Protecting against privacy risk in the cloud

Privacy threats and emerging regulatory laws

Cloud service providers (CSP) face multiple constraints associated with cloud data services, such as technical or security challenges, legal, governance, and privacy issues.

These go beyond traditional threats such as network eavesdropping, illegal invasion, and denial-of-service attacks, to include specific cloud computing threats like side-channel attacks, virtualization vulnerabilities, and abuse of cloud services. 

New regulations such as the European Union's General Data Protection Regulation (GDPR), California Consumer Privacy Act, China's Personal Information Protection Law, being rapidly introduced are adding to the constraints mentioned above.

Artificial intelligence (AI)-based technologies have helped address technical constraints in the cloud, impacting privacy. However, cloud computing may still encounter privacy threats if legal due diligence is missing, especially in terms of contract structure or privacy impact assessments. 

Legal due diligence also provides clarity across all aspects of personal data management, including data collection, handling, retention, data breach reporting, and response plan. When it comes to personal data management, legal due diligence is critical from a financial and reputational standpoint. 

A 2021 Mondaq report highlights that “countries outside the EU that have less privacy protection than within the EU must implement extra safety by adding technical or contractual measures, especially in case of mass-surveillance to ensure that such surveillance does not infringe the fundamental rights of a person protected by the GDPR”. Schrems II can play a guiding role to ensure that such mass-surveillance incidents do not result in privacy violation or infringement of fundamental rights. The Court of Justice of the European Union’s (CJEU) Schrems II ruling invalidated the EU-US Privacy Shield and prescribed multiple requirements to be met before processing personal data outside the European Economic Area (EEA), including transfer risk assessments and standard contract clauses (SCCs) in contracts.

Cloud computing: Best practices for data management

1. Data classification and protection: PII data must be categorized in a cloud environment as this helps define model clauses or sub-clauses. For example, banking or health-related data requires detailed due diligence, as these are classified under the “special category of personal information or data” under GDPR and other privacy acts.

Personal data management must be clearly defined in any agreement, including cases where a CSP may retain or destroy all customer data hosted on the expiration or termination of the said agreement.

2. Identification of data handlers and processors: Whether the privacy agreement needs to be signed between a CSP and the customer, or a separate agreement is required between the CSP and a hyperscaler, is a critical consideration especially when CSP uses a hyperscaler to provide cloud services. In a cloud environment, each key stakeholder is also closely associated, and a legal binding agreement with all identified stakeholders may be necessary to ensure effective privacy management.

3. Defining ownership roles of data controller, processor, or sub-processors: Agreements must specify roles and responsibilities amongst the contracting parties considering the scope of engagement.

4. Impact assessment: Agreements must define the onus on each party to conduct data privacy impact assessments for transfers individually or jointly as required. These are critical to identify and mitigate privacy related risks. Further, such assessments must be recoded in writing and available whenever required for audit or other purposes.

5. Clarity on cloud location and data transfer: Due diligence must ensure a customer’s choice of data storage location, as clearly mentioned in the agreement. This is required when hyperscalers are deployed, since large CSPs have infrastructure spanning across various jurisdictions.

6. Third-party data access: Third-party data sharing spans across the roles of CSPs or hyperscalers in contracts. In case of mandatory sharing of data with external parties such as law enforcement agencies, CSPs or hyperscalers must ensure that a cloud agreement clarifies that data minimization is applied before sharing, and if law permits, inform the data handlers involved. A legal binding agreement with all identified stakeholders is necessary to ensure effective privacy management. 

7. Standard contractual clauses (SCCs) and adequacy clauses: SCCs provide legal mechanism in the form of contractual clauses that can be used by both the sender and receiver of personal data as a ground for data transfers from the EU to other countries, by providing appropriate data protection safeguards.

When customers or end-users of a non-EU CSP are subject to EU laws but data storage within the EEA is not possible, attorneys must get CSPs or hyperscalers to incorporate duly approved SCCs in the contract before data transfers. The agreement(s) must clarify if the data export location is covered under an adequacy clause or agree to a data transfer risk assessment for applicable locations. 

8. Breach notification: The procedures to be followed in case of data breach incidents need to be clearly defined and understood by all parties involved in an agreement.

9. Holistic stakeholder view: The parties to a contract must discuss other possible critical stakeholders in the privacy ecosystem and must mention those stakeholders in the agreement. 

10. Cloud model selection: A key clause that must be considered is the selection of an appropriate cloud model. For example, public cloud deployment may not be appropriate when sensitive data is to be hosted. Other key considerations include data processing terms, third-party components integrated and their licensing terms, provision for data protection officer, among others.

The silver lining

Promoting transparency, identification of appropriate governing laws based on jurisdiction and geography, defining liability of each party involved, and clarity on management—ownership, limitations, access to data, and mitigating financial losses are among the several benefits that cloud provides when exercised correctly with legal and privacy due diligence. 

In the above context, a Cloud Industry Forum report notes that “consistency, clarity, and transparency must lie at the heart of contracting with CSPs.” Likewise, a Gartner report highlights that “through 2025, 99% of cloud security failures will be the customer’s fault. Chief information officers (CIOs) can combat this by implementing and enforcing policies on cloud ownership, responsibility, and risk acceptance.” 

While there is no one-size-fits-all approach to safeguard oneself against regulatory, privacy, and security challenges in the cloud, which is also highlighted by the European Data Protection Board, the following proven best practices, and exercising due-diligence can help organizations mitigate their risks to a large extent.