Tuesday 18 October 2011

"Cloud computing and data protection"

Watch out for this new technology of Cloud computing:

Cloud computing is more than simply a technical challenge. By putting our personal data on remote servers, we risk losing control over that data. Because the right to the protection of personal data is a fundamental right in the EU, this demands several actions. Fundamentally, the Commission believes that we need further research to enhance the security features of these technologies. And indeed we are funding such research at European level – which looks at "privacy-by-design" and "privacy-enhancing technologies".

More on this here.

7 comments:

  1. I have to admit to being rather underwhelmed by the current debate about cloud computing since, to my mind, there is not really anything new here.

    For years, people have stored data "in the cloud" - they just referred to it under other names, such as "on my web server," "in my email account," or simply "on the network." Much of the concern appears to be around simple remote storage, and, whilst it obviously does have an impact on user freedom, since, in most cases, the act of committing data to a remote machine is a loss of control, or, at least, the sharing of that control, it's not an issue unique to the cloud.

    In all I've read and heard so far, the issue which strikes me as being close to unique is that the uploader might not know where in the world the data are stored, on the grounds that "cloud providers" may not announce where data is at any point, and how it might be shifted around the world. However, even before the cloud, I'm not sure that everyone could have said exactly where their data were stored. As long as it is stored securely - a technical issue - the jurisdiction - a legal issue - is far less relevant.

    I'd be fascinated if anyone had a view / opinion which helped convince me otherwise, that there's a particular risk here?

  2. Neil,

    I absolutely agree with you. "Clouds" are nothing new; they are probably even older than PC computing!
    Indeed, in the past all the CPU/storage power used to be on the central mainframes, while the workstations were purely "dumb" terminals.
    In the 90's we saw a fast growth of CPU power and a decrease in the cost of storage space, which yielded powerful (and isolated) workstations.
    Now that the communication lines are becoming less expensive, the growth is again on the mainframes (or "Clouds", as we like to call them now). Emails are by definition "in the cloud" (jumping from hop to hop to reach the final destination).
    Indeed, nothing new (perhaps the distance and uncertainty of the storage/CPU location?).

    Another point of interest (besides the physical location) in the case of these cloud providers is security. The data owner/processor owes some guarantees in terms of the security of data processing. It's hilarious to see how more and more application providers (incl. Dropbox) are now trying to dismiss their responsibility with "back to back" security provisions of their cloud services (in Dropbox's case, I think it's Amazon S3). In some cases, you can also find some copy-and-paste from the cloud provider in the disclaimers of the application provider.

    I don't think that stating that the user data are secure "since they're hosted by a secure cloud provider" is enough; one could probably outsource the physical storage to the cloud but this does not seem enough to satisfy the data security requirements.

  3. As Neil and Salvator said, e-mail services such as Google's are one category of cloud computing (Software as a Service). There are other categories such as Platform as a Service, allowing customers to develop or configure applications using APIs. The other category is called Infrastructure as a Service, where the provider supplies virtual machines, hardware and operating systems which may be controlled through a service API.

    So, to look at the legal aspects: since the cloud provider could be located in a different country than the country of the customer, we would need international legislation for data protection.
    The risks include handling of sensitive information, which may include loss, leakage and dissemination. What happens to the data upon contract termination with the cloud provider? Data processing performed on remote hardware/operating systems is not protected or ciphered, which allows access to this data. Also activity logs, and who has access to what, and so on...!

    Referring to http://en.wikipedia.org/wiki/Data_Protection_Directive you can see that the US does not provide adequate data protection as the EU Directive 95/46/EC does; therefore, global harmonization of data privacy and security issues is especially required.

    Transfer of personal data to third countries:
    Third countries is the term used in EU legislation to designate countries outside the European Union. Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.
    The Directive's Article 29 created the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
    The Working Party negotiated with U.S. representatives about the protection of personal data; the Safe Harbor Principles were the result. According to critics, the Safe Harbor Principles do not provide an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.

  4. I must admit I'm not a huge fan of international agreements and treaties, and I'm not sure that an international law of data protection would be the right way to go:

    1.) Will there really be international accord on this issue? I am not sure that there is sufficient agreement as to what should be covered, the standards to which whatever is covered should be protected and the like for an international approach to be achievable if it is to remain meaningful. Different countries have very different notions of privacy, and as to who is in need of protection from whom / what (see, for example, the differences between European, US and Canadian approaches), and so there might be no fundamental basis of agreement.

    In particular, I would envisage problems with country-specific desires, especially those based on national security objectives. India and Turkey, for example, place very different restrictions on the exportation of personal data from within their boundaries than exist within European countries at the moment, and I would be surprised if they were willing to give up these requirements. However, if they do not, I would fear that the international law would be little more than a benchmark, rather than a true harmonisation, with some countries placing additional limitations, thereby still preventing true internationalisation.

    2.) I'm not sure that an approach based on legislation, or rigid compliance frameworks, is desirable - part of the problem I have with the European regime at the moment.

    My preference would be for an approach which required that providers within Europe must ensure that, wherever their customers' data are stored, there is appropriate security (i.e. to European standards) in place. Rather than forcing a particular restrictive model, which may or may not work with technical and societal changes, the companies have the power to determine the best method of achieving the required protection, with the threat of a legislative stick in the event of their failure. I would be in favour of enabling companies to take responsibility, with sanctions for failure. I would have thought that this would be a more flexible approach, capable of dealing with risks specific to particular arrangements, than a more rigid approach. (Binding corporate rules have yet to gain considerable traction, even with changes to the approval procedure, so something more flexible is required.)

    3.) This is part of a much wider picture, which is the regulation of the Internet as a whole - data protection is but one aspect of the regulatory considerations for an international network.

    This is not a new argument, of course, but I still wonder whether it makes sense to regulate the Internet on a national basis, or, indeed, whether a supra-national alternative is even achievable, in line with my comments above. Whilst some elements are supra-national at the moment (although there are debates around US proximity to ICANN/IANA), regulation is still largely national, which, whilst understandable from the point of view of sovereignty, and a desire not to cede control, perhaps is not in the best interests of a global digital society. Although perhaps not everyone sees that as desirable or beneficial.

    4.) Do we need any new or changed legislation / regulation at all, or could we adopt a free market approach to solve European problems? If companies are not willing to use clouds which cannot provide guarantees as to where their data are stored, or else are unable to use such clouds for compliance purposes, there is a clear market need for regional clouds - shifting between data centres within a defined region (e.g. within Europe). Someone will step up to the market with a commercial offering, compliant with existing law, negating the need for costly reform.

  5. Thank you for your detailed analysis :-)

    I think if the EU members would not want to impose regulations or agreements beyond the EU for utilizing cloud computing, then they may need to be clear on this.

    One issue which could even be of concern within the EU when using cloud computing: if one is drafting a patent, for example, and the company is using cloud computing to process and store this data, then how would the company/individual ensure that there is no breach of this information? Sure, looking into the data is a breach; however, this example may have a huge economic impact as well!


  6. "how would the company/individual ensure that there is no breach of this information?"

    Decent encryption ;)

    (Storing sensitive data outside one's direct control without encryption would seem to be poor business practice to me!)

  7. I definitely agree that data encryption should be performed before storing data remotely. However, we are talking about processing the data remotely here, so I assume the data is not encrypted while it is processed.

    It is possible to encrypt the data from the user to the processor, decrypt it while processing and then encrypt it again; this means the other end has the encryption keys (the credentials).

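An added example, not code from the blog post or any of the commenters, of the arrangement comments 6 and 7 describe: the customer seals the data with AES-256-GCM under its own key before upload, the provider's bucket only ever holds ciphertext, and a remote processor can do work on the object only once it has been handed that key. The function names, the key and the sample text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the customer's side before upload: nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // assumes Go 1.24+, where crypto/rand.Read cannot fail
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or a tampered blob.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProcessRemotely is the processor from the thread: bucket is the provider's
// storage of sealed blobs, and work (here a word count) needs the customer's key.
func ProcessRemotely(bucket map[string][]byte, name string, key []byte) (int, error) {
	plain, err := Open(key, bucket[name]) // a missing object is an empty blob
	if err != nil {
		return 0, err
	}
	return len(bytes.Fields(plain)), nil
}
```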