Category Archives: World

What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why 😉). My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.


The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law”: what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on the one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

You can download the full text of the paper following this link:

OECD Guidelines, “refreshed” after 33 years

The OECD published this week the revised version of the 1980 privacy Guidelines.

According to the OECD website, “two themes run through the updated Guidelines. First is a focus on the practical implementation of privacy protection through an approach grounded in risk management. Second is the need for greater efforts to address the global dimension of privacy through improved interoperability. A number of new concepts are introduced, including:

  • National privacy strategies. While effective laws are essential, the strategic importance of privacy today also requires a multifaceted national strategy co-ordinated at the highest levels of government.
  • Privacy management programmes. These serve as the core operational mechanism through which organisations implement privacy protection.
  • Data security breach notification. This provision covers both notice to an authority and notice to an individual affected by a security breach affecting personal data.

Other revisions modernise the OECD approach to transborder data flows, detail the key elements of what it means to be an accountable organisation, and strengthen privacy enforcement. As a step in a continuing process, this revision leaves intact the original “Basic Principles” of the Guidelines. On-going work by the OECD on privacy protection in a data-driven economy will provide further opportunities to ensure that its privacy framework is well adapted to current challenges.”

Should we say hello to the provisioned new global data protection law? I think so.

The future data protection law in Brazil could provide for all data to be stored locally

According to, <<as the Brazilian government attempts to create the country’s first set of regulations around data and Internet governance, Facebook and Google have expressed concerns over possible additions to the bill.

Proposed amendments to Brazil’s “Internet Constitution”, the Marco Civil da Internet, include a requirement to store all data locally. The Internet giants, until now supporters of the creation of the regulations, are not happy about this possibility.

A Reuters article published this week cited Google’s public policy director Marcel Leonardi as saying that his employer is happy to support the Marco Civil, but only “in its original form” (without the requirement to set up datacenters in Brazil).>>

Read the whole story HERE.

Costa Rica gets information privacy law

informs that Costa Rica now has its own laws on the storing, sharing, and access of personal information, after Law #8968 was published in the official Gazette last Tuesday.

Under the law, individuals must now provide their express consent for the collection of their personal information in databases, and individuals will have the right to revoke that consent at any time.

The guidelines, which explain the scope of the law that was adopted in 2011, include for the first time the “right to informational self-determination,” which is defined as the right of every individual to know what personal information of theirs is collected in databases, and for what purpose.

The only exceptions are in cases where there is a court order, or when a resolution is adopted by a special committee of the Legislative Assembly.

The law also does not pertain to information that is normally public in Costa Rica, such as a person’s name and cedula number, which are commonly accessible in the Civil Registry.

The law says that personal information cannot be stored for more than 10 years, with some exceptions, and empowers residents to correct or remove information from databases.

Hong Kong: Students’ privacy exposed by webmasters’ negligence

informs that names, phone numbers and email addresses of over 8,505 students of nine secondary schools and two tertiary institutions in the city were shown to have been exposed in documents retrievable by Internet search engines, the privacy watchdog reported on Tuesday.

Allan Chiang Yam-wang, privacy commissioner for personal data, said he believes the lack of vigilance and security measures to protect personal data revealed in the probe was only a “tip of the iceberg” of the widespread negligence among webmasters.

The compliance checks commenced in April, following media reports of leaks by the city’s schools. Nine secondary schools were confirmed to have uploaded files containing personal data onto their web sites without access restrictions, involving a total of 2,115 students.

Two of the schools had leaked 786 students’ reference numbers (STRN), which were uniquely assigned to each student for life. The Commissioner compared the sensitivity of the numbers to birth certificates, as publishing the STRN would expose students to the risk of counterfeit identities.

Three schools have also leaked both the email addresses and contact numbers of students or their parents in their files. The commissioner noticed some of the misplaced files had been available for years.

All nine schools blamed their technicians for mistakenly publishing the files on their official websites. The files in question, following the finding, were all removed and require no further action from the commissioner.

The investigators looked up the search engines to explore how far the oversight of webmasters had gone. The search keywords were said to be “simple”, but the office declined to reveal what they were.

A search over a period of 20 hours retrieved 39 files containing sensitive information, including class allocation results of 6,256 students attending the Lingnan Institute of Further Education. The record revealed part of the students’ identification card numbers and their names.

The institute also came under scrutiny last week when an inquiry panel criticized the management for problems in student enrollment, governance, quality assurance and other aspects of the operations.

Read the whole story HERE.

