As anticipated, the second booklet presented with the Annual Report of the Italian Authority for the protection of personal data deals with the system of cloud computing. Here we present a brief summary for the benefit of those who have doubts about the level of security and confidentiality of their data uploaded “in the cloud”.
Given the increasing offer of these services, the booklet presents itself as a “series of precautions” aimed at encouraging their appropriately aware and responsible use.
“Cloud computing” is a set of services for which resources are easily accessible and configurable on a network. Once they are connected to a cloud provider, users can perform certain activities such as using remote software not directly installed on their computers or saving data on online storage systems.
It is essential to differentiate between private and public clouds. In neither case does the data reside on users’ “physical” servers, but whereas a private cloud is a closed system dedicated to the needs of a single organization, management of which is entrusted to a third party (easy to control), the infrastructure of a public cloud is owned by a supplier and is used over the web.
In a public cloud, confidentiality and availability of information are entrusted to the security mechanisms adopted by service providers, and users who upload their data lose most of their ability to exercise adequate control over it.
The Italian Authority focuses on a number of aspects regarding cloud computing that require particular attention. For example, if the chosen service is the end product of a transformation chain of services from other service providers apart from the vendor the user signs the service contract with, it may not be possible to ascertain which of several managers of intermediate services can access certain data. In addition, in the absence of adequate guarantees on the quality of network connections, temporary problems of data accessibility may be experienced due to breakdowns or traffic overloads; in other cases, portability and interoperability might be jeopardized by the passage of data and documents from one cloud system to another, or during an exchange of information with users of different clouds.
Outsourcing data to remote providers is not the same as keeping it on one’s own system: there are advantages and drawbacks that need to be taken into consideration. In this regard the Authority has drawn up a series of actions that are to be considered indispensable in order to use cloud services with due care and awareness:
- Prioritize consideration of risks and benefits of the services offered.
- Prefer services that facilitate data portability.
- Ensure the availability of data in case of need.
- Select the data to be included in the cloud.
- Do not lose sight of data.
- Be aware of where data will effectively reside.
- Pay careful attention to terms of contracts.
- Check the conservation policies of persistent data.
- Demand appropriate safeguards for the protection of confidentiality of data.
- Provide appropriate training for staff.
The Authority closes with the reminder that the adoption of outsourced services does not relieve companies and public administration of their responsibilities for the protection of personal data. Thus, when using cloud computing it is essential to “rationalize its distinctive features in order to identify potential risks associated with such services and therefore to be able to take effective and specific protection measures.”
The presentation of the Italian Privacy Authority’s Annual Report in Parliament today has provided much food for thought.
There are many talking points, starting with the title of the Report itself, “Men and data”.
As stated in the report, “Men and data cannot be split up into different worlds. Data are not only the product of men and their ability to communicate and organize, but are now also an essential part of their way of being.” This is particularly evident in the world of “self exposure and global transparency”, especially in that world of social networks. In this context, speaking of the “right to oblivion” runs the daily risk of being perceived as laying unacceptable claim to restricting the right to “know” in all its meanings.”
In his speech the Authority’s President, Francesco Pizzetti, raised many new issues such as net neutrality, the obligation to report serious breaches and the need to redefine responsibilities in the area of complex chains of data processing.
Great importance was given to the risks posed by cloud computing, smartphones and tablets, tools which can transform each potential user into an “Electronic Hop-o’-My-Thumb” who, often unconsciously, leaves traces of their movements because their device’s location-based systems have been left turned on.
This year the Authority’s Report also offers two modules on cloud computing and smartphones and tablets, which set out guidelines respectively for responsible use of services and current scenarios and operational prospects.
There is also a certain critical element in the Report regarding the current system of telemarketing and the recent Development Decree (decreto sviluppo).
The Authority recommends putting off unnecessary changes while waiting for the pending redefinition of the European guidelines, which in all likelihood will take the form of a directly binding Regulation. The Authority also hopes that its jurisdiction on making provision for new minimum security measures for the protection of personal data will be recognized. Obviously, given the quality of recent legislative measures, this would be preferable.