Keeping your data secure and private is not so easy these days. It is often unclear which jurisdiction your cloud-based data falls under and, on top of that, laws and regulations differ from country to country. Getting your head around all that can be a nightmare, which is why we want to make your life easier and turn your attention to what you need to know about cloud laws and regulations.
In fact, with recent breaches of privacy in the U.S., like the Facebook scandal, these questions are more important than ever. The U.S. has become an increasingly frightening place when it comes to data privacy and security.
For instance, the FCC voted in December 2017 to repeal its net neutrality rules, and the repeal is scheduled to take effect in June 2018. The NSA's PRISM program is still running, and its parent, the Patriot Act, is still on the books. There is also a new law on the block, the CLOUD Act, which lets U.S. law enforcement compel U.S.-based providers to hand over data even when it sits on servers abroad.
Europe is a less hostile environment, and the privacy and security of your data should survive longer there. It is not without its faults, though: EU countries occasionally disregard your right to privacy, French intelligence spies on its own citizens and the UK passed the Investigatory Powers Act, which is even more frightening than the Patriot Act.
The landscape is not all bleak, however, thanks to the GDPR coming into effect on May 25, 2018, and its promise of better privacy and security.
Russia is a whole different beast, with an internet censorship law passed in 2012. Russian law also limits where data on its citizens may be stored. However, in 2016 the Russian Federal Antimonopoly Service approved a regulation that prevents ISPs from throttling or blocking websites unless the government orders it, thus preserving net neutrality.
In Australia, the data retention law is in effect and it wants citizens' metadata. Ironically, it passed only weeks before Australia marked Privacy Awareness Week. The law is one of the most intrusive in Western societies.
We'll take a look at the specifics of the laws and regulations in force around the world.
Cloud Laws in the United States
The U.S. doesn't have one all-encompassing data protection law for the whole country. Instead, it has sector-specific laws, such as HIPAA for health data, that work together with state-level legislation to keep citizens' data safe.
The newest addition to the landscape of data privacy laws in the U.S. is the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It was introduced in February 2018 and President Donald Trump signed it into law on March 23, 2018, as part of a spending bill. It states that:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
In short, a provider that is subject to U.S. jurisdiction must hand over data it controls even if that data is stored on servers outside the U.S., and nothing in the text makes this depend on whether you are a U.S. citizen: it turns on who controls the data, not on where it sits or who you are. Congress justifies this in the act's findings, claiming the following:
“Timely access to electronic data held by communications-service providers is an essential component of government efforts to protect public safety and combat serious crime, including terrorism.”
The act also gives foreign governments that have an executive agreement with the U.S. the right to request information on their own citizens directly from U.S. tech companies. In the other direction, a provider served with a U.S. order can move to quash or modify it within 14 days if it reasonably believes that:
“The customer or subscriber is not a United States person and does not reside in the United States and that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.”
Senator Ron Wyden (D-OR) had something to say about it before the bill passed: “This bill contains only toothless provisions on human rights that Trump’s cronies can meet by merely checking a box. It is legislative malpractice that Congress, without a minute of Senate debate, is rushing through the CLOUD Act on this must-pass spending bill.”
Now, the CLOUD Act wouldn't be here today without the help of a certain law that brings red and blue stripes to your imagination when you say its name: the Patriot Act. Most of the controversial changes are in Title II of the act, named "Enhanced Surveillance Procedures." Various provisions there allow data about electronic communications to be given to law enforcement agencies.
Section 217 lets the owner or operator of a "protected computer" authorize the government to intercept the communications of a "computer trespasser" on that machine. What counts as a protected computer is defined in 18 U.S. Code § 1030 (Fraud and related activity in connection with computers), and the definition is broad: any computer used by or for a financial institution or the U.S. government, and any computer used in or affecting interstate or foreign commerce or communication, including computers located outside the U.S. whose use affects U.S. commerce or communication. In practice that covers almost any internet-connected machine.
Title II also expanded the records an ISP can be compelled to produce by subpoena. Beyond "the name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity, and length of service of a subscriber," the list now includes session times and durations, the types of service used, temporarily assigned network addresses such as IP addresses, and the means and source of payment, including bank account and credit card numbers.
The title also lets ISPs hand customer records to government agencies voluntarily if they believe there is an emergency involving danger to "life and limb," that is, immediate danger of death or serious physical injury. U.S. residents need to protect their privacy from Big Brother now more than ever. We'll give some tips on how to do just that at the end of the article.
Cloud Laws in Europe
Europe as a whole doesn't have laws as controversial as those in the U.S., but some recently passed laws are turning heads.
In the Netherlands, the lower house approved a bill that allows the police to hack suspects in a criminal case. It’s called Cybercrime III and, in its original form, gave the police the power to make use of software vulnerabilities that the developers were unaware of (zero-day vulnerabilities). This divided lawmakers and ultimately the bill was amended to require the police to report vulnerabilities to developers immediately.
The French government imitates the PRISM project with its own expansive electronic surveillance networks, Le Monde reports. The newspaper found that French intelligence collected massive amounts of data and stored it on its own servers. The data included telephone records (the identities of the participants, place, date, duration and the size of the message), email metadata and all internet activity passing through Google, Microsoft, Apple and Yahoo.
French law strictly regulates data interception, but it was not written to deal with long-term storage of data by intelligence agencies. The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), maintains that "each request for requisition of data or interception is targeted and cannot be achieved in a massive way, both quantitatively and temporally, and such practices would not be legally founded." In other words, according to the regulator, French intelligence does not acquire data on all residents all the time.
Privacy in the United Kingdom
In the UK, the law to watch out for is the Investigatory Powers Act. It allows the government to access and store data on everyone in the country, including browsing history, phone records and messages. The government restricted these intrusions to cases of "serious crime," but then defined "serious crime" to include any offence punishable by six months in prison and any offence that involves sending a communication.
In contrast, the GDPR promises to be the great unifier and equalizer of data privacy and security law in the EU. It applies to every company that processes the personal data of people residing in the union, regardless of where the company is located.
Under the new regulation, a breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to "result in a risk for the rights and freedoms of individuals"; where the risk is high, the affected individuals must be informed as well. Data subjects (the individuals the personal data is about) have the right to obtain confirmation from the data controller (the organization or person that decides how the data is processed) as to whether their personal data is being processed, where and for what purpose.
The right to be forgotten lets data subjects have the data controller erase their data, stop disseminating it and, potentially, have third parties halt processing of it.
Another often-overlooked concept in the GDPR is privacy by design. It requires data protection to be built in from the start when systems are designed, rather than bolted on afterwards. For more information on how this new law will change the data landscape of the EU, read our comprehensive GDPR article.
Russia (The Tin Curtain)
While no longer behind the Iron Curtain, Russia still restricts what's available online to its people. Censorship is enforced under the internet blacklist law passed in 2012 (Federal Law No. 139-FZ). The Russian government claims it is there to protect citizens from sites that advocate drug abuse, child pornography or anything deemed a bad influence. The criteria for that are highly subjective, and some believe the law exists to promote censorship.
On Sep. 1, 2015, Federal Law No. 242-FZ came into effect in Russia. In essence, it requires businesses that process the personal data of Russian citizens to store that data in databases located within the country, whether the business is foreign or domestic.
The Russian regulator, Roskomnadzor, makes sure everyone complies with that law. If someone files a complaint against a business that has breached Law No. 242-FZ, Roskomnadzor adds the site to its register of violators. If compliance is not demonstrated within three days, access to the site is blocked. Furthermore, the regulator can carry out unscheduled compliance checks without restriction.
Metadata Tumble Down Under
In Australia, the data retention law has been fully in force since April 2017. As in France, telecommunications companies collect metadata, but in Australia the collection is not targeted: they collect indiscriminately, store the data for at least two years and give intelligence and law enforcement agencies access to it.
This, of course, undermines the democratic principles on which Australia was founded and erodes individuals' rights to privacy, to anonymity and to freedom from having their personal data collected.
Threats from within and from without do exist, but the laws governments pass in the name of security also make it possible for malicious individuals or agencies to abuse the powers those laws grant, while taking away your right to privacy.
Individuals are far from powerless, and there are steps you can take to keep your data secure and private. Plenty of tools help protect your privacy, but the most broadly useful is a VPN (read our what is a VPN article if you're unfamiliar with it); bear in mind that a VPN hides your traffic from your ISP and local network but not from the VPN provider itself, so pick one whose logging policy you trust. We also have a list of what we think are the best VPN providers around. And if you store data in the cloud, use a service that offers zero-knowledge encryption: your files are encrypted on your device with a key the provider never holds, so an order served on the provider, under the CLOUD Act or anything like it, turns up only ciphertext.
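To make concrete what "zero-knowledge" buys you against the disclosure orders described above, here is an added illustration in Go. It is not code from the original article or from any particular provider: the client encrypts each object locally with AES-256-GCM under a key that only it holds, and the hypothetical CloudStore type stands in for the provider, which stores, and under compulsion could only disclose, sealed blobs. The object name is bound as associated data, so a blob moved to another path fails to decrypt. All names and the sample document are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore is a constructed stand-in for a provider's object storage.
// It receives only sealed blobs and never sees key material, so a
// disclosure order served on it yields ciphertext alone.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore {
	return &CloudStore{objects: make(map[string][]byte)}
}

// Put stores a copy of blob under name (an upload).
func (s *CloudStore) Put(name string, blob []byte) {
	s.objects[name] = append([]byte(nil), blob...)
}

// Get returns the stored blob (a download).
func (s *CloudStore) Get(name string) ([]byte, bool) {
	blob, ok := s.objects[name]
	return blob, ok
}

// Client holds the only copy of the data key; it never leaves the device.
type Client struct {
	aead cipher.AEAD
}

// NewKey draws a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewClient(key []byte) (*Client, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Upload seals plaintext locally and stores nonce||ciphertext||tag under name.
// The name is bound as associated data, so a blob copied to another path
// fails authentication. A random 96-bit nonce per object is fine at this
// scale; one key used for billions of objects would need nonce management.
func (c *Client) Upload(store *CloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nonce, nonce, plaintext, []byte(name))
	store.Put(name, sealed)
	return nil
}

// Download fetches the blob and opens it; tampering, a wrong key or a
// wrong path yields an error rather than garbage.
func (c *Client) Download(store *CloudStore, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, fmt.Errorf("no object %q", name)
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// ProviderCanRead models a compelled disclosure: can the plaintext be
// recovered from the stored blob without the key?
func ProviderCanRead(store *CloudStore, name string, plaintext []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	client, _ := NewClient(key)
	store := NewCloudStore()
	doc := []byte("constructed sample: customer list Q1") // constructed data
	if err := client.Upload(store, "docs/customers.txt", doc); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", ProviderCanRead(store, "docs/customers.txt", doc))
	got, err := client.Download(store, "docs/customers.txt")
	fmt.Printf("client round-trip: %q err=%v\n", got, err)
}
```

The design point is where the key lives: the provider in this model can lose the blobs, be hacked or be served with an order, and in every case what leaves its hands is undecryptable without a key it never had. The flip side is that losing the key means losing the data, which is exactly the trade a zero-knowledge service asks you to make.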
What do you think of the laws and regulations in this brave new world? Is there an interesting law that we’ve missed? Let us know in the comments below. Thank you for reading.