Protecting the privacy and security of sensitive customer data in the cloud

https://doi.org/10.1016/j.clsr.2012.03.003

Abstract

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.

Introduction

Cloud computing is as important “to this decade [as] PCs were to the 1970's, a technological and social leap that will change how businesses function, how cities are planned, how people carry out their work and what citizens expect from online services”.1 The cloud offers companies many potential benefits, including reduced waste of information systems resources, increased data centre efficiency and lower operating costs.2 Already a $68 billion global industry, anticipated to grow by $17 billion a year, cloud computing's significance to the global economy cannot be overstated.3 To reach this potential, it will be essential to ensure privacy and security for sensitive customer data, which companies considering cloud computing view as a top challenge.4

This paper focuses on the information privacy laws of the European Union and the United States, the world's two largest trading partners.5 It recognizes that the question of which countries' laws apply to a cloud computing scenario may be difficult to answer because “the exact place where data are located [in the cloud] is not always known and it can change in time”.6 In some cases, EU or U.S. law requires that information privacy and security be provided for sensitive data. Apart from laws that mandate privacy and security for sensitive data, there are questions about whether sensitive data are adequately protected in the cloud at all. Information privacy and security failures may give rise to lawsuits, invite government investigations and undermine consumers' trust in cloud computing.7

Information privacy and security in the cloud

Cloud computing “at its most basic level … means the delivery of IT [information technology] resources as a service to multiple customers via the internet.”8 It “can be contrasted with an ‘on premise’ IT infrastructure whereby a business purchases and maintains its own

What is sensitive data?

The starting point for defining sensitive data under EU law is the list of “special categories of data” in the Data Protection Directive (Directive) that includes “personal data revealing the racial origin, political opinions or religious or other beliefs, as well as personal data on health, sex life or criminal convictions” of natural persons.21

How the EU regulates privacy and security for sensitive customer data in the cloud

European laws set high compliance obligations for companies, requiring them to protect the privacy and security of consumers' sensitive data, including sensitive data that is stored in a public cloud.

How the US regulates privacy and security of sensitive data in the cloud

The cloud computing industry faces few legal restrictions in the U.S. Currently there is no comprehensive federal legislation to protect consumers' privacy and personal data and no generally-applicable regulation that limits exports of personal data from the U.S. to other countries.59

Regulatory reform is needed to protect sensitive consumer data in the cloud

To adequately protect sensitive consumer data in the cloud, both EU and U.S. laws need to be revised to provide heightened privacy and security for sensitive data. Failure to do so will undermine consumer trust and expose organizations that adopt cloud computing, or that provide cloud computing services, to security breaches and to legal and other costs. EU policy makers have called for a cloud strategy in Europe that would make the EU not only “cloud friendly,” but “cloud active” and anticipate the need

Conclusion

In both the EU and the U.S., privacy laws need to be reformed to provide a solid regulatory foundation for the growth of cloud computing. A primary goal of reform should be to build a regulatory framework worthy of consumers' trust that their sensitive personal data will be kept private and secure in the cloud. Both cloud service providers as well as companies hoping to gain the business advantages of using cloud computing to store and process customer data will benefit from having well

Nancy J. King ([email protected]) is an Associate Professor at Oregon State University's College of Business in Corvallis, Oregon, U.S.A. In 2008 she was a Fulbright Fellow at the Centre de Recherches Informatique et Droit (CRID), University of Namur, Namur, Belgium. While at the CRID she conducted comparative legal research from an EU/U.S. regulatory perspective on data protection and privacy issues related to consumers' use of mobile phones incorporating location tracking technologies.

V.T. Raja ([email protected]) is an instructor at Oregon State University's College of Business in Corvallis, Oregon, U.S.A. He earned a Ph.D. in Business Administration from Washington State University, U.S.A. He has a Master's Degree in Mathematics from the Indian Institute of Technology, and a Bachelor's degree in Mathematics from Loyola College, India.