Why the Clouds of Suspicion? - Data Protection and Cloud Computing
Data protection and privacy are often presented as being key risks where personal information relating to individuals ('personal data') is to be stored in a cloud.
Many column inches have been written on the topic of cloud computing. The consensus among most experts is that there are considerable benefits to be derived from using 'pools' of interconnected servers, storage and platforms to deliver internet-based computing services that are flexible, scalable and, importantly, cost-effective.
There is a 'but', and this takes the form of data protection. Data protection and privacy are often presented as being key risks where personal information relating to individuals ('personal data') is to be stored in a cloud. The EU Digital Agenda Commissioner, Neelie Kroes, neatly summed up these concerns in her speech on November 25th 2010 at the University of Paris Dauphine, where she said that by "putting our personal data on remote servers, we risk losing control over that data". So is data protection the enemy of the cloud or are we instead a society of control freaks?
Control is an important data protection concept. Under EU data protection laws, a cloud customer is usually viewed as a 'data controller' where personal data is processed. This means that they bear the legal responsibility for how that data is handled.
As a data controller a cloud customer must ensure, among other things, that any processing of personal data is secure, even where that processing is carried out on its behalf by a cloud provider. A cloud customer is also prevented from transferring that data outside of the European area unless the destination country and the circumstances of the transfer provide an adequate level of protection for the data.
In order for the cloud customer to exert 'control' over the processing of the personal data it places in the cloud, it needs to know who, from a profusion of providers, is processing its data and where the processing is taking place. Due to the ever-changing nature of the cloud, where data storage can shift with available capacity, this may prove quite a task.
These risks are not, however, insurmountable, provided, for example, that:
- a prospective customer thinks hard about which data it plans to place in the cloud;
- a thorough risk assessment is made of all prospective suppliers, the location of the cloud and in particular of their security and disaster recovery controls;
- customers enter into written contracts with their cloud providers which ensure the cloud providers act only on the instructions of the customer and apply a high level of security to the data; and
- customers place encryption around any personal data they place in the cloud to limit the risk of unauthorised access to or exposure of the data.
Alarm bells should start ringing where a cloud provider does not offer assurances as to the security or location of their service. Any cloud provider worth their salt should already be aware of the EU law requirements relating to security and data transfers and be able to work with prospective customers to find a solution. In the case of the transfer restrictions there are already cloud providers offering protected environments such as 'Europe only' clouds or processing within the confines of a US cloud covered by the protections of a Federal Trade Commission enforced Safe Harbor regime. Alternatively cloud providers should be able to cooperate with customers by entering into transfer contracts based on EC approved terms.
Despite these important precautions, there are some potential benefits of cloud-based solutions for data protection compliance and these may have been overlooked amid all the concerns regarding the perceived loss of control.
Our current processing world consists of multiple islands of unconnected data repositories. In order to access that data on the move, we need laptops with large hard drives or data storage devices such as CDs and USB sticks. The inevitable result is that this data follows us around in our bags, in the boot of our cars and even to the pub.
The loss of two CDs holding the personal data of up to 25 million individuals by HMRC in November 2007 led the UK regulator of data protection, the 'Information Commissioner', to start recording those data security breaches reported to his office. Of over 1,000 breaches reported up to July 2010, over half were the direct result of the loss or theft of data or hardware. The loss of this data can be a PR disaster for those involved and can lead to enforcement action or fines being levied by the Information Commissioner.
In contrast, however, the need for multiple portable storage devices and the associated risks are removed where data is hosted in a cloud with appropriate security, user access protection and coordinated restrictions on those who can access the data and under what circumstances.
It is also worth remembering that most businesses are not specialists in data security and will not have the same expertise or financial resources to apply the latest security standards to data as a business whose primary role is to maintain the integrity of the data it hosts for its customers.
So the concerns raised about data protection, privacy and security are valid and should not be ignored, but equally we should not overlook the real benefits that a cloud incorporating sturdy data protections could provide in enhancing current standards of data security and compliance. Perhaps relinquishing a little control is not necessarily such a bad move?
As computing resources move online, the role of data protection and information law will become increasingly important in both protecting and promoting this networked environment.