Wednesday, 10 October 2012 12:42

Cloud Computing and Data Protection Risks

Written by Mark Reich
Rate this item
(0 votes)

The following are the opening statements in the EU - Opinion 05/2012 on Cloud Computing and this post will cover the major relevant points from it and offer our comments on it

"For some, cloud computing is one of the biggest technological revolutions to emerge in recent times. For others, it is just the natural evolution of a set of technologies aimed to achieve the long awaited dream of utility computing. In any case, large numbers of stakeholders have put cloud computing to the fore in the development of their technological strategies. Cloud computing consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage and memory space. Cloud computing can generate important economic benefits, because on-demand resources can be configured, expanded and accessed on the Internet quite easily. Next to economic benefits, cloud computing may also bring security benefits; enterprises, especially small-to-medium sized ones, may acquire, at a marginal cost, top-class technologies, which would otherwise be out of their budget range. There is a wide gamut of services offered by cloud providers ranging from virtual processing systems (which replace and/or work alongside conventional servers under the direct control of the controller) to services supporting application development and advanced hosting, up to web-based software solutions that can replace applications conventionally installed on the personal computers of end-users. This includes text-processing applications, agendas and calendars, filing systems for online document storage and outsourced email solutions.



Data Protection - Risks

The majority of these risks fall within two broad categories namely lack of control over the data, and insufficient information regarding the processing operation itself (absence of transparency). Specific cloud computing risks for each of these broad categories are: Lack of control By committing personal data to the systems managed by a cloud provider, cloud clients may no longer be in exclusive control of this data and cannot deploy the technical and organizational measures necessary to ensure the availability, integrity, confidentiality, transparency, isolation, intervenability and portability of the data. This lack of control may manifest itself in the following manner:

• Lack of availability due to lack of interoperability (vendor lock-in): If the cloud provider relies on proprietary technology it may prove difficult for a cloud client to shift data and documents between different cloud-based systems (data portability) or to exchange information with entities that use cloud services managed by different providers (interoperability).

• Lack of integrity caused by the sharing of resources: A cloud is made up of shared systems and infrastructures. Cloud providers process personal data emanating from a wide range of sources in terms of data subjects and organizations and it is a possibility that conflicting interests and/or different objectives might arise.

• Lack of confidentiality in terms of law enforcement requests made directly to a cloud provider: personal data being processed in the cloud may be subject to law enforcement requests from law enforcement agencies of the EU Member States and of third countries. There is a risk that personal data could be disclosed to (foreign) law enforcement agencies without a valid EU legal basis and thus a breach of EU data protection law would occur.

• Lack of intervenability due to the complexity and dynamics of the outsourcing chain: The cloud service offered by one provider might be produced by combining services from a range of other providers, which may be dynamically added or removed during the duration of the client’s contract.

• Lack of intervenability (data subjects’ rights): A cloud provider may not provide the necessary measures and tools to assist the controller to manage the data in terms of, e.g., access, deletion or correction of data.

• Lack of isolation: A cloud provider may use its physical control over data from different clients to link personal data. If administrators are facilitated with sufficiently privileged access rights (high-risk roles), they could link information from different clients.

Lack of information on processing (transparency)

Insufficient information about a cloud service’s processing operations poses a risk to controllers as well as to data subjects because they might not be aware of potential threats and risks and thus cannot take measures they deem appropriate.

Some potential threats may arise from the controller not knowing that:

• Chain processing is taking place involving multiple processors and subcontractors.

• Personal data are processed in different geographic locations within the European Economic Area. This impacts directly on the law applicable to any data protection disputes, which may arise between user and provider.

• Personal data is transferred to third countries outside the European Economic Area. Third countries may not provide an adequate level of data protection and transfers may not be safeguarded by appropriate measures (e.g., standard contractual clauses or binding corporate rules) and thus may be illegal.

It is a requirement that data subjects whose personal data are processed in the cloud are informed as to the identity of the data controller and the purpose of the processing."

How does this line of though impact cloud computing in general and in Europe specifically? Though the full text of the “opinion” as published by the EU contains a lot of text focused on the legal impact and the extent to which the “opinion” can be implemented, the first points it makes around lack of control and transparency are cogent and in our mind, accurate.

The opinion clearly outlines the way they see the data privacy laws in the EU to be translated into rules and behavior, and at the same time recognizes that regulation alone will not by itself get the industry to where it needs to be. For that, the active involvement of suppliers is required, and those suppliers need to understand that, contrary to popular belief, cloud is not impossible in Europe. European Data Privacy laws do not make it impossible for Cloud based solution to be successful. Europe as a market is fragmented when compared to the US, both in terms of language and the sophistication of IT services markets across the countries. It is the reason there is no European Amazon, except for perhaps Amazon itself operating out of Ireland for their European operations.

Because the different viewpoint the EU has on data privacy, and the fact that some technology related rights and responsibilities go far beyond what is common in the US (like the fundamental right to internet access in the EU, or data privacy) it is easy to say Cloud wont work in Europe. However, cloud is very much a vibrant topic and actively pursued in many of the EU markets. However, in stark contrast to the US, the word “Cloud” has a lot of negative connotations in the EU, implying a lack of control, and risks to privacy. In Europe, by all means implement cloud based solutions, but communicate how those solutions comply with EU regulations clearly and above all, do not call them cloud.

Last modified on Wednesday, 10 October 2012 18:39