Cloud Data Protection Frameworks: Globally, a plethora of laws, regulations, and other legal requirements for organizations and entities exist to protect the security and privacy of digital and other information assets.
Organization for Economic Cooperation and Development—Privacy and Security Guidelines
On September 9, 2013, the Organization for Economic Cooperation and Development (OECD) published a set of revised guidelines governing the protection of privacy and trans-border flows of personal data.
This updated the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.
These revised guidelines focused on the need to globally enhance privacy protection through improved interoperability and the need to protect privacy using a practical, risk-management-based approach.
According to the OECD, several new concepts have been introduced in the revised guidelines, including the following:
Asia-Pacific Economic Cooperation Privacy Framework
Asia-Pacific Economic Cooperation (APEC) provides a regional standard to address privacy as it relates to the following:
- Privacy as an international issue
- Electronic trading environments and the effects of cross-border data flows
The goal of the framework is to promote a consistent approach to information privacy protection as a means of ensuring the free flow of information within the region.
The APEC privacy framework is a principles-based privacy framework that is made up of four parts, as noted here:
- Part I: Preamble
- Part II: Scope
- Part III: Information Privacy Principles
- Part IV: Implementation
The nine principles that make up the framework are as follows:
- Preventing harm
- Use of personal information
- The integrity of personal information
- Security safeguards
- Access and correction
EU Data Protection Directive
EU Directive 95/46/EC provides for the regulation of the protection and free movement of personal data within the European Union.
It is designed to ensure the privacy and protection of all personal data collected for or about citizens of the European Union, especially as it relates to the processing, using, or exchanging of such data.
The Data Protection Directive encompasses the key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and personal correspondence.
This directive applies to data processed by automated means and data contained in paper files.
It does not apply to the processing of data in these instances:
- By a natural person in the course of purely personal or household activities
- In the course of an activity that falls outside the scope of community law, such as operations concerning public safety, defense, or state security
The directive aims to protect the rights and freedoms of persons concerning the processing of personal data by laying down guidelines determining when this processing is lawful.
The guidelines relate to the following:
- The quality of the data: Personal data must be processed fairly and lawfully and collected for specified, explicit, and legitimate purposes. It must also be accurate and, where necessary, kept up to date
- The legitimacy of data processing: Personal data may be processed only if the data subject has unambiguously given her consent or processing is necessary:
  - For the performance of a contract to which the data subject is party
  - For compliance with a legal obligation to which the controller is subject
  - To protect the vital interests of the data subject
  - For the performance of a task carried out in the public interest
  - For the legitimate interests pursued by the controller
- Special categories of processing: It is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or to process data concerning health or sex life. This provision comes with certain qualifications concerning, for example, cases where processing is necessary to protect the vital interests of the data subject or for preventive medicine and medical diagnosis.
- Information to be given to the data subject: The controller must provide the data subject from whom data is collected with certain information relating to himself.
- The data subject’s right of access to data: Every data subject should have the right to obtain from the controller the following:
  - Confirmation as to whether or not data relating to her is being processed and communication of the data undergoing processing
  - The rectification, erasure, or blocking of data for which the processing does not comply with the provisions of this directive because of the incomplete or inaccurate nature of the data, and the notification of these changes to third parties to whom the data has been disclosed
- Exemptions and restrictions: The scope of the principles relating to the quality of the data, information to be given to the data subject, right of access, and publicizing of processing may be restricted to safeguard aspects such as national security, defense, public security, the prosecution of criminal offenses, an important economic or financial interest of a member state or the European Union, or the protection of the data subject.
- The right to object to the processing of data: The data subject should have the right to object, on legitimate grounds, to the processing of data relating to her. She should also have the right to object, on request and free of charge, to the processing of personal data that the controller anticipates being processed for direct marketing. Finally, she should be informed before personal data is disclosed to third parties for direct marketing and be expressly offered the right to object to such disclosures.
- The confidentiality and security of processing: Any person acting under the authority of the controller or of the processor, including the processor himself who has access to personal data, must not process the data except on instructions from the controller. In addition, the controller must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.
- The notification of processing to a supervisory authority: The controller must notify the national supervisory authority before carrying out any processing operation. Prior checks to determine specific risks to the rights and freedoms of data subjects are to be carried out by the supervisory authority following receipt of the notification. Measures are to be taken to ensure that processing operations are publicized, and the supervisory authorities must keep a register of the processing operations notified.
- Scope: Every person has the right to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question. In addition, any person who has suffered damage as a result of the unlawful processing of his data is entitled to receive compensation for the damage suffered.
- Transfers of personal data from a member state to a third country with an adequate level of protection are authorized. However, they may not be made to a third country that does not ensure this level of protection, except in the cases of the derogations listed.
- Each member state is obliged to provide one or more independent public authorities responsible for monitoring the application within its territory of the directive’s provisions.
General Data Protection Regulation
On January 25, 2012, the European Commission unveiled a draft European General Data Protection Regulation to supersede the Data Protection Directive.
The European Union is aiming to adopt the General Data Protection Regulation by 2016, and the regulation is planned to take effect after a transition period of two years. As of June 15, 2015, a common position on the EU data protection regulation was agreed to, allowing the first trialogue meeting to take place on June 24, 2015, to begin negotiations to finalize an agreement for implementation across the European Union.
The ePrivacy Directive, Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, is concerned with the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directives 2006/24/EC and 2009/136/EC).
Beyond Cloud Data Protection Frameworks and Guidelines
Outside the wider frameworks and guidelines, several countries are currently adopting and aligning with cloud data protection and privacy laws to enable swift and smoother business and trade relations. These include several Central and South American countries as well as Australia, New Zealand, and many Asian countries. For those operating within the United States (or having existing business relationships with U.S. entities), laws that take into account privacy and subsequent security requirements include the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
There are additional privacy laws outlined by specific states, such as California and Colorado among others. Country-specific laws and regulations are discussed later in the section “Country-Specific Legislation and Regulations Related to PII, Data Privacy, and Data Protection.”