Wednesday 23 May 2012

Issues Regarding Cloud Computing: Data Protection (Part II)

Many cloud-based services provide services to each other, so cloud-based products may have to share our information with third parties if those parties are involved in processing or transferring it. When using cloud-based services, one is entrusting one's data to a third party for storage and security. Providers may share our information with advertisers as well, as many do to help cover the costs.


Of course, each cloud-based service has its own terms and conditions, which the user agrees to (often without reading them). Terms and conditions between user and company cannot alone protect the privacy and security of the users’ information. Security can be breached, and infrastructure can be damaged.

Moreover, terms and conditions or service level agreements may be unfair, as well as illegal in some countries, and can of course easily be broken. Some countries have regulations about the protection of private information, but in many countries the storing of personal information by companies is not regulated.

What legislative, judicial, regulatory and policy environments is cloud-based information subject to? This question is hard to answer due to the global structure of the internet, as well as of cloud computing.

The information stored by cloud services is subject to the legal, regulatory and policy environments of the country of domicile of the cloud service, as well as the country in which the server infrastructure is based. Privacy-sensitive information, in general, is a serious concern.

Cloud computing also raises significant human rights questions, answers to which may pose obstacles for some wanting to take up this new opportunity. For example, how do cloud computing companies keep information secure and protect rights to freedom of expression and freedom of association? What human rights and law enforcement policies will cloud computing services have and how can civil society groups be involved if these are not determined in local contexts?

Cloud computing presents specific challenges to privacy and security. In systems of law with extended data protection, as is the case for the EU and Switzerland, it is permissible to enlist the support of third parties for data processing. However, the data controller is still the one who is responsible for the processing of data, even if it is performed by third parties on his behalf.

According to Swiss data protection law, the data controller must ensure that an appointed third party (data processor) only processes data in such a way as the data controller himself would be permitted to.

Furthermore, the data controller has to make sure that the data processor meets the same requirements for data security that apply to the data collector.

Depending on the sector (utilities, retail) to which the data controller belongs, specific additional requirements may apply. For example, banks and stock traders have to conclude a written agreement with the data processor in which they oblige the data processor to observe Swiss banking confidentiality. In the contract with the data processor, the bank therefore has to agree on corresponding rights to inspection, rights of command and rights of control.

Under Swiss law, as under EU law, special rules apply when sending personal data abroad.
According to these, exporting data abroad is permissible if legislation that ensures adequate data protection in accordance with Swiss standards exists in the country in which the recipient of the data is located.

Nevertheless, if no adequate data protection legislation exists in the recipient country, the transmission of data from Switzerland is only permissible in special circumstances. In connection with the processing of personal data for business purposes, mention must be made of the following cases, in particular: conclusion of a contract with the data recipient in which they are obliged to observe adequate data protection; consent by the person(s) concerned; and transmission of data that concerns the contracting party in connection with the conclusion or implementation of a contract.

EU national laws require that data security is safeguarded when processing personal data. Confidentiality, availability and integrity of data must be ensured by means of appropriate organisational and technical measures. These also include the protection of systems and data from the risks of unauthorised, arbitrary loss, technical faults, forgery, theft and unlawful use, as well as from unauthorised modification, copying, access or other unauthorised processing. The data collector remains legally responsible for the observance of data security, even if he assigns data processing to a third party.

Sources:
3. Cloud Hooks: Security and Privacy Issues in Cloud Computing by Wayne A. Jansen, NIST (Proceedings of the 44th Hawaii International Conference on System Sciences - 2011).
4. Aspen Publishers: The Computer and Internet Lawyer (Cloud computing: Claims).
5. Cloud Computing Legal Issues by Patrick Van Eecke.
6. Legal Issues Associated With Cloud Computing by Laurin H. Mills.

4 comments:

  1. This site was... how do I say it? Relevant!! Finally I've found something which helped me. Many thanks!
    Also see my site: hosting webhosting

  2. Thank you. Glad we could help :)