Cloud computing may be turning data processing on its head, but many users are unaware of the fact that they utilise cloud computing technologies. At the heart of many basic applications, such as webmail, vendors rely on the distributed processing architectures of cloud computing. Instead of data residing on a hard drive or local server, the cloud computing model combines vast networks of data storage and processing capacity, software as an online service and the leveraged connection of wireless devices to services and applications which are offered online. Consumers enjoy easy access to webmail and the online storage of their data files. At a business level, the advantages – and attendant risks – of cloud computing create challenges of trust, accountability and compliance.
For business, the cloud model is the new computing paradigm. Just as the networked PC transformed business, so the cloud computing model heralds equally radical change. Cloud computing allows business to relocate IT functions outside their organisations, so that data storage and processing takes place on the Internet, rather than in a data warehouse. This creates considerable flexibility, not least by allowing computing capacity to be scaled up or down at will, with a direct impact on IT costs. In addition, the cloud environment is dynamic so that business benefits almost immediately from cloud vendors’ constant adjustment, development and change in service offerings.
Data Safety in the Cloud
This dynamic environment raises one of the key concerns about cloud computing: how safe are data processed in the cloud? Of course, security and trust related to data processing are issues which businesses must address in any event, irrespective of whether they venture into the cloud, or not.
In the cloud environment, security considerations touch all data, but have particular significance for the processing of HR, financial and health data. Companies providing or using cloud computing models need to reassure individuals that their data will be adequately safeguarded, across the cloud. Failure to provide this assurance may lead to consumers refusing to permit their data to be processed in this way.
Data Security and Data Protection
The issue of data security is a key feature of European laws on data protection. At an EU level, the Data Protection Directive (EC95/46) imposes responsibility for data security on a ‘data controller’. This is the entity which determines the purposes and means by which personal data are processed. Every business will be a controller (and therefore responsible) in relation to the personal data of its staff, customers and vendors.
The Data Protection Directive refers to the processing of ‘personal data’. This covers any information which relates to an identified, or identifiable, individual. Therefore, in addition to name, e-mail address, postal address and phone number, other information which relates to an individual, such as an opinion about a person, details of their assets, friends, interests and background, will amount to personal data and must be safeguarded.
The Data Protection Directive requires the controller to ensure that any third-party processing personal data on its behalf takes adequate technical and organisational security measures to safeguard the data. This means that there must be a contractual term to this effect between the controller and processor, and controllers typically seek to monitor whether this obligation is fulfilled by undertaking an audit or conducting due diligence inquiries. Seeking such reassurance for data processed in the cloud presents significant challenges, especially where the vendor is small or unproven. Smaller vendors based outside Europe may not even be aware of the requirements of the Data Protection Directive.
Of course larger, more sophisticated vendors who have embraced the cloud model are acutely aware of the need to ensure that data processed in the cloud are adequately safeguarded. Their documentation increasingly reflects these issues and many vendors proactively highlight them to reassure prospective clients.
Security is not the only data protection issue to consider in the cloud context. Generally, the Data Protection Directive promotes fair information practices as a means of protecting consumers. Consumers want to know (and are entitled to know) how and where their data are processed. Transparent data handling practices create trust and enhance brand and reputation, but require thoughtful planning to create and implement.
Considering whether and, if so, how such fair information practices might be promoted within a cloud computing environment raises difficult issues. It may be impossible to determine where the data are processed, other than that the processing takes place somewhere within the cloud. Indeed, where a cloud vendor engages subcontractors, it may be difficult to know who actually processes specific data.
International Transfer of Data
The Data Protection Directive contains a general prohibition on the international transfer of personal data outside of Europe, unless adequate protection can be assured. True cloud computing contemplates data being processed anywhere and everywhere, across multiple jurisdictions, and accessible from everywhere. How can an EU-based controller ensure compliance where data are processed by a vendor operating in the cloud? Depending on the location of the vendor’s servers, standard legal tools (model contracts or safe harbor) may provide a solution but, at best, will be cumbersome to implement and maintain. At a practical level, solutions to these issues are still being created, but some cloud vendors are able to offer solutions that permit EU data to remain within the EU for processing.
Risks of Non-compliance with EU Data Protection Laws
Ignoring the Data Protection Directive (and equivalent local legislation) is risky. Increasingly, European data protection regulators are taking a tougher line on enforcement, driven recently by notorious data breaches. Several European data protection regulators have, or are in the process of being given, the power to fine companies for failure to comply with the Data Protection Directive. Data security failings, in particular, have been the subject of enforcement action. Some data protection regulators have the power to stop certain types of processing, which may affect the manner and location of data processing activities. Restructuring processing arrangements at short notice is expensive and disruptive. In addition, the European data protection regulators publicise their enforcement actions, aware that the risk of adverse publicity can act as a powerful compliance incentive. In the context of data security, any suggestion that an organisation does not adequately safeguard customers’ data undermines the critical relationship of trust between business and consumer.
Businesses which collect and process personal data, whether in the cloud or otherwise, must reassure customers that their data are safeguarded. This requires a focus on data security but it also requires a focus on basic data protection compliance. Businesses must actively take ownership of their information management responsibilities. At its most basic, this requires that businesses know what data they collect and process. Specifically, which individual departments collect and process data, what types of data, for what purposes and how do those data flow through the organisation? Which systems are used to process the data and to what extent do the systems rely on cloud computing architecture? Which data fields are processed using such systems and who is responsible for the data at each stage? Do third parties play a role? How are responsibilities defined and enforced? Where is the data situated and what legal mechanisms ensure that the processing meets the requirements of the Data Protection Directive? How is the fact of compliant processing communicated to customers and what assurances are given to customers? How does this compare with the processing practices adopted by competitors? Is there a strategic advantage and can this be used to leverage trust with consumers?
In the world of cloud computing, data is collected for a wide array of purposes, from people in different jurisdictions, and under the policies of organisations that may differ widely in their business models, culture and technology applications. It is difficult to ensure adequate safeguards for these processing activities. Within the EU, the ‘Binding Corporate Rules’ mechanism developed by European data protection regulators may provide a legal framework which can be expanded to accommodate cloud computing concepts. Binding Corporate Rules are legally binding and enforceable rules or policies of a company which govern how it collects and processes personal data. These rules are based on the concept of accountability and require completion of the detailed internal due diligence described above.
Outside of Europe, the Asia- Pacific Economic Cooperation based its data protection framework on the concept of accountability. The APEC approach provides that organisations that collect personal data remain responsible and accountable for meeting the requirements of the laws, rules and promises associated with that data wherever and by whomever they are processed.
Cloud computing is another step in our technological evolution. As for all new technology, business must identify and assess the implications for information management and data protection. As the cloud model becomes more widely adopted, data protection issues may stimulate wider discussion of the need for a new data governance model, perhaps incorporating in a more direct way the concept of accountablity. For now, businesses seeking to take the lead on these issues are actively exploring accountability concepts.
Bridget Treacy is a partner in the global technology, outsourcing and privacy practice at Hunton & Williams in London. Bridget acknowledges the contribution made to earlier drafts by Paula Bruening, Deputy Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP in Washington, DC.