Cloud and conflicting privacy laws

One of the biggest dilemmas with cloud services is that in theory it shouldn’t matter where your data is stored in the public cloud, just that it is secured appropriately, and only you get appropriate access and nobody else gets inappropriate access 😉

But it’s much more complicated. Every country has its own laws about the transparency of data stored and accessibility from nosing government authorities. The real problems occur when there is a conflict of privacy laws between different countries. So you have personal data stored in a Google public cloud, your data could be stored physically anywhere in the world. And the fact that Google is a US company means requirement to comply with US law (e.g. USA Patriot Act) for the organisation worldwide, not forgetting the regional laws where the data is physically stored. This conflicts with EU privacy law whereby the rights of the data subject are preserved.

Google have been quoted as follows “As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.” Taken from Softpedia.

This could be an interesting time for organisations to set-up clouds but only in a single country in an organisation that is registered in the hosting country. Otherwise, can you really trust the data-holding authority to protect your rights as an EU citizen for example? I know I can’t!

EU ePrivacy Directive amendment

A recently passed amendment to the EU Privacy Directive will require Internet users’ consent before cookies can be placed on their computers. This is part of a revised ePrivacy Directive that is close to enactment, that includes improvements on security breach, cookies and enforcement. The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The revised ePrivacy Directive must be implemented by the Member States within 18 months.

The changes introduced include:

    For the first time in the EU, a framework for mandatory notification of personal data breaches . Any communications provider or Internetservice provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
    Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
    The possibility for any person negatively affected by spam , including ISPs, to bring effective legal proceedings against spammers;
    Substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

What this means is that the current laws that the data subject has increased protection online. If their personal data has been exposed, they must be notified. As such they must be informed if personal information on them is being collected, and they should have the option to opt-out (or more preferably opt-in). This is not possible with the way cookies are used today where they are just downloaded onto the users’ PCs without warning. All security to warn the user of tracking cookies are provided by the web-browser. This will now have to be included in the cookie itself.. I think. Any experts out there that know how this could work in practice, please jump in here and comment 🙂

I also read some references to how the use of RFID for the collection of personal information falls in the scope of this amendment.

And finally enforceability is key. Hence each member state must have the appropriate legilsation implemented to make this amendment effective and enforceable.

U.S. House Passes Data Breach Bill

Last week, U.S. House of Representatives legislators passed the Data Accountability and Trust Act (DATA), which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the U.S. Senate, which is also considering a similar measure.

Article here

Youth Justice Board anonymised data in UK

Seems that the Youth Justice Board has built a new system (Youth Justice Board Information System, YJBIS) that generates statistical information based on so called anonymous data in the UK. We get back to that old discussion, of “how anonymous is anonymous”? Not very if you strip identifying information but in certain circumstances the data does not lose it’s anonymity. Take a look at what has been posted on ARCH blog for example concerning the YJBIS.

How much you earn is now public domain in Norway

It seems that Norway is following the lead of Sweden in making all tax records public in the call for transparency. This means that the earnings of every Norwegian citizen is available online and public.

What do you think about this article?
Personally as a Swedish resident myself and as a privacy avokat, I find this practice unacceptable. I have already made some postings about this.

Great firewall of China filled with ‘twittering’ holes ;-)

On the eve of the 20th anniversary of the Tiananmen killings, social networking sites such as Twitter and the photo-sharing site Flickr were blocked in China in an attempt by the government to prevent online discussion on the subject. However twitterers were finding ways around this. Read more on BBC news.