International Privacy Group Issues Recommendations on Cloud Computing Policy

The International Working Group on Data Protection in Telecommunications (“Working Group”), an organization of European data protection agencies, recently released a report on the protection of data and privacy in international cloud computing. Although the European Union (EU) and the United States take different approaches to data privacy, the Working Group’s report draws on U.S. practices in presenting a series of recommendations for data protection between countries. Whatever actions the U.S. takes regarding international data protection, the Working Group’s recommendations offer a useful guide for U.S. businesses that use cloud computing and wish to minimize their risk of data breaches and other losses.

The Working Group, founded in 1983, operates under the auspices of the European Commission, the executive body of the EU. Its headquarters is in Berlin, Germany. A directive from the European Parliament, passed in 1995 and becoming effective in 1998, established procedures to protect individuals’ personal data, facilitate the “free movement” of data, and restrict the movement of data to non-EU countries with less-stringent privacy protections. Article 29 of the directive established a “Working Party on the Protection of Individuals with regard to the Processing of Personal Data,” whose mandate is similar to that of the Working Group. In 2000, the U.S. and the EU entered into a “safe harbor” agreement that affirmed the adequacy of U.S. data protection laws under the EU’s own framework. The Federal Trade Commission (FTC) has authority over data protection issues in the U.S. The Article 29 Working Party has called for the U.S. to make further agreements with the EU regarding data security between government agencies.

The report from the Working Group, released on April 24, 2012 and titled “Cloud Computing – Privacy and data protection issues,” draws upon the definition of “cloud computing” developed by the U.S. National Institute of Standards and Technology (NIST). Calling cloud computing an “evolving paradigm,” the NIST identified the fundamental characteristics, service models, and deployment models that comprise the current cloud-computing system. We previously summarized the NIST’s working definition of cloud computing.

Cloud computing presents new concerns for data protection between nations, according to the Working Group. The technology is still developing, putting pressure on service providers to deliver new products and services. No international agreement yet exists as to terminology. Cloud computing is inherently “boundless and transboundary” and lacks transparency. This makes risk assessment and enforcement of data protection rules difficult. It also increases risks, such as data security breaches, transfers of data to jurisdictions with lesser privacy protections, improper access to data by private service providers, and a general erosion of accountability and trust.

The Working Group’s recommendations are understandably vague, given the work-in-progress nature of cloud computing and the difficulty of assessing risks across national boundaries. Data protection standards must not, it stresses, be lowered to meet any momentary needs of cloud computing technologies. Government privacy agencies, known as “data controllers,” should perform risk assessments before launching cloud-based projects, and should demand strict compliance from service providers. American businesses that use cloud computing technology to engage in international business should be aware of these privacy protections, both for the security they provide for their data and for the obligations they impose.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today online or at (512) 901-0070.

Web Resources:

Working Paper on Cloud Computing – Privacy and data protection issues (PDF), International Working Group on Data Protection in Telecommunications, April 24, 2012

Press Release (PDF), Article 29 Data Protection Working Party, November 19, 2010

More Blog Posts:

SEC Disclosure Guidelines Urge Businesses to Disclose Not Only Cyberattacks, but Also Risks, Prism Risk Management Blog, May 21, 2012

Proposed “Consumer Privacy Bill of Rights” Could Protect Businesses Using Cloud Computing, but Also Makes Them Accountable to Employees, Prism Risk Management Blog, May 14, 2012

Public Cloud Computing Has New Guidelines to Help Protect Users’ Privacy and Security, Prism Risk Management Blog, April 25, 2012

Photo credit: ‘global solution’ by artM on stock.xchng.
