Data Privacy Acts
Privacy and data protection (P&DP) matters are often cited as a concern for cloud computing scenarios.
The P&DP regulations affect not just those whose personal data is processed in the cloud (the data subjects) but also those (the cloud service customers) using cloud computing to process others’ data and indeed those providing cloud services used to process that data (the service providers).
The key questions raised by Data Privacy Acts follow:
- What information in the cloud is regulated under data protection laws?
- Who is responsible for personal data in the cloud?
- Whose laws apply in a dispute?
- Where is personal data processed?
The global economy is undergoing an information explosion; there has been a massive growth in the complexity and volume of global data services.
Personal data is now crucial material, and its protection and privacy have become important factors enabling the acceptance of cloud computing services.
The following is an overview of how different countries and regions around the world are addressing the varied legal and regulatory issues they face.
Global P&DP Data Privacy Acts in the United States
The United States has many sector-specific privacy and data security laws, both at the federal and state levels.
There is no official national Privacy Data Protection Authority; however, the Federal Trade Commission (FTC) has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas.
In addition to the FTC, a wide range of sector-specific regulators, particularly those in the healthcare and financial services sectors, have the authority to issue and enforce privacy regulations.
Generally, the processing of personal data is subject to opt-out consent from the data subject, whereas the opt-in rule applies in special cases, such as the processing of sensitive or health data.
However, it is interesting to note that currently, no specific geographic personal data transfer restrictions apply.
Regarding the accessibility of data stored within cloud services, it is important to underline that the Fourth Amendment to the U.S. Constitution applies; it protects people from unreasonable searches and seizures by the government.
The Fourth Amendment, however, is not a guarantee against all searches and seizures, but only those that are deemed unreasonable under the law.
Whether a particular type of search is considered reasonable in the eyes of the law is determined by balancing two important interests.
On one side is the intrusion on an individual’s Fourth Amendment rights; on the other side are legitimate government interests, such as public safety.
In 2012, the Obama Administration unveiled a Consumer Privacy Bill of Rights as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled in the United States.
Global P&DP Data Privacy Acts in the European Union
The data protection and privacy laws in the EU member states are constrained by the EU directives, regulations, and decisions enacted by the European Union.
The main piece of legislation is the EU directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”
These provisions apply in all the business and social sectors; thus, they cover the processing of personal data in cloud computing services.
Furthermore, the European Union enacted a privacy directive (e-privacy directive) 2002/58/EC “concerning the processing of personal data and the protection of privacy in the electronic communications sector.”
The European Parliament formally adopted the text of the proposed EU General Data Protection Regulation, which is to replace the current EU privacy directive 95/46/EC, and of a new specific directive for privacy in the police and criminal justice sector.
The next steps for both the regulation and the directive are for the EU Council of Ministers to formulate a position and for trilateral negotiations between the European Commission, Parliament, and Council to begin.
Entry into force is not expected before 2017.
Latin American, North African, and medium-size Asian countries have privacy and data protection legislation largely influenced by the EU privacy laws.
Global P&DP Data Privacy Acts in APEC
The Asia-Pacific Economic Cooperation council, or APEC, is becoming an essential point of reference for the data protection and privacy regulations of the region.
The APEC Ministers have endorsed the APEC privacy framework, recognizing the importance of the development of effective privacy protections that avoid barriers to information flows, ensure continued trade, and ensure economic growth in the APEC region.
The APEC privacy framework promotes a flexible approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows.
Differences Between Jurisdiction and Applicable Law
For privacy and data protection, it is particularly important to distinguish between these two concepts:
- Applicable law: This determines the legal standing of a case or issue.
- Jurisdiction: This usually determines the ability of a national court to decide a case or enforce a judgment or order.
The applicable law and the jurisdiction in relation to any given issue may not always be the same.
This can be particularly true in the cloud services environment because of the complex nature of cloud hosting models and the ability to geolocate data across multiple jurisdictions.
Essential Requirements in P&DP Laws
The ultimate goal of P&DP laws is to provide safeguards to individuals (data subjects) for the processing of their data, with respect for their privacy and will.
This is achieved by defining principles and rules to be fulfilled by the operators involved in the data processing. The operators who process the data play the role of data controller or data processor.
Typical Meanings for Common Privacy Terms
- Data subject: A subject who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity (such as telephone number or IP address).
- Personal data: Any information relating to an identified or identifiable natural person. There are many types of personal data, such as sensitive and health data and biometric data.
  - According to the type of personal data, the P&DP laws usually set out specific privacy and data protection obligations (such as security measures and data subject’s consent for the processing).
- Processing: Operations that are performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
  - Processing is undertaken for specific purposes and scopes; as a result, the P&DP laws usually set out specific privacy and data-protection obligations, such as security measures and data subject’s consent for the processing.
- Controller: The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.
  - Where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or community law.
- Processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller.
Privacy Roles for Customers and Service Providers
The customer determines the ultimate purpose of the processing and decides on the outsourcing or the delegation of all or part of the concerned activities to external organizations.
Therefore, the customer acts as a controller. In this role, the customer is responsible and subject to all the legal duties that are addressed in the P&DP laws applicable to the controller’s role.
The customer may task the service provider with choosing the methods and the technical or organizational measures to be used to achieve the purposes of the controller.
When the service provider supplies the means and the platform, acting on behalf of the customer, it is considered to be a data processor. Sometimes a service provider is considered either a joint controller or a controller in his own right, depending on concrete circumstances.
However, even in complex data processing environments in which different controllers play a role in processing personal data, compliance with data-protection rules and responsibilities for possible breaches must be allocated to avoid the protection of personal data being reduced to a negative conflict of competence.
Nevertheless, it is ultimately the customer who decides on the allocation of part or the totality of processing operations to cloud services for specific purposes.
The imbalance in contractual power between a small controller or customer and large service providers should not be considered a justification for the controller to accept clauses and terms of contracts that are not in compliance with the P&DP laws applicable to him.
In a cloud services environment, it is not always easy to properly identify and assign the roles of controller and processor between the customer and the service provider.
However, this is a central factor of P&DP because all liabilities are assigned to the controller role, and its country of establishment mainly determines the applicable P&DP law and jurisdiction.