Facebook created a tool for users which digs into your data

writes that Facebook has spent eight years nudging its users to share everything they like and everything they do. Now, the company is betting it has enough data so that people can find whatever they want on Facebook. And on Tuesday, it unveiled a new tool to help them dig for it.

The tool, which the company calls graph search, is Facebook’s most ambitious stab at overturning the Web search business ruled by its chief rival, Google. It is also an effort to elbow aside other Web services designed to unearth specific kinds of information, like LinkedIn for jobs, Match for dates and Yelp for restaurants.

Facebook has spent over a year honing graph search, said Mark Zuckerberg, the company’s co-founder and chief executive, at an event here at Facebook’s headquarters introducing the new product. He said it would enable Facebook users to search their social network for people, places, photos and things that interest them.

That might include, Mr. Zuckerberg offered, Mexican restaurants in Palo Alto that his friends have “liked” on Facebook or checked into. It might be used to find a date, dentist or job, other Facebook executives said.

“Graph search,” Mr. Zuckerberg said, “is a completely new way to get information on Facebook.”

Graph search will be immediately available to a limited number of Facebook users — in the “thousands,” Mr. Zuckerberg said — and gradually extended to the rest.

Every Internet platform company has been interested in conquering search.

But Facebook search differs from other search services because of the mountain of social data the company… (read the rest of the story HERE).

China – Online companies face civil liability for breaching privacy

writes that the National People’s Congress (NPC), China’s highest legislature, adopted – on 28 December 2012 – a decision on strengthening the protection of network information (‘The Resolution’). The Resolution outlines China’s intention to protect electronic information capable of identifying an individual and prohibits the unauthorised acquisition of citizens’ personal data. Effective from the date of adoption, it imposes civil liability on companies that infringe on individuals’ privacy, granting the affected individuals a private right of action against those companies.

Manuel Maisog, Partner at Hunton & Williams, told DataGuidance: “It is possible that the new resolutions will require significant operational changes, to address more traditional data privacy concerns, among some businesses that control or process identifiable electronic information. [However] some businesses will find that they need only make such operational changes to a modest extent, as the internet is an inherently cross-border communications network, these businesses may have, by way of complying with requirements of other jurisdictions, already be in compliance with some of the requirements of the new resolutions. For them, it may be a matter simply of extending their compliance practices to China and modifying them somewhat to make them work in China”.

The Resolution contains 11 clauses that establish requirements applicable to internet service providers (ISPs) and other businesses that collect… (read the whole story HERE).

New Zealand – Adequacy status a ‘real coup’ for business

writes that the European Commission formally recognised – on 19 December 2012 – the adequacy of the data protection regime in New Zealand, making it the first country in the Asia-Pacific region to receive such recognition. Viviane Reding, EU Justice Commissioner, noted the importance of high standards of data protection in boosting international trade; the annual value of trade in goods and services between New Zealand and the EU is €6.7bn and €3.1bn respectively.

Kathryn Dalziel, Partner at Taylor Shaw, told DataGuidance: “It has been a long process (over 10 years) – few countries have this recognition and it is a real coup for a small island nation in the South Pacific which relies on delivering goods and services internationally as part of its economic stability. I know that many [companies] will be including this recognition in the international marketing of their businesses and, as noted by our Ministers of Justice and Trade, it also opens up business opportunities in data processing, cloud computing and financial or call centre activity”.

Assistant Privacy Commissioner Blair Stewart said: “The decision should be helpful to New Zealand businesses that trade with Europe or hope to do so as it substantially… (read the whole story HERE)

Indian Government Wiretapping and started Blackberry Interception

writes that according to a report, all major Indian telecom companies, including Bharti Airtel, Vodafone India and Tata Teleservices, have agreed to share real-time interception of BlackBerry calls and data services on their networks with security agencies to meet the December 31 deadline fixed by the Indian government.

Earlier in 2011, the government set the deadline for RIM to come up with facilities for interception, or face closure of their operations in India. The security agencies in the country have been trying to get the company to install local servers so they could access and monitor the stream of messages going back and forth to implement better security in the country.

The Ministry for Home Affairs ordered interception of about 10,000 phones and 1300 email ids, during October to December 2012. According to an Indian newspaper report, about 500 new e-mail addresses of individuals were also added to the existing 800 e-mail IDs already under surveillance.
Most requests for surveillance came from the Intelligence Bureau, followed by the Narcotics Control Bureau, Directorate of Revenue Intelligence, Army’s Signals Intelligence Directorate, State Intelligence units followed by Police Departments of Andhra Pradesh and Maharashtra.