Some of the biggest tech giants, rivals across consumer and enterprise services, have banded together for new set of agreed protections for cloud services.
Known as ‘Trusted Cloud Principles’, it’s a shared initiative that spells out five clear guidelines for handling customer data and is a commitment to protecting the rights of customers from government data access requests.
The agreed aim is to have a set of strong, uniform principles that ensure the platforms maintain consistent human rights standards while at the same time being able to compete in business.
Signatories also want governments around the world to have at least some legal baseline protections that apply to organisations that store and process data in the cloud.
“As cloud service providers, we are committed to protecting the privacy and security of our customers’ data in all jurisdictions through policy and technology,” the signatories said in a statement.
Cloud providers agreed principles
This new set of agreements is intended to build on any pre-existing internal policies that each of the companies may have made in this area, including undertaking internal human rights impact assessments, and is designed to be a minimum the companies commit to publicly. The five principles spell out that:
Governments should engage customers first, with only narrow exceptions.
Cloud providers expect governments to only seek data directly from enterprise customers rather than cloud service providers, other than in exceptional circumstances.
Customers should have a right to notice.
Customers of cloud services should have a right to advance notice of government access to their data, which only can be delayed in exceptional circumstances, when governments seek access to data directly from cloud service providers.
Cloud providers should have a right to protect customers’ interests.
Cloud service providers expect to have a clear process in cases where they choose to challenge government access requests for customers’ data, including notifying relevant data protection authorities.
Governments should address conflicts of law.
Service providers want government to have mechanisms to address conflicts with each other so that their legal compliance in one country does not amount to a violation of law in another.
Governments should support cross-border data flows.
Cloud platforms want to see governments showing support for cross-border flow of data as a driver of innovation, efficiency and security, and to avoid data residency requirements.
Developing a partnership role with government
The tech heavyweights are looking to create a strong network against governments that want to gain access to data under laws that don’t adequately protect human rights and the rule of law, and conflict with laws of other countries.
Government and law enforcement agencies regularly request data from technology companies and many of the large technology platforms publish annual reports on the numbers of requests, along with their transparency and privacy policies in relation to sharing consumer data.
In 2020 in Australia, for example, Apple received 918 requests for customer data related to device identifiers, such as serial number or IMEI numbers.
Microsoft received some 900 requests in the six months to December 2020 in Australia. Overall, Australia ranks seventh in the number of government data requests to Facebook, Twitter and Apple in the first three months of 2020, according to TechRobot, clocking up 2,486 behind the US in the top spot at 69, 598.
This initiative is about cloud providers developing a partnership model with governments when it comes to resolving international conflicts of law that impede innovation, security and privacy.
Harmonising cloud protections
As part of this commitment to protecting customer data and having a uniform set of guiding principles to handle government requests for data access, the tech giant signatories have also articulated a set of common objectives when it comes to providing cloud services.
• Recognising the interest of governments in protecting the safety, security, privacy, and economic vitality of both individuals and organisations using cloud services.
• Recognising international human rights law enshrines a right to privacy.
• Recognising the importance of customer trust and that customers have a right to control and security of their data. This should entail both safeguarding customer data in the cloud and creating products and policies that establish, maintain and enhance that trust.
• Upholding laws allowing governments to request data through a transparent process that abides by internationally recognised rule of law and human rights standards.
• Upholding international legal frameworks to resolve conflicting laws related to data access, privacy and sovereignty.
• Supporting improved rules and regulations at the national and international levels that protect the safety, privacy, and security of cloud customers and their ownership of data.
• Recognising the importance of regularly publishing transparency reports with aggregate statistics regarding government data requests.
“Through this initiative, we commit to working with governments to ensure the free flow of data, to promote public safety, and to protect privacy and data security in the cloud,” the signatories said.