I read this article about someone suing Apple because Apple did not disclose that Apple might store iCloud data with Amazon or Google and they were somehow harmed because they paid Apple a premium for iCloud storage under something akin to false pretenses. Well, it’s time to set the record straight, kiddies.
The data industry and all legal people involved with it need to adjust to this simple fact: If a company encrypts your data and then processes your data using someone else’s hardware, the company is the ONLY entity involved with your data.
Every year since 2007 I have regularly negotiated dozens of agreements with data privacy and commercial attorneys at very large companies to process the personal data of some of the most powerful and famous people in the world. Very often the “other side” is operating under the false impression that vendors will protect their data against all loss and that vendors will compensate the customers for all of their losses if the data is lost/corrupted/breached/etc. This appears to be the same impression the general population, and more specifically, the litigants in this Apple iCloud suit, are operating under.
These people are all simply wrong. Apple is doing this correctly and I applaud them for setting the proper standard in the industry. The amount of time, energy, and money spent every year trying to improperly* hold companies accountable for their sub-processors’ activity is literally incalculable. The industry needs to adjust and move on to more productive uses of their resources.
Enjoy the mini legal lesson below.
* It is ALWAYS proper to hold a company responsible for their sub-processors’ activity if the company does not encrypt the data being processed by a sub-processor. That situation is Something Different.
Encryption doesn’t change responsibility in any way, because encryption can be broken, keys can be compromised, etc. This happens every few years.
To this point, your last statement: “…the company you’re using is under exactly zero obligation to tell you anything about sub-processors…” is incorrect under the GDPR and other similar privacy legislation.
Storage is considered sub-processing. Apple does, under the GDPR, have to disclose to you where your data is stored and with whom. Other privacy legislation in other countries requires the same. You will see this with various SaaS providers in their terms of use or contracts.
Under the GDPR, Apple is also potentially liable for the actions of their subprocessors. If a breach occurred, they, and Amazon, and anybody Amazon contracted with, and anybody *they* contracted with, and so on down the chain… could all be dragged in front of the EU court and be penalized as the court saw appropriate. That is why the GDPR mandates specific contracts between data controllers and processors/subprocessors – to clearly delineate who is responsible for what.
All of that being said, I don’t think the people filing this suit can claim any damages other than “the reason I chose the iCloud in the first place was because I thought only Apple could access my data”. So Apple’s obligation is likely a refund of the user’s iCloud fees – at most. But as a class action suit that could be a pretty penny.
I totally understand you believe these things and your beliefs do coincide with the general understanding of things but the general understanding is wrong.
First, nobody said anything about changes in responsibility so that part is correct however I am compelled to point out that most, if not all, current or currently proposed regulations including GDPR, do not require notifying individuals if the data is suitably encrypted. Why? Because the data has not actually been exposed. Yes, encryption can be broken but the laws are what the laws are and that is the current status of things.
Second, there is no requirement to disclose sub-processors… GDPR does not require any such disclosure. It simply does not exist. You might think it does, but you will not find that in the GDPR nor in any of the latest rounds of data protection regs. You are correct about the downstream liability of processors, sub-processors, etc…
BUT… while storage is considered processing, the obligations that really come with GDPR/data regs center around disclosure to third parties, and this is where the industry will eventually catch up with Apple and, if I may say so, my own company, where we have had this position for over a decade. Fact is that Apple will have much more success than we would in pressing this rather obvious conclusion: if you don’t have to tell an individual their data may have been compromised because it was encrypted, then it stands to reason that is because the data has not been disclosed to a third party; and if the obligation to disclose your sub-processors actually existed in any particular data reg (which it doesn’t), based on an obligation to disclose “disclosure”, then if you did not disclose the data to a third party there is no obligation to announce your sub-processors.
In case you come back here and say “But, but… controllers have to approve processors’ sub-processors…”: in reality nobody is letting that happen commercially. Companies are contractually allowing objections to sub-processors under specific conditions, BUT, as I said originally, if I have a contract with you to do something with your data and I choose to store that data at Amazon but, via encryption, Amazon reasonably does not have access to your data, well then Amazon is not really a sub-processor. They are an extension of me, vis-à-vis I’ve rented some hardware from them that we will use, and we are not asking Amazon to do anything with your data (because they can’t, because they do not have access).
Totally understand that this is a nuance generally lost on the industry but that is why it is so important for Apple to fight this fight. It is the right position and if it ever has any chance of influencing contract terms in the main, the proper position requires a Tech Giant to put it forward and defend it.
I will provide another example in kind of sort of the same ballpark. Industry standards require that when storage media is disposed of, the data needs to be properly removed/destroyed/erased/etc. Let’s say you have a MacBook Pro with FileVault. You are 100% compliant with standards if you simply reformat/erase that drive because everything on it was encrypted to begin with. No need to go all DoD multi-pass wipe before reusing the media. Encrypted data is “gone” / not disclosed. Treatment of encryption is inconsistent so I am glad Apple is on the job!
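The two technical claims in the thread above, that a storage host which only ever receives ciphertext has no access to the data, and that erasing the key of an encrypted volume is what makes the stored bytes unrecoverable, can be shown with a few lines of code. The following Go program is an added example written for this page; it is not code from Apple, Amazon, or any commenter. It models the data controller encrypting a record with AES-256-GCM under its own key before handing the blob to a hypothetical storage host, then zeroing the key to perform a cryptographic erase. The record contents and the function names are constructed for the example. The caveat raised earlier in the thread also falls out of the code: whoever holds the key can decrypt, so the "host has no access" argument only holds while the key stays with the controller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is everything the storage host receives: a nonce and ciphertext.
// The key is never part of it, so the host cannot read the record.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit AES key that stays with the data controller.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from the controller's key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates a record before it leaves the controller.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per record
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a stored blob. It fails if the key is wrong or the blob was altered.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// HostCanSee reports whether a plaintext fragment is visible in what the host stores.
// With a correct envelope this is always false.
func HostCanSee(b Blob, fragment []byte) bool {
	return bytes.Contains(b.Ciphertext, fragment) || bytes.Contains(b.Nonce, fragment)
}

// Shred overwrites the key in place. Once it is gone, every blob sealed under it is
// unrecoverable: this is the cryptographic erase the FileVault comparison relies on.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	record := []byte("constructed sample: customer 42, balance 1000") // constructed input
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("host can see 'customer':", HostCanSee(blob, []byte("customer")))

	back, err := Open(key, blob)
	fmt.Println("controller decrypts:", err == nil && bytes.Equal(back, record))

	Shred(key)
	_, err = Open(key, blob)
	fmt.Println("readable after key shred:", err == nil)
}
```

Run it as a normal Go program; it prints that the host sees no plaintext, that the controller can decrypt while it holds the key, and that nothing is readable once the key is shredded. The design point is that the split of responsibilities the commenters argue about is enforced by where the key lives, not by the storage contract.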