Lift12 Workshop: Lots of Clouds, Stormy Weather for Information Privacy? [en]

[fr] I am at the Lift12 conference in Geneva. Here are my session notes.

Live-blogging from Lift12 conference in Geneva. These are my notes and interpretations of Michel Jaccard’s workshop — best effort, but might be imprecise or even wrong! Hoping I don’t mangle things like last year

Cloud computing, data protection, etc… With Sylvain Métille of @idestavocats.

Know what you do, why, what the risks are, and the best practices. You have the choice to use the cloud or not. It can be very difficult a few years down the road to know where the data is, but you remain liable for that data.

Analysis limited to privacy issues. As close to real-life experience as it gets for lawyers: real agreements 🙂


  • losing control of the data: not a specific risk, but reinforced with cloud computing — makes it harder to enforce your rights over multiple entities and jurisdictions
  • non-compliance with the law: headache. You end up in lawyer ping-pong or chess game. Have spent days or weeks in negotiations just about who is taking what kind of risks in connection with cloud storage of certain data, to reach an agreement. “Sorry, I can’t do anything on my side, strict compliance with the laws I refer to” — lawyer in the middle, ends up drafting something like what follows: Party A shall be liable and responsible under whatever law might apply to that party… blah blah. Idem for Party B. If there is a disagreement, parties should in good faith try to reach an agreement. Difficult!
  • Vendor lock-in (same, non-specific but reinforced)
  • Access requests by law enforcement authorities. State police is now very keen to have access to data that is on their soil. So as a Swiss company, if you don’t know where your data is stored… You could get sued outside your country, and the data center be asked to hand over the data. Example: sensitive data, third party locates where the data is physically and attacks (legally) there.

If keeping control over your data, and exclusive ownership, is critical to your business, important to know that this is extremely difficult to ensure if you use cloud computing. Eg. you might want to keep HR stuff in-house.

US Law: if you’re aware of a potential security breach, that is, that somebody not authorized might access the data, then you have to proactively disclose it to the market (even without a real data leak!)

Information privacy:

  • CH: Data Protection Act (easy to understand)
  • EU: directives/regulations apply to data treated in the EU or related to residents
  • US: state laws and sectorial

Two important ideas:

  • Data
  • Consent (is king)

Consent has to be voluntarily given and based on adequate information.

Different types of clouds. (1) locally, cloud = data transferred to a server. 10a DPA. steph-note: lost here, sorry.

(2) distant cloud. Accessible abroad. 6 DPA.

Swiss banking privacy cannot be guaranteed to customers who consult their accounts remotely (typically, from abroad).

(3) very very distant cloud (India, US)… Those countries do not provide “adequate protection”. Instead of legal protection, safeguards can be granted in a contract (official models). Safe Harbor Framework (USA) for data of private persons. Careful, need to be safe harbor compliant for Switzerland! Consent in the specific case.

Storing in the cloud also means that there is no 4th amendment protection under US law (because the data is accessible by a third party).

Means the FBI (eg) can actually pretty much know everything before the indictment.

[Photo: lift12 1100307.jpg]

Questions around a sample privacy policy. steph-note: photo above is the beginning, it goes on…

  • Your information: what is it? what I provided? what you know about me from my usage?
  • Personal information: what is it? taste in food? name of my mistress? Very subjective!
  • Carefully selected: how?
  • On our behalf: legal wording, finally.
  • Hosting for our servers: cloud providers.
  • Email distribution partners: spammers?
  • Delivery fulfillment services: another politically correct term for… mass e-mailing?
  • Customer service agencies: telemarketers.
  • Does not say how I consent. Just by clicking? You could sue under Swiss law and say “consent was not given”. You don’t know what you’re consenting to.

Companies tell their lawyers: please draft a privacy policy to make sure I can do everything I want to do, now and forever. Don’t try and cover everything!

Means the minute you enter the online world, you consent to anything that can be done to your data (unrealistic).

Personally identifiable information: anything that might identify you. Popular concept in the US. In CH, IP addresses as such are personal data.

steph-note: dissection of privacy policy with Michel, entertaining

Conclusion: with this kind of agreement the company can do pretty much anything. (It’s a B2B agreement.)

If you want to delete your data we will make it permanently inaccessible (we won’t delete it!)

steph-note: question that’s nagging me… what to think of companies who do not want to use Google Apps or let their employees use Google Docs? Are they right to worry, or not?

Best practices:

  • don’t hurry, prepare charts
  • align marketing/business/IT/legal
  • know what your company will do with the database down the road
  • force your providers to show you their own subcontracting agreements
  • be transparent in your legal terms
  • always have a plan B…

Conclusion: legal compliance is great but it’s quickly a headache. Cheaper pricing is not always the best solution.
