Welcome back. In this module, we're gonna talk about legal issues, contracts and electronic discovery.
Specifically, we're going to take a look at the legal considerations for data in the cloud. We'll talk about the contracts with cloud service providers in a bit more detail.
And we're going to talk about electronic discovery, which is a major part of modern-day litigation.
The material in this module is not going to give you a law degree, nor will it make you an expert.
We will talk about legal implications to the degree that you need to understand them for the CCSK exam. But by no means will this be a replacement for true legal counsel.
And keep in mind that laws and regulations affecting the cloud change frequently; different regions and jurisdictions change at different paces.
Some of the regulations discussed may have changed even between the time of recording this and when you're actually watching this.
As it turns out, I'm recording it during the shelter-in-place of COVID-19. And in the United States, there is a lot of talk about how we deal with that, and how we can track immunity and vaccines and so forth. That's also brought up a real need for more details around a federal-level privacy law within the United States. And at the time of recording this, there is no federal level for those laws.
So just that alone is a great example of why this stuff is moving fast.
And in the remainder of this video, we're gonna talk about data privacy basics.
Specifically, I'm going to introduce you to data privacy concepts and terminology.
Privacy laws define numerous obligations, such as confidentiality and security obligations, that a custodian, controller or provider must abide by.
The EU and the US have regulations, and they break down the specific roles that are involved in data and processing data.
We're going to go through the roles. They're often called by different names in different regions and different privacy regulations, and the nuances, legal definitions and details of those may vary. But here's a summary of those roles, at least at a level of detail good enough to get you through the exam. We start with the data controller.
This is the entity or company that typically has the primary relationship with the consumer. Sometimes this is called the data custodian as well.
Then you have the data subject. This is the consumer itself, the individual or the person that the data pertains to, also referred to as the end user.
And then finally, we have the data processor. This is the third party entrusted by the data controller to process the data, also referred to as the provider.
Knowing the three major roles when we're looking at data, let's talk about some common themes in privacy law throughout the globe. These privacy laws really aren't new. They've been built over years and are now being adjusted to clarify the specific impacts that technology has. And we really want to increase the rigor of enforcement of these privacy laws because of the power that technology brings: for example, big data and big data mining, how you can quickly and easily track millions of data points, millions of individuals with modern technology. These are things that you really couldn't do back in the late sixties and seventies.
But frankly, a lot of the privacy principles in these laws were established in the Fair Information Act of the late sixties and seventies, and they are ultimately intended to protect the individuals.
The different roles we discussed in the previous slide, the controller, the subject and the processor, have certain obligations under the different laws. The specifics will vary by individual regulation, but overall, here are some of the obligations.
The data controller is required to ensure that the data processor safeguards data, and can be held liable. The data controller themselves could be held liable if they are giving data to a data processor and that data processor is not doing what they're supposed to be doing: they're not safeguarding the data or they're misusing the data.
In the last module, we talked about Facebook and Cambridge Analytica.
In this case, Facebook was for the most part the data controller and Cambridge Analytica was the data processor. And as we saw in that example, the data controller, Facebook, was indeed held liable for the way that the data processor, Cambridge Analytica, decided to use the information that Facebook had.
Continuing on, the data subject must consent to the data controller's collection and use intentions.
You have to tell the consumer, "Here's what I'm going to use your data for." You have to be clear, concise and specific, and you can't then at a later point decide to use that data for additional things without obtaining additional consent from those individuals.
Data controllers and processors must adopt security measures to ensure protection of an individual's privacy.
So this can include things like anonymization: taking general data, specific names of individuals, Social Security numbers, physical addresses, and scrubbing them out for different purposes to provide additional analysis. It does happen that there are data breaches.
And so a lot of these laws actually require that those data breaches be reported by the data controller to certain entities. Some laws require that the data subjects themselves be made aware of it. Some laws require that government agencies in specific regions be made aware of the data breaches.
And again, the specific regulation is going to dictate who you need to report it to.
Just understand that if something goes wrong, there is a legal obligation to let somebody else know outside of your own organization. Don't try to cover up the data breach like Uber did in late 2019.
So cloud really breaks a lot of geographic boundaries. It's not always clear where, physically, the servers and services being used are running,
but the data itself is often bound to geographical boundaries. And if you're going to transfer data between the borders of two different regions or two different countries, let's say Europe and the United States, or, let's say, outside of China, it is common that there are laws in the different countries around moving the data.
Say you're taking it from one country, which has very strict data laws, and you move it into a region or an area that has fewer protections and less stringency around how that data is managed. It really makes sense that they don't want it to get out of their hands and go to an area where the data is less protected, because there's a reason that that particular region decided to have regulations that are really protecting that data. And this last point really piggybacks on the transfer, in that there are situations where they say no, you actually cannot transfer. In fact, we need to make sure that the data itself physically resides within the physical territory.
And as we'll see later in our overview of the different regional laws, Russia is very strict about this and so is China.
Even though there are common themes that we just discussed,
it really does come down to specific regulations. So how do you determine which particular privacy laws are applicable to your situation, your company and your use of the cloud?
Well, here are some questions that will impact the answer to that.
First and foremost, where's your business located? What is the country, the region, the state that it is headquartered in or resides in?
And then where is the cloud provider themselves located? Where are their headquarters?
Where is the data subject located? The people that you're collecting the data around, where are they physically located, and also what are their citizenships? In a world where we have a lot of individuals with dual citizenships and even multiple citizenships, this could be a very tricky question to look at.
And then finally, where is the provider's physical equipment?
We have major cloud providers, Amazon Web Services, Microsoft and Google,
but they have physical data center locations all across the globe. And that's going to impact where you store the data, and the data about which data subjects can reside in these different regions.
When you operate across multiple regions and transact with users throughout the globe, you need to ensure compliance with the applicable regulations. If you're a cloud provider, this means you make sure your different locations meet requirements and you identify the controls you have to address the different privacy regimes.
As a cloud user, you need to understand what the provider will and will not be doing for you, so you know the gaps that you need to fill. This all dovetails nicely with the shared responsibilities model we've hit on so many times in this course. Just keep in mind the cloud user will be ultimately accountable for adhering to the regulations.
In the coming lessons, we will provide an overview of different laws and regional regulations. But for this video we covered
data privacy terminology: data controller, data processor and data subject, and what those are. We talked about common themes in data privacy laws. And then we also reviewed key questions and factors that are going to influence which data privacy laws are applicable to your scenario.