Laws such as Canada's PIPEDA (Personal Information Protection and Electronic Documents Act), Sarbanes-Oxley in the USA and the UK's Data Protection Act are based on universal principles of protection of the privacy of the individual. With the cloud becoming more ubiquitous, the need to protect the privacy of information is becoming more urgent. Most data protection legislation stipulates that organizations collecting and storing personal information of their suppliers, employees and customers have a duty to protect the information gathered against unauthorized access and use. International flows of information are to be regulated. Consumer confidence must be enhanced. Data protection laws must kick into action the moment data is collected, collated and stored by the business.
With enterprises going global, cross-border data transfers are an imminent reality. Cloud backup servers may be located in the US while data is generated in Europe, Australia, Asia or South America. Which law will apply to data that has been transferred from one country to another?
The European Union is of the view that cross-border transfers of data must be monitored by a commission. It has accordingly constituted the European Commission to examine the transfer of personal information from one jurisdiction to another and to allow such transfers only if the transferee jurisdiction has sufficient data protection safeguards in place.
The Canadian PIPEDA adopts an organization-to-organization approach. There is no questioning of the adequacy of safeguards. Organizations can transfer personal data from one jurisdiction to another for processing without reference to any commission for permission, but they remain accountable for the security of the personal information.
Organizations planning to store their data with cloud backup service providers or third parties of any kind need to ensure that they remain compliant with the law. While it is OK to expect the cloud backup service provider to remain transparent, it is best to ask them about the processes and procedures they have in place for compliance with the law if the primary data server or the mirror server is located in an entirely different country or jurisdiction, or if they propose to transfer the data to their subsidiaries or third parties for processing. It is important to accept that transborder transfer of information is a fact of life in the cloud-backup-driven world. Privacy-wise customers don’t make assumptions about how the data is handled. They make sure that they remain in control and that data breaches do not occur due to carelessness or negligence on their part.