Tag: GDPR

The Cloud Act and What it means for you, or more importantly, me!

The CLOUD Act, or to give it its full name, the Clarifying Lawful Overseas Use of Data Act, has been signed into law by POTUS 45. The act has been touted as an update to the ECPA, the Electronic Communications Privacy Act, and ostensibly that is the case. What is worrying, though, is that it was signed into law as part of the Omnibus Spending Bill, without the oversight that a foundational privacy law should have been given. It feels like it has been smuggled through.

The Cloud Act: it’s MAD (Mutually Assured Data Access)

This is an act that has been praised by technology companies. The below is an excerpt from a joint letter from Apple, Google, Facebook, Microsoft, and Oath (the new name for Yahoo).

The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.

And vilified by privacy and civil rights organizations. This is an excerpt of what the ACLU thinks of the law.

The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people.

The Electronic Frontier Foundation also had a list of objections:

  • Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
  • Fails to require foreign law enforcement to seek individualized and prior judicial review.
  • Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
  • Fails to place adequate limits on the category and severity of crimes for this type of agreement.
  • Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
  • The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.

It seems that there are two sides to this story, and they are diametrically opposed. Why would the technology companies be on one side of the fence and the civil rights organisations on the other? Especially considering Google’s mantra of “Do no Evil.” The wording of legal documents often produces this kind of result. The intention is to be clear and leave little to no wriggle room for interpretation, but as you can see, the act has been read in completely different ways.

This post was previously published on http://www.tvpstrategy.com


Managing a Multicloud

There is no denying that the future of cloud is not with a single provider, capable as Azure, AWS, and the other public providers are. For true data protection, your information needs to be in three separate locations, and with the rise of data sovereignty, there is a need for data to be kept within the boundaries of a nation-state. GDPR will place further obligations on companies and their data compliance. Smaller countries will suffer more than larger ones, which have multiple regions and zones per country per cloud provider. Smaller countries like the UK will have problems, as a single provider will not have three regions there for true resiliency. Microsoft, for example, will have two regions in the UK for Azure (London and Cardiff) and two for Office 365 (Durham and London). Amazon will only have a single AWS zone: London. (Europe retains Frankfurt, Ireland, and Paris.) The other public cloud providers do not fare much better. Post-GDPR, data sovereignty will be front and center. So, what exactly can you do if you want, need, or desire to be totally in the public cloud, sell to your customers in Europe and the world, and not fall foul of transnational data-protection laws? A multicloud may be the answer.

Multicloud Puppet Master

Let’s look quickly at the main market providers: India, China, and the US. How can they remain compliant?

Previously Published on TVP Strategy (The Virtualization Practice)


GDPR: What is it, and Why should I care?

GDPR is a new set of European regulations that, in a nutshell, set out to codify how a data holder should secure and protect any personal data that they hold. Further, it also codifies the rights of the individual regarding any data held about them. Of course, being a European regulation, it is a lot more detailed than that.

Firstly, it may be helpful to explain what the difference is between a European regulation and a European directive. Both are legally binding on member states. However, a directive leaves wiggle room for the member states to decide how the stated directive obligation is met, whereas with a regulation, the European Union (EU) dictates both the obligation and the method of fulfilling said obligation.

GDPR – The Clock is Ticking
