Privacy advocates have raised many concerns about cloud computing. These
concerns typically mix security and privacy. Here are some additional
considerations to be aware of:
Access
Data subjects have a right to know what personal information is held
and, in some cases, can make a request to stop processing it. This
is especially important with regard to marketing activities; in some
jurisdictions, marketing activities are subject to additional
regulations and are almost always addressed in the end user privacy
policy for applicable organizations. In the cloud, the main concern
is the organization’s ability to provide the individual with access
to all personal information, and to comply with stated requests. If
a data subject exercises this right to ask the organization to
delete his data, will it be possible to ensure that all of his
information has been deleted in the cloud?
Compliance
What are the privacy compliance requirements in the cloud? What are
the applicable laws, regulations, standards, and contractual
commitments that govern this information, and who is responsible for
maintaining the compliance? How are existing privacy compliance
requirements impacted by the move to the cloud? Clouds can cross
multiple jurisdictions; for example, data may be stored in multiple
countries, or in multiple states within the United States. What is
the relevant jurisdiction that governs an entity’s data in the cloud
and how is it determined?
Storage
Where is the data in the cloud stored? Was it transferred to
another data center in another country? Is it commingled with
information from other organizations that use the same CSP? Privacy
laws in various countries place limitations on the ability of
organizations to transfer some types of personal information to
other countries. When the data is stored in the cloud, such a
transfer may occur without the knowledge of the organization,
resulting in a potential violation of the local law.
Retention
How long is personal information (that is transferred to the cloud)
retained? Which retention policy governs the data? Does the
organization own the data, or the CSP? Who enforces the retention
policy in the cloud, and how are exceptions to this policy (such as
litigation holds) managed?
Destruction
How does the cloud provider destroy PII at the end of the retention
period? How do organizations ensure that their PII is destroyed by
the CSP at the right point and is not available to other cloud
users? How do they know that the CSP didn’t retain additional
copies? Cloud storage providers usually replicate the data across
multiple systems and sites—increased availability is one of
the benefits they provide. This benefit turns into a challenge when
the organization tries to destroy the data—can you truly destroy
information once it is in the cloud? Did the CSP really destroy the
data, or just make it inaccessible to the organization? Is the CSP
keeping the information longer than necessary so that it can mine
the data for its own use?
Audit and monitoring
How can organizations monitor their CSP and provide assurance to relevant stakeholders
that privacy requirements are met when their PII is in the
cloud?
Privacy breaches
How do you know that a breach has occurred? How do you ensure that the CSP
notifies you when a breach occurs, and who is responsible for
managing the breach notification process (and the costs associated with
it)? If contracts include liability for breaches resulting
from negligence of the CSP, how is the contract enforced, and how is
it determined who is at fault?
Many of these concerns are not specific to personal information; they apply
to all types of information and to a broader set of compliance requirements.