Many countries prohibit or restrict the transfer of information out of their borders. In most cases, the transfer is permitted only if the country to which the data is transferred offers an "adequate level of protection" for that data.
In addition, some countries are beginning to require that certain data be stored within their territory. This is the case, for example, with the new data localization laws of Russia and China, which require that specified personal data pertaining to individuals residing in their countries be stored within the country’s borders.
GDPR
The GDPR is a Regulation and is therefore directly binding, without national implementing legislation, on any organization that processes the personal data of individuals in the EU, regardless of where that organization is itself established.
The GDPR requires companies to keep records of their data processing activities (Article 30), which a cloud customer must still be able to produce when the processing runs on a provider's infrastructure.
- Applicability: The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU/EEA, and also to controllers and processors outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA (Article 3). A cloud provider acting as processor is therefore directly subject to the Regulation, not only the customer acting as controller.
- Lawfulness: The processing of personal data is allowed only if it rests on a legal basis (Article 6): either (a) the data subject has freely given a specific, informed and unambiguous indication of consent to the processing of his/her personal data, or (b) another legal basis in Article 6 applies, such as performance of a contract, compliance with a legal obligation, or the controller's legitimate interests.
- Data Subject Rights: Data subjects have the right to information about the processing of their data, and in addition:
  - the right to object to certain uses of their personal data, and to have their data corrected or erased (the erasure right is the "right to be forgotten", Article 17);
  - the right to be compensated for damages suffered as a result of unlawful processing;
  - the right to data portability.
  These rights significantly affect cloud service relationships: a customer can only honour an access, correction or erasure request if its provider can locate and act on the relevant data, including copies held in backups and replicas, within the deadline the Regulation sets (generally one month), so the processing agreement and the service design must support this.
- Cross-border Data Transfer Restrictions: The transfer of personal data outside the EU/EEA to a country that does not offer a similar level of protection of personal data and privacy rights is prohibited unless an adequacy decision covers the destination, appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or a narrow derogation applies. For cloud customers this means knowing in which regions the provider and its sub-processors store and process the data.
- Breaches of Security: The GDPR requires organizations to report personal data breaches: a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and must inform affected data subjects when the breach is likely to result in a high risk to them (Article 34); a processor must notify the controller without undue delay. Cloud customers should therefore require contractual breach-notification terms from the provider that leave enough time to meet the 72-hour deadline.
- Discrepancies among Member States: Although the GDPR is directly applicable, it contains numerous opening clauses under which each member state may adopt its own rules (for example on employee data or the age of consent for online services), so requirements can still differ by country.
- Sanctions: Violations of the GDPR expose a company to significant sanctions, with administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements (Article 83).
Costs and Storage: Preservation (for example, under a litigation hold or an electronic discovery request) can require that large volumes of data be retained for extended periods. Customers should consider the following questions and determine the risk they will tolerate before moving to the cloud:
- What are the ramifications of retaining data under the service level agreement (SLA)?
- What happens if the preservation requirements outlast the terms of the SLA?
- If the client preserves the data in place, who pays for the extended storage, and at what cost?
- Does the client have the storage capacity under its SLA?
- Can the client effectively download the data in a forensically sound manner so it can be preserved off-line or near-line?
SUMMARY:
- Cloud customers should understand the relevant legal and regulatory frameworks, as well as contractual requirements and restrictions that apply to the handling of their data or data in their custody, and the conduct of their operations, before moving systems and data to the cloud.
- Cloud providers should clearly and conspicuously disclose their policies, requirements and capabilities, including all terms and conditions that apply to the services they provide. Cloud customers should conduct a comprehensive evaluation of a proposed cloud service provider before signing a contract, and should regularly update this evaluation and monitor the scope, nature and consistency of the services they purchase.
- Cloud providers should publish their policies, requirements and capabilities to meet legal obligations for customers, such as electronic discovery.
- Cloud customers should understand the legal implications of using particular cloud providers and match those to their legal requirements.
- Cloud customers should understand the legal implications of where the cloud provider physically operates and stores information.
- Cloud customers should decide whether to choose where their data will be hosted, if the option is available, so as to comply with their own jurisdictional requirements.
- Cloud customers and providers should have a clear understanding of the legal and technical requirements to meet any electronic discovery requests.
- Cloud customers should understand that click-through legal agreements to use a cloud service do not negate requirements for a provider to perform due diligence.