Managed Cloud Data Security

We all remember those classes that explained so much biology and so little of what we really needed to know when faced with the real thing. We all just closed our eyes and hoped for the best… The GDPR is no different.

The GDPR’s “Right to be Forgotten,” also known as “The Right to Erasure,” has been hyped a great deal over the last couple of years. In fact, the Right to Erasure requires that personal information (PI) be securely deleted when requested by the individual - within 45 days - if no legal reasons require it to be kept, i.e. litigation or regulatory compliance. But what about PI collected or purchased that make up the massive marketing contact lists used for marketing campaigns etc.?

As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected domestically must stay in that country. They argue that it’s in the Government’s interest to protect their citizen's personal information against any misuse. 

A great deal has been written about the GDPR and CCPA privacy laws, both of which includes a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).

Various government privacy regulations, including GDPR, CCPA, various state regulations, and the draft federal privacy bill currently in Congress (the Consumer Data Protection Act) all include some form of the right to data erasure, otherwise known as the right to be forgotten. Because the regulations don’t specify the specifics behind the right to data erasure, some are questioning what this right means when considering PI deletion. The purpose behind this particular privacy requirement needs to be better understood as to what the regulatory authority was actually trying to accomplish.  

The California Consumer privacy Act (CCPA) was passed last year (2018) with an effective date of January 1, 2020 – assuming no federal actions (check out the blog titled “Will the New California Consumer Privacy Act Stand?” for potential federal actions.)  

Make no mistake about it, California has passed a digital privacy law that impacts the national and global economy and represents a seismic change for compliance procedures in the US in much the same way that GDPR has changed privacy rules.[1] Not only because California has the fifth largest GDP on the planet, but because of the simple fact that companies are not likely to create dual systems of mapping and processes to differentiate between Californians and its other customers. 

With bipartisan support of the US., UK and major tech companies, new legislation enacted on March 23, 2018, replaces the outdated 1986 Stored Communications Act.  The Cloud Act[1] was forged out of necessity and fast tracked after a cross border conflict erupted when U.S. authorities sought a subpoena in NY for an Irish national’s emails stored in Ireland. Microsoft promptly filed suit against the United States and the Supreme Court is poised to make a decision in that case after oral argument earlier this year, yet the Justices implored Congress to replace the prior law to avoid a decision predicated on a law that predated cloud- based computing.[2] Fueling the rush to put new laws in place is the fact that tech companies are incurring massive fines by complying with US law enforcement subpoenas that violate the privacy laws of other nations.