One of the major privacy concerns with cloud computing is what happens when the cloud resides over the border. In Europe, we have a certain amount of legislation protecting the privacy of our citizens. However, other jurisdictions may not be compatible on a legal level. A well-known example of such a country is the USA.

In a previous article (13 July 2012), I discussed cloud computing on a conceptual level. As promised in that post, I will return to the privacy-related concerns in cloud computing. These revolve mainly around a lack of knowledge about where and how data is processed. Therefore, one may question whether third parties are involved and whether they are trustworthy. Additionally, the involved parties need not be in the European Union and, thus, may have to comply with completely different rules.

A Safe Harbour to Dock the Data Boat
To overcome the problem raised by the much more permissive American rules on data protection, a self-regulatory framework was established. The goal of this framework, widely known as the Safe Harbour Framework, is to enable the processing of European data on servers in the USA.

However, as can be found in a recent report of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, 10 September 2012), this is not enough for cloud computing using European personal data in the States. First of all, the Safe Harbour Principles are concerned with the transmission of data across the border, not with the processing of it. Secondly, the company sending data to the USA is responsible for checking whether those principles are really applied, as the self-signed statement does not provide enough evidence.

And… Is It Secure?
As one can expect, security is a main concern to me. Given that this is not a part of the default statements, the responsibility to assess the security lies with the user of the cloud computing service. This obligation can easily be fulfilled using the established security assessment and assurance standards. In other words, the best move would be getting a third party to perform an IT audit with the corresponding certification.

It has to be noted that, in the process of assessing security, subcontractors should not be forgotten. As mentioned before, one of the fundamental technologies underlying cloud computing, service-orientation, relies on the composition of services from different vendors. For this reason, systems can consist of numerous services from several vendors chained together. Of course, the legal protections and obligations do not end with the first vendor.

Safe Harbour: It Is Merely the Beginning
The legal framework constituted by Safe Harbour is only a starting point when selecting cloud vendors across the American border. For starters, it is only self-regulation, which makes it quite soft in European legal terms. Additionally, it misses out on important points when it comes to the processing of data abroad. Therefore, a statement that a provider complies with the Safe Harbour Framework is only the start of the assessment, and not enough at all.

One Response to The Cloud over the Border: a Safe Harbour Is Not Enough

  1. […] confidential data in the cloud is still controversial, especially when this cloud crosses borders (17 September 2012). Therefore, a call for encryption of data stored with third parties was made. However, due to the […]
