Cloud computing and cloud-service providers have brought about a significant shift in the globalized delivery of information technology services and computing resources. This article is the first in our new six-part series, “Understanding current cybersecurity challenges in law”. In this article, we will set the stage for our much more detailed future exploration of some of the current important issues relating to cybersecurity and the law.
Most of us would likely be unsurprised to learn that the vast majority of our personal and professional data is stored in the cloud. The most popular social media apps – such as Instagram, Twitter, Facebook, and LinkedIn – all use cloud-based data storage for user accounts, profiles, uploaded content, and more. With the heavy volume of data being shared and the prevalence of these storage systems, we may at times overlook the principles we have been taught with regard to cyber hygiene, and end up taking our data security for granted.
Data are units of information, a set of values or variables — qualitative or quantitative — about one or more entities. Data security refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. This includes protecting your data from attacks — such as ransomware — that can encrypt or destroy data, as well as attacks that can modify or corrupt your data. Data security provisions also ensure that necessary data is available to individuals in an organization who are meant to have access to it.
Cloud-service models
When we connect to the cloud, there are three major factors to consider: where the data is being stored, where the storage infrastructure is located, and which laws govern the access to and disclosure of the data stored on that cloud system. A cloud service provider — often a third party — is the entity that owns and operates the hardware, software, and infrastructure necessary for the cloud to be operational. These resources and the associated services can then be accessed over the internet, on a pay-per-use basis, by individuals or organizations who subscribe to the service offered by the third party.
Cloud services are typically divided into three different models: public, private, and hybrid. In the public cloud model, organizations receive access to these services over the Internet from a shared pool of resources that are logically separated from one another. This is in contrast to the private cloud model, in which the cloud resources are dedicated solely to one organization, and are maintained on a private network. In the hybrid cloud model, both public and private clouds are used, with data and applications communicating between the two.
Cloud service subscribers usually have the option to isolate the storage of their data to a specific geographic region, allowing the subscriber to determine the nation under whose laws and policies the data is to be kept. The largest cloud service providers tend to deploy their services globally, giving the service provider the ability to move data anywhere in the world, as per the wishes of the subscriber. This is where we run into the challenge of data sovereignty.
Data sovereignty
When data is stored in a cloud environment, regardless of where the cloud-service resources are physically located, the data may be subject to the laws of other countries. In law, data sovereignty refers to the control a nation (or state) has over access to and disclosure of its digital information, with that information subject only to its own laws. Where a cloud service provider, as a large-scale corporate entity, is operating on a global level, it could end up being required to comply with a court order, warrant, or subpoena request from a foreign law enforcement agency seeking to obtain data relating to the affairs of another nation.
If a national governing body decides to move its data outside of its territorial boundaries, that could have an impact on its ability to access data and services which are vital for the continuity of nationally-based businesses, health care, and other important infrastructure. In this scenario, when it uses cloud-based storage located beyond its national borders, the governing body would not be able to ensure full sovereignty over its data. A lack of full data sovereignty could cause widespread damage to the government and the nation as a whole, as well as to businesses, organizations, and individuals in that nation. In this case, sensitive or valuable data could also unknowingly be subject to foreign laws and/or be disclosed to a foreign government, potentially without any form of notice to those whose data is being disclosed.
Comparative strategies
In Canada, data sovereignty refers to Canada’s right to control access and disclosure permissions for its digital information, that is, data related to Canada (including Canadian businesses, organizations, and individuals) and subject only to Canadian laws. The Government of Canada has begun to address the intersecting issues of cloud-based storage, data privacy, and data sovereignty by outlining a “cloud-first” policy strategy. This policy rests on top of the more standardized consumer protection and privacy laws which are already in place. The “cloud-first” strategy was outlined in depth in the Government of Canada’s White Paper on Data Sovereignty and Public Cloud, which describes it as “a strategy whereby cloud services are identified and evaluated as the principal delivery option when initiating information technology investments, initiatives, strategies and projects”. The “cloud-first” policy encourages government departments and related agencies to consider their use of cloud-based deployment models and to utilize data storage options in a prescribed order of priority, beginning with public cloud, followed by hybrid cloud, then private cloud, and finally non-cloud data storage models.
