Feeds

Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?

Probably not... yet

Security for virtualized datacentres

Sysadmin blog Thinking of using US cloud services, outsourcing to a US-based provider or just leasing a piece of their cloud and concerned about lawsuits? Here's some food for thought.

Privacy, of course, became the overarching concern of many after former US National Security Agency sysadmin Edward Snowden leaked documents about the country's global web surveillance scheme PRISM. At present, however, there is no legal precedent that says that using US cloud services has any implications when it comes to privacy suits.

This is not to say that that there aren't laws that can be used to sue businesses for storing data in the cloud. It is also not saying that there aren't legal theories on how such lawsuits might succeed.

What this means is that there are no precedent-setting cases in the EU, Canada, Australia or New Zealand that have successfully gotten a company in trouble for using American cloud services (under existing laws).

Cloud advocates might point to this lack of extant precedent and say: "It is safe because nobody has gone to jail or paid huge fines for this." But the flip side of this is that it only means nobody has succeeded yet, and there remain some nasty untested legal waters.

Canada has slightly more lax laws than the European Union has regarding privacy and should theoretically have a smaller privacy attack surface. I'll use Canadian law to illustrate what I mean by untested waters.

Fact sheets

The Canadian government has put out a charmingly vague "fact sheet" about cloud computing privacy concerns. It says "privacy is not a barrier but it must be taken into consideration". This – and the rest of the document – doesn't exactly tell you much, but it is actually a great summary of the Canadian approach to this whole mess. The FAQ "fact sheet" (a separate document) is far more helpful:

According to the document:

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected.

Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.

Now we're getting somewhere. So under Canadian law, I can send my data wherever I please, however, I must ensure ("by contract or other means") that whomever is sent that data agrees to treat that data more or less the same way that a Canadian would expect the data to be treated under Canadian law. There are some big squigglies on the details here, though; we're Canadian and we try to be accommodating and understanding that different places do things a little differently.

The Canadian Privacy Commissioner's "Guidelines for Processing Personal Data Across Borders" promises to clear this up once and for all. The first thing I note is that the guidelines are from January of 2009, which means the review that generated these guidelines took place in 2008, at the earliest. Not exactly post-Snowden guidance, but we'll trundle on.

Under a section labelled "What Must Organizations Do?" there is a discussion of a very important complaint investigation: PIPEDA Case Summary #313 (Bank's notification to customers triggers PATRIOT Act concerns). I won't go in to full detail here, but the result is summarised in the document thusly:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

Not discussed in the document – but critically important – is PIPEDA Case Summary #365 (Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered) in which the conclusion reached is essentially the same: banks don't need your OK to transfer data out of Canada. That data is subject to the laws of the nation where it will reside when transferred outside of Canada, and Canada is OK with this as long as those laws are more or less like our own.

But what happens when the laws are substantially different than our own? The short answer: nobody knows.

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Forget silly privacy worries - help biometrics firms make MILLIONS
Beancounter reckons dabs-scanning tech is the next big moneypit
Microsoft's Office Delve wants work to be more like being on Facebook
Office Graph, social features for Office 365 going public
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.