Feeds

Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?

Probably not... yet

Beginner's guide to SSL certificates

Sysadmin blog Thinking of using US cloud services, outsourcing to a US-based provider or just leasing a piece of their cloud and concerned about lawsuits? Here's some food for thought.

Privacy, of course, became the overarching concern of many after former US National Security Agency sysadmin Edward Snowden leaked documents about the country's global web surveillance scheme PRISM. At present, however, there is no legal precedent that says that using US cloud services has any implications when it comes to privacy suits.

This is not to say that that there aren't laws that can be used to sue businesses for storing data in the cloud. It is also not saying that there aren't legal theories on how such lawsuits might succeed.

What this means is that there are no precedent-setting cases in the EU, Canada, Australia or New Zealand that have successfully gotten a company in trouble for using American cloud services (under existing laws).

Cloud advocates might point to this lack of extant precedent and say: "It is safe because nobody has gone to jail or paid huge fines for this." But the flip side of this is that it only means nobody has succeeded yet, and there remain some nasty untested legal waters.

Canada has slightly more lax laws than the European Union has regarding privacy and should theoretically have a smaller privacy attack surface. I'll use Canadian law to illustrate what I mean by untested waters.

Fact sheets

The Canadian government has put out a charmingly vague "fact sheet" about cloud computing privacy concerns. It says "privacy is not a barrier but it must be taken into consideration". This – and the rest of the document – doesn't exactly tell you much, but it is actually a great summary of the Canadian approach to this whole mess. The FAQ "fact sheet" (a separate document) is far more helpful:

According to the document:

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected.

Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.

Now we're getting somewhere. So under Canadian law, I can send my data wherever I please, however, I must ensure ("by contract or other means") that whomever is sent that data agrees to treat that data more or less the same way that a Canadian would expect the data to be treated under Canadian law. There are some big squigglies on the details here, though; we're Canadian and we try to be accommodating and understanding that different places do things a little differently.

The Canadian Privacy Commissioner's "Guidelines for Processing Personal Data Across Borders" promises to clear this up once and for all. The first thing I note is that the guidelines are from January of 2009, which means the review that generated these guidelines took place in 2008, at the earliest. Not exactly post-Snowden guidance, but we'll trundle on.

Under a section labelled "What Must Organizations Do?" there is a discussion of a very important complaint investigation: PIPEDA Case Summary #313 (Bank's notification to customers triggers PATRIOT Act concerns). I won't go in to full detail here, but the result is summarised in the document thusly:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

Not discussed in the document – but critically important – is PIPEDA Case Summary #365 (Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered) in which the conclusion reached is essentially the same: banks don't need your OK to transfer data out of Canada. That data is subject to the laws of the nation where it will reside when transferred outside of Canada, and Canada is OK with this as long as those laws are more or less like our own.

But what happens when the laws are substantially different than our own? The short answer: nobody knows.

Remote control for virtualized desktops

More from The Register

next story
Bladerunner sequel might actually be good. Harrison Ford is in it
Go ahead, you're all clear, kid... Sorry, wrong film
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
Forget Hillary, HP's ex CARLY FIORINA 'wants to be next US Prez'
Former CEO has political ambitions again, according to Washington DC sources
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.