Computing services in the cloud, which provide access to compute capabilities, applications, and data from nearly anywhere with an Internet connection, have made it possible for both individuals and organizations to improve the efficiency of their computing operations, reduce infrastructure costs, and enhance the accessibility and availability of services and data.
However, the growth of cybercrime, most notably large data breaches that have exposed the personal information of millions of consumers, has led some jurisdictions around the world to look to regulatory measures to help safeguard this personal data, much of which is stored in the cloud. Not surprisingly, other jurisdictions are using the current demand for increased protection of personal data as a cover for driving protectionist agendas.
The end result is a much more challenging operational environment for organizations that store, manage, and process data in cloud data centers around the world.
While the intentions of many of these regulations appear to be noble, implementation of these regulations has created a significant burden for multinational cloud providers, which often hold or move people's personal data to different physical data centers around the world to optimize and adjust their storage space to meet demand.
Strict rules about handling sensitive customer data are being, or have been, implemented to address these concerns. Japan, for example, reformed its privacy law in May 2017, and established specific rules for handling personal information that would be applicable to cloud providers. The law states that no personal data can be transferred to a foreign country, except when a data subject has given specific advance consent to the transfer of that data to an entity in a foreign country; the country in which the recipient of the data has a legal system that has been deemed equivalent, in terms of data protection, to the Japanese system; and the data recipient takes adequate precautionary data protection measures for the protection of personal data, as specified by the Japanese data protection authority.
The regulation covers personal information and data of living Japanese persons, including "information about a living individual which can identify a specific individual by the description contained in the information, such as name, date of birth or other description (including voice or behavior information), including information which can easily be combined with other information so as to enable the identification of that individual," and information containing so-called "Personal Identifier Codes," which include "letters, numbers, marks, or other codes for use with computers converted from a person's bodily information which may identify the person, or (b) letters, numbers, marks, or other codes on cards or other documents which are unique to the user or purchaser, and may identify the person."
As such, cloud providers that are not owned or physically located in Japan face significant hurdles to transferring personal information in and out of the country, as they would need to secure the explicit permission of each user to transmit that data to a server outside of the country.
Meanwhile, in June 2017, Chinese regulators tightened laws on foreign data and cloud services, implemented new surveillance measures, and enhanced their scrutiny of cross-border data transfers, via the Personal Information Security Specification, which took effect May 1, 2018. Specifically, the regulation requires firms to store data locally in China, thereby forcing cloud providers such as Amazon, Apple, and Google, to transfer the management of their cloud businesses to Chinese-owned companies, or to directly partner with Chinese ventures to comply with this regulation.
The strict regulation is a direct result of concerns about Chinese citizens' personal data being captured and used by foreign entities, according to David Linthicum, chief cloud strategy officer with Deloitte Consulting. The regulation basically states that it is illegal to transmit personally identifiable information outside of the country, "So, as we understand the state of the law, if you do have a copy of someone's information outside of the Chinese borders, you would be in noncompliance with those regulations," Linthicum says.
China's regulation is based on rules developed for the European Union (EU) General Data Protection Regulation (GDPR), also set to go into effect in late May. The GDPR regulations, while somewhat similar to the regulations in China and Japan, appear to be even more broad.
The EU's General Data Protection Regulation harmonizes and updates the regulation governing the privacy and and protection of EU citizens' data.
According to the European Commission, the GDPR harmonizes and updates the regulation governing the privacy and protection of EU citizens' personal data, which is any information relating to an identified or identifiable person, or data subject, who can be identified by a name, an ID number, location data, or physical, physiological, genetic, mental, economic, cultural, or social identity. GDPR is enforceable and is equivalent to a U.S. Federal Law, and failure to comply with GDPR can lead to fines of up to 20 million or 4% of annual global revenuewhichever is greatest.
The GDPR applies if the data controller, defined as an organization that collects data from EU residents, or a processor, defined as an organization that processes data on behalf of a data controller, or the subject of the data, is based in the EU. The regulation also applies to companies and organizations based outside the EU if they collect or process personal data of individuals located within the EU.
"Does GDPR apply to entities outside of the EU? And the answer is that the EU is saying that it does," says Mark Hinely, an attorney and regulatory compliance specialist with Kirkpatrick Price, a Tampa, FL-based accounting firm and provider of technology compliance and audit services. "So, it could potentially apply to cloud providers, even if they're not located in the EU, either in part or in whole. So even if they don't have a branch or employee in the EU, or office in the EU, the law starts its jurisdiction over entities around the world to process personal data on the EU data subjects, and that term 'process' is pretty broad."
