21 Nov 2015

Microsoft Adopts The Robust ISO/IEC 27018 Standard For Cloud Privacy But Challenges Continue In India

Privacy is a cherished human right that needs to be protected at the global level. Right now the mentality of governments around the world is that privacy rights depend upon the charity of the government and exist only to the extent the government permits. But privacy is the human right of every individual and is not a government charity. Similarly, privacy rights cannot be taken away by citing some vague and invented national security requirement.

Privacy protection in the information era is not easy to manage. Even our governments are not at all interested in protecting the privacy rights of their citizens. They are not interested in reconciling the conflicting ideals of civil liberties and national security requirements. This is the reason why human rights protection in cyberspace must be internationally recognised by the United Nations.

It is also the duty of technology companies to safeguard the data and information provided to them by individuals and companies against unreasonable and illegal e-surveillance activities. These companies hold the personal data of their users in a fiduciary capacity, and they can be held liable for violating the laws of various countries if they start sharing that data with law enforcement agencies at the drop of a hat.

Cloud computing is increasingly being used by individuals and companies to store their information, data and personal information. It is of utmost importance that cloud storage not only be cyber secure but also be civil liberties compliant. In India, there are certain legal and regulatory issues that all cloud computing providers must comply with. However, most of the businesses and entrepreneurs of India are not complying with these laws and regulations. They are miserably poor in the fields of privacy and data protection, and very few of them are complying with cyber law due diligence requirements.

It has been reported that Microsoft has adopted a new standard for cloud privacy that commits the company to protect the privacy of customers’ data, not to use it for advertising purposes, and to inform the customer of legal requests for personal data. Google, along with other companies, has been fighting against the e-surveillance activities of U.S. agencies. In the past, the FBI’s National Security Letters (NSLs) with gag orders were declared unconstitutional by a U.S. District Judge. However, this order was subsequently narrowed by the Judge, who allowed the U.S. Department of Justice to appeal the decision to the United States Court of Appeals for the Ninth Circuit.

Microsoft has declared that it would adopt the ISO/IEC 27018, published last year by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which outlines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a processor of personally identifiable information. This initiative of Microsoft would help in strengthening users’ privacy around the world.

However, there are many issues that Microsoft has to manage despite its latest declaration. For instance, the ISO/IEC 27018 standard provides that law enforcement requests for disclosure of personally identifiable data must be disclosed to enterprise customers, yet gag orders may prohibit such disclosures. Similarly, Microsoft has to manage the conflict of laws in cyberspace, as what is legal in the U.S. may not be legal in India. In fact, if we go by the trends in India, cyber litigation against foreign websites would further increase in India, and companies like Google, Microsoft, Facebook, etc. must be well prepared for the same in advance.