Cloud computing is rapidly becoming the norm for businesses because of its ability to streamline data protection and sharing both within and outside of the organisation.
A May 2015 study conducted by 451 Research showed that 74 percent of respondents cited the cloud as their primary deployment method for workloads over the next two years.
With such a large number of businesses moving to the cloud, it is critical for IT professionals to be aware of regulations regarding this method of data storage and transfer.
In their report, Data Privacy in the Cloud, 451 Research addresses five issues that IT workers should keep a close eye on as the technological world moves forward:
This issue pits Microsoft against New York federal prosecutors over data that can be seized in a federal investigation. Although Microsoft is based in the US, the data in question is stored in Ireland. Microsoft’s argument is that the US government lacks the authority to issue a search warrant for data housed in another country. The US government argues that it matters not where the data is stored, but who controls the data. Courts originally sided with the prosecution, but Microsoft won an appeal to the US federal appellate court.
Even though the US appellate court did not uphold the ruling in this case, this might not be the last time the issue of allowing search warrants for data worldwide will be considered. Because of this, it is important for IT professionals to know the origin and legal status of cloud providers, as they could be subject to claims from the national government associated with that business.
E-disclosure is the process of litigation evidence gathering, resulting in large volumes of data being transferred internationally. The US has historically provided litigants with a great deal of access to evidence, a practice which contradicts that of many other countries, most notably members of the European Union. EU members have taken steps to prevent US prosecutors from violating evidence-based sovereignty by way of blocking statutes that levy penalties for transferring documents for use in foreign proceedings unless the transfer complies with provisions in the Hague Evidence Convention.
IT staff may receive legal demands for cloud data. While these demands may be perfectly legal in the US, they may violate blocking statutes and international data privacy laws that could incur substantial fines.
Until recently, data transfers could be made under the US-EU Safe Harbor Framework, which required that businesses receive a certification to transfer data to the US. This system was based on self-certification and was essentially unregulated: companies themselves certified compliance with regulations. Following the NSA Snowden controversy, the Safe Harbor Framework was declared invalid, which required the US and EU to negotiate a new agreement, the US-EU Privacy Shield Framework. Without such a framework, the transfer of data would have been subject to government regulation.
As a result, new windows have been opened for complaints and lawsuits from regulating powers, making data transfer much more of an administrative task.
The newly adopted GDPR, a "one-stop-shop" for data protection authorities, replaces the previous data protection plan. Non-EU transfers, legal processes, fines, data protection, and the right to be forgotten have all been consolidated under one governance.
The GDPR changes the way that IT professionals work with data-protection officials. The GDPR also allows steep fines for non-compliance. You can read about how to ensure that your organisation is GDPR compliant.
Recent events such as the NSA Snowden controversy have put cloud computing and data sharing under a microscope. Many laws have strengthened data privacy protections, but other laws, passed with the intention of preventing terrorist attacks, have posed threats to data privacy for businesses and individuals around the world.
It is critical that IT workers are diligent in researching legislation regarding data privacy. The rules governing cloud computing are becoming as important as the technology that makes it possible.
Understanding the legislation and events surrounding data privacy and cloud computing may help your organisation fully utilise the benefits of this innovative technology by ensuring that you are in compliance with current regulations, thus allowing you to conduct business without any legal hang-ups.