Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?

Probably not... yet

Sysadmin blog

Thinking of using US cloud services, outsourcing to a US-based provider or just leasing a piece of their cloud and concerned about lawsuits? Here's some food for thought.

Privacy, of course, became the overarching concern of many after former US National Security Agency sysadmin Edward Snowden leaked documents about the country's global web surveillance scheme PRISM. At present, however, there is no legal precedent that says that using US cloud services has any implications when it comes to privacy suits.

This is not to say that there aren't laws that can be used to sue businesses for storing data in the cloud. Nor is it to say that there aren't legal theories on how such lawsuits might succeed.

What this means is that there are no precedent-setting cases in the EU, Canada, Australia or New Zealand that have successfully gotten a company in trouble for using American cloud services (under existing laws).

Cloud advocates might point to this lack of extant precedent and say: "It is safe because nobody has gone to jail or paid huge fines for this." But the flip side of this is that it only means nobody has succeeded yet, and there remain some nasty untested legal waters.

Canada has slightly more lax laws than the European Union has regarding privacy and should theoretically have a smaller privacy attack surface. I'll use Canadian law to illustrate what I mean by untested waters.

Fact sheets

The Canadian government has put out a charmingly vague "fact sheet" about cloud computing privacy concerns. It says "privacy is not a barrier but it must be taken into consideration". This – and the rest of the document – doesn't exactly tell you much, but it is actually a great summary of the Canadian approach to this whole mess. The FAQ "fact sheet" (a separate document) is far more helpful:

According to the document:

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected.

Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.

Now we're getting somewhere. So under Canadian law, I can send my data wherever I please. However, I must ensure ("by contract or other means") that whoever is sent that data agrees to treat it more or less the same way that a Canadian would expect the data to be treated under Canadian law. There are some big squigglies on the details here, though; we're Canadian and we try to be accommodating and understanding that different places do things a little differently.

The Canadian Privacy Commissioner's "Guidelines for Processing Personal Data Across Borders" promises to clear this up once and for all. The first thing I note is that the guidelines are from January of 2009, which means the review that generated these guidelines took place in 2008, at the earliest. Not exactly post-Snowden guidance, but we'll trundle on.

Under a section labelled "What Must Organizations Do?" there is a discussion of a very important complaint investigation: PIPEDA Case Summary #313 (Bank's notification to customers triggers PATRIOT Act concerns). I won't go into full detail here, but the result is summarised in the document thusly:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

Not discussed in the document – but critically important – is PIPEDA Case Summary #365 (Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered) in which the conclusion reached is essentially the same: banks don't need your OK to transfer data out of Canada. That data is subject to the laws of the nation where it will reside when transferred outside of Canada, and Canada is OK with this as long as those laws are more or less like our own.

But what happens when the laws are substantially different than our own? The short answer: nobody knows.
