In the wake of the ruling by EU data protection authorities that Google must strictly limit the purposes for which it collects information about users and offer stronger privacy guarantees Karen Evans, former Administrator of the Office of Electronic Government and Information Technology (IT) at the Office of Management and Budget, and Jeff Gould, both SafeGov.org experts today called on the General Services Administration (GSA) and all cloud vendors serving the U.S. government to redouble their efforts to ensure that public sector cloud users in America receive the full privacy protections required by law. Because the privacy protections offered to U.S. government cloud users are sometimes hidden away in individual contracts that are inaccessible to the public, it is impossible for the American public to verify that these protections are in place and adequate. For this reason, Evans and Gould recommend that government agencies require cloud vendors to publish privacy policies expressly banning the collection or processing of end-user information for purposes (including advertising or market research) unrelated to government missions.
The SafeGov.org experts recommended two additional measures to ensure the privacy protection of government information. First, in accordance with Section 208 of the E-Government Act of 2002, Federal agencies should revisit their privacy impact assessments (PIAs) in order to verify that their vendors’ privacy policies and individual cloud service contracts fully comply with the law regarding authorized and unauthorized uses of data. Furthermore, as required by statute, these revised PIAs should be updated on agency web sites to reflect this review. Second, GSA should require Third Party Assessment Organizations (3PAOs) to conduct independent privacy audits of approved agency cloud providers and to publish their opinions as to whether these vendors are complying with all applicable statutes, policies and procedures.
“Governments all over the world are accelerating their move into cloud computing because of its evident economic and organizational benefits,” Evans said. “Public sector CIOs want peace of mind that government information is being stored in accordance with statute and policies and that users’ online behavior is not being tracked and analyzed for purposes other than the intended or stated purpose in their privacy policies and PIAs.”
Commenting the EU decision, Gould observed that “The European data protection authorities have now ruled that vendors providing cloud services to enterprises and government administrations must strictly limit the user information they collect, must tell individuals the specific reasons their information is being collected, and must offer strong opt-out mechanisms. This EU ruling thus sets a higher bar for the respect of online end-user privacy than exists today in the United States. But U.S. public sector users, including those in Federal, State and Local government as well as in K12 and college-level education, deserve the same level of protection as their European counterparts.”
Evans and Gould concluded that “The protections afforded the American public sector today by vendor privacy policies such as Google’s – or, even worse, by obscure and ambiguous clauses in individual agency contracts that may not be available for public inspection – are inadequate and unacceptable. It is necessary to bring transparency to this area, which is crucial for the continued healthy growth of public sector cloud computing.”
In issuing their call for improved privacy protections for U.S. public sector cloud services, Evans and Gould also recommended that cloud providers and their public sector customers cooperate to implement the following specific measures:
- Update agency PIAs to ensure that data storage and use at all technical layers from storage through applications comply with existing statutes, regulations, policies and procedures.
- Create an audit program to ensure appropriate segregation of government data at all levels (e.g. host, network, application, and platform). GSA, through its existing FedRAMP program, should require 3PAOs to publish their audit results and opinions so that Congress and the public may verify that the cloud providers are meeting the terms of their Federal contracts.
- Require the adoption and publication of privacy policies for government customers that expressly ban the collection or processing of end-user information for purposes (such as advertising or marketing) that are unrelated to the intended state purpose in their privacy policies and PIAs.