May 27, 2010

Jurisdiction, or, I have to comply with whose laws?

Judith Hurwitz, of Hurwitz & Associates, has a slide in one of her presentations that refers to protecting data in the cloud and reads, "Government and Industry regulation must be adhered to regardless of the location of your applications and your information."

The first thing that popped into mind was the classic 70s cop show scene where the cops, all sporting mutton chops and polyester leisure suits, are arguing about ownership of the crime scene...

The next thing that popped into mind was how confusing this must be; organizations have to be aware of, and comply with, the laws and/or regulations that apply to their operations in the country where the application(s) and data sit as well as those of their own country. There can be no other interpretation of the slide, because we know that privacy laws in Europe can be tough and those in the US are different, yet there is an expectation of data privacy in both jurisdictions. The slide deck contains several examples ranging from specific country laws, co-mingling of data, and secondary data use, to the next point, data transfer across borders.

What about data in transit? Is data subject to the laws and/or regulations of the jurisdictions through which it passes en route to/from the site hosting the application? There are restrictions on sending data out of some European countries unless the receiving end complies with European requirements on data security, but what of the countries in between? Data stored in Europe usually goes through gateways to get to North America and then through a gateway into the US, Canada, or Mexico, and vice versa. I suppose that the argument can be made that data in transit over backbone infrastructure is not susceptible to attack. But then I recall a certain government agency that wanted to snoop Internet data streams not too long ago...

What of the end users' expectation of privacy? If these users are in yet another country, can the requirements of that country be imposed on the applications' owner? Can lawsuits be filed in this case?

The simplest and most efficient solution would be to comply with the common requirements and the most stringent requirements from each country in order to be compliant with all. Not sure if this is the answer but it seems that it could be. Then again, I'm no lawyer so I may be wrong here.
