks that follow, particularly where the data may be transferred offshore.  However, if the customer determines that it is appropriate to move forward, the next step is to consider what safeguards need to be built into the service contract.

If the data to be transferred into the cloud includes any personal information, then the impact of privacy laws must be considered.  Ideally, the service contract would oblige the service provider to comply with Australian privacy laws, including the Privacy Act.  Unfortunately, service providers with operations based outside Australia may be reluctant to accept such obligations.  These providers may argue that it is unrealistic to expect them to comply with the privacy laws of the home jurisdiction of each of their customers - after all, the laws in different jurisdictions may not be consistent or compatible.  Notwithstanding this, some service providers (such as Telstra) are reacting to customer concerns by establishing locally-based cloud operations that use data centres located in Australia.  Customers who are nervous about moving data overseas may prefer to use these service providers.

It is also important to consider that Australian privacy law is currently undergoing a process of reform and the rules regarding cross-border transfer of data may be affected by this process.  Under current reform proposals, if an Australian entity discloses personal information to an overseas recipient, the discloser will be liable for any privacy breach by the recipient overseas.  If these proposals come into force, then the Australian entities will need to make sure they are protected against potential liability arising from privacy breaches by their overseas service providers.  In the case of cloud computing services, an Australian customer should seek to negotiate contractual indemnities under which the service provider is required to cover any liability arising from its breach of agreed data privacy and security requirements.  However, whether service providers will be happy to provide such indemnities remains to be seen.

Apart from imposing contractual obligations on the service provider to protect the customer’s data, the other key factor that the customer should consider when dealing with a cloud service provider is transparency.  Consider the appropriateness of contractual rights to:

Finally, if you have these notification and audit rights you should exercise them.  You will want to ensure that your cloud providers are doing what they say to monitor and protect your data.