In comparison, Germany, a member nation of the European Union, has not established a specific legal framework for cloud-based services, meaning that those services are subject to the general laws of both Germany and the European Union. The relevant laws which apply to data storage include: the German Civil Code, Commercial Code, Telemedia Act, and Copyright Act; national information technology security laws; the European Union’s General Data Protection Regulation (GDPR); and other standard rules relating to competition and consumer protection.
Contrasting with both Canada and Germany, the People’s Republic of China does not permit cross-border data flows, as a general rule. This means that all companies operating in China, including all of the large-scale data handlers and critical information infrastructure providers, must specifically localize their data within China. For the very rare cases in which Chinese data might need to be transferred abroad, the transfer must be explicitly approved via a lengthy process through the designated approved authority: the Cyberspace Administration of China.
Impacts on corporations
In addition to having an impact on governing bodies, data sovereignty laws also have serious implications for corporations. With the rise of social media, and the integration of cloud services into our daily lives, there have been a number of scandals and controversies regarding non-consensual data sharing and/or breaches. We have also seen significant issues arise from conflicting data sovereignty laws, which have resulted in some of the ongoing national and regional law reviews with respect to cross-border data sharing.
On March 17, 2018, just weeks prior to the implementation of the General Data Protection Regulation by the European Union, the New York Times and the Guardian broke the news that 50 million Facebook user profiles had been harvested for “psychographic profiles” by Cambridge Analytica. Facebook later reported that the number of Facebook user profiles, from which information was mined for targeted political campaigns and other projects, was over 87 million. On March 26, 2018, just over a week after the initial story was published, Facebook stock fell by about 24 per cent, equivalent to $134 billion.
Just under two months later, in May of 2018, Wall Street reported that Facebook had been able to recover their losses. While the impact to Facebook was mostly overcome, this scandal shone a stark light on the fragility of our assumptions of personal data protection in an online world. Unfortunately, while the Facebook-Cambridge Analytica scandal brought data and its importance to the forefront of consumer awareness, this level and scope of public awareness was reached only after the personal data of millions of users was harvested through a massive breach of trust.
In another controversy, the Court of Justice of the European Union (CJEU) has recently determined that cloud-based services hosted in the United States are incapable of complying with the European Union’s General Data Protection Regulation and other EU privacy laws. In their decision, the Court of Justice of the European Union established that data exports are not merely financial decisions, as the fundamental rights of the users must also be considered as a matter of priority. This decision specifically impacts large-scale global data operators, such as Google Analytics and the Meta corporation.
In response, Meta issued a stark warning to Europe in their annual report filed with the Securities and Exchange Commission (SEC) which suggests that Facebook and Instagram will no longer be available within the European Union unless data is allowed to flow to its servers in the United States. In this report, the company argues that the lack of an acceptable data transfer framework “would materially and adversely affect [the] business, financial condition, and results of operations” as “Meta, and many other businesses, organizations and services, rely on data transfers between the EU and the US in order to operate global services.”
“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.” — Meta Annual Report
The outcomes of the ruling made by the Court of Justice of the European Union could impact many corporations, both in the United States and in the European Union. On March 25, 2022, following extensive media coverage, the European Commission and the United States announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework. The joint statement describes the framework as providing “a durable basis for trans-Atlantic data flows, which are critical to protecting citizens’ rights and enabling trans-Atlantic commerce in all sectors of the economy, including for small and medium enterprises” and promoting “an inclusive digital economy in which all people can participate and in which companies of all sizes from all of our countries can thrive.”
Conclusion
Around the world, public awareness of data sovereignty and the related issues has increased in recent years, along with our collective ever-increasing reliance on cloud services and storage resources. As we rely more and more on our access to cloud data storage and other cloud-based services, the amount of storage that we collectively need will correspondingly increase. Not only does this tie us ever more closely to the third-party cloud-service providers on whom we rely so heavily, but it also presents us with an ever-increasing potential loss due to the increasing risk of massive data breaches, identity theft, digital exploitation, widespread cyberattacks, and other cyber risks.
In our next article in this series on “Understanding current cybersecurity challenges in law”, we will examine the concept of digital governance, governance strategies, and the relation between digital governance, data sovereignty, and law around the world.