October 11, 2018
Expansion on Data Privacy and Protection Laws (CCSK Prep)
Authored in partnership with Raj Dhaliwal, Juris Doctor.
One of the main domains of focus when studying for the Certificate of Cloud Security Knowledge (CCSK), offered by the Cloud Security Alliance (CSA), is “Legal Issues: Contracts and Electronic Discovery,” which includes international law and breach disclosure laws. The CCSKv4 exam itself does not lean very heavily on this specific section (and especially not the details in this article); however, it is important to have at least cursory knowledge of these laws when making a career in the cloud space. Especially if your organization hosts cloud resources available internationally, you must know at least the basics of data privacy and data protection laws for the countries in which your service is offered. In this article, I will present some expanded information on the data privacy and data protection laws in Russia and China that are mentioned in the CCSK Security Guidance v4 document. While not extensive, this writing will hopefully fill in some gaps left in the Guidance and make the material easier to remember. Another motivation is that Russia and China make up a large portion of the customer market for cloud service providers and other technology businesses.
For example, some countries may not care that your databases of user data are stored in Sumer, but Russia and China may potentially be upset depending on the demographic you’re marketing to, because they have laws that specifically state that all personal data of their citizens must be stored within their own country’s borders. Ideally there would be measures in place to prevent a conflict with their laws, but currently, these conflicts are dealt with reactively rather than preventatively.
The CCSK Security Guidance v4 places high importance on the Russian data localization law, which requires companies “to store personal data of Russian citizens within Russia.” While the quoted statement is true, it is worth noting that this often only means a copy of the data must be stored within Russia, while a copy may also be in the company’s home country.
Similarly, the Guidance also mentions that Russia places restrictions on the processing of Russian citizens’ data and may require a consent form. There is some shaky ground though – whether consent forms with the CSP are required depends on some other factors. For example, if the CSP is a start-up and happens to gain a few Russian customers, the Russian government may not notice or may choose not to pursue enforcement. Another factor is marketing – if a foreign CSP is specifically tailored and marketed towards Russian citizens, Russia may heavily pursue enforcement and require insight into the data being stored/processed.
Really, which CSPs the Russian government goes after is at its discretion. Rather than go after the smaller start-ups, it may instead prefer to go after “big fish” – larger CSPs that have a potentially large number of Russian customers. It’s also worth noting that the reason for Russia’s choice of legal action in the above examples is not necessarily that it’s ensuring the protection of a larger number of Russian citizens’ data, but more that these “big fish” have a large amount of Russian citizen data that the government wants insight into and that the CSP has already done the legwork to collect. If Russia wants this data from the CSP and the CSP refuses, there may be subsequent fines, orders to cease, or ultimately blocking of the service altogether. A larger issue that is rising in importance in Russia’s decision to block services is encryption, but that is out of scope for this article, and the laws concerning encryption are still in an infant state.
Perhaps not surprisingly, China has similar laws to Russia. For example, China also has a data localization law, but a difference is that data can be transferred out of its borders as long as there is a legitimate business need (for example, a US company with a data center in China, or a Chinese company with a data center in the US), the company has passed a security assessment complying with their access needs, and the Chinese government has decided there is no danger to “Chinese interests”. However, as with Russia, the Chinese government may not step in at all. Factors it may consider are the number of citizens whose data are being collected, the extent of the CSP’s business in China, and analysis of what exactly the CSP “is doing”. Chinese data protection law does seem to more often indicate a desire for legitimately protecting its citizens’ data. For example, the CCSK Security Guidance v4 mentions that the 2017 Cyber Security Law requires “the design and adoption of information security measures [and] the formulation of cyber security emergency response plans”.
While the CCSK exam doesn’t rely heavily on Russian and Chinese data protection law specifically, a good understanding of the flexibility of these laws is important for anyone wanting to take the CCSK exam. After all, the purpose of the CCSK exam is not to pass the exam, but to earn credentials in the cloud security space that provide others with a reason to trust in your guidance on cloud security matters. At the very least, it’s easy to forget something that isn’t well understood, so I hope the descriptions of the laws detailed above at least make the subject matter more understandable and memorable.