Data PrivacyData Privacy In Cloud Computing

September 21, 20220

INTRODUCTION

As organizations expand and extend across various jurisdictions, risk management of big data becomes a vital aspect to look out for. The pervasiveness of electronic communication, combined with the expense of maintaining an internal information technology (hereinafter referred to as “IT”) infrastructure that can keep up with the pace of business and evolving digital advancements has led to a dynamic increase in the usage of cloud computing services to store and a business’s electronic data.

Cloud computing vastly improves network storage capabilities by providing on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction from service providers. Cloud computing, used for key performance indicators within the company, or an email system, boosts productivity while decreasing IT based infrastructure and expenditures.

However, cloud computing entails the distribution of data among computer systems situated across the world. The manner in which cloud servers are spread across various jurisdictions introduces possible risks by transporting data into or enabling access to data from nations with stringent data privacy and protection laws.

In this article, we will discuss the several facets of cloud computing in the advent of data privacy concerns among the users across the globe.

PRIVACY CHALLENGES IN CLOUD COMPUTING

The consumers’ lack of control over cloud services poses a severe danger to data integrity, confidentiality, and privacy standards. The Madrid Resolution on International Standards on the Protection of Personal Data and Privacy (hereinafter referred to as the “Madrid Resolution”), tabled on the International Conference of Data Protection and Privacy Commissioners held in the year 2009, is an excellent starting point for developing universal rules for the protection of personal data and privacy.

The Madrid Resolution was accepted by data protection authorities from fifty nations during the 31st International Conference of Data Protection and Privacy Commissioners.  It emphasises the urgent necessity to defend privacy in a world without borders and to develop a consensus proposal for the development of worldwide privacy and data protection standards. Its goal is to develop a set of principles and rights that provide effective and standard privacy protection measures pertaining to the processing of personal data, on an international level.

This growing volume of personal data will boost demand for cloud services, especially if cloud computing lives up to its promises of lower prices for clients and the introduction of new business models for providers.

A few significant privacy issues with regards to cloud computing are as follows:

1. Data Confidentiality

While externalizing and outsourcing particularly delicate and sensitive data to a cloud service provider, user data confidentiality is a critical problem to address. Data stored on the cloud is often not encrypted before further transfer across the cloud servers, which makes such personal data susceptible to malicious or external attacks. A lack of trust in the data transfer process incorporated by the cloud service providers or cloud database service providers is a major security concern that keeps many users from using cloud services.

2. Data Loss

One of the most common security concerns that cloud companies face is data loss or theft. If a cloud database service provider has previously disclosed incidents of data loss or theft of vital or sensitive material data, it is observed that majority of the consumers has refused to utilise the said service provider’s cloud services.

Outages of cloud services are fairly common, even from companies like Dropbox, Microsoft, and Amazon, resulting in a lack of absolute faith in these services.  Furthermore, in such circumstances, even if only one storage unit is compromised, an attacker can easily get access to several storage units.

3. Transparency Issues

Cloud database service providers are usually committed to the transparent sharing of data and other requisite information in order to maintain a healthy relationship with the users and organizations. However, such transparency puts the security, privacy, and service level norms in jeopardy.

4. Hypervisor Related Issues

Virtualization refers to the conceptual separation of computing resources from physical constraints and limits. However, this introduces new complications such as user identification, accounting, and authorization. The hypervisor controlling  several virtual machines, makes it an easy target for attackers. Unlike physical devices that are independent of one another, virtual machines in the cloud server are often connected to a single physical device maintained by the same hypervisor. The breach of the hypervisor will thereby endanger several virtual machines.

5. Managerial Issues

Cloud privacy security issues include not just technical but also non-technical and management aspects. Implementing a technical solution to a problem or a product without adequately managing it, is certain to bring vulnerabilities. Lack of control, security and privacy management for virtualization, building thorough service level agreements, negotiating with cloud service suppliers and users, and so on are a few examples of managerial issues in cloud computing.

LEGAL REQUIREMENTS

Compliance with the Information Technology Act, 2000 (hereafter referred to as the “IT Act”) and relevant restrictions on data protection shall be applicable on the cloud service providers.

1. Data Privacy Regulations: The IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“hereinafter referred to as the “IT Rules”) apply to cloud services provided in India. The collection, reception, holding, storage, treatment, and transfer of personal information and sensitive personal data are governed by the IT Act presently.

The IT Act applies to any entity collecting data as well as any entity to whom the Data Collector transfers data for processing. A cloud service provider often handles data sent to it by its users, and hence the IT Act shall be applicable on such cloud service providers.

2. Government Access: The Indian Government has the authority to intercept, monitor, and decrypt information created, sent, received, or stored in any computer resource under the IT Act and the Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009. The Government may do so for reasons pertaining to state security and law enforcement.

3. Online Intermediary Guidelines: In India, cloud service providers may be protected as “intermediaries” under the IT Act and the Information Technology (Intermediaries Guidelines) Rules, 2011 (hence referred to as “Intermediary Guidelines”). An intermediary is someone who receives, keeps, or transmits records on behalf of another, or who offers any service related to maintenance or storage of such records.

The broad consensus is that intermediaries promote Internet use and/or provide access to third-party content via public-facing services. While cloud service providers do not provide such services, given the broad definition, they may be considered intermediates in some scenarios. Intermediaries benefit from safe harbour protection for third-party information or data stored by them, but they must also meet a number of compliance criteria.

4. IT Act and Other Indian Laws: Despite the lack of a special legislation covering cloud services, standard Indian laws will continue to apply to services provided to Indian clients or users in India. It should also be noted that the IT Act has extraterritorial applicability, and its provisions apply to offences or contraventions committed by anybody outside India.

AMLEGALS REMARKS

Cloud computing and cloud based servers is a rapidly developing technology that is resulting in new business structures and applications. The increasing usage of smart phones will play a significant role in aggravating cloud computing adoption.

However, cloud computing has privacy and security issues which needs to be addressed at the earliest. To analyze privacy concerns and set suitable protection measures, the global dimension of cloud computing necessitates established approaches and technology solutions. From a commercial standpoint, data privacy should be viewed as an opportunity for cloud providers to enhance their brand image and distinguish their services.

However, privacy concerns necessitate the cooperation of a diverse variety of stakeholders in order to encompass interdisciplinary methods that benefit all sectors of society. Interoperable built-in privacy components capable of complying with concepts such as data reduction in complex architectures are required for robust privacy protection. Privacy standards will play a significant role in increasing cloud service adoption by promoting social responsibility and resolving privacy concerns.


For any queries or feedback, please feel free to get in touch with chaitali.sadayet@amlegals.com or mridusha.guha@amlegals.com

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

 

Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.