Legal aspects of cloud security

Enterprise (large organisation) computing workloads are moving from ‘on-prem’ to ‘in-cloud’ increasingly quickly, and the cloud is forecast to account for almost half of enterprise IT by 2026, up from 10% today. But the benefits of the enterprise cloud need to be weighed against increasingly burdensome duties around cloud and data security. This comment piece provides a checklist of the sources of enterprise cloud security duties and a checklist of best practices to manage them.     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

Citizens' perceptions of data protection and privacy in Europe

Data protection and privacy gain social importance as technology and data flows play an ever greater role in shaping social structure. Despite this, understanding of public opinion on these issues is conspicuously lacking. This article is a meta-analysis of public opinion surveys on data protection and privacy focussed on EU citizens. The article firstly considers the understanding and awareness of the legal framework for protection as a solid manifestation of the complex concepts of data protection and privacy. This is followed by a consideration of perceptions of privacy and data protection in relation to other social goals, focussing on the most visible of these contexts–the debate surrounding privacy, data protection and security. The article then considers how citizens perceive the ‘real world’ environment in which data processing takes place, before finally considering the public's perception and evaluation of the operation of framework against environment.     

The necessity of legally compliant data management in European cloud architectures

Taking advantage of flexible resource provisions enabled by Cloud Computing, many businesses have recently migrated their IT applications and data to the Cloud, allowing them to respond to new demands and requests from customers. However, Cloud Computing also moves functions and responsibilities away from local ownership and management to a third-party provided service, and brings with it a set of associated legal issues, such as data protection, licensing, intellectual property rights and the need to comply to necessary regulation. In this paper we evaluate commonly-observed Cloud Computing use cases against the law applying to Cloud Computing to find where legal problems may arise. We derive a general architecture for Clouds and use it to illustrate common Cloud Computing usage patterns. The use cases are assessed against evaluation criteria derived from the relevant Cloud Computing law for the data processing of end-user details and materials, including roles and responsibilities necessary for legal compliance. The Data Protection Directive of the European Union has been used in this evaluation, as it is a commonly accepted and influential directive in the field of data processing legislation.     

Protecting digital identity in the cloud: Regulating cross border data disclosure

Widespread use of cloud computing and other off-shore hosting and processing arrangements make regulation of cross border data one of the most significant issues for regulators around the world. Cloud computing has made data storage and access cost effective but it has changed the nature of cross border data. Now data does not have to be stored or processed in another country or transferred across a national border in the traditional sense, to be what we consider to be cross border data. Nevertheless, the notion of physical borders and transfers still pervades thinking on this subject. The European Commission (“EC”) is proposing a new global standard for data transfer to ensure a level of protection for data transferred out of the EU similar to that within the EU. This paper examines the two major international schemes regulating cross-border data, the EU approach and the US approach, and the new EC and US proposals for a global standard. These approaches which are all based on data transfer are contrasted with the new Australian approach which regulates disclosure. The relative merits of the EU, US and Australian approaches are examined in the context of digital identity, rather than just data privacy which is the usual focus, because of the growing significance of digital identity, especially to an individual's ability to be recognized and to transact. The set of information required for transactions which invariably consists of full name, date of birth, gender and a piece of what is referred to as identifying information, has specific functions which transform it from mere information. As is explained in this article, as a set, it literally enables the system to transact. For this reason, it is the most important, and most vulnerable, part of digital identity. Yet while it is deserving of most protection, its significance has been largely under-appreciated. This article considers the issues posed by cross border data regulation in the context of cloud computing, with a focus on transaction identity and the other personal information which make up an individual's digital identity. The author argues that the growing commercial and legal importance of digital identity and its inherent vulnerabilities mandate the need for its more effective protection which is provided by regulation of disclosure, not just transfer.     

Independence of data privacy authorities (Part I): International standards

Part I of this article analyses the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concludes that a more satisfactory answer needs to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It finds that only the OECD and APEC privacy agreements did not require a DPA (and therefore have no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others. Part II of the article will consider how these criteria have been implemented in laws in the Asia-Pacific.     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

Independence of data privacy authorities (Part II): Asia-Pacific experience

Part I of this article in [2012] 28 CLSR 3-13 analysed the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concluded that a more satisfactory answer needed to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It found that only the OECD and APEC privacy agreements did not require a DPA (and therefore had no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

Narratives about privacy and forgetting in English law

This paper examines narratives about the right of privacy in the UK. It argues that until relatively recently the dominant narrative was one that associated privacy with celebrity claimants and media defendants. Other narratives, such as those concerned with digital privacy and data protection, did not feature as prominently. But changing technological and social contexts mean that these narratives are now understood to be of immense importance too. This paper explores these narratives against the backdrop of the European Commission's proposals for a ‘right to be forgotten’ (now relabelled a ‘right to erasure’), the subject-matter of this special issue, as well as the 2014 Google Spain judgment. The paper emphasises the importance of forgetting as an aspect of the right to privacy and argues that while the UK legislator and courts have been slow to give effect to erasure remedies, they must now start exploring the bounds of legal possibility in order to meet the challenges of the digital age.     

