Like it or not, we are all ‘on the cloud’ right now. In other words, most everyday online services, from web-based email to mobile banking or photo storage, are part of cloud computing. All the information held in the cloud can be accessed from any corner of the world using any electronic device that can connect to the Internet (a PC, a tablet computer, a mobile phone, etc.).
One of the main concerns in using the cloud is data protection. This is largely because data in the cloud often contains the commercial secrets of organisations or enterprises, information about customers, personal data, etc. It is therefore important to know how responsibility for data protection in the cloud is defined.
The cloud raises many legal problems. Data can be stored in more than one country, and not necessarily in the country where the data controller resides. The information transferred to cloud providers is distributed to data centres, which further break it up and transmit it to different servers. For example, some fragments of the data could be stored on servers in Eastern Europe, whereas the rest could be found on servers in Western Europe.
Thus, it becomes unclear which country’s legal system should apply should there be any disagreement over the data stored in the cloud. In other words, should the laws of the country where the data is stored apply, or the laws of the region where the enterprise is established or the person resides? This should be defined in a contract between the cloud service provider and the cloud consumer. A special international group responsible for data security and privacy in telecommunications has issued practical recommendations to cloud controllers or enterprises that sign contracts on transferring their information to the cloud.
When signing the contract, the cloud controller is recommended to ask the cloud provider for a detailed list of the countries where the transferred information is intended to be stored and managed. The contract should oblige the cloud provider not to transmit the received data to countries not included in the list. Although cloud providers tend to avoid responsibility or are inclined to share it with consumers, IT companies do not manage to escape such responsibility when cloud customers suffer damage through the cloud provider’s fault.
Before starting to use cloud services, the cloud customer is also advised to look into the cloud provider and to ask for a third-party audit that tests whether all the requirements regarding personal data privacy and security are met. The European Commission has stated that cloud providers working internationally ought to give their clients evidence that they provide effective security systems and that a client’s data cannot be accessed by other cloud customers. Furthermore, cloud consumers should make sure that the cloud provider is able to erase all copies of the consumers’ personal data. Customers should also be informed of the possible consequences of deciding to retrieve personal data from the cloud. Under such circumstances the customer should be offered a Certificate of Destruction.
Marking Data Protection Day on the 28th of January this year, the European Parliament debated reforms of the data protection regulations agreed in 1995, aiming to enforce the right to data privacy on the Internet. If the reform is realised, the European Union would have a unified data protection system. This system would also include the right ‘to be forgotten’, which would help users better guard their data against protection-related threats. To be more exact, cloud consumers would have the right to delete their data if there were no legal grounds for preserving it. What is more, the system should also ensure that cloud service providers become more accountable and responsible for data processing. In other words, the changes would help consumers better control their personal data, access it online and be aware of its location.