Cloud computing is increasingly popular across industries, thanks to its virtually unlimited storage capacity, cost savings, and better mobility and reliability. Now more than ever, businesses large and small are moving their legacy systems to the cloud as a strategic move to increase efficiency and serve their clients and customers better.
However, the shift to cloud-based HR systems raises privacy and security concerns around data access, usage, storage, and transfer, among other compliance issues. Cloud computing and employment laws vary from one region to another. And because the “cloud” isn’t limited to one location, there are always legal questions about how and when data can be stored or transferred from a cloud service provider in one country to another in a different region. These complex scenarios have led to the adoption of data laws such as the CLOUD Act in the United States and the Data Protection Act in the UK.
Understanding the cloud computing transactions involved, and knowing what is legal and illegal within your jurisdiction, will help your company stay compliant with all applicable data and privacy laws. Regardless of the cloud model you’ve chosen, whether public, private, or hybrid, several provisions dictate the level of data security and privacy you must maintain to ensure compliance.
Cloud Computing Legal Landscape
In the United States, cloud computing is dealt with in commercial contracts; hence it’s governed by contract law. These laws are mostly state rather than federal laws. They also draw on related provisions such as data security laws, data transfer laws, data breach and notification laws, and other rules governing confidential information.
State privacy laws differ significantly from state to state. Similarly, how cloud computing is implemented determines how these laws are applied to establish the parties’ rights and obligations. As far as federal law is concerned, several sectoral provisions impose data security regulations on specific sets of information, including how such information is stored in the cloud.
Some US regulatory measures require data owners to ensure that their third-party cloud service providers can maintain the privacy and security of the confidential data entrusted to them. Three federal privacy laws oversee how service providers handle personal information. These laws are:
1. Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule prohibits any covered entity from using or disclosing protected health information (PHI) except where required by the rule or where authorized in writing by the person affected, i.e. the data owner. Before choosing a cloud service provider, it’s advisable to check whether their terms of service violate the HIPAA provisions.
2. The Gramm-Leach-Bliley Act (GLBA)
This act restricts financial institutions from disclosing customers’ non-public personal data to non-affiliated third parties. Where a disclosure is permitted by the rule, the financial institution and the third party must adhere to strict regulations under the Privacy and Safeguards Rules. These rules ensure that the service provider is in control of, and responsible for, the privacy and safety of consumers’ data.
3. Family Educational Rights and Privacy Act (FERPA)
FERPA protects students’ personally identifying information collected by learning institutions and associated vendors. Such institutions must have the student’s consent before disclosing or using personal data, including grades, billing information, or enrolment status. However, the law doesn’t prohibit the use of cloud computing solutions to host records. Instead, it requires learning institutions to adopt high-level technical and security measures to ensure the privacy and safety of students’ data.
Cross-border Data Transfers
Sensitive data stored in the cloud can be transferred from a data center in one country to another for several reasons, e.g. to maximize cost savings. Several laws and regulations have been put in place to ensure compliance when transferring data across borders. Such rules are constantly reviewed and amended to meet the highest security standards in the market. For instance, the EU-US Privacy Shield was the defining framework for how personal data could be exchanged between the United States and the European Union from 2015 until the European Court of Justice declared it invalid in July 2020.
On the other hand, the CLOUD Act allows access to the personal data of US citizens stored in the European Union as well as access to data of EU citizens in the US. The act is one of the well-drafted laws that resulted from years of litigation. That said, most consumers want their data to stay within their jurisdiction, i.e. their home country, and vendors cannot move or relocate the servers or data without prior written approval from the data owners (employees or consumers).
Navigating data protection and privacy laws can be challenging if you are hosting your entire database and IT infrastructure in the cloud. Changing suppliers or terminating a contract with your cloud-based service provider requires careful consideration of all the laws identified above.
To avoid possible violations of the law, which could lead to court battles and hefty fines, you want to work with employment lawyers who are well-versed in data and privacy matters. This way, you’ll have a team of experts to guide your every step and ensure compliance with every regulatory body within your jurisdiction.