What are the rules for other countries in regard to personal data security in cloud computing?
Laws and regulations vary depending on the region; with cloud computing’s ability to have data and systems accessed from anywhere in the world, this can certainly create challenges in compliance. For example, the European Union’s Global Data Protection Regulation (GDPR) consists of seven principles outlined by the Information Commissioners Office (ICO) as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality (security), and accountability (ICO, n.d.). In Russia, data protection rules can be found in specific legislation such as the Data Protection Act No. 152 FZ dated July 27 2006 (DPA). In UAE, instead of all-encompassing data protection laws at the federal level, they opt for several specific regulations, such as The Cyber Crime Law – Federal Decree Law no. (5) of 2012 and The Dubai Data Law, December 27 2015’ (InCountry, 2020).
Why do they have these rules?
With such a vast amount of information widely available over the Internet, the confidentiality, integrity, and availability of this data are mission-critical to organizations and individuals alike. In today’s state of cybercrime and unplanned disasters, local, state, federal, and regional data privacy laws and regulations ensure that providers do everything in their power to limit the possibility of data breaches or malicious attacks.
Do you believe they may be changed over time?
Any good law, policy, or regulation must change over time to adapt and evolve to rising trends and future events; failing to do this is similar to how the U.S.’s federal minimum wage law’s lack of updating is quite frankly, embarrassing to us all. As technology and the way we utilize it seem to expand every day, the laws and controls set in place to monitor and secure it need to as well. A cybercriminal’s perfect attack vector is against a security system that has not been updated; this principle applies to much of the technology-related world.
What are some basic differences in the privacy rules among the US, Asia and Europe?
While the E.U.’s GDPR applies to the entire region, the U.S. opts to cover specific industries with individual privacy rules, policies, and regulations. Quite often, other countries seem to adopt many facets of the GDPR in building their own regional and industry-specific laws and privacy best-practices.
How can these rules be enforced when many cloud providers use data centers spread throughout the world?
By the various countries in the world having their own privacy laws and regulations, it can be complicated to navigate the miles of red tape in preventing breaches of confidential data and adhering to the regional-specific rules for data collection, storage, and processing. Enforcing the abovementioned rules can happen if the country in question can prove, via service agreements, data contracts, and proper reporting and auditing, that the data that was at rest resided in a specific country; as you can guess, this can be difficult, but possible.
In your opinion, will there eventually be one standard for personal data privacy? Or are the differences too culturally embedded to overcome?
In the perfect world, having a single personal data privacy regulation to follow regardless of the region or industry would indeed be remarkable and make our jobs easier; however, each country’s business operations and local laws vary so much that I do not think it would be possible, at least for the near future. In my relatively limited experience, I find that many security breaches merely take the shape of a finger-pointing match while each provider and company points the blame at the other; having regional-specific policies assist a cloud service provider, for example, in pointing the blame at another country’s security practices, thus opening up the possibility of mitigating or transferring some of their risk.
ICO. (n.d.). The principles. Retrieved October 26, 2020, from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/.
InCountry. (2020, October 22). Data residency laws by country: An overview. Retrieved October 26, 2020, from https://incountry.com/blog/data-residency-laws-by-country-overview/.