In 2018, it will continue to be a subject which will exercise us intensively: that is, the debate on data protection and data security that has now been going on for years, given that more and more information is being digitalized and traditional security concepts and measures are no longer fit for purpose. Here, cloud computing is a pioneer in many areas, as security in connected systems is the No. 1 priority for every professional cloud provider. Because at the end of the day, it forms the basis of these providers’ core business.
Unfortunately, the term data protection is open to a multitude of interpretations, which makes it difficult to create appropriate framework conditions and define objective criteria, even without the global connection of databases.
In essence, we understand data protection as a measure against the misuse of data and, when considered through the lens of a more extensive security assessment, also as the necessary precaution against the unauthorized deletion or falsification of data. Personal data is considered to be in particular need of protection, as was already established in the world’s first Data Protection Act, that of the German state of Hesse, and in the follow-up, the German Federal Data Protection Act of 1977.
Since 1995, minimum standards have been defined in the EU and the protection of personal data has been determined to be a fundamental right. In the USA, on the other hand, the term data protection is reduced primarily to technical considerations. With a few exceptions, access to personal data in the US is widely accepted in society, mainly stemming from a standpoint of informal self-determination and freedom of expression.
Digitalization and data protection
At the very latest with the advent of Web 2.0 and smartphones, it started to become clear that the handling of personal data in a globally connected world is considerably more complex than accounted for in the existing regulations. Essentially, what is involved are personal social structures and actions on the web, as well as geo mobility profiles. This has given rise to the growth of a digital industry that operates on the simple principle of "convenience and price advantages in return for freely usable personal data".
In this context, what also needs to be separately considered is whether the data subjects are directly responsible for the data in question or whether these data are indirectly managed (for example, by the employer or industrial partners). Here, too, new business models are being developed in which continuous target group profiling is carried out in order to optimize business activities, based on multiple big data sources and data collected by the company itself. The problem arises if the data is collected without the explicit consent of data subjects, for example within the scope of a service action or a request for proposal (RFP).
With the introduction of cloud computing, a question that increasingly arises concerns how – in multinational and connected IT processing – the capacity to control compliance with legal regulations can be designed in conjunction with different legal partners. Understanding the complex current European data protection laws is already hard enough. However, taken together with the often small, but nevertheless significant, differences between EU member states, almost insurmountable challenges can arise if suitable legal support is not provided right from the start.
Cloud service providers and users alike find themselves confronted with serious data protection hurdles that lead to massive and unacceptable competitive disadvantages, for example compared to the USA. There is no way around data protection for every professional cloud provider: it is essential for their core business and is therefore at the top of the work agenda. For this reason, there are various initiatives and projects that deal intensively with the topic. For example, the supportive Cloud Privacy Check (CPC) reduces the entire data protection topic for the use of cloud services to four questions and allows direct comparison of 32 sets of national laws.
Where do we stand today?
The changes resulting from ongoing digitalization present society, companies, and to a particular degree individuals, with a great challenge. Whether it's the burgeoning wave of communication in children's WhatsApp chats that's getting out of hand, the unsecured webcam in the living room, the looming credit rating using social media profiles, or the jobs that are changing dramatically due to the use of algorithms and automation – this is all just too fast for many people, and data protection is often used as a braking mechanism.
However, this rightly gives rise to the question as to whether it is appropriate to evaluate and regulate innovations using conventional approaches. It has taken more than 20 years to extensively amend a Data Protection Act from 1995 and to bring it somewhat into line with the information society of today. Meanwhile, important clarifications, such as how to deal with the Safe Harbor Agreement, have been produced by private lawsuits and not on the initiative of data protection representatives, which is rather surprising. In the context of cloud computing, some data protection officers tended to conjure up ultimate worst case scenarios, and even today, you still far too often hear: "If using the cloud, then only a private cloud and preferably with your own systems". Which is a very dangerous recommendation, given that in many cases there is a lack of competence to adequately protect such systems, especially in the consumer sector.
Which steps must we take?
We need to look more closely and in greater detail at which data analyses can add value and, in doing so, grant potential data subjects a right of self-determination. Who wants to explain to a cancer patient that a study or therapy will fail due to the pitfalls of a complex data protection regulation? How do we want to reduce the number of traffic fatalities without using data and algorithms which as a matter of course also make it possible to identify individuals, places, and other information on a temporary basis? The principles of "privacy by design" and data minimization will not provide adequate answers to these questions. This requires more room for maneuver and a more intensive focus on granting data sovereignty than on data protection as a matter of classified information.
We live in an information society and we need appropriate information security. Many services commonly used today are part of a connected infrastructure and connected applications. This is work done by experts and must also be protected by experts. With the Star Audit, EuroCloud has developed an appropriate framework to examine the status of a cloud provider with respect to the important questions of law, data protection, and security, with this also serving as a template for the Trusted Cloud Label.
November 2017 saw the start of the AUDITOR project, funded by the German Federal Ministry for Economic Affairs and Energy. The associations eco and EuroCloud are directly involved in the development of a data protection certification in accordance with the European General Data Protection Regulation (GDPR). Before the new regulation enters into force in May 2018, the specific requirements for cloud services will be published in consultation with the data protection supervisory authorities.
Europe has a great opportunity to promote the positive effects of a digital society and to keep the negative side effects in hand. But this also requires uniform rules in a European digital single market. For some, the living-room voice assistant may represent the epitome of the Orwellian Big Brother world; for the grandmother who lives alone in the country, it might perhaps represent the lifesaver.
Smart Cities, Autonomous Traffic, Industry X.0, Artificial Intelligence, Virtual Reality, Digital Learning – we are presented with many opportunities and challenges which could improve our lives. An old-fashioned and overly defensive view of data protection, stymied by 1980s' approaches, should not lead into an offside trap! Modern data protection, on the other hand, can create a balance between the self-determination of the concerned party and digital progress.
Andreas Weiss is Director of the cloud association EuroCloud Deutschland_eco e.V. since its foundation and has been active within eco since 1998. He played a key role in developing the EuroCloud Star Audit as the first cloud-specific auditing process and is part of various research and SME supporting projects like NGCert (Next Generation Certification) and Trusted Cloud. He is the co-author of both the book “Cloud Migration”, dealing with issues of quality requirements and selection criteria, and the EuroCloud Guidelines "Cloud Computing – Law, Data Protection & Compliance” and the Cloud Acceptance Study.