One of the other challenging aspects of the GDPR is the requirement that processors must obtain the authority of a controller by changing or engaging with a subprocessor or contractor. Essentially, that regulation means that if a cloud provider that processes EU citizens' data on behalf of a company or entity uses a third party to deliver a part of its services, switching that provider would require notification of each controller, or client, according to Hinely. For example, if the subcontracted service provider had a security breach, increased its rates, or changed the nature of its business, and the cloud provider wanted to switch to another service provider, the cloud service provider is required to notify and clear that switch with each client, Hinely explains.
Says Hinely: "That is incredibly problematic; if you have 1,000 clients, what if one of them says 'no', and the rest say 'yes'?"
Although Hinely understands the intent of the regulation ("I get what they're doing; they don't want organizations farming out their processing activities to other organizations that are not secure"), he thinks the regulation is overly broad and an ineffective way of trying to properly vet providers for compliance. "That part of the law does not seem to me to be both practical or supporting data security."
The implementation of new data protection laws is also raising questions about whether certain jurisdictions, such as China, are implementing ways to thwart the ability of foreign governments to obtain data on their citizens through legal mechanisms such as warrants. In essence, it is almost always more challenging for U.S. authorities that may be investigating money laundering or other criminal activity to obtain information on Chinese nationals when the data is stored on servers within China, than with a cloud system that may be located outside of China.
However, in the U.S., Congress passed, and President Trump signed into law on March 23, 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the Stored Communications Act to require email providers to disclose emails in its "possession, custody, or control," even if the emails are stored outside the U.S. As such, U.S. cloud providers or organizations that held emails on cloud servers would be subject to this law, and would be required to directly turn over requested emails, even if they were held on servers located outside of the U.S.
As these regulations go into effect, companies moving data around the world will face significant compliance challenges, and likely will need to alter the way they do business.
Linthicum expects that when it comes to cross-border requests to hand over personal data on non-U.S. citizens to non-U.S. authorities, U.S.-based and other cloud providers may simply choose not to comply.
"If there's some criminal activity occurring in Europe, and the Belgian government wants to gather information, they can send the subpoena to Amazon, [which will] ignore it unless there's some risk to their business in Belgium," Linthicum says, noting that in today's world where consumer privacy issues have become a hot topic, there's little public relations benefit to turning over private data to authorities.
Further, there is typically little a government can do to compel a cloud operator that doesn't have a physical presence within its borders and does not wish to cooperate with a request for information. "A lot of these smaller cloud providers don't have a point of presence in the country and are just going ignore those reach-outs to gather information, and rightfully so," Linthicum says. "There's not a benefit to do it, and [small cloud providers] are just going to lose business by doing it. Lots of people view turning over their data at the request of any government as not a good thing."
As these regulations go into effect, companies that move data around the world will face significant compliance challenges, and likely will need to alter the way they do business. In many cases, companies may need to segment their customer base by jurisdiction to ensure compliance, and organizations that don't have adequate privacy protections in place will need to implement them quickly, or face possible fines. Compliance activity will create a significant operational and financial burden on both large and small companies, making it more difficult for those with smaller budgets and workforces to compete against their larger competitors.
The desire of governments to protect their citizens' data is ultimately in direct conflict with their desire to stimulate and support global commerce and trade, which is why Linthicum says both compliance with and enforcement of these regulations may be hard to manage. As a result, he says, many of these rules may be watered down in the future.
"If the [governments] are seeing a diminishing return in investment and return on productivity, to a point where it's really hurting the Chinese- or the European-based businesses, we'll see these regulations start to change over time," Linthicum says.
GDPR matchup: Japan's Act on the Protection of Personal Information International Association of Privacy Professionals, Aug. 29, 2017 https://iapp.org/news/a/gdpr-matchup-japans-act-on-the-protection-of-personal-information/
Digitool, GDPR Compliance 2018 Summary - 10 Steps in 10 Minutes to Avoid Fines, March 2, 2018 https://www.youtube.com/watch?v=WPwG-MNMuBQ
Where are we now with data protection in China?, Freshfields Bruckhaus Deringer https://www.freshfields.com/en-us/our-thinking/campaigns/digital/data/where-are-we-now-with-data-protection-law-in-china/
Eisenstein, I.H., Halpert, J., and Barnes, L.R.
CLOUD Act bolsters US government powers to obtain data stored abroad, DLA Piper Insights, April 12, 2018 https://www.dlapiper.com/en/us/insights/publications/2018/04/us-cloud-act-authorizes-search-warrants-for-data-stored-abroad/
©2018 ACM 0001-0782/18/9
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2018 ACM, Inc.