InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

Legal Implications of Cloud Computing — Part Two (Privacy and the Cloud)

Posted in Breach Notice, Breach Notification, Cloud Computing, Cloud Computing Series, Special Series

Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues.  What is the cloud?  Why is everyone in the tech community talking about it?  Why do we as lawyers even care?  Dave provided a few things for our readers to think about — privacy, security, e-discovery. 

Now, let’s dig a little deeper. 

I am going to start with privacy and cross-border data transfers.  Is there privacy in the cloud?  What are the privacy laws to keep in mind?  What are an organization’s compliance obligations?   As with so many issues in the privacy space, the answer begins with one key principle – location, location, location.  For those of you who prefer to listen, check out my recent webinar on International Regulatory Issues in the Cloud, or you can download the slides (PPTX). For everyone else, read on after the jump.

In the world of the cloud, location appears to be irrelevant.  In the cloud, data effortlessly flows around the globe, ignoring boundaries and time zones, and magically appears on demand.  Not surprisingly, the existing legal structure is far from prepared for the reality of existing technology.  Every jurisdiction has its own laws, and its own compliance requirements.  As that data instantaneously circumnavigates the globe, it may already be too late to comply with privacy laws in every jurisdiction.

You have undoubtedly heard that the laws of this country are like a patchwork quilt.  They have popped up in certain sectors (financial, health) and with respect to certain types of sensitive information (e.g., kids’ data).  There are federal laws like Gramm-Leach-Bliley (applicable to financial institutions), HIPAA (applicable to health care providers and others dealing with health information and related entities), COPPA (applicable to data of children under 13 collected online), and the USA Patriot Act (may be applicable to foreign companies that work with cloud providers that allow data to reside in or flow through the US).  In addition, we have a panoply of state laws requiring notification in the event of a breach of sensitive information and, in some cases, requiring the implementation of safeguards to protect sensitive information and/or secure disposal of such information.

By contrast, the European Union has a comprehensive privacy framework, the EU Data Protection Directive.  Each member state has its own unique law implementing the Directive.  The most notable thing about the EU Directive and member state laws for purposes of cloud computing is this — in the absence of specific compliance mechanisms, the EU prohibits (yes, you read correctly, prohibits) the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.

What does this mean for cloud computing?  If you want to put data in the cloud that includes personal information of EU residents (and that might be something as simple as an email address or employment information), and the data will flow from the EU to almost anywhere in the world, you cannot simply throw the data in the cloud and hope for the best.  You need to have, at a minimum, one or more of the following:

  • International Safe Harbor Certification (which allows data transfer from the EU to the US, but not from the EU to other countries);
  • model contracts (which allow data transfer from the EU to non-US countries, but do not always work well with multi-tiered vendor relationships); or
  • Binding Corporate Rules (which are designed for a multinational company and therefore may not function well for cloud provider relationships).

So what does this tell us?  All of the stakeholders within an organization should be part of the cloud discussion and due diligence — IT, legal, information security, and all of the relevant business groups.  And those stakeholders, in investigating a potential cloud relationship and in negotiating the terms of a relationship with a cloud provider, should consider and pose the following questions internally and to the vendor long before any contract is signed:

  • What kind of data will be in the cloud?
  • Where do the data subjects reside?
  • Where will the data be stored? 
  • Where are the servers? 
  • Will the data be transferred to other locations and, if so, when and where?
  • Can certain types of data be restricted to particular geographic areas?
  • What is our compliance plan for cross-border data transfers?

Is that the end of the inquiry?  No, it is just the tip of the iceberg, but it is a good start.

  • http://WWW.TerraVerdeSerivces.com Don Turnblade

    First, I am very glad to see the legal profession engaged in foresighted discussion of this topic. I also appreciate your acknowledgement that both Legal and Information Security interests should interact as stakeholders in Cloud Computing issues.
    I have a few suggestions on this topic. But first, I think it is fair to give a brief on my background. I am a Security Architect for Terra Verde Services. I maintain background information at the following site, http://www.linkedin.com/in/arctific. My perspective in this matter comes from my work in Information Security. I span both policy and technology approaches to build secure transactions for both US domestic and multinational corporate clients.
    My take on your blog leads me to the following core issues. How do we build into Cloud Computing natural break points in responsibility? When is the Cloud computer user responsible for exposed data and selection of a reckless vendor? When is the Cloud computing group responsible for misrepresentation? When is an individual Cloud resource provider responsible for misrepresenting the secure processing of transactions delegated to them?
    As a cloud service vendor business, I see that the cloud computing industry has a natural incentive to build for itself a security computing standard that each of its member services members must meet or exceed. By doing this, the client purchaser of Cloud Computing services receives a “cloud quality seal” that can be matched up against their sensitive data processing needs. Compliance with this “cloud quality seal” creates a natural accountability point for Cloud members as well as an industry-wide marketing point to potential customers. Computing law is not completely hardened in silicon stone, yet. Such “cloud quality seals” could also be used in various global regions to advocate for reasonable accommodation in emerging law and precedent.
    As a cloud service customer problem, I see a few steps that would create a fair level of due care. First, sensitive data should be defined and appropriately encrypted to the client’s satisfaction. Second, to be allowed to process this sensitive data, processing systems must provide satisfactory evidence of encrypted data processing and application integrity for systems processing cloud available data. Third, cloud computing vendors must create the ability to regionally restrict the location of data, or the client may begin refusing to buy cloud computing services that do not certify the allowed regional locations of data.
    In effect, regional data requirements are similar to export controlled library books. Such a book might be checked out of a regional library but may not leave the country – even as the reader moves freely about inside the country “processing” the information in that book. Fortunately, computer software can be made deliberately “forgetful” so export controlled information will never leave the country in the long term memory of the reader, even after the book gets checked back in to the library. Failure to comply with such a requirement would amount to a breach of good faith contractual agreement.
    With some thought to the content of “cloud computing seal” requirements, standards meeting or exceeding a number of present and evolving computing laws can be maintained. This is no more complex than the present state of affairs by “non-cloud” computing companies. Whether by plan or default, inside each multinational corporation there is an effective working understanding of a “cloud computing seal” that each of them uses to navigate and govern its approach to the present patchwork of laws governing sensitive data. The business model of cloud computing will hinge on its ability to provide quality assurance and outsourcing cost advantage.
    At the personal level, I might see visible indicators of quality in sensitive data handling of my individual records as more reassuring than the present state of affairs.

  • https://www.ibm.com/developerworks/mydeveloperworks/blogs/CloudComputing/ Saqib Ali

    Ms. Forsheit,
    I agree that the US Privacy laws are not as cohesive as the EU Data Protection Directive. But would it be fair to say that US Laws, combined, are more stringent than what is required by the Safe Harbor Act?
    saqib

  • Byron Wu

    IMHO it is worth considering that any data (including voice) that is transmitted via an ISP has the potential to leave the state / country of origin even if that communication / transmission is between two parties in the same state. It is one of the methods by which the Internet is so fault tolerant. It is also likely regardless of the path it took that the information has been cached, albeit in volatile memory and only for a very short time.

  • Byron Wu

    The point is, forget this new cloud computing stuff, if you use an ISP to transmit data, then it is likely the horse has already bolted … it is just that up until now ignorance is bliss.