The Cloud Security Alliance says support for global data privacy standards and a consumer bill of rights is in...
The CSA's Data Protection Heat Index survey report, which was sponsored by Cisco Systems Inc., looked at some of the top issues around data protection and privacy in the cloud, including data residency and sovereignty, and lawful interception. The survey respondents include 40 of what the CSA called, "the most influential cloud security leaders" in the world, from CISOs to privacy and legal experts.
The findings show strong support for more global standards guiding the use and protection of private data. For example, the survey showed broad support for the Organisation for Economic Co-operation and Development's Privacy Principles to facilitate better data privacy standards and protection.
In terms of cloud computing, 62% of respondents said industry adoption of the OECD's data collection limitation principle, which places restrictions on the amount of personal data collected as well as the knowledge or consent of the data subject, would facilitate the adoption of cloud computing. Furthermore, 71% said industry adherence to OECD's security safeguards principle -- which calls for "reasonable security safeguards" to prevent unauthorized access, disclosure, modification and destruction of personal data -- would also facilitate cloud adoption.
In addition, 73% of respondents indicated that there should be a call for a global consumer bill of rights for data privacy, while 65% said the United Nations should play an active role in fostering the bill.
But according to Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), that may be difficult to achieve.
"The concept of privacy varies greatly according to region, and there are cultural differences that manifest themselves into different international laws," Hughes said. "I'm not confident that we'll be able to develop one universal framework that can take all of those concepts and cultural views and distill that down into one simple framework."
However, Hughes said, that doesn't mean that organizations and governments shouldn't at least try to find some common ground around data privacy standards. "When it comes to private data, I like to say that just because something is legal doesn't mean it's not stupid," he said. "You can have compliance and regulations, but that will never be enough. You need standards and frameworks to support data privacy."
Hughes also said the cloud is a major factor in how data privacy is being defined on an international level. The IAPP, which recently hosted its 2014 Privacy Academy along with the CSA's Congress in San Jose, Calif., has stressed the need for more privacy professionals in the enterprise, as well as better cooperation with infosec professionals, to help organizations better identify and protect crucial data. That effort, Hugh said, becomes complicated with the cloud, which isn't limited to a single region or location.
Indeed, the CSA survey showed a split among respondents on the subject of data residency and sovereignty. Most respondents, according to CSA, agreed that personally identifiable information (PII) should remain within the geographic boundaries of the subject's country. But, when asked how his or her country's definition of data residency or sovereignty compared to other regions, 37% said they were more open, 35% said more restricted, and 28% said they didn't know.
"The cloud is phenomenal case study for a lot of the issues around data privacy, such as data residency, usage, sovereignty, and others," Hughes said. "There's a definite need to come up with a common language around data privacy and protection that can translate to other countries."
Learn more about shadow cloud apps and services
Read why experts expect cloud breaches to endanger data privacy