March-April 2013
Franck Franchin
Master Droit - Franck Franchin - © 2013
“Asking Google to educate consumers about privacy
is like asking the fox to teach the chickens how to
ensure the security of their coop”
Consumer Watchdog, March 2013

• Search – Yahoo or Google keep your data for 18 months!
• Webmail – Google goes through every word of every Gmail that’s sent or received to sell targeted ads.
• Google Docs
• Street View (Wifi traffic and pwd scans… hum?)
• Conference Management Systems – widely used in the academic research community, with document sharing (papers, reviews, patent drafts)
A FREE SERVICE DOES NOT EXIST!

• The Foreign Intelligence Surveillance Act of 1978 prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power.
• The Stored Communications Act of 1986 is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs).
• Patriot Act – signed by President George W. Bush on October 26, 2001, renewed by President Bush on March 9, 2006.
• The Foreign Intelligence Surveillance Act Amendment Act (FISAA - 2008) allows US authorities to spy on cloud data that includes Amazon Cloud Drive, Apple iCloud and Google Drive.

• US law allows American agencies to access all private information stored with firms within Washington’s jurisdiction, without a warrant, if the information is felt to be in the US interests.
• That means any company with a presence in the US, regardless of where the data is stored or of the existence of any conflicting obligations under the laws where the data is located.
• Some US-based cloud services and hosting companies might not be able to comply with the EDPD: customers whose private data should have been disclosed under FISA won’t always be notified (which is not compliant with EC directives).

• The famous 95/46/EC Directive
• The European Data Protection Directive requires companies to inform users when they disclose personal information
• There are clauses in the Directive that allow data to be stored outside of the EU
• Evolution in progress since 2012, but strong lobbying against data breach notification enforcement and data aggregation processing restrictions

• The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection.
• Participation is voluntary
• Based on principles agreed by Directive 95/46 (October 1995)
• Five major points:
  ◦ Data owner has been informed of data processing and transfer
  ◦ Data owner can revoke the rights he granted
  ◦ Explicit agreement
  ◦ Access and change right (aka droit d’accès et de rectification)
  ◦ Data security (confidentiality, integrity, availability)

• Payment card security standards body PCI Security Standards Council (PCI SSC) has released new guidance for merchants using cloud-based systems for customer payment data
• “Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” Bob Russo, general manager at the PCI Security Standards Council: “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

• TFTP (Terrorist Financing Tracking System)/SWIFT (28 June 2010)
• Europol in charge of
• Audit conducted by Europol in Nov 2010, with warning report issued in March 2011
• Overly generic requests are made by the US (Dept. of the Treasury) but acknowledged by Europol
• So generic that it’s impossible to confirm these requests are compliant with European Data Protection Directives

• Nova Scotia Case – As part of a criminal prosecution in the US, the Court requested that the US subsidiary disclose documents stored in the Cayman Islands.
• Valetta Case – The Australian subsidiary of this Maltese bank was summoned by an Australian court to disclose documents stored in Malta.

Cybersecurity Course - Privacy
