Archive for May, 2010

Of the Valorous Don Quixote’s Success in the Dreadful and Never Before Imagined Adventure of the Windmills

“It is quite clear,” replied Don Quixote, “that you are not experienced in this matter of adventures. They are giants, and if you are afraid, go away and say your prayers, whilst I advance and engage them in fierce and unequal battle.”

-DON QUIXOTE de LA MANCHA

Ediscovery, Cloud Computing and EU Data Protection: Cloud Nationalities Do Matter

Privacy Week in Jerusalem, hosted by ILITA: A Preview

ILITA, the Israeli Law, Information and Technology Authority, will host a Privacy Week on October 25-29, 2010 in Jerusalem, Israel.

The Article 29 Working Party recently published an opinion finding that Israeli data protection law largely provides an “adequate level of data protection” under the European Union Data Protection Directive 95/46.

Thus Israel will be joining the small and select club of countries to which personal data from the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) can flow without any safeguard being necessary.

(The other countries deemed “adequate” are: Switzerland, Canada, Argentina, Guernsey, Jersey, Isle of Man and the Faroe Islands.)

This International Conference will consist of two parts:

1. October 25-26: OECD Conference on “Privacy, Technology and Global Data Flows”

and

2. October 27-29: The 32nd Annual International Conference of Data Protection and Privacy Commissioners on “Privacy: Generations.”

At the recent IAPP Global Privacy Summit in Washington, D.C., one of the more interesting sessions offered a preview of the main themes of the 32nd Annual International Conference of Data and Privacy Commissioners.

The panel consisted of Jules Polonetsky, Director of the Future of Privacy Forum, Yoram Hacohen, the Head of ILITA and Dr. Omer Tene, a Law Professor and an Israeli Legal Consultant on Law and Technology.

The theme of the conference will be:

A New Generation of Privacy:

1. A New Generation of Technologies

2. A New Generation of Users

3. A New Generation of Governance

1. The top issues for a New Generation of Technologies will be:

  • Privacy by Design
  • E-Health and Genetics
  • Profiling and Behavioral Targeting, RFID and the Smart Grid
  • Privacy v. Intellectual Property

2. The top issues for a New Generation of Users will be:

  • The past: Where did we come from?
  • The present: Where are we now? What are the inter-generational shifts in privacy perceptions?
  • The future: Where are we headed?

3. The top issues for a New Generation of Governance will be:

  • The relationship of Privacy and Antitrust Law
  • Consumer Protection
  • Erosion of Consent and the Right to Oblivion
  • Government access to private sector data and Conflict of Law

Jules Polonetsky noted that this is the first time that the agenda of the conference has been revealed so openly, and also that for the first time, the conference will be featured on Twitter and Facebook.

ILITA on Twitter: ILITAgovil_en

ILITA on Facebook: Facebook Fan Page

The Privacy Conference’s Website: privacyconference2010.org

The participants at this session were invited to suggest further hot topics for inclusion in the conference. Some of the suggestions were:

  • The role of the CPO in the US v the EU
  • The differences in approach in the public v the private sector
  • Data Security
  • The human flesh search phenomenon in China
  • The inclusion of Generation Y and their point of view on Privacy issues

If you have any suggestions, you are welcome to email them to: steeringcom@privacyconference2010.com

Updates:

Program and Registration for Data Commissioner’s Conference now online

http://www.privacyconference2010.org/outline.asp

Irish block EU plan to allow data transfer to Israel http://www.irishtimes.com/newspaper/world/2010/0708/1224274266971.html

“The draft Commission Decision on the adequate protection of personal data in the State of Israel has been adopted on 25 October in the comitology procedure (so called Article 31 Committee),” said the spokeswoman. “The European Parliament has one month of scrutiny. Its opinion is however not binding for the Commission.” http://www.theregister.co.uk/2010/10/29/israel_gets_data_protection_laws_approved/

Cloud Security and Privacy: A Legal Compliance and Risk-Management Guide, Part 1 and 2

In this two-part series, legal expert Robert McHale, author of Data Security and Identity Theft: New Privacy Regulations That Affect Your Business, provides a comprehensive overview of the legal security and privacy risks associated with cloud computing.

