The primary aspect of data collection was completed through content analysis, which is discussed below.

EU policy makers are determined to make the EU not only cloud friendly but cloud active, and have called for changes to regulation to do so.
In contrast to this, cloud computing is predominantly unregulated in the U.S., and policy makers are encouraged to avoid introducing regulatory restrictions which could limit the future progress of the cloud computing business.

According to the Data Protection Directive (DPD), sensitive data is described as special categories of data, which include personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data on health, sex life or criminal convictions of people.
A number of EU member countries have extra protection on some special categories of personal consumer data considered sensitive, including financial position and debts, requiring protection beyond what is required by the DPD. Usually, businesses will not obtain, analyse and keep any special categories of consumer data unless given consent to do so. Businesses can also decline requests to transfer special categories of data to third parties without consumer consent. Some personal data, although not classified as special, still require protection beyond Directive law and standards. An example of this is where telecommunication providers are expected to provide extra privacy protection for their clients' geo-location data linked to their mobile devices. Disclosure of this data would create considerable user privacy and security risks, as the up-to-date physical location of clients would be disclosed and could readily be tracked. Therefore, within the EU, policy makers go beyond sensitive data to special categories of client data and ensure they are provided with heightened privacy and protection under EU law.

In contrast, there is no data protection bill for sensitive data defined within EU's DPD. Because there is no inclusive legislation to defend consumer data privacy and security and cross-border transfers of sensitive consumer data, the U.S. cloud computing industry faces very few legal limitations. There are laws in place for special sensitive data of consumers, which include: information acquired online from children below 13, data acquired by businesses regarding their clients, information collected about patients by health care workers, and customer credit card data collected by banking agencies. Companies in these industries are accountable for the protection and security of the sensitive consumer information, even once it is within the cloud.
For personal data collected from other industries not described above, there is no specific legislation requiring privacy and security of data. For example, consumer data such as names, address, email address, ethnicity, marital status or financial income is not treated as sensitive and protected by U.S. law (King, 2019).

Cloud computing provides businesses with the opportunity to allow clear communication by phone between two staff members from two different countries, each speaking a different language, using voice recognition tools and translation software to produce smooth conversation without any foreign-language issues or barriers. Even though this is not a possible scenario at present, businesses are working on developing the technologies to do so within the EU. Some businesses are investigating possibilities of making cloud computing work seamlessly within the EU law restrictions currently in place by, for example, creating better solutions for encrypting data before it is sent to the cloud and then decrypting the data once it exits the cloud, which is in agreement with EU law as the data stays anonymous. Improvements in encryption methods are not within the DPD's list of conditions to provide clients with heightened protection of personal data. As well as this, anonymous consumer information is not exposed to transfer limitations before being exported to different countries whose laws may not include the necessary sensitive data protection, e.g. the U.S. (Data Protection Directive, 1995).

Most states within the U.S. have systems in place to give alerts whenever a data breach has occurred, which urge businesses to alert their clients of data breaches exposing sensitive personal information which can be exploited by fraudsters. However, there is no law set in place stating notifications of these breaches are required.
State laws regarding alerts on personal data breaches allow businesses to avoid any damages incurred by prompting them to use security measures like encryption, even though the state laws don't authorize these safety methods. Tort laws give additional security protection for clients, allowing them to reclaim monetary damages and settle with companies that wrongfully use their private data. How exactly tort law can be applied to highlight company failures to provide data privacy and security is still uncertain; however, increasing numbers of civil lawsuits are being brought by clients for these kinds of claims. Overall, tort law is seen as an unlikely measure to safeguard consumer data privacy, particularly in scenarios where the client must provide an acceptable expectation of privacy and security from the business and an irrational interference by the defendant.

Conclusions and Recommendations

The key findings within this case study illustrate that both the EU and U.S. privacy laws are in need of some changes to build a strong platform for the increasing growth of cloud computing. The main focus of these changes should be on creating a regulatory framework which is desirable to consumers and creates the trust that their personal information will be kept safe and secure within the cloud. It would be a great advantage for cloud computing providers, and for businesses using cloud computing services, if privacy laws were provided stating the businesses' responsibility and accountability to protect sensitive client data and encouraging confidence and trust in cloud computing, as they would benefit from this immensely. Changes required would include i) decreasing regulatory restrictions which limit EU and U.S. businesses from fully utilising the benefits of cloud computing services at present and ii) broadening the legal definition of sensitive data which requires more data protection in cloud computing environments.
Subsequently, there are a few recommendations for this topic area. Firstly, both the EU and U.S. should modify and update their legal definitions of sensitive data to include more than the existing categories of data in the Data Protection Directive, such as gender, financial affairs, and geographic location of clients. Secondly, since cloud computing environments inherently span different countries, both the EU and the U.S. should avoid approving new laws, and should change current laws, which restrict EU and U.S. businesses from taking full advantage of cloud computing. This can mean amending laws such as the EU's Data Protection Directive, which restricts cross-border data flow, and the localisation requirements of some countries. Alternative approaches could be used instead, such as laws regarding the use of encryption to protect client data privacy, as this would not restrict the use of cloud computing. On the other hand, the lack of an extensive regulatory framework in the U.S., including government data protection laws requiring companies to protect client data and privacy, and the lack of protection for sensitive data leave the buyer exposed and vulnerable to privacy and security risks in cloud computing. This leads to a decline in growth of consumer trust and participation in the cloud computing industry.