What to Know About Your Constitutional Rights to Data Privacy

POSTED BY Anthony Gatto

In a recent CNN story, it was reported that Eric Snowden leaked classified information to the press regarding a United States National Security Agency (NSA) surveillance program titled “PRISM,” which allows the NSA to gather information from such global giants as Microsoft, Facebook, Google, and others.  Additionally, in a recent USA Today story, it was reported that a July 2014 cyberattack on J.P. Morgan Chase & Co. compromised information from 76 million households and 7 million small businesses.  With stories such as these appearing more frequently in recent news, consumers who store data in a cloud or conduct business transactions over the internet cannot help but wonder: How safe is the information I have stored in a cloud?

The answer may very well depend on the country or jurisdiction your cloud hosting company is located in.  Foreign privacy laws may be considerably different from the ones in your own country, and a cloud hosting company in your country may contract with foreign data centers that have unfavorable privacy laws.  To add further confusion, organizations located in countries within the European Union may share information with organizations in the United States as long as they adhere to the Safe Harbour privacy principles of notice, choice, onward transfer, security, data integrity, access and enforcement.  Since the Safe Harbour Agreement is separate from the individual privacy policies of the EU and the US, critics have viewed this as an avenue to sidestep legal obstacles for sharing information.  With the age of technology upon us and ever-increasing globalization, a consumer or average internet user may be left wondering if the right to privacy applies to information stored in a cloud.

The Right to Privacy is a fundamental right that is deeply rooted in American history. The Supreme Court affirmed this idea in Griswold v. Connecticut, 381 U.S. 479 (1965), where the Court held that some liberties are so important that they are deemed “fundamental rights” on which the government cannot infringe unless strict scrutiny is met.  Almost all of these liberties are not mentioned in the Constitution but have been protected by the Court under the due process clause of the Fifth and Fourteenth Amendments or the equal protection clause of the Fourteenth Amendment.  The Griswold Court further held that the right to privacy is one of those fundamental rights.  If the right to privacy is such a fundamental right, it might be the vehicle to use when constructing a constitutional challenge to data sharing and privacy.

However, several problems arise when attempting to utilize the right to privacy to challenge the constitutionality of data sharing.  First, as previously noted, many organizations contract with foreign data centers that may only be subject to the data sharing and privacy laws of their country.  Next, a global business entity may be able to avoid legal hurdles by establishing its corporate headquarters in a country where it is subject to minimal privacy laws despite that entity conducting business internationally.  Finally, if a consumer utilizes the services of a United States company to store data, the consumer must be aware that the United States has not adopted a comprehensive data privacy policy but rather has adopted limited sectoral laws in some areas.  These sectoral laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA), tend to promote information flow and data sharing rather than restrict it.  From this information, it can be inferred that prevailing on a right to privacy constitutional challenge will not be an easy task.

With little global legislation concerning data sharing and privacy and without a workable constitutional challenge, we as consumers must take it upon ourselves to ensure that we have minimized the risk of our stored information being shared.  The following is a list of questions one should ask one's data hosting company:

  1. In what country is the company headquarters located?
  2. Are they ISO 27001-accredited? (This will ensure the highest level of security for your data.)
  3. Who has access to company data?
  4. Is the support staff’s access to data monitored?
  5. When was their last audit?

Further due diligence can be done by researching the data protection laws in the country that your data may be hosted in and finding out what access the government of that country has to this data.

Although these precautions may seem tedious and time-consuming, this blogger is informing you that they might be your only option to protect your information.  Until global legislation on data privacy is agreed upon, countries, governments, and business entities will continue to find loopholes, and not even our constitutional right to privacy can protect us from these intrusions.

 

Link: http://www.lawtechnologytoday.org/2014/09/the-secret-to-secure-data-in-the-cloud-know-what-youre-up-against/

Bio: Anthony is a Staff Member of the Journal of High Technology Law. He is currently a 2L at Suffolk Law and holds a B.S. in Finance from Suffolk University.