Part 1 discusses the principal federal and state laws regulating cloud activities.

Part 2 provides a practical due diligence checklist companies should consult before entering into a cloud service agreement.

While storage of user data on remote servers is hardly a recent phenomenon, the current explosion of cloud computing warrants a closer look at the associated privacy and security implications.

Cloud computing carries with it its own unique risks regarding the privacy, confidentiality, and security of business information, which companies must fully assess before migrating to the cloud. Armed with an appropriate legal compliance and risk-management strategy—and strong, fully-negotiated contractual protections—companies should be able to safely transfer their data and applications to the cloud.

Part I of this article discusses the principal federal and state laws regulating cloud activities, and the legal security and privacy risks associated with cloud computing.

U.S. Laws and Regulations Governing Data Security and Privacy

The United States has numerous federal and state data security and privacy laws with implications for cloud computing. Unfortunately, there is not a single, comprehensive legal framework in which the rights, liabilities, and obligations of cloud providers and cloud users are regulated or defined. Instead, U.S.-based cloud users and providers must rely upon a veritable hodgepodge of (oftentimes) sector-specific laws to evaluate their legal risks and obligations, and the contractual terms between them.

The most notable data security and privacy laws are examined here.


The European Union Data Protection Directive

The location of information stored in the cloud can have a profound impact upon the level of privacy and confidentiality protections afforded the information in question, and upon the privacy obligations of the cloud provider.

For instance, the European Union’s Data Protection Directive, which regulates the processing of personal data within the EU as a means to safeguard individual citizens’ privacy, is of particular significance.

Under the EU Data Protection Directive, personal data may be transferred to third countries (non-EU member states) only if that country provides an “adequate” level of protection. Most notably, the United States is not on the list of countries that meet the EU’s “adequacy” standard for privacy protection. Accordingly, an organization that does its processing in the cloud may be violating EU law if the data goes to a server outside of the EU in a prohibited country, such as the United States.

In order to provide a means for U.S. companies to comply with the Directive (and thereby ensure continued trans-Atlantic transactions), the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor Program” designed to protect against accidental information disclosure or loss.


Cloud Security and Privacy: A Legal Compliance and Risk-Management Guide, Part 2

Due Diligence and Cloud Service Agreements

An organization’s contractual agreement with a cloud service provider is perhaps the most critical component in evaluating cloud computing risks, and therefore should be carefully examined before entering into a cloud relationship.

Cloud Service Agreements (CSAs) should clearly describe the services provided, guarantees, warranties, limitations, liabilities, and the responsibilities and rights of each party.

Proper due diligence requires inquiry into the following categories of concern: data security, performance, limitations of service, data migration, government and third-party litigation access, handling of trade secrets/confidential information, and exit plan, all of which are discussed in detail below.

Data Security

To properly manage the operational risk associated with cloud services, the cloud provider’s level of data security should be carefully examined. At a minimum, the following should be ascertained:

  • Is the cloud provider contractually obligated to protect the customer’s data at the same level as the customer’s own internal policies?
  • Who has access to customer data, and what are their backgrounds?
  • Where is the provider’s data center physically located, and what safeguards exist to prevent data centers from unauthorized access (for example, 24/7 security personnel)?
  • Does the provider promise to maintain user data in a specific jurisdiction and/or to avoid certain jurisdictions?
  • What are the provider’s migration policies regarding moving data back internally or to alternate providers? (Companies need to make sure that no data is lost or falls into the wrong hands.)
  • Does the provider conduct regular backup and recovery tests?
  • Do the provider’s security policies comply with all applicable regulatory rules?
  • Is the provider willing to undergo on-demand or periodic audits and security certifications?
  • Is the provider required to investigate illegal or inappropriate activity?
  • Is the provider required to disclose any new vulnerabilities that may affect the confidentiality of customer data, or the integrity and availability of their services?
  • In the event of lost or compromised data, can the data be backed up, and can it be easily reconstituted from the backups?
  • What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?
  • What happens to data when it is deleted?
  • What happens to cloud hardware (for example, trailers of servers) when the hardware is replaced?
