By Ella Jakubowska
  • Anyone using cloud services should be aware of what the “cloud” is, what it is not, and how it can affect our privacy and security.
  • Our information stored in “clouds” can be protected if the EU says “Yes!” to a strong ePrivacy Regulation, greater enforcement of the General Data Protection Regulation (GDPR), and drops the “e-evidence” proposals.

Storing our information in “clouds” gives us access to funny photos of our dogs at the touch of a button, lets us back-up our mobile phones so that we don’t lose our crush’s number forever if we drop our phone down the toilet (oops!), and the cloud also gives us the means to binge-watch that addictive TV show that everyone is talking about. It can even amplify computing capacity, giving doctors the power to treat rare diseases more effectively. Many of these things were unimaginable just ten years ago – but today, we carry this incredible power in the palm of our hands.

It is important that cloud users have the knowledge and control to upload data to cloud services safely, securely, and in an enjoyable way. Your personal data should be protected online, including when you upload it to and store it in the cloud. One of the fundamental aims of 2018’s General Data Protection Regulation (GDPR), after all, was to protect the personal data of all citizens in the EU, and to set a globally-leading standard for personal data protection.

The not-so-fluffy cloud

Yet, while the word “cloud” sounds soft and fluffy, the truth is that there is no such thing as “the cloud” or “your cloud”. People outsource the storage of data from their own device to the internet servers of a private company. In reality, these servers are “the cloud” and company they belong to most often profits from gathering more and more data. In some cases, uploaded data will be subject to only very weak data protections. And with the proposed ePrivacy text – a vital complement to GDPR – still stuck at the European Council after over two and a half years, anyone using the internet in the EU is left vulnerable and inadequately protected.

EU laws can keep it together

This is where stronger EU legislation is needed. Under the European Parliament’s ePrivacy text, a wide range of online rights will be protected. This includes the storage, transit and encryption of online communications, which would help to protect users when their communications data is backed up to the cloud. Personal data, other than communications data, is already protected by the GDPR. This is important because, as recent cases in Germany have shown, unlawful data breaches of minors’ data are already happening in Microsoft’s cloud services.

This is also an issue in the context of the so-called “e-evidence” debate on proposed legislation for law enforcement to access European citizens’ data across borders, straight from service providers. The legislation would allow police forces from other EU countries to directly access the private information that you have stored on the cloud: without a judicial warrant, without you or your own government knowing that this is happening, and even without you being a suspect. Under this proposal, cloud providers have very little opportunity to refuse requests to hand over cloud data, and crucial human rights accountability measures and due process mechanisms are completely missing. E-evidence legislation therefore poses a huge threat to the security and privacy of data that is stored on a cloud.

The cloud can give you flexibility, convenience and peace of mind – but it is important to know where your data is going, and who might have access to it. The cloud is no longer a source of reassurance and convenience if a private company (or a hacker) can misuse funny videos of you and your friends, personal messages with your parents about a health condition, or an intimate browser history that contains information about your sexual activities. In order to protect the information of millions of European citizens, the EU must adopt ePrivacy, enforce GDPR and drop the e-evidence proposals.

Remember, data protection is cool – and knowing your rights pays off!

Click to watch the animation

Read more:

Your family is none of their business (23.07.2019)
https://edri.org/your-family-is-none-of-their-business/

Real-time bidding: The auction for your attention (04.07.2019)
https://edri.org/real-time-bidding-the-auction-for-your-attention/

Video: Dance. Enjoy. Share. With care.
https://www.youtube.com/watch?v=5N_lrtOkW3g

Right a wrong: ePrivacy now! (09.10.2019)
https://edri.org/right-a-wrong-eprivacy-now/

“E-evidence”: Repairing the unrepairable (14.11.2019)
https://edri.org/e-evidence-repairing-the-unrepairable/

(Contribution by Ella Jakubowska, EDRi intern)