Think about your online activity over the last week. Chances are you sent a few emails via Gmail, moved some new family photos to an online storage service, perhaps creates some new posts for your blog, and updated your Pinterest, Facebook or Twitter accounts.
Add to this the fact that your online data could be stored in several different countries, and it becomes impossible to state that you own all the data you have created.
Dino Wilkinson, a partner with international legal practice Norton Rose Fulbright told TechRadar: "Under English law, there are no property rights in data as such – although this has not necessarily prevented individuals and businesses from treating data as property.
"Markets exist for buying or selling data and individuals regularly disclose their personal data in exchange for goods and services. However, the value in these cases is created through the right to sell or use the data in a certain way rather than a legal right of ownership.
Exercising your rights
"In the cloud context, the contract between service provider and customer must address this issue by defining the extent of the service provider's right to process and store data on behalf of the customer. The customer will often be under an obligation to impose restrictions on the service provider in relation to how they use the data due to legal and regulatory obligations imposed on the customer itself."
Dino continued: "For example, data protection laws give rights to individuals (or data subjects) in relation to the processing of their personal data; an organisation that collects such personal data may have legal obligations to process it in a certain way including limits on how it (and any third party contractors) use, disclose, hold and transfer that data.
"The collecting organisation (or data controller) will have to ensure that any cloud services provider it wants to use for the processing of that data will do so in a legally compliant way and in accordance with the data controller's policy. Typically, the issue is not one of data ownership but rather accountability to the data subjects."
When it comes to your data, looking closely at the terms and conditions of the online services you are using is of paramount importance. At present, the relevant parts of the terms and conditions of leading hosted service providers are as follows:
• Amazon Web Services
'Your Applications, Data and Content. Other than the rights and interests expressly set forth in this Agreement, and excluding Amazon Properties and works derived from Amazon Properties you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.'
'It is important that you can access your Google data when you want it, where you want it - whether is it to import it into another service or just create your own copy for your archives.'
• Microsoft Office 365
'You own your data and retain all rights, title, and interest in the data you store with Office 365. You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.'
Benefits of the hybrid model
And for businesses that are increasingly using cloud-based services to reduce costs and improve efficiency, creating a hybrid approach where the cloud and on-site servers are used can be effective. This offers a level of protection and more clarity of data ownership, as this information is not stored in the cloud. This approach is ideal if your business is in a regulated industry such as financial services, which have strict regulations about data storage.
One important aspect of data ownership is often called 'emergent data'. Many of the cloud service providers include in their terms and conditions the right to manipulate the data they are storing to create new data sets. Google is a good case here, as it often uses the data it is storing to generate its own metadata often for marketing purposes.
Espion's R&D Scientist, Dr Keyun Ruan, who coined the term Cloud Forensics says: "Meta-data is still an ambiguous space and different provider infrastructure generates and tracks different meta-data.
"Providers are often not transparent to customers, especially where they use services from other cloud providers or brokers thus causing a chain of dependencies for meta-data ownership. Meta-data can be solely owned or co-owned by the provider. Make sure to ask for a list from your provider, and understand the reasons for generating meta-data, who has access to it, and the ownership of each, as well as regulatory obligations for e-discovery, search, seizure or investigation requirements if any."
Protect and serve
Whether you are a business or are using cloud-based data hosting for personal use, there are some key steps you can take to ensure you retain the ownership of your data:
1. Read all the terms and conditions of each of the services you are using.
2. Identify where your data will be stored and how these countries manage their data regulations in comparison to your home country.
3. All data that is moved to and from the cloud is encrypted. However, hosting services may not be compelled by law to hand over the encryption keys to your data should you need them.
4. Back up your data to portable media and store this off site if you can. This will give you an alternative source for your data if your cloud hosting service goes out of business.
5. Enterprises that want to use cloud-based data storage services should take legal advice before choosing a service to partner with. This will ensure that the legal framework around the stored data is clear. A good example is data stored in the US that would be affected by the USA Patriot Act.
6. Check that your cloud service providers are compliant with standards such as SSAE16 and SOC2 certifications, among others. Ensure providers are subject to regular external audits and comply with best-available international standards for security, availability, integrity, privacy and confidentiality.
Digital ownership
The laws of intellectual property generally govern who owns the data you created personally and within a business process. In the UK these are the Copyright, Designs and Patents Act 1988 and the Copyright and Rights in Databases Regulations 1997.
These give ownership rights to the creator of any data. However, as the storage of that data could mean it being changed in some way by the cloud service provider, who then owns the new datasets? This is a potentially problematic issue.
Added to these potential issues is the question of where your data is stored, and therefore, which laws impact on its ownership and manipulation.
Andrew Joint, a Commercial Technology Partner at Kemp Little explained: "Within Europe the EU, has recognised that this is an issue on where there needs to be some clarity. The EU's Digital Agenda has specific goals for cloud computing which look to make sure it is an easy to access marketplace for SMEs."
Norton Rose Fulbright's Wilkinson concluded: "The EU is currently debating a new General Data Protection Regulation that will mark the first significant changes to European law in this area since 1995. It has been under discussion since 2012 and is anticipated to be ratified next year before coming into force around 2016.
"Draft versions of the new law suggest that it could have a significant impact on users and providers of cloud services in terms of stricter controls on the processing of personal data, harsher data security requirements and penalties.
"Also, user privacy includes the 'right to be forgotten', the concept of privacy by design by default, which will require that data protection issues are considered in the development of business processes for products and services. This will place greater burden on businesses to ensure that proposed cloud projects are fully compliant with the law."
Data ownership then has a number of facets that all need to be considered. Whether you are simply storing some family photos, or more sensitive information if your business uses cloud storage, it is vital to ensure you understand where ownership of your data lies.
http://ift.tt/1q1XOHl
No comments:
Post a Comment