Cloud computing technology, now an essential part of our business and personal lives, brings with it debates on the protection of personal data, as well as new terms such as Big Data, Data Analytics and Mobility.
Cloud services are among the most popular technologies both in Turkey and worldwide; however, because of their content and service infrastructure, they carry major risks with regard to the protection of personal data and information security.
IT departments should treat as priority requirements the protection of data flows and traffic between systems against external attacks, the secure storage of data, and measures for information and IT security. Individuals should likewise read user agreements carefully before accepting them, take their own security measures, and be mindful of the sensitivity of the information held on their mobile devices when using mobile applications.
Reviewed in terms of personal data, cloud services raise many distinct issues: the jurisdictions and locations where data is stored, the scope and purposes of data processing, subcontractors, transparency and security.
EU regulation on the protection of personal data dates back to the 1990s. Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data forms the basis of the legislation. Directive 95/46/EC regulates the rights of individuals whose personal data is being processed under headings such as the collection of personal data, legitimate processing, security of processing, the transparency principle and the prerequisites for data transfer. Directive 2002/58/EC concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector supplements Directive 95/46/EC with rules specific to electronic communications, such as the handling of traffic and location data and rules on unsolicited communications. In addition, Regulation (EC) No 45/2001 establishes the European Data Protection Supervisor (EDPS) as the supervisory authority for the protection of personal data.
Directive 95/46/EC defines "personal data" as any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This definition obliges companies that process, use or store personal or sensitive data of their staff or customers to evaluate cloud services against personal data legislation.
From a cloud service perspective, liability for data protection is shared between the customer, who is deemed the data controller, and the cloud provider, who is deemed the data processor.
Unlike a standard service relationship, it is often the data processor rather than the data controller who decides where personal data is stored, which subcontractors process it and which security measures are applied. Data commonly transits and is stored on servers in different countries around the world. For data subjects and controllers this means they may be unable to exercise their rights to the full extent provided under EU law. Where the law of the jurisdiction to which data is transferred does not offer an equivalent level of protection, cloud providers may also incur liability for non-compliance with EU legislation.
From an EU law perspective, since the cloud provider offers the same service to all of its customers and processes the data of many customers at once, the following issues become more important for customers:
- Processing each customer's data separately, in a system where customers cannot access each other's data;
- No processing of data without the customer's express consent and instruction;
- Stipulating the scope and limits of data processing;
- Meeting the required security terms;
- The customer's right to monitor where data is stored and how it is processed.
Unfortunately, it cannot be said that the protection of personal data attracts the same level of attention in Turkish law as it has for many years in EU law. Although the Constitution, the Turkish Penal Code, the Civil Code, the Judicial Records Code and similar laws contain some rules on the confidentiality of data, Turkey has no specific regulation covering the technical and legal terms of personal data processing. It seems that it will be many years before Turkey addresses the complex legal problems arising from cloud computing technology and its infrastructure.
The Draft Law on Protection of Personal Data, sent to the Grand National Assembly of Turkey on 26.12.2014, is still awaiting enactment amid much criticism of its provisions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.