I wish I knew. With each article I read, I get (slightly) more confused. Evidently, US authorities seem to insist that they are sufficiently safe, while some European regulators occasionally appear to require additional safeguards. Where does this leave a confused data controller? First, in a state of bemusement, and then with a feeling of frustration that there does not appear to be a single, simple message to follow.

Should they listen to the assurances of the US-based cloud providers, who claim that all is fine and dandy, or should they take heed of other experts who point out that other regulations can impose additional obligations on data controllers and cloud providers in respect of some categories of data? For example, financial services firms also have to comply with MiFID standards, which require outsourcing service providers to guarantee physical access to the premises on which data is processed. How can this be achieved in a safe harbour cloud environment? Presumably, the locations of the sub-processors would need to be revealed. Presumably, the data controllers would need to check for themselves. But opinion varies as to whether these are steps that ought to be taken by responsible data controllers, or whether they can rely on self-certification by a safe harbour cloud provider.

Then again, the financial institutions to which MiFID applies are surely large enough to negotiate special arrangements with cloud providers. The vast majority of data controllers, I suspect, simply don't have the time or the resources to worry about these sorts of things.

So, I suspect, data controllers will continue to take their cue from the regulators. Surely, they will think, if the regulator has not banned cloud operators from operating in their country, then they must be OK. And, as the best known cloud providers are large-scale organisations, they are undoubtedly much better resourced than any small or medium-sized data controller would be to design, supply and support a secure storage environment. Given the current scarcity of computing skills, surely their offerings can't be too readily dismissed.

If I were to have a plea, though, it would be for our chums looking after Britain's critical national infrastructure to consider promoting a British cloud service provider that met whatever security standards were required to be considered sufficiently robust for the British national interest.

But I won't hold my breath.