Our daily lives, both personal and business, are heavily reliant on cloud-based applications (CBA’s), whether its banking, social media, messaging, storage, news, content creation, health, or many others. The growing use cases of IoT is only adding to this list.
Compliance Compendium’s Gareth Gadd has looked into the cloud environment and whether data is safe.
He said, “The internet is often seen as some magic place where things just happen when we do any of the above activities. Yet we fail to consider how complex the internet can be. CBA’s might not endanger your health (although, surprisingly Facebook might predict it) but it could end up affecting your wealth if you get phished, or worse.”
Compliance Compendium: Creators of CBA’s spend huge sums of money improving their apps and also huge sums on security, but sometimes they can overlook details that expose your data. Or it could be that these services are analysing your data and creating user profiles (whether or not you have subscribed to their services) and then sharing your data with third parties. In the USA it’s not illegal to make money from your data and the majority of CBA’s are from the US or have part of their infrastructure in the US (they do however subscribe to the EU/US data treaty but…).
In the case of Buffer, a minor glitch in its login procedure allowed a small number of users to access accounts that did not belong to them. It only affected a fraction of their user base and Buffer worked very quickly to fix the issue. Sounds innocent enough? Probably.
What about having a Facebook “Like” button on your website? Using the Facebook like-button’s primary function, funnily enough, is not a show of solidarity but a tool to track individuals and then permit data collection beyond Facebook’s products. The `European Court of Justice recently ruled that that website owners can be held liable for data collection relating to the use of the “thumbs up” website widget. Why, you might ask? Because EU Data Protection Authorities see this as making any organisation that uses it to being a joint data controller because websites “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing.”. Still innocent enough? Well, not if your business is called Fashion-ID. The German retailer were the one whom the ECJ, determined to be a data controller in the above scenario.
What about using Microsoft Office mobile apps (Microsoft Online)? Everyone uses them! Well, the Dutch Ministry of Justice and Security found that Microsoft’s Online apps exported user telemetry data to the USA without proper data controls. At least three of the mobile apps on iOS export data about the use of the apps to a US-American marketing company that specializes in predictive profiling.
Meanwhile in the German state of Hesse, they have deemed Microsoft 365 in a Windows 10 environment unsafe for schoolchildren because the Microsoft suite’s cloud storage and telemetry collection are not compliant with GDPR and complained that Microsoft had not made it clear exactly what data is collected and transmitted. It must be noted that Microsfot has worked with both German and Dutch authorities for years, so you can draw your own conclusions…Hesse also felt that the use of cloud applications from Apple and Google were equally problematic. Still innocent enough?
Part of the “problem” is that US companies have no GDPR equivalent at a federal level, but must observe EU law if they process EU personal data. US federal laws are on their way and the whole data privacy debate is set to heat up further – these guys want to carry on making money from your data, right?
Copyright © 2018 RegTech Analyst
