White Paper: Data Protection In The Cloud


Introduction

The rapid emergence of cloud computing has placed it at the forefront of IT decision making and business strategy. While the benefits of cloud computing are well known and often justified, there are equally important considerations around its use. One key issue is that of personal and sensitive data being outsourced, stored and accessed in the cloud.

The goal of this paper is to highlight the key elements that organisations should consider when moving personal data to various kinds of cloud-based infrastructure, an increasingly elaborate issue in its own right. Much of the discussion will also apply to cloud service providers and any commercial stakeholders storing third-party personal data in the cloud on behalf of others.

Data protection issues should be considered from both legislative and technology/security perspectives, and both concerns are of equal relevance. Emerging data legislation aims to streamline both aspects so that compliance with legislation will ensure adequate protection of personal data. Given the rapid pace of technology change, however, this is still very much a work in progress for regulators, meaning that compliance with legislation may not guarantee secure data in all circumstances. Hence, corporate use of cloud-based services needs to be considered carefully on a case-by-case basis, ensuring that both sides are adequately addressed in parallel. The threat of fines and revenue deductions is placing increased emphasis on this topic, particularly in relation to EU attempts at data protection reform. The EU context provides the main focus of this paper.

The next section provides a cursory overview of cloud computing, data protection and their present interaction. Key issues around data protection in a cloud service context are discussed from there: checklists for choosing cloud providers, cloud usage risk factors, the responsibilities of the various cloud service stakeholders in relation to data protection, contractual guidelines, issues around cloud-based data transfers between the EU and other jurisdictions, and avenues towards cloud-based data protection compliance. The paper also discusses the potential implications of emerging EU data protection regulation initiatives for cloud use and other data transfers.

Cloud Computing and Data Protection Legislation - A Cursory Overview

Cloud computing combines an array of technologies and service models that deliver new forms of software applications, processing power, and increased flexibility in technology platforms and IT infrastructure. Cloud-based systems can be categorised along several dimensions, for example in terms of location and scope:

- public clouds on the open internet
- private clouds dedicated to an individual organisation or similar entity
- hybrid clouds that adopt both public and private cloud elements
- community clouds, where IT infrastructure is shared by a specific niche of user organisations for mutual benefit

Clouds can also be categorised by the kind of service they provide. Three brief service model distinctions are:

- Software-as-a-Service (SaaS): end-user application functionality, e.g. word processing, CRM etc.
- Infrastructure-as-a-Service (IaaS): computing resources such as processing power and/or storage
- Platform-as-a-Service (PaaS): tools for constructing and deploying custom applications

Cloud computing can provide a range of economic and convenience benefits depending on the specific usage context. These include reduced upfront technology acquisition costs, the ability to scale requirements up and down as needed, reduced maintenance overhead, increased configurability, and the potential for increased security and service uptime, among others. For individuals and smaller organisations in particular, the economies of scale provided by cloud computing give access to highly advanced applications and technologies that would not otherwise be possible.

Data Protection In The Cloud Page 1

Existing EU Data Protection directives, and their transposing legislation in individual countries, apply to the processing of personal data, including sensitive personal data. Personal data is defined as data relating to a living individual who is (or can be) identified either from the data, or from the data in conjunction with other information that is in, or is likely to come into, the data controller's possession. Sensitive personal data can relate to a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical/mental health, or information relating to criminal or legal proceedings. The legislation also applies to personal data processed in either an automated or a manual way.

A number of key rules around data protection apply. These include that data is:

- Obtained and processed fairly
- Only kept for specified, explicit and lawful purposes, and only disclosed in ways compatible with such purposes
- Kept safe and secure
- Kept accurate, complete and up-to-date
- Adequate for the relevant purposes and not excessive
- Not retained for longer than is necessary
- Made available to an individual on request

Data protection laws are worded in terms of obligations on key data stakeholders. In relation to the adoption of cloud-based services, the key stakeholder categories are:

- Data Subject: the person whose personal data is being stored
- Data Controller: the person who, either alone or with others, controls the contents and use of personal data. Controllers are typically clients of cloud-based technology providers.
- Data Processor: the person or organisation responsible for managing, storing and processing personal data on behalf of the Controller, i.e. the cloud technology service provider in this context. As well as being Processors, cloud providers may also be Controllers themselves, depending on what is done with the data.
- Data Sub-Processor: cloud service sub-providers may also be used by Processors to manage or process data in line with the needs of Controllers.

In cloud computing, data transactions between the various Processors and Sub-Processors can be fluid and complex, with implications for the contractual agreements between Controllers, Processors and Sub-Processors.

Data protection reform is gaining increasing prominence globally, with over 100 countries now having some form of legislation, either already implemented or in draft form. The EU in particular is pushing advanced reforms, with a unified Data Protection Regulatory Framework being proposed, aiming to streamline the legislation in individual countries that conforms to the existing EU Data Protection Directive (1995). Key goals of the draft legislation (earmarked for provisional implementation by 2015/2016) include:

- A single, unified EU regulation, meaning the same law will apply across the EU and associated EEA nations
- Increased fines for non-compliance, on a sliding scale up to 1 million, or up to 2% of company revenues
- Introduction of an end-user's "right to be forgotten", meaning that Data Controllers and Processors are obliged to remove an individual's details from a database if they request it
- A right to data portability: customers should be facilitated in moving the personal data they have provided easily from one cloud platform to another
- Organisations with more than 250 employees will be obliged to appoint a Data Protection Officer
- Companies operating across the EU will only need to deal with one national Data Protection Agency (DPA), i.e. that of the EU member state in which they have their main establishment. This will have implications for Ireland and other states offering R&D and other incentives for foreign investment. As many companies setting up European headquarters in Ireland would be answerable to the Irish DPA (Facebook being one prominent example), a strong alignment with any emerging EU data protection reform is likely in Ireland.
- Rules on user consent for storing personal data will become more stringent, moving away from implied consent towards more explicit forms where applicable
- Stronger regulations on the timely reporting of data security breaches will be enforced
- Increased requirements on implementing Privacy-by-Design principles in cloud-based services, both in relation to use by Controllers and by Processors

Choosing Cloud Providers - Pre-Considerations

When considering data protection issues in the cloud, clients should first consider holistically how the use of cloud-based services is appropriate to the relevant business processes. Various decision frameworks exist to assist this process. One example is a guidance note developed by the National Standards Authority of Ireland (NSAI) and the Irish Internet Association (IIA) (i). Such frameworks allow balanced consideration of potential adoption risks and benefits in relation to fifteen key criteria. In relation to data privacy and protection, the following issues are highlighted:

- Data in Question. What data will be placed in the cloud? How sensitive is that data? What would the implications of a data breach be?
- Legislation. What national and international data protection laws and contractual provisions apply to the data protection scenario(s) in question (individual EU laws, US Safe Harbour, sector-specific legislation, others)?
- Stakeholder Responsibility. How are the Controller, Processor and Sub-Processor responsibilities assigned for the cloud-based transfer(s) in question? Do certain stakeholders have multiple roles? Such categorisations determine the legal responsibilities of each stakeholder category, discussed later in this paper.
- Data Centre Location(s). Where are the cloud provider's data centre(s) located? Are they within or outside the defined EU jurisdiction? If some or all data centre elements are located in non-EU (or non-EEA) jurisdictions, have data transfer issues been considered?
- Provider Guarantees. Can the provider(s) certify and guarantee the locations where data is stored, and ensure that any changes are notified to the client and do not violate contractual agreements or relevant legislation?
- Notifications. Will customers, employees or other data subjects need to be notified if/when their data is moved to the cloud provider(s) in question?
- Data Breach Response. Does the cloud provider have an explicit policy around data breach incidents and notifications?

The decision matrix also includes a range of checklist points relating to security issues, including the quality of physical and logical access control requirements, security monitoring and alert provisions, data confidentiality protection via encryption and other methods, data backups and continuity, level of data segregation, support for security event logging and auditing, support for e-discovery and potential litigation events, compliance with security-related standards (e.g. PCI, ISO/IEC 27001), breach notification support, and clarity around the chain of sub-processor processing (if applicable).

Other general elements covered by the NSAI/IIA checklist include:

- Definition of key objectives and benefits to be gained from cloud adoption
- New or existing applications to be deployed
- Required availability and SLA metrics
- Network and internet infrastructure required to support the chosen cloud usage
- Cloud-based data storage and extraction requirements
- Contingency planning around required capacity and potential future usage growth
- Necessary customisations, maturity and credentials of the chosen cloud provider(s)
- Contingency planning in the event of third-party cloud provider failure

Risk Factors around Cloud Computing and Personal Data

In line with assessing cloud adoption factors, it is important to understand the key risk factors around placing personal data in the cloud. A recent article by the EU's Working Party 29 Committee on data protection and privacy (ii) highlights some potential risks, including:

- Data Availability. Once data is committed to a cloud provider, vendor lock-in may make it difficult to move this data to other systems. Future EU legislation aims to enforce greater data accessibility and portability requirements on Processors, but at present this is a significant problem.
- Data Integrity. Cloud services are typically composed of multiple users sharing systems and resources, so data from multiple sources can exist in proximity to one another. This may lead to a risk of conflicts of interest and competing objectives in relation to how data is stored, managed and processed.
- Data Confidentiality. When personal data is placed on cloud servers, there is a risk that third parties may access that data in violation of data protection regulations. For example, if data in the cloud moves from one jurisdiction to another, and the receiving jurisdiction allows law enforcers to access such data, this may be in violation of the legislation in the sending party's jurisdiction. In relation to EU data protection legislation, data leaving EU-based jurisdictions for non-EU jurisdictions is perceived to be vulnerable to this risk.
- Data Intervenability. Use of highly dynamic cloud-based infrastructures may make it difficult for Controllers to perform appropriate interventions on personal data if needed, for example where time-sensitive access, deletion or correction of such data is necessary.
- Data Isolation. As cloud-based providers will have simultaneous access to multiple datasets, there is the risk that rogue providers could merge and correlate datasets that should ethically and legally remain isolated and separate.

Responsibilities of Data Controllers and Processors in a Cloud Context

Both clients and providers of cloud-based infrastructures have specific obligations in order to adhere to data protection legislation. Key guidelines for Controllers and Processors in an EU context are defined, and set the benchmark for what needs to be fulfilled at a practical level from an IT security perspective.

Cloud Clients

The cloud client acts as the Data Controller. This means that they determine the ultimate purpose of the processing, how this processing is outsourced, and how all or part of this processing is delegated to one or more cloud providers. Where multiple Controllers are responsible for a given scenario, individual responsibilities must be clearly identified and stated to ensure adequate data protection.

The cloud client or clients acting as Controllers must accept legal responsibility for abiding by the relevant data protection laws, and are subject to the relevant legal duties. They are therefore responsible for choosing a cloud provider that guarantees compliance with relevant data protection legislation.

Cloud Providers

The provider of the cloud-based service is considered the Processor, but may also act as a joint Controller depending on the specific context, e.g. if the Processor is authorised by the client to process such personal data for its own purposes. In such cases, the cloud client must receive authorisation allowing this from the data subject. Cloud providers must ensure data confidentiality, and can only process data in line with the instructions provided by the client Controllers. Providers operating in EU jurisdictions must adopt appropriate security measures in line with legislation, and must support and assist Controllers in complying with the rights of data subjects.

Cloud Sub-Providers

Processors that subcontract services to Sub-Processors must make details of this available to clients, and prior consent from Controllers is also necessary. This includes notification of any new Sub-Processors and of any changes to Sub-Processor roles throughout the service relationship, in which case permission must be obtained from Controllers. Details around sub-processing should include the names of Sub-Processors, the type of service subcontracted and any service quality guarantees that such Sub-Processors offer. Under any legal agreement, a Processor remains liable for any failure of its Sub-Processors to fulfil obligations under the agreement. Sub-Processors are also subject to any relevant point agreements made between the lead Processor and the Controller client. In particular, clear divisions of responsibility around processing activity should be made between Processors and Sub-Processors.

There are also other requirements for which clients, providers and any sub-providers are jointly responsible, including:

- Data Deletion. Personal data should be erased or anonymised once it is deemed to be no longer needed.
- Transparency to Data Subjects. Cloud clients must provide data subjects with details about how their personal information is handled by the assigned providers: details about the nature and purpose of the processing, and any specific detail on the identity of Processors and Sub-Processors, to ensure fair processing.
- Transparency to Cloud Clients. Controllers engaging cloud providers should carefully check the cloud provider's Terms and Conditions, and assess them from a data protection viewpoint. In turn, Processors must be forthcoming in providing any relevant information to clients.
- Purpose Specification and Limitation. Client-provider agreements should clearly determine the scope of processing, and should ensure that personal data are not illegally processed for further unrelated purposes, especially where a large set of Sub-Processors is involved.

Contractual Guidelines between Cloud Clients and Providers

There are legal obligations under EU Data Protection legislation that a formal written contract, or equivalent electronic form, be signed between clients and providers. Fundamentally, the Processor should follow the instructions of the Controller(s), and the Processor must implement technical and organisational measures to adequately protect the data. Key provisions include:

- Service Agreement Metrics. Formal definition of client instructions around how the data is to be managed by the provider under the relationship, with particular reference to measurable SLAs and penalties for non-compliance.
- Security Measures. Specification of the specific security measures with which the provider must comply.
- Data Usage Definition. Definition of the subject context of the processing, the timeframe over which the cloud service will be used, and the extent, manner and purpose of the personal data processing.
- Data Deletion. Specification of how data will be returned or destroyed once the service relationship has concluded, or when specific data is no longer needed.
- Confidentiality. Inclusion of confidentiality clauses covering client and provider employees who will need to access data as part of the relationship, limiting access to the minimum set of authorised persons.
- Rights of Data Subjects. Clear commitments that the provider will support client efforts to access, correct or delete data so that the data protection rights of Data Subjects are met appropriately.
- Data Sharing Boundaries. Provision that the provider will not share data with third parties (i.e. designated Sub-Processors or other parties) unless authorised to do so by the client. The names of Sub-Processors should also be provided.
- Data Processing Changes. Commitment that the provider will notify and receive consent from the client in relation to any future changes to Sub-Processor relationships.
- Consistency of Processing Chain. Consistency between the agreed client-provider obligations and the provider-subprovider obligations should be ensured.
- Data Breach Notification. Assurance that the cloud provider will notify the cloud client of any data breaches.
- Data Transfer Locations. Statement of the locations in which the provider is allowed to process such data under the contract.
- Right to Audit. Assurance of the Controller's right to monitor the provider's service, and a corresponding obligation on the provider to co-operate. This may extend to allowing the Controller to test or verify security and data protection elements of provider or sub-provider infrastructures.
- Service Feature Changes. The client is to be notified by the provider of any relevant changes or new functionality in the cloud service, particularly with respect to data protection implications.
- Processing Event Logs. Provision of logging and auditing support for the relevant processing operations performed by the cloud provider.
- Disclosure for Law Enforcement. Notification by the provider to the client of any requirement to disclose data to a law enforcement authority (unless notification is prohibited).
- Data Protection Compliance. Assurance from the provider to the client that the data processing arrangements comply with national and international legal requirements.
- Technical Security Measures. Clients are legally responsible for choosing providers that provide adequate security measures conforming to data protection legislation. Key technical security parameters that must be met include: provisions to ensure that data is available and to minimise service disruption (e.g. backup internet links, redundant storage and effective data backup procedures); provisions that ensure the integrity of stored data via methods such as cryptographic authentication techniques, message authentication codes, signatures, or intrusion prevention or detection methods; and assurance of data confidentiality via appropriate encryption or similar methods.

Key Issues around Cloud-Based Data Transfer

Use of cloud-based services will often involve the transfer of personal data across jurisdictional boundaries, and in the EU context there are data protection implications when data is transferred from EEA jurisdictions to jurisdictions outside the EEA. Various alternatives can be used to achieve data transfer compliance from a legal perspective. Options that could be considered by Controllers include:

- Does the personal data need to be transferred? In some instances, there may be alternatives to transferring personal data into the cloud. Even when data is transferred, it could be anonymised or encrypted in advance, which would bring such data outside the scope of data protection laws.
- Is an actual data transfer required? If the information merely passes through a jurisdiction (i.e. data transit), data protection law does not apply. However, the definition of what is regarded as a data transfer is still broad in scope: for example, if a website based within the EU (EEA) involves users based outside the EEA accessing personal information via the website, this is considered a transfer of personal data.
- Has the data subject explicitly consented to the transfer? If the purposes of the data processing in the receiving country differ from those in the original sending country, consent must be re-obtained from the data subjects in question.
- Could the information being transferred become personal data in the future? If the information being transferred becomes part of a relevant filing system, the transfer would fall within the data protection wording.
- Is the data being transferred to a "white list" region outside the EEA? The EU has approved a select list of countries that are deemed to have adequate data protection legislation in place, and to which transfers are deemed to be valid (iii). In relation to transfers to the USA, where a large proportion of cloud-based providers exist, general transfers from the EEA are not allowed. US data protection legislation is not consolidated at a federal level, and exists on an individual state and sectoral basis, with sectors such as healthcare and banking, among others, having their own vertical legislation. There is also a Safe Harbor regime that lists a range of US companies deemed adequate for data transfer, hence transfers to such companies from the EEA are deemed valid.
- Does the data transfer fall under alternative measures? Existing EU directives and transposing national legislation (Ireland among others) stipulate specific scenarios in which transfers are permitted that would otherwise not be allowed. Hence, such scenarios can be leveraged by data controllers when crafting the transfer process and could be used to legitimise the transfer (subject to specific legal advice). Such scenarios include:
  o When the transfer of personal data is required by law
  o When data subjects have given unambiguous consent
  o When the transfer is necessary to fulfil specific contractual obligations between the data subject, data processors or other stakeholders in the chain
  o When the transfer is relevant to the overall public interest (this often applies in the public sector context)
  o When the transfer is necessary for legal reasons, i.e. obtaining advice or for legal proceedings
  o When the transfer is necessary to prevent injury to the data subject's health or wellbeing
  o When the data transferred is already an excerpt from a statutory public register

Model Contracts, BCRs and Regional Clouds

Other approaches for supporting the transfer of data outside the EEA include the use of various EU-approved model contracts, or the use of Binding Corporate Rules (BCRs). The model contracts are EU-provided templates that can be adapted to detail the transfer in question (iv). A key distinction here versus the standard legislation is that data exporters and importers (i.e. controllers and processors) are equally and jointly liable under such an agreement, and data subjects can take action against either party if it is deemed responsible for a breach or other wrongdoing.

BCRs are internal codes of corporate conduct designed to ensure that intra-group transfers comply with EU data protection law. They can be tailored to meet the specific needs of a corporate entity. While no explicit format has been prescribed by the EU for BCRs, guidance on deploying the BCR approach is provided on the EU's DG Justice website (v).

The in-progress EU Data Protection Regulation aims to integrate key elements of model contracts and BCRs into the core legislation. Hence, it is anticipated that there will be increased shared liability among controllers and processors, and intra-corporation data transfers should be easier to achieve, regardless of whether transfers outside the EEA are necessary. Nevertheless, cloud-based providers are often simplifying compliance needs where possible by providing regional cloud options as part of their service. These can give assurances to EEA-based clients that personal data stored via their cloud-based services will only be stored in EEA-based data centres and hence will not leave the jurisdiction. For example:

- Microsoft offer North Europe and Western Europe sub-regions for data centre storage around their Azure PaaS service
- Google Storage for Developers allows Europe- and US-based restrictions
- Amazon EC2 provides several sub-region clouds for EU, US and Asian jurisdictions

While such developments by key providers are positive, they only address the surface of the jurisdictional issues around data protection legislation. For example, the precise geographical definition of "Europe" fulfilled by regional clouds is important, as some countries will fall outside EU data protection regulations. There are also several technology- and security-based issues around cloud-based data transfer that arguably fall outside any data protection compliance arguments at present, but are at least equally important. These are discussed in the next section.

Emerging EU Regulations - Implications for Cloud-Based Services?

Growing cloud computing use is now one of the key driving factors towards data protection legislation reform. While data protection regulators are working towards a greater balance between the technical realities of cloud computing and the enforcement of citizens' data privacy rights, it is accepted that much work is yet to be done. In relation to pending EU regulation, for example, there are still many ambiguities and concerns around the practical effectiveness and enforceability of such legislative attempts, particularly as cloud providers based outside EEA jurisdictions will also be subject to the legislation for certain scenarios involving EEA-based stakeholders. From a market perspective, there are also concerns that the existing intent of such EU regulations may end up disincentivising EEA-based data controllers from using EEA-based cloud providers. A recent Queen Mary (University of London) publication (vi) highlights these concerns among others; we discuss such highlighted concerns below.

Overemphasis on location?

It is felt in some quarters that EU data protection regulation places an overly narrow focus on where personal data is located as part of cloud-based data transfers (and similar technology scenarios), and more specifically on whether the data resides outside the EEA jurisdiction. This approach was valid in past computing generations, when the primary means of data transfer between countries involved physically moving storage media. However, with the advent of internet- and cloud-based transfer, this emphasis on data location is increasingly less relevant. The location of data alone does not determine its level of protection, and it cannot be implied that data stored within the EU/EEA jurisdiction is automatically more protected than if stored elsewhere.

Equal (or greater) emphasis on technical data protection measures

What is of equal or even greater importance than data location is how the personal data is protected from access, regardless of where it is stored. Is the data strongly encrypted prior to transfer? Are the relevant decryption keys securely managed? These are questions with which data protection regulations could align more explicitly in order to achieve greater consistency and enforceability from a cloud-computing perspective, or perhaps via greater support for self-regulation initiatives. In relation to providers' cloud-based systems, certain innovations could assist this effort. For example, if cloud providers were able to store personal data in a strongly encrypted form such that they themselves did not have (or need) access, and such that only the cloud client can decrypt and access it, this would greatly improve data protection and lessen the need for emphasis on data location in legislation.
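As an added illustration of the client-held-key model just described (example code, not from the paper and not any named provider's API), the Go program below also covers the integrity measures listed under Technical Security Measures: the client seals each record with AES-256-GCM before upload, the constructed ObjectStore only ever holds ciphertext, and a different key, a re-labelled blob or a modified blob is rejected on download. The ObjectStore, Client and the sample record are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ObjectStore stands in for the cloud provider's blob storage (a constructed
// stand-in, not any real provider's API). It only ever receives ciphertext.
type ObjectStore struct{ objects map[string][]byte }

func NewObjectStore() *ObjectStore { return &ObjectStore{objects: map[string][]byte{}} }

func (s *ObjectStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *ObjectStore) Get(name string) []byte { return s.objects[name] }

// Client is the cloud customer (the Data Controller). Its AES-256 key is
// generated locally and never leaves the client, so the provider cannot
// decrypt what it stores.
type Client struct{ key []byte }

func NewClient() (*Client, error) {
	key := make([]byte, 32) // a 32-byte key selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts and authenticates the record with AES-GCM before anything is
// handed to the store. The record name is bound as associated data so a blob
// cannot later be re-labelled as a different record. Blob = nonce || ciphertext || tag.
func (c *Client) Upload(store *ObjectStore, name string, plaintext []byte) error {
	gcm, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.Put(name, gcm.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Download fetches the blob and verifies the GCM tag before decrypting.
// A modified blob, a wrong key or a mismatched record name all return an error.
func (c *Client) Download(store *ObjectStore, name string) ([]byte, error) {
	blob := store.Get(name)
	if blob == nil {
		return nil, errors.New("no such record")
	}
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// ProviderCanRead models the provider (or anyone with raw storage access)
// searching what it holds for the plaintext.
func ProviderCanRead(store *ObjectStore, name string, plaintext []byte) bool {
	return bytes.Contains(store.Get(name), plaintext)
}

func main() {
	store := NewObjectStore()
	client, _ := NewClient()
	record := []byte("subject=42;name=Jane Doe;dob=1980-01-01") // constructed sample, not real data
	_ = client.Upload(store, "subject-42", record)
	fmt.Println("provider sees plaintext:", ProviderCanRead(store, "subject-42", record))
	got, err := client.Download(store, "subject-42")
	fmt.Printf("client decrypts: %q (err=%v)\n", got, err)
	other, _ := NewClient()
	_, err = other.Download(store, "subject-42")
	fmt.Println("other tenant's key rejected:", err != nil)
}
```

Key management (rotation, escrow for the client's own recovery, and who within the client holds the key) is the part the paper's question "Are relevant decryption keys securely managed?" points at, and is outside what this snippet shows.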
Definition Ambiguity In the context that data location will remain an important element of data protection compliance for at least the foreseeable future, it is also important to consider what exactly is meant by data location in the legislation. Does location imply the actual location of the personal data, i.e. location of the data centre, or does it imply the geographical location of the recipient? Other similar ambiguities and complications exist in relation to how subprocessors could be categorised, and by extension whether they must comply with a particular data protection context. For example, there is a distinction between layered relationship in a cloud service provider chain (e.g. a user using a SaaS provider who in turn hosts their service on an IaaS provider such as Amazon EC2), versus a situation where a sub-provider processes data on behalf of a client-facing provider, and needs to understand the specific semantics of the personal data in question. While some commentators argue that such distinctions should be clarified in data protection legislation, this is presently not the case. Other Concerns There are also concerns in relation to the increased bureaucracy that the regulation could create. Corporate requests for data transfers would need to be made in a legally binding instrument, such as the BCRs, model clauses, and other alternatives already discussed. As it stands, such contracts must be approved in advance by the EU Commission or delegated authority, and must be granted on a case-by-case basis. This has the potential to greatly increase workload on regulatory resources that are already very stretched, when similar resources could be assigned to other important tasks such as prevention, enforcement and investigation of issues around data breaches for example. 
Clearly, such debates indicate that data protection in relation to cloud-based services has both legislative and security technology elements. These overlap to some extent and will hopefully converge more closely in the long term, but for now they should also be treated as individual data protection compliance steps. Hence, compliance with legislation as it stands does not yet imply total protection and security of personal data.
Data Protection In The Cloud Page 9

Espion Support for Data Protection Compliance Initiatives
Espion works with a wide range of organisations across all industries and business functions, providing advice and assistance relating to the holistic compliance, protection and management of key information assets. From a compliance perspective, we help organisations to comply with various legislative and standards requirements, including ISO, PCI (payment card), COBIT and various Business Continuity standards among others. We are also experts in a range of security techniques that can be deployed as part of any data protection compliance effort. Our data protection compliance framework can incorporate a range of activities such as security risk assessment and scoping of enterprise networks, application and infrastructure penetration testing, vulnerability scanning and assessment, software application testing and Security Information and Event Management (SIEM), among others. Such services can be applied to test any cloud-based deployment scenario for data protection compliance. We have carried out detailed data protection compliance assessments on behalf of both cloud infrastructure clients and cloud service providers, and hence from both Data Controller and Data Processor perspectives.

Key services we can provide in relation to data protection security and compliance with data protection legislation include:
Audit of cloud-based workflows and data transfer procedures with respect to relevant DP legislation
Audit of cloud service providers' infrastructure, on behalf of providers themselves or on behalf of service clients
Audit of cloud-based processes with respect to key Information Security and Business Continuity standards (ISO, PCI, COBIT, etc.)
Decision support around assessing and choosing cloud providers with respect to security and data protection compliance issues
Privacy-by-design consultancy around emerging cloud-based products and services

Need to Know More?
Contact Espion Group at or info@espiongroup.com

References
i Adopting the Cloud - Decision Support for Cloud Computing, NSAI Standards SWiFT 10:2012, issued 4th April 2012
ii Opinion 05/2012 on Cloud Computing, Article 29 Data Protection Working Party, adopted 1st July 2012
iii Commission Decisions on the adequacy of the protection of personal data in third countries, European Commission
iv Model Contracts for the transfer of personal data to third countries, EU DG Justice
v Overview - Binding Corporate Rules, EU DG Justice
vi W Kuan Hon, Christopher Millard - Data Export in Cloud Computing: How Can Personal Data Be Transferred outside the EEA? The Cloud of Unknowing, Part 4, Queen Mary University of London, School of Law, 4th April 2012


About Espion
Espion are Corporate Information specialists. We work with organisations across all industries and business functions to provide advice and assistance relating to the holistic compliance, protection and management requirements of their most valuable asset: information. This allows our clients to focus on their core business and ultimately achieve greater success.

Espion Headquarters
Corrig Court, Corrig Road, Sandyford Industrial Estate, Dublin 18, Ireland
+353 (01)


More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

SELECTED LEGAL ISSUES

SELECTED LEGAL ISSUES SELECTED LEGAL ISSUES OF CLOUD COMPUTING Geneva, June 26, 2014 Internet Law Summer School Michel Jaccard Juliette Ancelle id est avocats, Lausanne www.idest.pro @idestavocats 1 What is «cloud computing»?

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Guiding Principles on Cloud Computing in Law Enforcement Cloud computing technologies offer substantial potential benefits to law enforcement and government

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Australia s unique approach to trans-border privacy and cloud computing

Australia s unique approach to trans-border privacy and cloud computing Australia s unique approach to trans-border privacy and cloud computing Peter Leonard Partner, Gilbert + Tobin Lawyers and Director, iappanz In Australia, as in many jurisdictions, there have been questions

More information