Answers in reverse order. At 10 feet tall and 7 feet wide, Leona is not a person. Leona is a steel cylinder and her home (at least for testing purposes) was about 1km off the coast of California in the Pacific Ocean.
Leona has the potential to run your life. Once in service, she can stream videos; run social networks; and store vast quantities of files, including emails and pictures. Leona is potentially one of the new generation of cloud data centres. She belongs to Microsoft.
Why will she live underwater?
- Heat – just 300 computers working together produce an immense amount of heat.
- Time – the time to install a Leona equivalent underwater is reported to be a fraction of the time it takes to deploy the equivalent capability on land.
- Speed – it is said that 50% of the world’s population lives within 200km of the sea, resulting in shorter data transmission times between Leona-internet and Leona-users.
So, to answer the first question, Leona Philpot is an experimental format for a data centre and is designed to form part of what is known as the ‘cloud’.
Why should any jobbing barrister want to know about Leona? We need to take a short trip back in history.
Before the internet, any document generated by a barrister on his or her computer remained in that computer’s internal storage device, or ‘Hard Disk Drive’ (HDD). Computing power was, in effect, concentrated locally onto a specific user’s machine.
The arrival of the internet changed everything. Information held on one computer could be made publicly available to other computers around the world. Computer hardware also developed rapidly, with the original ‘clunky’ laptop giving way to the notebook, the slim ultrabook, the tablet and to smartphones.
Everything in the computing world has, therefore, become smaller, lighter, more powerful, quicker and comparatively less expensive – with one exception. The data which is processed on computers has exploded. In 2016, IBM reckoned that we create 2.5 quintillion bytes of data every day and that up to 90% of the world’s data had been created between 2014 and 2016. And that is just ‘create’, never mind moving around previously generated data.
Electronically created data has to be stored somewhere. The more data you accumulate, the greater the storage costs. Thus was borne the ‘cloud’, a computing model on which data could be stored on remote computer servers accessed by a user from the internet. The servers are maintained, operated and managed by a cloud service provider (Infrastructure as a Service, or IaaS for short).
From a chambers’ point of view, using the cloud provides a huge financial advantage; it no longer has to purchase and maintain expensive computer storage hardware. Instead, it can effectively ‘rent’ such storage as it requires at competitive rental costs. The chances are that you, personally, are no longer storing your case files and emails on your own computer and instead are availing yourself of remote storage.
Secondly, whereas once upon a time, hardware ruled the roost, it is now software that matters. If you are a busy barrister, you probably don’t want to be concerned with installing and maintaining the latest version of a particular piece of software. You can simply access it from the cloud resources. This also applies to legal practitioners’ manuals, law reports and precedents that used to form chambers’ libraries and clutter up your own shelves. Imagine having to update these yourself. Then there is email, a software service that you can access (Software as a Service, or SaaS for short).
So, what does the Bar have to pay attention to in the brave new world of data storage and access to software outside of a barrister’s own computer? We will assume that you, personally, wish to have your own cloud-based storage or software facilities and these are not provided through chambers. You will have to ‘negotiate’ your own agreement with a cloud service provider. This is probably going to be a standard form document, probably a ‘click through’ with credit card-based payments to confirm the service will be provided. There are specific issues which you should watch out for.
Where is your data being held?
The first thing is where exactly are you storing this data? By now, every practitioner will have heard of the General Data Protection Regulation (GDPR), which concerns ‘personal data’ – names, addresses and other identifiers of individual living persons. Much of your daily work will include such ‘personal data’ and ‘processing’ which involves just about every conceivable thing you can do with electronic data.
As a general principle, the GDPR requires that ‘personal data’ cannot be ‘transferred’ to ‘third countries’ (those outside the EEA), unless these have been cleared by the EU as having adequate levels of protection. ‘Transferred’ can include, for example, sending an email to a third country or saving personal data on a computer which is outside of the EU.
What happens if the EU has not officially cleared a particular country? Well, you can still transfer your personal data (without needing ICO approval) but you have to provide safeguards for those individuals whose data is being transferred, the rights of those individuals have to be enforceable and there have to be suitable remedies in place. This might be a challenge too far. Cloud storage providers are likely to have their own standard contracts which pay little attention to what has recently come into force. And do you honestly have the time to review and negotiate such a contract?
It is usually US companies that offer the most cloud computing opportunities. Currently, the EU and the US are working under the ‘Privacy Shield’ provisions, purporting to protect the fundamental rights of anyone in the EU whose personal data is transferred to the US for commercial purposes. But, be aware. Firstly, you will have to check whether your chosen data storage company is one of the 2,400 companies that has registered under the Privacy Shield. Secondly, the US is one of a number of countries that choose to take enforcement measures to obtain access to data stored in the cloud without necessarily informing you. Don’t be fooled by computers apparently being located in Europe – the US will exercise its rights if these computers are ultimately owned by a US company.
Overall, if you need your own cloud storage choose a non-US company which has computer servers located in the EU.
Data integrity; how is your data being handled?
Your specific duties of confidentiality under the Bar Code of Conduct do not disappear if you decide to lodge your case files/emails with a cloud service provider. The GDPR also lays down specific responsibilities between you (as data controller) and the cloud service provider (as data processor) which must be recorded in a written contract. You need to ensure that the cloud service provider you choose can meet the obligations to be required of it in the Regulation.
The following steps might assist you
Firstly, encrypt your data. Both Windows and Mac OS have functions which enable you to encrypt your files in the cloud computing space. Encryption renders the content indecipherable to the ordinary mortal, but you will have to ensure that you remember your password in order to access your files. You should double check if you can access your data on a smartphone or tablet.
Furthermore, there are applications available which will encrypt data held in the cloud for you. Look for a service which says it has ‘zero knowledge’ encryption – this means that the encryption provider doesn’t store your password for the data: any requests for the data have to come to you. (Conversely, if you do forget your password you are not going to be able to retrieve your data!) Encryption will go a long way towards fulfilling your GDPR data protection requirements.
This is not, however, the only concern. You have a responsibility not to lose data, whether by leaving your computer on the bus or handing it over to a third party which loses it. Hence, cloud storage providers may say that they will use their ‘best efforts’ to preserve your data but may disclaim any responsibility for its loss. Rather, they may place an obligation on you to ensure that separate backup arrangements have been made.
Lastly, what do the providers say about what will happen to your data when the relationship comes to an end? There are two issues. Firstly, what access will you have to your data; secondly, what steps will they take to delete effectively your data once you have retrieved it? This is particularly important with GDPR requirements to a) minimise data and not hold onto it for longer than is necessary, and b) to ultimately decide what happens to your data.