Cloud computing needs legal restrictions

Absrtact: Cloud computing from the date of birth accompanied with the legal controversy, many countries have begun to discuss the law to regulate it, the application of the original data protection Law, privacy law or targeted to the enactment of relevant laws. Ministry of Industry and Information Technology, Institute of Policy and Economic Research, Department of Legal Supervision, deputy director of Li Haiying in detail about the foreign cloud laws and regulations.

In April this year, Lie Cross, vice president of the European Commission, said cloud computing was critical to the development of Europe, and now we need to do some work, above all, the legal framework, "it is clearly an international dimension, including data protection and privacy protection, including the distribution of jurisdiction, legal liability and consumer protection." ”

The European Union adopted the Data Protection Directive in 1995 (i.e. the European Parliament and Council of October 24, 1995 on personal protection involving personal data processing and the EC directive on the free flow of such data), commonly referred to as "general directives", the most important provision for cloud computing, In the absence of a specific commitment mechanism, the EU prohibits the transfer of personal information from EU residents to the United States and most countries in the world. What does this mean for cloud computing? If you want to put data that contains personal information about the EU residents on the cloud (these personal information may be simple such as an email address or employment information), by transferring this data from the EU to almost anywhere in the world, you cannot simply throw that data into the cloud, but you need to meet at least one of the following conditions:

The International Safe Haven Certification (Analysys Safe Harbor certification) allows data to be transmitted from the EU to the United States, but not to other countries.

Format contracts, which allow data to be transferred from the EU to other countries other than the United States, but because cloud computing involves multi-level supplier relationships, format contracts are not always valid;

Binding corporate rules (i.e. rules for cross-border transmission of personal information by transnational corporations and international organizations under EU data Protection Law), which are designed specifically for multinational companies and therefore do not necessarily work with cloud service providers.

In order to implement the EU directive, each Member State also enacted the corresponding law. such as the German data protection law, the company that uses cloud computing must take the necessary measures to protect the integrity and security of personal data, regardless of whether the cloud service provider is located in the EU. For example, a company must enter into a contract with a cloud services provider to comply with the relevant provisions of the data protection law and face fines and civil litigation if they are not complied with.

The first is the issue of cross-border delivery. Cloud computing differs from traditional outsourcing services in that the main difference is in the use of cloud computing, where data is stored and delivered over the Internet, where the owner of the data is unable to control or even know where the data is stored, and the flow of data is global, across borders and across different time zones. The key to legal problems is that it is difficult for anyone to know where the data is shared and transmitted, where data is transmitted across borders, instantaneously and globally, and each country has its own laws and regulatory requirements, and the providers of cloud services are clearly unable to comply with the laws of all the countries involved, It therefore poses a challenge to the legal obligations under the jurisdiction of States.

Next is the issue of data protection and privacy. The relationship between cloud service and national data protection Law and privacy law is a topic of great concern at present. In the United States, it involves the Patriot Act, Sarbanes-Oxley law, and the protection of sensitive information. The Patriot Act authorizes U.S. law enforcers to contact anyone's personal records without permission, with the approval of the Court, for counter-terrorism purposes. This means that if you use a server located in the United States, or a cloud computing service provider located in the United States, U.S. law enforcers can, for the purpose of a counter-terrorism investigation, check your data without your permission by obtaining a court order. Canada also has a similar provision, with its Anti-Terrorism Act (ATA) and Defence Law (national Defense Act,nda) giving the defence minister the power to check data preservation. The No. 326 chapter of the American Patriot Act also requires all financial institutions (including credit card companies) to obtain, certify and record information on accounts, changes and payers in each account. The enactment of the Sarbanes-Oxley Act (Oxley) also provides a legal basis for data protection, and companies applying the Sarbanes-Oxley Act must ensure that their suppliers comply with Sarbanes-Oxley requirements when using cloud computing services. In addition, the issue applies to different sectors such as finance, health and other laws, as well as to different types of sensitive information, such as children's data. Federal laws in the United States, such as the Financial Services Act (Gramm-leach-bliley), apply to financial institutions for data protection, health Insurance Facilitation and Accountability Act (HIPAA), for health service providers and other health-related entities; Online Privacy Protection Act for Children (COPPA), Applies to data collected for children younger than 13 years old, and so on.

Third, the contract norms are difficult. Usually, the service provider and the customer through the contract to regulate their respective rights and obligations. However, before cloud computing establishes standard and trusted programs, it is difficult and impossible for users of cloud services to want to be protected through contracts. Flexible, Easy-to-use services and easy to share infrastructure are the advantages of cloud computing, but the way cloud computing is used creates a lot of security problems. Companies offering cloud computing are unlikely to make contractual commitments to security issues in their contracts with customers because they are out of control and cannot even tell customers where the data is located. If a cloud-computing provider is required to make a commitment and incur additional obligations in a contract, it is likely to disrupt the cloud's pricing model and make it more advantageous.

The legal issues arising from cloud computing are global, and in the future, in addition to the laws and regulations of countries within their respective jurisdictions, legislative efforts at the international level may be more conducive to the development of cloud computing and security protection.

The legal problems posed by cloud computing have challenged countries around the world, and the BlackBerry restrictions have been reopened in some countries. For example, France requires the government not to use the BlackBerry because all mail routes will be passed through the United States and are easily seen by the U.S. Department of Homeland Security. In India, in order to stop the government's ban on the use of BlackBerry equipment, RIM has worked with the government to address national security and user privacy issues. Cloud computing providers are also working on this. According to the New York Times, HP, Microsoft, Google and Oracle are all looking for ways to solve the problem, for example, in HP's UK labs, where researchers are trying to encrypt data before it is sent to the cloud center and then decrypt it after it leaves the cloud. Another solution is to give individuals the ability to digitally label data to control the personal information of each part of the cloud. The companies are also lobbying lawmakers to loosen restrictions to ensure that companies can develop cloud computing within the boundaries set by regulators.

(Responsible editor: admin)