The mandatory notification of data breaches: Issues arising for Australian and EU legal developments

Public and private sector organisations are now able to capture and utilise data on a vast scale, thus heightening the importance of adequate measures for protecting unauthorised disclosure of personal information. In this respect, data breach notification has emerged as an issue of increasing importance throughout the world. It has been the subject of law reform in the United States and in other jurisdictions. This article reviews US, Australian and EU legal developments regarding the mandatory notification of data breaches. The authors highlight areas of concern based on the extant US experience that require further consideration in Australia and in the EU.     

Are data protection laws sufficient for privacy intrusions? The case in Hong Kong

An area of concern which relates to privacy intrusions in Hong Kong is the substantial changes that have taken place in recent years in relation to news gathering and reporting and the activities of local paparazzi. The issue that needs to be addressed is how intrusions of privacy can be protected in Hong Kong. The most significant reform to date has been the enactment of the Personal Data (Privacy) Ordinance which provides rules for the fair handling of information about living individuals. However, the Ordinance is concerned only with data protection and does not provide a general privacy right. This article demonstrates the inadequacies of existing legislation for general privacy protection and examines the possibility of developing a separate action for general privacy via a) an action of extended breach of confidence as demonstrated by the UK model and b) a sui generis cause of action as can be seen in the New Zealand courts.     

The United Nations data privacy system and its limits

ABSTRACT

While the United Nations (UN) pioneered in recognizing the impact of modern technological developments on (data) privacy as far back as 1968, little has so far been achieved in terms of introducing a truly global data privacy framework. The present UN data privacy framework is by and large a mere patchwork of rules that exhibit a number of weaknesses. This weak structure of the present framework is a result of political and ideological controversies of the Cold War era. This article considers the extent to which the current UN data privacy system provides protection to data privacy and highlights its major limitations. It concludes that the discourse at the UN set in motion, particularly in the aftermath of the Snowden revelations, wields a potential to result in a major reform in the UN data privacy system.     

Property and the cloud

Data is a modern form of wealth in the digital world, and massive amounts of data circulate in cloud environments. While this enormously facilitates the sharing of information, both for personal and professional purposes, it also introduces some critical problems concerning the ownership of the information. Data is an intangible good that is stored in large data warehouses, where the hardware architectures and software programs running the cloud services coexist with the data of many users. This context calls for a twofold protection: on one side, the cloud is made up of hardware and software that constitute the business assets of the service provider (property of the cloud); on the other side, there is a definite need to ensure that users retain control over their data (property in the cloud). The law grants protection to both sides under several perspectives, but the result is a complex mix of interwoven regimes, further complicated by the intrinsically international nature of cloud computing that clashes with the typical diversity of national laws. As the business model based on cloud computing grows, public bodies, and in particular the European Union, are striving to find solutions to properly regulate the future economy, either by introducing new laws, or by finding the best ways to apply existing principles.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

Cross border data transfer: Complexity of adequate protection and its exceptions

The majority of the fear that exists about the cloud arises due to the lack of transparency in the cloud. Fears have persisted in relation to how the data are frequently transferred in a cloud for various purposes which includes storing and processing. This is because the level of protection differs between countries and cloud users who belong to countries which provide a high level of protection will be less in favour of transfers that reduce the protection that was originally accorded to their data. Hence, to avoid client dissatisfaction, the Data Protection Directive has stated that such transfers are generally prohibited unless the country that data is being transferred to is able to provide ‘appropriate safeguards’. This article will discuss the position of the Data Protection Directive and how the new General Data Protection Regulation differs from this Directive. This involves the discussion of the similarity as well as the differences of the Directive and Regulation. In summary, it appears that the major principles of the cross border transfer are retained in the new regulation. Furthermore, the article discusses the exceptions that are provided in the standard contractual clause and the reason behind the transition from Safe Harbor to the new US-EU Privacy Shield. This article subsequently embarks on the concept of Binding Corporate Rule which was introduced by the working party and how the new regulation has viewed this internal rule in terms of assisting cross border data transfer. All the issues that will be discussed in this article are relevant in the understanding of cross border data transfer.     

The legal construction of privacy and data protection

In this contribution, the authors explore the differences and interplays between the rights to privacy and data protection. They describe the two rights and come to the conclusion that they differ both formally and substantially, though overlaps are not to be excluded. Given these different yet not mutually exclusive scopes they then apply the rights to three case-studies (body-scanners, human enhancement technologies, genome sequencing), highlighting in each case potential legal differences concerning the scope of the rights, the role of consent, and the meaning of the proportionality test. Finally, and on the basis of these cases, the authors propose paths for articulating the two rights using the qualitative and quantitative thresholds of the two rights, which leads them to rethink the relationship between privacy and data protection, and ultimately, the status of data protection as a fundamental right.     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.